Rethinking Acceptable Use Policies

A staple of many Information Technology (IT) policy suites is the Acceptable Use Policy (AUP), intended to govern what people working in the organization can and cannot do with the technology we provide them. 

IIM professionals and consultants push to have these kinds of policies in place, and countless templates are available on the Internet to use as a starting point if we don’t have one already.

But are they necessary? Maybe the better question is Why is the AUP considered part of the organization’s IT policies? 

Let’s take a typical example. Here’s one I pulled from real-life documents:

When using corporate technology, users are expected to refrain from:

  • conducting themselves in an unprofessional manner
  • conducting activities related to a personal business
  • creating, storing, or distributing racist, sexist, hateful, or otherwise objectionable content
  • engaging in illegal activity
  • harassing or bullying others
  • committing libel or slander
  • impersonating another individual
  • disclosing any sensitive corporate information
  • destroying corporate information without authorization
  • endorsing a product or service without authorization

…and so on, with dozens of similar clauses. 

These prohibitions themselves are all reasonable things to ask of an employee. The problem is that not one of these items has anything to do with technology. Each activity on the list above is an activity that was prohibited in many organizations long before the computer arrived.

Now that the computer is here, granted, we do things differently from before. Nonetheless, what is the justification for separating what we prohibit when using technology from what we prohibit in day-to-day office life? 

Stated differently, aren’t the elements that constitute harassment in paper photographs the same elements that constitute harassment in digital images? The words in a typewritten paper memorandum that can bully a co-worker, aren’t those the same words we worry about in electronic messages?

Sure, you need to take steps to make your stance on harassment and bullying clear. But that stance should be medium-agnostic, making the rules the same whether the communication is in person, through the telephone, virtual, or through paper.

Seeing these kinds of rules in a IT AUP makes me wonder how the organization managed in the days before disks and DOS. 

What did the old Desk Drawer Acceptable Use Policy look like? What — you didn’t have one? How did management ensure that people didn’t keep illegal drugs in their desk drawers if they didn’t have a Desk Drawer AUP to fall back on? 

When the organization gave out ballpoints and pads, did it make people agree to a Pens and Paper Acceptable Use Policy? Without one, how could the office quartermaster ensure that someone wouldn’t doodle a pornographic image using those office tools? 

I wonder what was in their Hat Rack Acceptable Use Policy that prohibited people from using a hat rack to hit co-workers in a fit of anger. What was clause in the Office Chair AUP that reminded people not to sit on one for nefarious purposes? Most important of all, how did they word the Paperclip AUP so it could prevent people from using one to gain illegal entry somewhere and commit robbery.

Of course, none of these Acceptable Use Policies existed. Prior to the advent of computer technology, when employee activities had to be regulated in most offices the burden fell on the Human Resources (HR) team. 

The reality is that the acceptable use of the office telephone and the typewriter was not considered to be a technology decision, but was rather a business decision. HR policies governed the business decisions that regulated employees, and told them when they could play a radio, make personal telephone calls, and so on. 

Why did that change? Somehow, with the advent of computers, the technology itself was seen to be the source of the problem. 

Most HR people didn’t understand computer technology and would not have been in a position to word their general policies to take technological innovation into account. So the burden of detailing how people should behave when using computers fell to the IT people. 

The IT accepted that burden gladly because it gave them the kind of authority around rule-making in the office that the suppliers of desks, pens, and paperclips never had.  

But now we have an absurd situation. The behaviour that happens in the hall is governed by one set of rules and the behaviour that happens online is governed by another. 

And the problem with that situation? Those are silos. Unnecessary silos, not conducive to a collaborative approach of office management.

The downside of this separation — apart from the potential of conflicting rules and divergent interpretations — is where the ownership of the problem appears to lie. Poor behaviour online is now seen as an IT problem, rather than as a business problem. 

It’s time to break down those silos. There’s no reason that rules around behaviour need to be located in different policy instruments depending on whether the medium is analog or digital. 

Take those statements that talk about conduct and move them back to the business, where they belong.


All articles in this blog are available for use under a Creative Commons Attribution 4.0 International License. Creative Commons License