Abstract
This article explores the development and implementation of policy, particularly information policy, drawing on the author’s personal experience of policy formulation. The article develops a framework for the development of information policy using numerous illustrations and examples.
Introduction
Policies can be strange beasts. What are they for? Does anyone read them and how can they be implemented and monitored? Some of the top table want cupboards full of policies, others want a scant page or two ‘of bullet points’. Writing policy is one thing, getting people to read and understand it and monitoring whether anyone takes any notice is something else again.
In this article, I am going to throw out a few ideas about the writing of policy, how to make it relevant and interesting and how to get people to take the contents seriously. I am going to do this in a composite way, based on – ahem – a few years of doing such things. The anecdotes are real, but they have come from different times and places. Because they are based on the type of organizations that many readers work in, they should be recognizable. When writing and implementing policy where you work, I’m sure you will be able to find some anecdotes which everyone is familiar with, based on the work which people do and the culture in which they do that.
First of all, what are you trying to achieve?
Policy is important because it sets out the rules and guidelines of how people should do things. Workplaces and organizations are often very rule-driven entities. There are all sorts of unspoken rules – manners, courtesies and etiquettes – which make a place tick. Saying ‘good morning’ and ‘good night’ to your colleagues is an example of an unwritten rule, and whilst we don’t need a policy about it, we all like it as part of the social glue which helps with the working day. Not using personal email for work purposes is an example of a rule that needs to be governed by policy and needs to be monitored for compliance.
In terms of data, information and knowledge management, policy is created to ensure legal compliance with freedom of information (FOI) and data protection, provide security, enforce good practice and define rules and standards for processes such as data sharing and data quality. The business is trying to achieve these things because otherwise it risks breaking the law which will result in fines and reputational loss, because without security it risks the loss or damage of critical data and information, without defining standards then it is difficult to integrate data and information sets and it becomes difficult to know what versions are valid, what the date of creation of a document was, who authored it and what the purpose is.
Who is the audience for policies?
Not all policy has to be read by all people. A detailed document control policy for a large construction project will have segmented audiences and they will know who they are. They do not need to read each section, but the particular areas which apply to them. The subcontractors putting in the electrical wiring will need to follow the rules for metadata about any information they create. They do not need to read the document control policy which covers the construction of the glass panels for the walls.
An Acceptable Use of IT Equipment and Information Systems Policy needs to be read by everyone. But who exactly is everyone? It can be surprisingly difficult to know who actually works in an organization. The Active Directory may not be accurate for current members of staff because, for all sorts of reasons, people may be on there who have left. Does this have to be defined in terms of full-time, part-time, contractors, consultants and volunteers? Or does it make more sense to define ‘everyone’ as any person who has access to equipment or any systems? But what about systems that are available in the cloud which are being used to share data and information with third parties – do they need to sign and agree to your organization’s acceptable use policy? Can one organization set governance rules for another?
Clear and concise
The aim should be to write clearly and concisely but accept that not all policy will be like that. A policy which deals with data protection and FOI needs to set out what the rules are, how they will be monitored and what is expected from all members of staff. It’s difficult to skimp on the words, but think about the presentation. I have sat through training sessions on data protection which I thought would never end, which dragged on with glacial speed for what seemed like weeks, only to be amazed it was only an hour and a half. Do I remember anything from that session? No, nothing at all. The examples given were so complex that all I kept thinking was that if anything so detailed did happen, we would need expert legal advice.
What do most people in the organization need to know about data protection? We told everyone that if they ever have cause to collect or use personal data, they must come and talk to information services. By continually highlighting that one message, we get all sorts of parts of the business coming to us, and we are able to find out exactly what they are doing, why they need personal data (and at times sensitive personal data) and help them manage that accordingly. We can then refer them to specific parts of the relevant policy and they are more likely to remember and learn, because it is directly relevant to what they are currently doing.
We have a detailed FOI policy, including the process of appeals, the lengths of time by which we need to respond, references to exemptions and all the rest. What do we say over and over again to the business, at inductions, team meetings, all staff meetings? One clear message: anything you say in email could be part of a response to an FOI request. Anything you say in an email could be on the front page of the newspapers. Anything written in email might have to be explained to your manager or the chief executive. How do we make them think about this? We point out that we have the technical ability to search all of the email archive and that nothing is deleted from this within certain time limits. The reality is that the archive is rarely searched at a corporate level, and there are various levels of authorization, which must happen before this can be done. But you can see people really sitting up and listening when we explain this to them. For a small number of us, the policy which deals with FOI is used on a regular basis, and we refer people to the relevant parts when we are collating responses.
It is important to write in a style – even in a policy – which is professional and relevant, avoids the use of buzz words and jargon and, in particular, clichés. Neither should policies be personal. They are corporate documents. The more natural the style, the more likely it is that it will be read, and it can be useful to include examples and scenarios which are relevant to the type of business and organization which you work in. But be careful with analogies and references from external sources. I have seen figures quoted in relation to information management policies which state that each member of staff spends on average two hours per day searching for information. On the basis of an average of X pounds per hour multiplied by the number of staff across the whole year, a humongous saving can be made. I’m not convinced. If ‘searching’ was replaced by ‘drinking tea’ or ‘looking out of the window’ or ‘talking to their friends during worktime’, would we believe or accept it?
It can feel immensely satisfying and smug to ensure that policy is buzzword compliant and that all the current management speak terms are in there, but it’s worth reading Lucy Kellaway’s weekly column in the Financial Times to get an idea of how ludicrous some of that terminology can sound.
Policy must be relevant
It is widely accepted that no one reads those huge policies when installing new software or implementing upgrades. Have you ever read one from start to finish? For a while, there was a joke circulating which suggested people had in fact agreed all sorts of things which they had no idea about.
Unfortunately I was once made to read one of those policies from a supplier of Wi-Fi service. After 7 pages of the 12, I really had stopped caring what I was signing up to. Did it really need to be so detailed? Ok, there needs to be something, but this was along the lines of ‘if you are reading your smartphone and walk into a tree or lamppost whilst doing so, we are not liable, blah blah blah’. Some parts of it were so terrifying and confusing that I would have switched off any device which had the remotest chance of connecting to their service and got out of the area as quickly as possible.
Some policies will be very detailed
A records retention and disposal policy supports a records management policy. The organization you work for may or may not be subject to the Public Records Act, but whatever its status, it must create, maintain and manage robust business records. These will cover finances, personnel issues, health and safety and all sorts of other issues. Does everyone in the business need to be familiar with each aspect? No they don’t. Does the finance team need to understand the need for good record keeping? Yes they do, and they will have learned this as part of their professional training.
What policy? Wheel inventing and reinventing
The wheel has turned out to be a pretty good invention. Versatile, simple, easy to make and with a wide spectrum of uses. But not all wheels are the same. They differ in size, weight, strength and the materials they are made from. A wheel for generating power from water is different from the flywheel in a watch. They have different functions and uses. So too with policy. The Acceptable Use of IT Policy for an organization that deals with personal data will be different from that of an organization that does not. A Knowledge Management Policy for a research and design team is different from that of a project-focused team, a team with a high turnover or a team that has specialist knowledge in a very particular area.
Policy needs to fit the business requirements, unless the business is doing something wrong, in which case the business needs to change. The policy and the business needs must be aligned. If the policy says ‘no one must use social media at work’ but everyone uses social media either as part of their work, for promotion of events the organization is involved in, for professional networking or as a social activity at lunchtime or after work, in one of those new grey areas where professional and social is blurred, then something has to change.
I personally don’t like ‘exceptionalism’ in terms of policy. This usually goes along the lines of ‘oh, I know everyone in the organization uses application X and that’s what we pay for and get technical support for, but …’ (it’s the ‘but’ I don’t like) ‘… we are an exception and everyone in our profession uses Y’.
Part of the challenge for policymakers in the developing digital age is that the relationships between the technologies, the people who use them and what they are used for are constantly changing. How old is the World Wide Web (as opposed to the Internet – they are different things)? we ask at training sessions. When did email start to be used as a business tool? How ancient are smartphones? The range of answers to these questions is staggering, revealing that (i) there isn’t much interest in the history of the office, (ii) a lot has changed very rapidly and (iii) people appropriate tools in ways that suit them. That doesn’t mean this should be allowed uncritically: one person’s ‘open access’ is another person’s data being compromised.
Acceptance and agreement to policy
The next issue to consider is that people are aware that they are signing up to agree that they understand the terms of the policy. So how often does that need to be done? I have been in organizations that have been audited on this, and someone may have been working there for years who signed a form when they first started (or so it is assumed, because the form can no longer be found), but where is the evidence of the refresh? Personally I think some policies should be re-signed on an annual basis to (i) show that the monitoring and compliance is being taken seriously, (ii) keep raising awareness and understanding and (iii) pick up any gaps where people started some time ago, but have slipped into bad practice and cannot remember all that stuff they did on the first day when they started and met a bewildering mix of people and had to adjust to a new culture and at times alien working practices. This may not be agreed at a senior level, so as ever, the information services team (if there is such a thing – it might be, and often is, just one person) has to think of super-inventive and innovative ways to do this. Splash screens (do you trust IT with this?), all-staff emails (which half the staff don’t read), notices in the kitchen (competing with detailed instructions about how to fill the dishwasher). And which of those will satisfy the auditors, who will want to know that an acceptable use policy is actually being adhered to? And what evidence is there for monitoring?
Monitoring of policy
Let’s move on to that bit – the monitoring process – because that’s not necessarily straightforward either. In a moment of largesse, I once wrote into a policy that there would be an annual information governance report which would show the number of information security incidents, their severity and what categories they would fall into – loss of laptop, data protection breaches, unauthorized access to systems and so on. It would include the number of FOI, EIR (Environmental Information Regulations) requests and Subject Access Requests and the time frames within which they were answered.
It was only really supposed to be an idea but was picked up by the auditors as if it were the most central thing we did. Collecting the actual statistics was the relatively easy bit – information security incidents were recorded on a register in a restricted folder with details of what happened, remedial action and lessons learned. Thankfully there were very few data protection breaches – a couple of incidents of people not using blind carbon copy (BCC) for replying to half a dozen people, someone complaining they had not been removed from a mailing list when they requested this. One laptop lost in a pub (why do people ask IT for a laptop ‘to work at home’ and then go to the pub? surely it’s one or the other?), a couple of smartphones left on buses, trains, aeroplanes (which can be remotely wiped – but only if people TELL us). Growth in data volumes is useful in some ways, but what does it actually tell us? If there’s not much growth in data, is it because people aren’t working very hard, or is it because they are preventing any duplication and writing all their reports as concisely as possible, or have moved into a much more verbal-based work process?
The report was produced, it was fine and actually quite a useful overview. But the real question it raised, and which has provided a lot of scope for thinking, is how we actually monitor the policies we have in a meaningful way which can be validated and checked externally through an audit process.
There are some technical controls that can help to enforce policy, such as password creation rules (one thing that constantly annoys me is any Web service which only allows the use of letters and numbers – but not special characters – what’s the point of that?). So the technical control is that passwords have to be of a minimum length, a mix of upper and lower case, with a minimum of so many letters, numbers and special characters. But how do we enforce a rule in the policy which says that users must not share passwords? On the three occasions I have seen this done (in different organizations), one incident was ‘someone giving a colleague their own password because the colleague couldn’t remember their own, and was in a hurry’; on another occasion, admin staff shared passwords to short-circuit access to certain materials; and on another, an external contractor was given access so they could do some work on a system. Were any of these actively malicious? Not in themselves, but they clearly broke the policy and were only discovered by word of mouth, in one case by overhearing two people talking about it. What they reveal is that one of the main issues with any acceptable use policy – which must cover information security issues – is that one of the key threats is internal, and that internal threat is human error and human weakness. How such things can be monitored can be very tricky.
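An added example, not from the article, of the password-creation control the paragraph describes: a check that reports which of the written rules a candidate password breaks. The minimum values are assumed, since the article gives none, and the second function models the letters-and-numbers-only input filter the author complains about, which makes the special-character rule impossible to meet.

```python
"""Password-creation rule check: a technical control backing a written policy."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical minima chosen for illustration; the article states none.
    min_length: int = 12
    min_letters: int = 4
    min_digits: int = 2
    min_special: int = 1
    require_mixed_case: bool = True
    # The special characters the system actually accepts on input.
    accepted_special: str = string.punctuation


def check_password(candidate: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means it complies.

    Reporting the rules rather than a bare yes/no lets the user fix the password
    and gives the monitoring side something to count by category.
    """
    letters = sum(ch.isalpha() for ch in candidate)
    digits = sum(ch.isdigit() for ch in candidate)
    special = sum(ch in policy.accepted_special for ch in candidate)
    has_upper = any(ch.isupper() for ch in candidate)
    has_lower = any(ch.islower() for ch in candidate)

    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if letters < policy.min_letters:
        violations.append(f"fewer than {policy.min_letters} letters")
    if digits < policy.min_digits:
        violations.append(f"fewer than {policy.min_digits} digits")
    if special < policy.min_special:
        violations.append(f"fewer than {policy.min_special} special characters")
    if policy.require_mixed_case and not (has_upper and has_lower):
        violations.append("not a mix of upper and lower case")
    return violations


def letters_and_digits_only(candidate: str) -> str:
    """The input filter the article complains about: it silently drops anything
    that is not a letter or digit, so no stored password can ever contain a
    special character, whatever the written policy demands."""
    return "".join(ch for ch in candidate if ch.isalnum())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("Correct-Horse-42!", "password", letters_and_digits_only("Correct-Horse-42!")):
        print(repr(pw), "->", check_password(pw) or "compliant")
```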
Whilst it is possible to put in certain technical controls – password creation is one, there are others – and it is possible to monitor certain activities, the way I generally prefer to approach this is to provide a lot of training and raise a lot of awareness.
Raising awareness, providing training
Training can actually be quite a lot of fun if approached in the right way. The history of all of these technologies is fascinating and some of us can remember what the world was like before laptops and desktops, smartphones and social media, apps and the Internet of things. A world of paper memos, typing pools, Bakelite telephones, people smoking at their desks and in meetings … it wasn’t that long ago either. And this may surprise some people, but just about everyone in a contemporary workplace is using technologies and information in their social lives, as part of their hobbies and interests, to plan their holidays and to search for all sorts of esoteric goods and services which they would struggle to find in a bland, all-purpose shopping mall.
If those two areas can be brought together – the rapid change which technologies have created – and the learning which people experience through their personal use – then training can be effective and get people thinking about the use in the workplace and that’s what you need to get to happen. An information security policy can cover all sorts of technical issues about phishing and spamming and scamming, but relate that back into people’s personal lives and they get it. At just about every information security training session I’ve ever done, at least one person has had their personal email or social media hacked or tampered with, or been the victim of credit card fraud or had personal data stolen or compromised. If you relate the need for policies in the business organization to people’s personal experiences, they will take it seriously.
The key to this is to make the understanding and awareness of the policy rules and guidelines everyone’s responsibility. It is possible to lock down systems and make people use transparent plastic bags so the contents can be seen when they leave the office, to screen all incoming and outgoing emails for certain keywords, as some companies do, to prevent access to the internet during work time and heavily police user activities. But most organizations will not have the resources or the stamina for such measures, and it’s likely to be a very good way to see morale drop and resentments and grievances accumulate. What I think works much better is to make it clear to people that it is their responsibility to make sure they understand the areas of policy which they are informed of, and that, being aware of this, if there are any breaches then they will be accountable. Not in the sense of waving a stick at people, but in making them understand the relationship between the written rules and their actual behaviours. If that can be achieved, then the policies will be worth the paper they are written on, and the organization can feel it has a credible framework for managing and organizing what it has in terms of data, information and knowledge.
People need to be aware that by signing they understand and agree to the terms and conditions. They need to be made very aware that if they are told not to use personal email for work purposes, but do so, then they will face the penalties. People need to understand that if they are told not to take sensitive papers out of the office, but ignore this instruction and do so, and then lose those papers, then it is their responsibility. Human error is one of the major factors in policy breaches so getting people to understand the areas of policy which impact on this is a necessity, not something which should be a tick box exercise.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship and/or publication of this article.
