Technology Policies in Legal Aid Programs
A technology policy for a legal aid program? What's that?
Technology policies serve to outline acceptable uses, practices and guidelines for technology in the workplace. Some programs have invested a huge amount of time to develop computer policies, which by the time are approved, are no longer relevant. Most programs have some version of computer policies, but are on a constant path to update them. Regardless of where your program fits on this continuum, this module is designed to provide poverty law managers and techies with suggestions for their program's technology policy.
These notes are primarily compiled from ED114: Establishing Sane Technology Policies for your Program (formerly TM105). You can view the most recent materials for that training here.
Steve's Hippy Technology Zen Mantra: Open but Standardized Freedom
Open: Don't put more energy into locking down your data than you do in securing your paper files. We really don't have anything that anyone wants anyway. Too much time, energy and expense can be put into security. You need to cost-benefit this realistically. Once you staff are inside your network it should be very easy for them to get to everything they need. Don't let your sys admin go crazy.
Caveat: This doesn't apply to ports outside your firewall or accessible to the internet. Hackers want your web or email server, and they shouldn't be allowed to have it to torment others.
Standards: It is impossible to support every software application that a staff has an itch to try. For the sanity of your techie you have to pick a uniform set of core applications (email, browser, office suite) and install, support and train only those. The same goes for data storage conventions. All programs have a filing system for paper files - you need a similar, easy way for any staff or manager to find another's electronic documents.
Freedom: Program technology should not be controlled by the system administrators. The technology is present for the benefit of staff and their work. We should not lock down our systems to such a degree that staff can't try innovative or time saving ideas. We aren't guarding Fort Knox. We should err on the side of access for staff over overly restrictive security.
Your program needs to inform its people about the type of behavior it expects of those using the internet in the workplace and about the consequences for abusing internet privileges.
Areas to Consider
Monitoring: Are you going to be monitoring or filtering traffic in and out of the network? If you are people need to know that and if you aren't people need to know that their movements are probably still being logged by your firewall and your ISP and that the workstation they are using will keep track of sites and images they have viewed.
Prohibited Use: Most legal aid programs related that the primary purpose of internet access for their employees is for program related work and that they specifically prohibit things like: obscene materials, gambling, LSC restricted activity, prohibited file sharing (i.e. Kaaza or bittorrent), instant messaging and for-profit use. Some programs prohibit all non-work related use.
Personal Use: Some allow personal use on non-work time except for specifically prohibited activities.
Acceptable Downloads: Over and above prohibited items, folks can load their system up with spyware and potentially damaging viruses and clog up your internet pipeline with large downloads. You can cover this is a security section as well.
Like internet use your program needs to inform its people about the type of behavior it expects of those using email in the workplace and about the consequences for abusing email. Considerations here could equally apply to instant messaging.
Areas to Consider
Privacy: What is an employee's expectation of privacy with their email account? Most policies affirmatively state that all data on program systems is property of program and subject to management and board access. However, some also prohibit non-authorized staff from reading others' emails without permission of owner.
Personal Use: Same considerations as internet use.
Prohibited Use: Most of the same considerations as internet use. Many policies draw parallels to written paper communication and prohibit staff from doing anything in email that that they wouldn't be allowed to do in written paper form.
Etiquette: Policies ask employees to reply promptly and be aware of the communication limitations of this electronic media (i.e. humor and sarcasm don't translate well).
Although this topic is touched on some in Internet Use and Email sections it warrants further discussion. To what extent can staff use the equipment for non work related activity? In addition to internet and email considerations should staff be allowed to load games on their computer or play online games? How about music and MP3s? How about selling on eBay or making personal online purchases?
Things to Consider
In addition to prohibitions or limits on acceptable use, there are areas for which your program will want users to take affirmative responsibility. These include
Many programs have required staff to regularly check voice mail and email and to notify others in the program when they are going to be away and won't be checking in.
Users need to be using set protocols and standards for storing electronic files and putting them in a place where they are back-up regularly.
Network File Storage: Most programs don't have a desktop back-up system in place, so users need to save electronic files on a network drive that is regularly backed up.
Standardized File Saving Protocol: Programs need to have file naming and folder organization standards so that someone who needs to take over a case or project can find related documents quickly and easily. Document management software (some built in to case management systems) can help with this.
Privacy Concerns: Individual files or folders can be password protected. Also, some programs prohibit browsing of others network folders without permission or a legitimate work related purpose.
To what extent will you allow users to install software on their workstations (whether for program or personal use)?
Work-related vs. Personal Use: Some programs prohibit this entirely, while other allow with permission for work-related purposes.
Ghosting: Some programs have a standard desktop image that they use to handle this issue. If users install software that causes problems they can simply re-ghost the desktop to the program standard in a matter of minutes.
Even with the best anti-virus software and security systems users can inadvertently make a lot of work for others. Users need to be trained and then asked to take responsibility for their part in preventing security problems.
Email Attachments: Some programs prohibit them and provide alternative means for file sharing. Some prohibit opening of a specific type (i.e. exe or pif).
Passwords: Most prohibit sharing of program passwords outside the program and some have standards for user selection and changing.
Transporting Confidential Content on Electronic Media: Most apply similar policies as paper case files.
Creating a working tech policy requires collaborative effort and a regular plan to review and update the policy as use of technology changes in your program. To develop a policy,
Consider using a Wiki to develop, share and update your computer policies. Michigan uses a wiki for them, and it makes it much easier to keep track of current policies.
What is a wiki? A wiki is a website that is really easy to use and post to. It is perfect for dynamic information like computer passwords, as well as for manuals and collaborative documents. To learn more about Wikis, see Wiki Section of LStech Resource Center.
Preview Some Samples
We've posted and linked to some computer policies here. If you have some, send them to gabrielle@LSNTAP.org and we can post them here for you. Don't worry if they aren't perfect. No one's are. These are just offered as places to start, not as ideal models.
The Entech NPO Tech Policy Template is a free, online form based system that assists non-profits in creating their own program tech policy.
Editorial Note: It seems to me to be a little on the restrictive side.