Acceptable use policies (AUPs) are sets of behavioral expectations or rules adopted by college and university officials that are designed to regulate the conduct of those who use institutionally provided computer resources. At the same time, many businesses and K–12 school systems have developed such rules and policies to regulate usage, to protect the integrity of their networks, and to avoid legal problems. In educational institutions, faculty, staff members, and students are often asked to acknowledge acceptable use policies and to agree, in writing, to comply with their terms as a condition of access to computer resources. Well-drafted acceptable use policies can serve a useful purpose by helping to alleviate disagreements when improper uses are discovered, so that the consequences for such inappropriate uses can be more readily justified and evenly applied.
Acceptable use policies typically contain a statement of purpose along with an acknowledgment that computer resources and access provided by the institution are provided primarily for educational or administrative purposes. Those policies make users primarily responsible for compliance but also warn that computer users are subject to monitoring for compliance. Making individuals aware of such provisions in policies is designed to have the effect of deterring unacceptable conduct while providing warnings that individuals are primarily responsible for their conduct that fails to comply with the policies.
A common function of acceptable use policies is to advise users that their use of computer resources is subject to monitoring. Users must be told that the system will be monitored for misuse and that they should not expect that their computer use, the sites they visit, or the e-mail or instant messages they send using school computer resources will be private. In addition, educational officials should condition access to computer systems to those users who expressly agree to the acceptable use policies, including the monitoring provisions. Users who agree to comply with the provisions in acceptable use policies, in essence, consent to monitoring as a condition of access. Including such an explicit statement in acceptable use policies should help institutions to avoid liability under the Electronic Communications Privacy Act (1986), which makes it unlawful to intercept electronic messages. Put another way, reducing the expectation of privacy that users may otherwise think they have in using such technology should help institutions avoid legal issues when monitoring is required.
Most acceptable use policies also contain what is tantamount to a code of conduct for users. Codes may include rules pertaining to use of appropriate language; rules to help users avoid illegal activity; and rules regulating the downloading of copyrighted materials, including music and movies; as well as rules that are designed to protect the integrity of the system (bandwidth). The challenge for administrators in higher education is to develop policies that are broad enough to address and guide conduct that may not have even been conceived of, yet narrow enough to address specific behavior in a practical and unambiguous way. Conduct rules may also be designed to regulate harassment or disruptive conduct directed to other users. Moreover, rules designed to protect users are common, such as rules regarding the release of personally identifiable information or the sharing of access passwords.
Unacceptable uses of computer resources are frequently detailed as part of acceptable use policies. For example, the creation, storage, display, or transmission of offensive, obscene, sexually explicit, or otherwise inappropriate documents or images are frequently prohibited. Acceptable use policies often cross-reference other policies of the institution (such as antiharassment, plagiarism, and discipline policies as well as student codes of conduct).
Acceptable use policies commonly provide notice to students that insofar as their access to computing resources is a privilege, not a right, violations of AUPs can result in having their privileges withdrawn. Another common feature of acceptable use policies is that they often detail the consequences of violations of their terms. In addition to denial of access and/or referrals to law enforcement agencies, policies may note that violations will be subject to institutional disciplinary policies. Warnings, suspensions, and terminations or withdrawal of privileges are common consequences detailed in such policies. Furthermore, acceptable use policies may be an important medium to inform staff of the applicability of a state’s public records laws to their electronic communications, including any responsibility the staff member may have to preserve such records. Staff should also be reminded that communications may also be protected by the Family Educational Rights and Privacy Act (1974).
AUPs are designed to encourage responsible use of computer resources. As a guide to conduct, they are designed primarily so users can self-regulate their behavior. Acceptable use policies also serve as notices of rules and consequences in the event that users fail to live up to their own responsibilities for compliance.
AUPs present legal issues similar to issues arising under other college and university codes of conduct: First Amendment freedom of expression, Fourteenth Amendment due process, Fourth Amendment privacy, common-law, or statutory privacy claims, and Copyright issues in addition to a variety of harassment issues, such as sexual harassment and cyberbullying.
Educational officials retain regulatory authority over computer resources that the school provides for students and staff. However, officials must make sure that policy enforcement is consistent with the terms of their institutional acceptable use policies. In this regard, due process will require that students, faculty, and staff members be provided with clear notice of what is acceptable and what is not permitted. In addition, when taking disciplinary actions, officials must ensure that an apparent nexus to their institutions is identified before acting pursuant to acceptable use policies.
If officials must take disciplinary actions or other consequences flow as a result of students’ failure to comply with AUPs, sanctions must be taken in accord with an institution’s general disciplinary procedures and applicable code of conduct provisions. Disciplinary actions or other consequences taken against faculty and staff must be taken in concert with requirements of applicable personnel policies, employment handbooks, and labor contracts.
Jon E. Anderson
- Fossey, R., & Horner, J. (2003). Student misconduct involving the misuse of technology. Education Law Reporter, 179(1), 1.
- McClure, P. A. (Ed.). (2003). Organizing and managing information resources on your campus. San Francisco: Jossey-Bass.
- Electronic Communications Privacy Act, Pub. L. No. 99-508 (1986).
- Family Educational Rights and Privacy Act, Pub. L. No. 93-380 (1974).