Policy is a control by which an organization attempts to mitigate risk by ensuring that the organization acts in a way that reduces the likelihood or impact of an event. However, things can and do go awry because policies are developed with certain facts in mind that may not be prevalent during the actual application of that policy. Let me give a few examples, one that has no privacy implications and the other that does.
I went diving at Ginnie Springs in Florida yesterday as I have been since 1987, when my dive instructor took us there for our open water checkout dives. I dive on an NACD Intro to Cave certification which was issued in 1990. I’ve been diving on that card (at Ginnie Springs) since then, in other words 23 years. At the time, the NACD only had 3 levels of certification (Cavern diver, Intro to Cave and Full Cave). Now the NACD has 4 levels (Cavern, Intro to Cave, Apprentice to Cave, and Full Cave). Interestingly enough, my Intro to Cave card has in fine print, which I never noticed, a one-year expiration. Neither has anybody else until yesterday when the cashier checking me in said my card had expired. This is no longer the case with current Intro to Cave certifications, though Apprentice to Cave does have a one-year expiration. I do have a newer Intro to Cave card that does not have an expiration, but I did not have that on me. Regardless, I registered under my older Cavern certification.
After diving I went to have my air tanks filled. I’m diving two 50 cu ft tanks with a crossover bar in a double tank configuration. This is an uncommon configuration and unfortunately has given me nothing but grief. I asked the air fill attendant whether he was charging me for a single or a double air fill. After a bit of negotiation he agreed to charge only a single. I only get a single dive off of the set. It is equivalent to having a single 100 cu ft tank, which though large, is doable. However, while it was filling he proceeded to debate me and say that I shouldn’t be diving it and they shouldn’t be allowing it. You see, Ginnie has a policy that those without full cave are not allowed to use double cylinders. In fact the training organizations do have a limitation for Intro to Cave divers that they must turn the dive after 1/6th of their air supply has been used if diving double tanks as opposed to 1/3 normally. This is to prevent Intro to Cave divers from exceeding their training by going too deep or too far into the cave environment. Ginnie, because divers can’t be trusted to not exceed this limitation, restricts double tanks to only full cave divers. Fine, this is understandable. However, the air fill attendant said that I couldn’t dive my doubles because... well, they were doubles... never mind that they were HALF the size of normal tanks, the policy said you couldn’t dive two tanks and I had two tanks, therefore I shouldn’t be diving with them. Now, luckily I’ve never had a problem actually diving at Ginnie with these tanks and was done for the day, but this is where I’d like to point out that blind application of policy is stupid when it can’t be amended for a given factual situation. The justification for the policy is sound, don’t want divers going beyond their training limitation, but the application of this policy in this case doesn’t serve that purpose.
I’d like to give another example. While in law school, I did not supply my SSN to the school for privacy reasons. However, after two years I decided to receive financial aid and had to supply my SSN to the school. They required that I supply my original SSN card or a tax return showing my SSN. Why? Well, I was changing my number and they needed verification. That policy makes sense when someone initially supplies one number and then supplies a new number. If you tell them one thing before they change it, they need some validation that the new number you’re supplying is the legitimate number. This wasn’t applicable in my case because I never supplied them a number in the first place. They have 10k+ students enrolling every year where they accept SSNs without validation but wouldn’t accept mine because I was “changing” it, only I wasn’t. Even escalating this to a vice president, she couldn’t differentiate between the policy, the justification for the policy, and the application in this scenario.
Blind application of policy is one thing, but just as bad is wholesale lying about following the policy. In the wake of NSA revelations, it’s become quite apparent that the intelligence establishment is hell-bent on keeping Congress and the public in the dark about what they are doing. Laws (policies) are ineffective if you have no ability to ensure compliance. The cost of failing to comply has to exceed the benefit of non-compliance. If you tell an employee the policy is not to steal people’s identity but the cost to that employee is losing an $8/hr job where the benefit is stealing hundreds of thousands of dollars, you essentially have policy by begging, begging people to do the right thing. You have to make it easy to comply with policy and hard to not comply.