When you start to look at the world through the lens of User Experience it can start to become both obsessive and sometimes somewhat depressing. Where the user experience meets organisational compliance is usually the most miserable.
A week or so ago I had a migraine. I get them a few times a year, and have experienced them since I was a young child. They’re usually a sign I’m tired. If you don’t experience migraines, then you can imagine they’re like a bit of a bad headache. They’re not. They’re an all-sensory attack that leaves you feeling incapable of anything.
Recently I’ve found an over-the-counter medication that can remove the worst effects, and give me a chance to finish a day before getting an early night and catching up on the zees. As I felt the early signs of the migraine coming on, I headed to a high street pharmacy to get a pack of sumatriptan. I was then confronted with a bureaucratic nightmare where someone had to head off to find a badly photo-copied form that I was to fill out (two pages of A4 about medical history and wotnot) before it was countersigned by the pharmacists who then put me back in the counter queue to eventually be able to get my medication. All this whilst experiencing a migraine.
I get the need for controls, but I’m fairly certain that that whole process is protecting the organisational reputation of the pharmacy chain much more than it is protecting my health. Being asked the list of questions by a person rather than being forced to fill out forms would have been something of an indicator that they were thinking about it a little bit more from the user’s perspective (probably starting by asking “how are you feeling at this moment?”).
In the current major project this little vignette has been bouncing around my head as I begin the task of re-writing the client’s IT Acceptable Use Policy, the sort of inspiring task for which only 25 years of working in IT could have prepared me.
If you are employed in an organisation of any size you’ll probably be signed up to such a thing. I bet you don’t know any of the details. They are usually a long list of random statements of things that you can’t do whilst at work, often involving close reference to devices and technologies that are no longer in common (if any) use. CD ROMS often get mentioned – kids, a CD ROM was what we used before the advent of fast Internet, or for impromptu frisbees or Christmas tree decorations.
The starting point for the re-write hasn’t been the existing policy. It’s one that’s not been looked at for ages, and has obviously been hacked about over the years (a particular gem is that it’s currently against staff policy to call a mobile phone number without line management permission).
Instead I started with an example of “Good but Traditional” – a template published by the government-funded charity Get Safe Online: https://www.getsafeonline.org/themes/site_themes/getsafeonline/download_centre/sample_acceptable_usage_policy.pdf
It’s pretty good, but if you look at it you’ll see pretty quickly that it’s basically a long list of things that you shouldn’t do. Any scholar of the psychologist BF Skinner will tell you, if you only tell people what they can’t do, you haven’t left them any the wiser as to what you are expecting of them. When I circulated the first draft of a proposed new policy, that was the feedback that came from colleagues.
So drawing inspiration from Rob Miller’s recent work on creating a Service Standard for unsolicited marketing, I’ve started reworking into a format that focuses more on what people should be doing and why, as well as essential guidance on what not to do. Of course in the eternal quest to stand on the shoulders of giants (and not rework the wheel) I started talking about it. Coincidentally Rob saw me tweeting on the subject and sent me the one that he’s been working on.
I also got a tweet from Tom Read at the MoJ, from where Adrian Warman sent me a link to theirs – https://github.com/ministryofjustice/itpolicycontent/blob/master/content/security/acceptable-use.md which appears to be as close as I’ve yet seen to my own open source, multi-purpose staff acceptable use of anything policy:
Do great things
Don’t be an idiot
… which unfortunately appears to lack nuance and detail for most of my clients.
All of this appears to me to be a great example of the distinction that a recent colleague drew for me between being compliant and demonstrating compliance with rules and regulations. Too much of what goes on in big organisations is in the latter camp – like the pharmacy, providing a backside-covering trail of process and policy that enables the organisation to point fingers at others when things go wrong. Which inevitably they will because the policies and processes are unintelligible to the people who need to adhere to them.
Being compliant means bringing people with you, giving them good guidance on what they should, rather than what they shouldn’t do, and helping them to live that. Taking a user experience lens to such activities produces very different approaches, and hopefully much better outcomes.