As a higher education administrator, I feel safe under the umbrella of policy and procedure. Whether it’s responding to a campus emergency, relaying information to a parent or family member, or working to resolve a conduct issue with a student, I relied on my following institutional policies as a means to protect me from liability, or even litigation.

“I’ve followed my institution’s policies, I’m fine.”

But, as we’ve seen over the past few weeks for United Airlines, policies are not a shield from public scrutiny. It all started with two preteens who were not allowed to board their flight because they were wearing leggings, and came to a head with last Tuesday’s forcible removal of a paying customer in order to make room for their own flight crew.

Both times, United doubled-down. In a letter to his employees, CEO Oscar Munoz stated, “[The] employees followed established procedures for dealing with situations like this.” The backlash was swift and fierce. Stock prices fell, customers showed up to their flights wearing helmets, and Twitter was full of images of people cutting up their United Airlines credit cards. Within 48 hours, Munoz apologized.

Munoz and the United crew relied the mantra that if you stick to your policies, then you’ll be protected, that you’ve done everything correctly. There’s one problem with idea: it assumes that you are starting with good policy, and therefore the enforcement of said policy is justified.

So, what exactly is good policy?

That’s a very simple question with a very complex answer. But, we can start with understanding the purpose of policy: to solve a problem or community concern. Some policies are drafted as a result of something gone awry, and others are created as preventative measures to avoid potential issues. All policies seek to illicit some type of behavior.

But, when good policy goes bad, it often becomes a scapegoat. In higher education, institutional policies around FERPA, a statute designed to protect student educational records, can be designed and promulgated as a means to protect the university rather than its students. Faculty and staff recite, “Federal law prevents me from sharing that information with you,” even when FERPA does provide disclosure exemptions. This interpretation and implementation of FERPA distorts the spirit of the law.

Of course, the institutions do not adopt these policies maliciously or to intentionally elude students of their rights, they simply are looking for a way to protect themselves from potential litigation and investigations by the U.S. Department of Education.

So, what then is the correct balance when implementing a policy? How does an organization ensure it functionally operates in the spirit of the law without using it as a license to do to what they want without consequence?

Once again, we have a simple question with a not so simple answer, but I think one key piece in the puzzle is training. Polices are malleable, open to interpretation, and meant to solve problems, not create them.

If United had trained their employees to trouble shoot a little bit more, or if colleges and universities make a point to educate their faculty and staff not only on the letter of law, but why FERPA exists in the first place, then the employees of these organizations can use their professional experience and expertise to guide their decision making process.

Policies only provide protection when those implementing them understand the rationale behind the solution they provide, and whose problem they are meant to solve.