Information Governance (IG) is emerging as one of the most important issues confronting organizations today, particularly in this age of Big Data and data breaches. The influential Sedona Conference (Sedona) recently weighed in on this evolving dialog and released for public comment its Commentary on Information Governance (the Commentary). Sedona has joined ARMA International and other consortiums of information management experts in recognizing the need for a comprehensive approach to previously siloed disciplines — including records and information management (RIM), data privacy, information security, and ediscovery — under the IG moniker.
The goal of IG is to provide an organization with clear and uniform information policy guidelines that allow the organization to meet its information management objectives. The Commentary provides a value-based framework and emphasizes the benefits of adopting a coordinated IG program, including improved business performance and cost and risk reduction. The perils of not adopting an IG program are equally clear. They are internal (for example, a Bring-Your-Own-Device program may increase convenience and efficiency for employees, but without policies and controls that consider all repercussions, records may not be retained, secured, or collected for potential litigation, and intellectual property may be exposed) and external (including the inability to produce documents in litigation, and data breaches that can cost millions and damage the organization’s reputation).
Sedona’s definition of IG encompasses and places equal weight on three principles: IG is “an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.” Sedona outlined eleven Principles to give substance to this definition:
- Organizations should consider implementing an IG program to make coordinated decisions about information for the benefit of the overall organization that address information-related requirements and manage risks while optimizing value.
- An IG program should maintain sufficient independence from any particular department or division to ensure that decisions are made for the benefit of the overall organization.
- All information stakeholders should participate in the IG program.
- The strategic objectives of the IG program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities.
- An IG program should be established with the structure, direction, resources, and accountability to provide reasonable assurance that the program’s objectives will be achieved.
- The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any IG program.
- When IG decisions require an organization to reconcile conflicting laws or obligations, the organization should act in good faith and give due respect to considerations such as privacy, data protection, security, records and information management, risk management, and sound business practices.
- If an organization has acted in good faith in its attempt to reconcile conflicting laws and obligations, a court or other authority reviewing the organization’s actions should do so under a standard of reasonableness according to the circumstances at the time such actions were taken.
- An organization should consider reasonable measures to maintain the integrity and availability of long-term information assets throughout their intended useful life.
- An organization should consider leveraging the power of new technologies in its IG program.
- An organization should periodically review and update its IG program to ensure that it continues to meet the organization’s needs as they evolve.
The Problem: Siloed Approaches to Information
Sedona notes that the general approach to RIM, data privacy, information security, and ediscovery has often been siloed within various corporate departments or by discipline. When an organization manages its information by silo, there can be gaps and overlaps in technology or information in relation to other silos within the organization. Without overall governance or coordination for managing information as an asset, there is no roadmap for the current and future use of information technology. To bridge across the silos and the divergent interests in managing information, support from an organization’s senior leadership is essential.
The Solution: Comprehensive Information Governance
To establish a clear and uniform IG program, an organization should ascertain its information needs and compliance requirements, which will simultaneously pinpoint the organization’s information management objectives. The central objective of most IG programs is to comply with legal and regulatory requirements for records retention, information management, and information security and protection. An IG matrix can be used to first classify the organization’s information types and then integrate all established rules governing those information types. For example, an organization’s policies for RIM, computer use, internet and social media, BYOD, information security, and legal holds – each likely adopted at a different time, addressed to limited aspects of IG, and in conflict with the others – should be reviewed against the backdrop of all applicable legal, regulatory, and contractual requirements, at all levels and across all jurisdictions, and communicated in a single IG policy. Organizations should also minimize the disclosure of information to third parties, including information considered private or confidential, by creating a policy for disposing of information within a reasonable amount of time after its usefulness to the organization has ceased. A disposal policy undertaken in good faith can meet compliance demands and minimize an organization’s long-term risk.
by Judy Selby and Jacqlyn Rovine
This post was originally published in Baker Hostetler’s Data Privacy Monitor blog