Information Governance – A Principled Framework

Gartner defines Information Governance as an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to reach its goals.  One of the core requirements of a legally defensible Information Governance program is a reasonable and consistently applied records & information management (RIM) system.  Accountability and defensibility hinge on the ability of an organization to govern its information in all formats and on all media, and to ensure or prove that it is compliant with all legal requirements.

Building an information governance framework is by necessity a cross-disciplinary effort.  In a world where virtually all information is created in digital form, IT departments are commonly given the lead.  However, even the most advanced and elegant technical solutions must be guided by at least two other disciplines: legal, and records management.  Especially in the wake of hacking scandals like Sony Pictures, the importance of Information Governance is increasingly recognized as a board level and C-Level concern.  Information is an asset and a source of risk, it must be treated with great care.

Information is an asset and a source of risk, it must be treated with great care.

Unfortunately, the development of an information governance framework does not lend itself to a single, universal, off-the-shelf solution.  Enterprises vary by industry, size, ownership (public or private), regulatory environment, culture, sunk costs in existing information technology, and numerous other important ways.  Moreover, the sheer volume of information continues to grow and technological changes in the way we work disrupt previous solutions (goodbye Blackberry, hello New Media, cloud computing, and Big Data).

Despite the complexity, there is a growing body of cross-disciplinary knowledge intended to guide enterprises in adopting solutions that do not require reinventing the wheel.  Accountability and legal defensibility are enhanced by adopting solutions based on standards and best practices.  One of the organizations involved, ARMA International, created a 2014 guideline entitled “Generally Accepted Recordkeeping Principles®” (yes – that is a registered mark).  ARMA is widely respected as one of the foremost records management organizations.  Over the past several years it has been actively addressing the need for a cross-disciplinary approach to Information Governance. More information about the Principles can be found at www.arma.org/principles.

The Principles consist of nine elements:

AccountabilityIntegrityProtectionCompliance
AvailabilityRetentionDispositionTransparency

ARMA asserts that the Principles are,

well-developed and well-understood by information governance and information management practitioners . . . and are grounded in practical experience and based on extensive consideration and analysis of legal doctrine and information theory. (They) form the basis upon which every effective information governance program is built, measured, and – regardless of whether or not an organization or its personnel are aware of them – will one day be judged.

Some key takeaways from the Principles:

AccountabilitySenior executive buy-in required. Formal oversight and monitoring by senior executive with authority to delegate program development. Processes should be documented and subject to audit for compliance.
IntegrityRecords and information generated by or managed for the organization should be authentic and reliable. Authenticity requires that the origin, time of creation, and content are what they purport to be – metadata matters. Integrity requires an audit trail sufficient for evidentiary value. Hardware and software systems should be reliable.
ProtectionProtection of information assets that are private, confidential, privileged, secret, classified, essential or embarrassing data loss or data leakage prevention (e.g., BYOD). Requires attention to technical security structure, physical security, human factors, and access controls. Rules limiting employee proliferation of data. Security classification continues to disposition. Audit program required.
ComplianceRecordkeeping must comply with many sources of duty: applicable laws, including laws requiring recordkeeping, organization’s code of conduct, ethics rules, internal policies, statements in regulatory filings, consent decrees, etc. in all jurisdictions where doing business or employing people.
AvailabilityRetrieval of information is timely, efficient, and accurate. Better availability (through more intuitive search tools) may prevent data hoarding by employees. Metadata should be accurately associated with all content. Backups, conversion and migration should be planned as part of information governance framework. Utilize automated deletion or disposition of obsolete, redundant information at the end of its information life cycle. Well-designed storage processes and properly structured information lowers costs, improves personal productivity and optimizes the reliability and speed of retrieval.
RetentionRecords and information must be maintained for the appropriate time based on legal, regulatory, fiscal, operational and historical requirements. Organizations need a retention policy program that will define what records and information to retain, how long to retain it, and at the end of its information life cycle, how to dispose of it. Organizations need to develop a records retention schedule based directly on the legal, regulatory, fiscal, operational, and historical requirements for each type of content. Organizations must conduct legal research in consultation with legal counsel to determine the applicable retention periods for records and information based on local, state, national, and international laws and regulations. Following the research requirements, and organization must conduct a risk assessment to determine the appropriate retention period for each type of record. It is essential to immediately and consistently dispose of records and information when the retention period expires
DispositionDisposition = Deleted and unrecoverable even by computer forensics specialists. Migration of information to new media may require accounting of and disposition of all versions and copies. Legal Hold suspends disposition
Transparency“An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.” Organizations should plan for outside parties that have a legitimate interest in understanding the information governance program and processes that govern an organization’s records and information assets. Those parties may include government authorities, auditors and investigators, litigants and others. Fundamentals of transparent information management: Document the principles and processes governing the system. Accurate and complete record of activities to implement the program. Clear procedures in place to segregate, encrypt or tag information that is sensitive or confidential.

The Principles provide a valuable cross-disciplinary blueprint or checklist of what an enterprise should consider in developing its Information Governance framework.  It is worth repeating that the Principle of Accountability requires buy-in by senior executives.  This is a tacit recognition that in real life recordkeeping and information management is often messy, with employees using whatever tools help them find information and perform their jobs, even if that information is in a personal Dropbox or Gmail account.  As a result, many organizations grudgingly admit that email systems (the epitome of an unstructured data system) are used as records storage systems.  The use of unstructured and unregulated data storage systems is a serious risk management problem.  The upshot of this messy reality is that the success of any new Information Governance initiative depends on effective change-management – changing the way people work. There is nothing better than a clear mandate from the board or CEO to ensure that changes are implemented.