A Practical Guide to Information Governance
Table of Contents
1. Executive Summary
Most company directors and senior company officers take their Corporate Governance responsibilities seriously, they understand the mechanisms and processes by which a corporation is controlled and directed. They also have a good understanding about the roles and relationships that are required between the business, risk and compliance, audit, HR and even Information Technology (IT), and the standards and processes that need to be put in place to establish and maintain a company’s compliance obligations.
Information Governance (IG) is a subset of Corporate Governance (which is the mechanisms and processes by which a corporation is controlled and directed), however, many of us struggle with its concepts. It is not IT (although elements of IT are a subset of Information Governance) It is an approach to managing information assets across an entire organisation to support its business outcomes involving multi- disciplinary structures, policies, business rules, procedures and controls to meet regulatory, legal, risk and operational requirements.
InfoGovANZ members have identified the common challenge for professionals operating across the various disciplines of Information Governance is the lack of a single business language to support the growth of IG as a discipline. This lack of a common business language further impacts effective communication and understanding of IG across organisations and restricts executive management from good decision making and risk mitigation processes.
To address this challenge, IG practitioners participated in a number of forums to leverage their collective experience to develop this Guide which provides an easy to read explanation of IG and the various elements, including an appendix of detailed definitions where appropriate and provides:
- A foundational definition of elements and terms used when describing the practice of Information Governance from a business perspective.
- A common, pragmatic and easily understood IG language to use within our organisations across business enterprises and government organisations.
1.2 What is Information Governance?
- Information Governance is a strategic, top-down approach to managing all aspects of information within the organisation, in line with the strategic objectives of that organisation.
- Information Governance provides the framework, systems and processes for ensuring the value of information is maximised and risks are minimised.
- Information Governance looks at all information, regardless of its format. This includes structured information such as databases and unstructured information such as documents and emails.
- Stakeholders of Information Governance include internal and external stakeholders, including internal users of data, information professionals, risk and compliance teams, executive and board members, and legal and regulatory bodies.
- Information Governance is a subset of Corporate Governance – it is a strategic rather than tactical discipline, which aligns information management with business strategy and processes.
1.3 Why do you need Information Governance?
The volume of information and the rate of growth is too large and rapid to use traditional methods of information management.
1.4 What are the elements of IG?
Click a tile below to read the term's definition.
1.5 What is the value and benefit of IG?
Protect IP, assets
Simple access to information
Decluttered and organised data
- Information explosion – typically 80% of information is unstructured
- Cost growth
- Increased risk and complexity
- Responding to Regulatory requirements
- Proliferation of systems and outsourcing of IT
- Increased Risks of cyber attacks
2. Information in the Digital Age
No industry in the modern economy has been untouched by the transformation heralded by technology.
Over the past few centuries, successive waves of industrial revolution have altered the very nature of business (see figure). Earlier phases of this revolution steadily reshaped industry over an extended period. Digitally-driven revolutions of recent decades – powered by exponential growth in computing power and the internet – have radically changed the shape of our economies and businesses in a much shorter timeframe.
As a result, global technology brands such as Facebook, Google and Amazon - formed only in recent decades - are among the largest companies in the world. Other parts of the economy are transforming just as quickly. Traditional sectors such as healthcare, transport and finance are now underpinned by digital technologies and the tools of the internet.
2.1 A Global Digital Economy
At the heart of this transformation, and increasingly a by-product of it, is digital information. In a global digital economy, information and data has become the “new oil”. Extracting it, and making best use of it, is critical to progress and success.
Entire new business models such as Airbnb and Uber, and more broadly the sharing economy itself, have emerged to capitalise on this trend.
Existing businesses in other sectors have also recognised the imperative to evolve in order to be competitive in this digitally-based economy. They have invested in platforms and capabilities that collect and make use of data – to deliver insights, efficiencies and innovative products to their customers.
The result has been an exponential explosion in the volume of data being created and managed by businesses. Some estimates predict the volume of digital data will reach 44 Zettabytes by 2020.
3. Information Governance Challenges
The increasingly large stores of data, and the potential to extract value from them, represent a tremendous opportunity for business.
However, this also present significant challenges, outlined below. Dealing with these challenges – cumulatively – now exceeds the capabilities of traditional methods of information management.
Despite its promise of efficiencies and insights, the accumulation of data can quickly become a burden. In many organisations, the explosion of information has brought a sizeable increase in storage and retrieval costs, not to mention impacts to productivity, and the need to maintain a more complex landscape of systems. In many instances, storage growth is outpacing IT budgets.
Cyber threats are growing in volume and evolving in sophistication, with breaches and cyber-attacks regularly and publicly impacting major brands. The resulting reputational damage has translated into economic impacts of affected organisations. Increasingly, the likelihood of being the target of a cyber-attack is seen as inevitable
INCREASED RISK & COMPLEXITY
Information is now collected, processed and exchanged between a growing number of internal and external systems. Understanding data flows and monitoring regulatory compliance has become increasingly difficult. Further, in order to manage the growing stores of information, businesses are shifting data to offshore locations and third parties, which further increases security and compliance risks. Assurance over the data protection and information governance capabilities of third-party service and infrastructure providers is difficult.
Stores of data are larger than ever, and growing rapidly – information volumes typically double every 12-18 months. This data is also increasingly dispersed, through growing use of mobile and cloud technologies and the geographic spread of a global technology market.
Unstructured data – which presents greater challenges in terms of risk management and extraction of value – is also increasingly prevalent. Typically 80 per cent of information in an organisation today is unstructured. There is more information today due to digitisation and huge amounts of data from smart cities, smart houses, and CCTV.
Regulatory scrutiny on protection of data is becoming more intense, in line with increased customer expectations. New data protection regulations are taking effect across the globe – including GDPR and mandatory data breach reporting – posing compliance costs and complex new challenges.
Responding to legal investigations and meeting compliance and privacy requirements has also become costlier due to the volumes of data needing to be searched.
Unmanaged, these information management challenges have the potential to substantially disrupt the operation of an organisation and undermine the benefits from its digital investments.
4. Introducing Information Governance
Traditionally, addressing the challenges associated with the management of information within an organisation has fallen to disparate disciplines. For instance, compliance teams respond to regulatory challenges, cyber security functions manage the systems and tools that protect data, while other aspects of data and information management sit elsewhere.
As the previous section outlined, in today’s digital context the growing number and complexity of challenges associated with information has outpaced traditional information management practices.
More importantly, as information has become a strategic business asset, forward-thinking organisations are demanding more than a collection of fragmented and operational approaches to the way this information is managed and governed. Instead, they require a holistic and strategic approach that better supports their need to maximise the value of information and minimise its risks.
Information Governance has emerged as a consolidated and strategic framework that meets this need. Information Governance both unites the disciplines focused on data and information, and provides strategic and executive focus to the value and cost of this information. It also allows boards and executives to better understand the value of information within their organisation, and to see how investments in technology align to strategic priorities.
As a result of the historical siloed approach to managing different components of information across organisations different people have different understandings of the elements of Information Governance and the associated terminology which is clarified below, both at a high level, and in more detail in the appendix.
Information Governance can be viewed as an umbrella concept that describes all information management activities. The information Governance Initiative (IGI) provides a definition of Information Governance as: - the activities and technologies that organisations employ to maximise the value of information while minimising associated risks and costs. It includes the following elements:
5. Benefits of Information Governance
In an information-driven economy, improved decision making around the use of information is critical to business and competitive advantage. The establishment of an Information Governance programme immediately supports this strategic imperative, by providing an organisation with:
- recognition of information as a strategic asset;
- a strategic framework to ensure technology investments align to organisational strategic objectives and priorities;
- and a clear strategy and improved accountability for information, which enables the Board and executives to have strategic oversight of the value, cost and risk associated with an organisation’s information.
More specifically, Information Governance delivers specific business benefits in three areas:
- Helps organisations avoid or mitigate information-related risk, including regulatory and legal risks.
- Supports an improved ability to proactively meet compliance obligations, by introducing the right systems, policies and processes in relation to information usage and retention.
- It understands key risks events, including growing risk of cyber attack.
- Control over the dysfunction, duplication and waste created by information silos.
- Reduction in storage and document discovery (eDiscovery) costs.
- Common approach to information management, more consistent rules.
Improved trust in the quality of information.
Drive activities that extract business value from information, including data analytics (extracting advantage from unstructured information is a promising area).
It’s also worth noting that while identifying a measurable return on investment from governance activities can be challenging, information governance delivers tangible bottom line benefits including:
- Lower storage costs – a 2015 Information Governance Initiative study found that 40% of an organisation’s network drive content is junk:
- 10% is of no business value
- 25% is superseded / out of date / older than legal retention periods / beyond technical viability
- 5% is duplicated
By deleting valueless data and only storing information that is required, information governance drives a reduction in the costs of storage.
- Increased productivity – countless hours are spent by employees locating information to do their jobs. Information Governance can support the recovery and redirection of this valuable time towards more productive activities.
Exponential Growth of Data and Information
Industry research estimates:
- Volume of data and information is doubling every 18 months - i.e. 66% growth per annum.
- Implementing an IG solution based on business rules can reduce data and information growth by up to 60% per annum.
Estimates based on:
- 50 terabytes (TB) at year 0
- $5000- $25,000 per TB average for management and storage
6. Information Governance Framework
An Information Governance Framework provides a common set of rules and processes for the management of information assets. It identifies the key stakeholders involved in Information Governance within the organisation, and the ultimate business outcomes sought.
Components of an Information Governance framework include:
7. Implementing Information Governance
As a strategic endeavour, an Information Governance program must be a holistic, organisation-wide initiative to be successful, driven by top-level sponsorship and a consistent approach.
The starting point is engagement and buy-in from the Board and senior executives. A senior executive must understand and champion the concept of information Governance, and of Information as a strategic asset.
They must participate in decision-making on important opportunities and risk mitigation issues relating to organisational information, and will ideally be skilled in an area related to information management.
Supporting this top-down leadership, the daily implementation of Information Governance should involve all key stakeholders across the business. An Information Governance Steering Committee should be established, comprising relevant executives responsible for different areas of information management (legal, compliance information management).
The steering group would set strategic priorities, and develop the programs and activities to leverage information as an asset across the organisation.
STEPS TO IMPLEMENTING INFORMATION GOVERNANCE
IN YOUR ORGANISATION
- Obtain executive support to drive an enterprise wide Information Governance Program
- Decide on Information Governance accountability structure, Steering Committee and or Chief Information Governance Officer or designated C-Suite responsible for Information Governance.
- Develop a charter on how the Information Governance program is to be implemented. Steering Committee with C-Suite responsible for cross functional group or CIGO as chair.
- Develop Information Governance policies
- Undertake an Information Asset Audit of key assets such as critical/vital business information which is mandated by operational requirements.
- Establish a baseline and measure progress on a regular basis.
- Establish processes to monitor performance of compliance with information policies, standards and procedures.
8. Information Governance Definitions
Cyber-security is the techniques of protecting computers, networks, programs, data and information from unauthorized access or attacks that are designed for theft or exploitation.
DEFINITIONS RELEVANT TO CYBERSECURITY
Application Security is the measures or counter-measures that are taken during the development life-cycle to protect applications from threats that can come through flaws in the application design, development, deployment, upgrade or maintenance.
Information Security protects data and information from unauthorized access to avoid data breaches, identity theft and to protect privacy.
Data analytics is the application of computer systems to the analysis of large data sets for the support of decisions. Data analytics is a very interdisciplinary field that has adopted aspects from many other scientific disciplines such as statistics, machine learning, pattern recognition, system theory, operations research, or artificial intelligence.
DEFINITIONS RELEVANT TO DATA ANALYTICS
Artificial intelligence (AI) is apparently intelligent behaviour by machines, rather than the natural intelligence (NI) of humans and other animals.
Augmented Reality is technology that overlays contextual information onto a user's view of the physical world. These computer-generated views are typically presented through smartphones, tablets or wearable devices in the form of eyeglasses. The viewer’s vision is not impeded which means this technology can be used while moving around.
Big Data is the term use for extremely large data sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions.
Extended Reality is a term used to describe a collection of technologies that augment or replace a viewer’s field of vision with computer generated graphics and/or text. The three technologies considered are Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR).
Business Intelligence (BI) comprises the strategies and technologies used by enterprises for the data analysis of business information. BI technologies provide historical, current and predictive views of business operations.
Data Science is an interdisciplinary field about scientific methods, processes, and systems to extract knowledge or insights from data in various forms, either structured or unstructured, similar to data mining.
Machine Learning is a core sub-area of artificial intelligence as it enables computers to get into a mode of self-learning without being explicitly programmed. When exposed to new data, computer programs, are enabled to learn, grow, change, and develop by themselves.
Mixed Reality is a relatively new technology that blends the physical and virtual worlds where viewers can interact with both physical and virtual objects. These are presented to viewers through the use of larger head mounted displays. Viewers are free to walk around while wearing them as they can still view the physical world. The view being presented can typically be viewed by multiple viewers at the same time, facilitating group collaboration. However, due to the processing power required, the headsets are typically only meant to be worn for short periods of time.
Predictive Analytics is the branch of the advanced analytics which is used to make predictions about unknown future events. Predictive analytics uses many techniques from data mining, statistics, modelling, machine learning, and AI to analyze current data and historical facts to make predictions about future or other unknown events.
Quantum Computing (QC) is an emerging technology that leverages quantum properties (superposition, entanglement, tunnelling) to perform unique computations. This capability theoretically allows efficient solutions to complex, large-scale problems, including those considered infeasible today. Application areas include cryptography, data processing, artificial intelligence, quantum chemistry simulation, financial modelling, and machine learning.
Virtual Reality is a completely computer-generated, immersive simulation of an environment viewed through a headset and often paired with controllers that let the viewer interact with virtual objects in their field of view. The vision completely replaces the viewer’s field of view and as such they have restricted movement because they can’t see the physical environment around them.
File Analysis enables data architects, legal and security professionals, storage managers, and business analysts to understand and manage unstructured data stores, reduce risk and costs, and make better information management decisions for unstructured data.
Data governance is an emerging discipline that embodies a convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in an organisation. Through data governance, organizations are looking to exercise positive control over the processes and methods used by their data stewards and data custodians to handle and make best use of their data assets.
DEFINITIONS RELEVANT TO DATA ANALYTICS
Master Data represents the business objects which are agreed on and shared across the enterprise. It can cover relatively static reference data, transactional, unstructured, analytical, hierarchical and metadata. It is the primary focus of the Information Technology (IT) discipline of Master Data Management (MDM).
eDiscovery is the process of identifying, preserving, collecting, processing, searching, reviewing and producing data and information that may be relevant to a litigation matter, regulatory notice, Royal Commission or other formal Inquiries. It is an iterative process where the use of specialised eDiscovery technology and personnel at each stage of the process will help an organisation respond quickly to produce documents and cost effectively. eDiscovery is a substantial cost of litigation, regulatory investigations, Royal Commissions or Inquiries. An effective Information Governance program helps to minimise the costs involved in litigation by reducing the costs of identifying, preserving, collecting, processing and searching of data and information.
DEFINITIONS RELEVANT TO eDISCOVERY
Collection is the process where potentially relevant data is collected and copied onto portable hard drives. In some instances a collection may require the services of computer forensics experts, in other instances a collection a company may self-collect. For some IT systems such as email archives or cloud, they have a mechanism built into the system to enable the collection and copy of data and so you are given access to a staging area where you can download the data. Careful consideration needs to be made at this stage as to whether computer forensics are required, as Courts can impose fines/sanctions if it is shown that data was collected in a way that omitted relevant information.
Identification is a process that is undertaken to consider potential sources of relevant information. Sources include business units/departments, key people, IT systems (increasingly cloud systems, as well as IT systems that are maintained by third parties), mobile devices and paper files. Typically most litigation matters relate to events that occurred in the past, and so consideration has to be given to the identification of the potential sources throughout the relevant time period, and not just those systems that are currently in use, or those people who are currently employed.
Preservation is a legally enforceable principle where as soon as a litigation has commenced then there is a duty on the parties to implement ‘legal holds’ to ensure that potentially relevant information isn’t inadvertently destroyed by business as usual processes. Courts can and do impose fines/sanctions where it is shown that a party to a litigation has not taken appropriate steps to ensure that potentially relevant information has been destroyed after the date litigation proceedings commenced.
Processing is the extraction of documents and metadata from containers (i.e. Zip files and mailboxes), the identification and subsequent rectification of encrypted, corrupted, non-text searchable or other extraneous documents. A process is then run to identify and remove exact duplicates (it is common that 30- 50% of the documents are excluded at this step). The documents are then full text indexed. Searches and other filtering techniques are then applied. These are either inclusionary (where if a document has a hit then it is to be included) or exclusionary.
Typically there are several iterations of filtering. The remaining documents are then prepared for review in the review system (some systems are all-in-one, others are separate to the processing system. The preparing for review typically includes rendering the document to PDF, stamping a sequential page number (called a Document ID), extracting metadata and the native document and accompanying metadata. Further filters are then applied, and sub-sets of documents are allocated to lawyers to review. The legal review can encompass many things such as responsiveness, privilege, confidentiality, issue or category coding and redaction. Upon completion of this process, the subset of responsive documents are exported and provided to the other party.
Information Management is the discipline that analyses information as an organisational asset to ensure that an organisation can extract maximum value. It involves the definitions, uses, value and distribution of all data and information within an organisation to enable quicker and better business decisions. It includes the body of knowledge, professional practices and business processes that empower an organisation to effectively manage its information assets for productivity, risk and commercial advantage. Information management ensures that an organisation can extract maximum value from the data that flows into, around and out of its business operations.
DEFINITIONS RELEVANT TO INFORMATION MANAGEMENT
A Controlled Document is a reference document which, through the course of its lifecycle may be reviewed, modified and distributed several times.
An Enterprise Architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization.
Knowledge Management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing all of an enterprise's information assets.
Metadata is data that describes other data. Meta is a prefix that in most information technology usages means "an underlying definition or description." Metadata summarizes basic information about data, which can make finding and working with instances of data easier.
In the information governance context, “privacy” usually refers to data protection, and specifically, the compliance and reputational obligations on businesses and government entities to protect personal information.
Personal information is information (including opinion) about identifiable, living persons. For example, name, contact details and email addresses of individuals are each likely to be personal information, as are fingerprints and photographs. Recent debate has also centred on whether phone numbers, IP addresses and MAC addresses are personal information given that, in some cases, they would enable the identification of an individual.
In APEC member countries, including Australia and New Zealand, privacy regulation typically includes a set of privacy principles which map to the “information lifecycle” and impose obligations on businesses and government entities in relation to their collection, uses and disclosures of personal information as well as offshoring, data quality, access and correction, security and destruction. In Australia, penalties for serious interferences with privacy can now reach up to $2.1 million for bodies corporate and $420,000 for individuals. Privacy and data protection policies and processes are an important part of any information governance program.
DEFINITIONS RELEVANT TO PRIVACY
A privacy impact assessment (PIA) is a systematic assessment of an initiative that identifies the impact that the initiative might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. A PIA should be undertaken early enough to influence the initiative design or, if there are significant negative privacy impacts, reconsider proceeding with the initiative.
Personal information (also known as “personally identifiable information” or PII under various regimes) means, generally, information (including opinion) about identifiable persons. For example, name, contact details and email addresses of individuals are each likely to be personal information, as are fingerprints and photographs.
The identification, retention, accessibility and disposal of records for legal compliance and/or necessary for business operation.
DEFINITIONS RELEVANT TO RECORDS MANAGEMENT
Digitisation involves the conversion of an object, document or an image into electronic format.
A document is a piece of written, printed, or electronic matter that provides information or evidence or that serves as an official record.
An electronic record is information captured through electronic means, which may or may not have a paper record to back it up, it may also be called a machine readable record.
A record in context of Records Management is a thing constituting a piece of evidence about the past, especially an account kept in writing or some other permanent form.
Records destruction requires that records are made unreadable and irretrievable with paper records this is achieved by shredding and with electronic records this is achieved by locating all files and backup copies and removing them or by physical destruction of storage media.
RISK AND COMPLIANCE
Risk management is a discipline which purports to identify, assess and treat risks, reducing the exposure of the organisation to costs, penalties and other adverse impacts. A mature risk management framework will include methodologies and processes for identifying risks within the context of pre-determined risk tolerances and ensuring appropriate escalation and governance processes occur.Compliance is a discipline designed to hold an organisation to all applicable laws, rules, regulations and internal policies. A mature compliance function will perform an advisory, monitoring and educational role to support the organisation in achieving compliance.
This Practical Guide to Information Governance was made possible by input from the broader IG community with the following members of IGANZ providing specific contributions to the Guide:
Susan Bennett- Principal, Sibenco Legal & Advisory
Christopher Colwell- Information and Governance Manager, APRA
Marie Felsbourg- CEO , Astral Consulting Services
Carol Feuerriegel- Enterprise Information Manager, Transpower NZ
Matthew Golab- Legal Informatics Manager, Gilbert + Tobin
Andrew King- Strategic Advisor, E-Discovery Consulting
Melanie Marks- Principal, elevenM Consulting
David Moldrich- Manager, Information Management, Sydney Water
Shaun Wilson- CEO, Shoal Engineering Pty Ltd
We would also like to acknowledge the following organisations for the contribution of background material, diagrams and definitions:
Astral Consulting Services – Diagrams and background material
Gartner – File Analysis definition
International Data Corporation – Digital Universe Study diagram
Information Governance Initiative – Information Governance definition
World Economic Forum – Industrial Revolution Timeline diagram