
InfoGovANZ

Information Governance Think Tank


Featured

Dark Data – the risks, costs and ESG

September 11, 2023 by Susan Bennett

Dark data poses potentially significant risks and costs for organisations. Additionally, with an increasing focus on ESG reporting, organisations should be considering how they can measure and report on each element of ESG with respect to data being collected, generated, used and stored.

This article by Susan Bennett considers the often-overlooked energy costs of storing data, particularly as we move into the age of AI, together with the risks for organisations arising from increasing privacy and cyber security regulatory requirements. The regulatory enforcement focus on data minimisation requires organisations to implement active data disposal, and regulatory requirements call for adequate systems and processes to protect and secure data and information. This means that, more than ever, organisations need to be proactive in implementing robust information and data governance and measuring the ESG of data.

The problem of dark data

Dark data is data that is collected or generated and then not utilised by the organisation. As data storage is relatively cheap compared to traditional archiving costs for hard copy records, organisations have been collecting, generating and storing exponentially increasing volumes of data. According to the Digital Decarbonisation research, up to 65% of data generated is never used and up to 15% is out of date.[i] Unless data being held is accurate, accessible and is being utilised, it is ROT. That is, data that is redundant, outdated, trivial or transitory. Data ROT poses a number of risks and potentially significant costs to organisations including:

  • Data Breaches and consequent regulatory investigations and class actions arising from:
    • Exposing personal data in breach of privacy regulations.
    • Exposing personal data, which should have been destroyed or de-identified as it was no longer required and therefore, in breach of relevant privacy regulations.
  • eDiscovery costs in litigation, Royal Commission and regulatory investigations.
  • Inefficiencies arising from delays for employees in identifying and accessing up-to-date and accurate data and reliable information on which to carry out their day-to-day work and for good decision-making within the organisation.
  • Lack of data integrity, which may impact the quality of decision-making made at all levels within an organisation, including in AI and generative AI uses within organisations.
  • Storage costs and increased energy consumption.

Data Value

The focus on data is often discussed in terms that lead many executives and board directors to believe that data being collected and stored is or can be of value. However, decision-making or insights drawn from outdated, unreliable, or biased information are unlikely to produce any value and may give rise to legal risks and consequences. Data is of value when it is accurate, reliable and accessible and where insights and information produced from analysis enable good decisions to be made, deriving value for the organisation and ultimately delivering returns to the bottom line, as shown in the diagram below.

Figure 1 Data Value Delivering on Strategic Goals

To reduce the risks and costs arising from storing data, it is important that organisations implement robust information governance and robust data and information lifecycle management. Read more about how to implement these in The Information Governance Primer and in Information Lifecycle Management: what is it and how it reduces risk?

Figure 2 Information Lifecycle Management

ESG risks and costs of data

Organisations need to be taking action to manage data to minimise risks and their digital carbon footprint. A report by UTS’s Institute for Sustainable Futures released in July 2023 on ‘IT & Data Centre Sustainability in Australia’ has highlighted that the data centre industry is ‘exposed to significant ESG (environmental, social, and corporate governance) risks that have largely escaped our collective attention’, including the increasing need for cooling combined with huge demands for data. The report included a survey of sustainability professionals conducted between May and June 2023. The key insights from the survey included the following:[ii]

  • Sustainability professionals rely on quality data to inform their actions. Only 5% of respondents felt that the quality of sustainability-related data received from Data Centre service operators was detailed. 46% of respondents were receiving no sustainability-related data. In total 59% of respondents either had insufficient, or no sustainability-related data from Data Centre service operators.
  • 77% of respondents either agreed, or somewhat agreed, that organisations cannot reach their sustainability goals without significantly reducing Data Centre energy usage.
  • 48% of respondents were fully aware or had some awareness of the amount of energy that data centres consume. However, 29% of respondents’ organisations did not consider Data Centre energy consumption at all. Only 22% of respondents indicated that their organisation pays sufficient attention to Data Centre energy consumption.
  • 81% of respondents thought that demand for data management would increase, with 21% stating it would significantly increase, whereas 19% of respondents did not think demand for data management would increase.
  • Over 70% of organisations surveyed had prioritised sustainability of data centres in their practices, but only 9% were fully considering it. Only 15% of respondents indicated sustainability issues were a critical consideration for their organisation in procurement for Data Centre service providers.
  • The most cited constraints when addressing Data Centre sustainability issues were knowledge and awareness of sustainability risks (21%), insufficient budget (18%) and poor-quality data (16%).

Energy Costs of Data Storage

The Digital Decarbonisation Project, which is funded by the UKRI National Circular Economy Research Hub and involves academics from Loughborough University, states that, ‘despite the media’s focus on carbon emissions from the automotive, aviation, and energy sectors, the data industry is likely to produce more emissions than these industries combined.’[iii]

The UTS report states that CO2 emissions from software-related activities currently account for 4-5% of global emissions. The report goes on to predict that by 2040, ‘it is estimated that software-related CO2 emissions may account for 14% of the world’s carbon footprint.’[iv] The International Energy Agency reports that data centres and data transmission networks accounted for 0.9% of energy-related GHG emissions and that global data centre electricity use in 2021 was around 0.9-1.3% of global final electricity demand.[v]

The UTS report explains that one of the major reasons why data centres use so much energy is for cooling. The report also points out that: [vi]

Ireland is now home to 25% of the data centres in Europe including newly constructed hyperscale Data centres. However, the large number of Data centres, with projections for future growth, is leading to instability in Ireland’s energy grid. According to Ireland’s Central Statistics Office electricity consumption by data centres increased by 32% in 2021. Over a six-year period to December 2021 electricity consumption by data centres increased by 265%. According to EirGrid, Ireland’s energy grid manager, by 2031, 28% of all electricity demand in Ireland is expected to come from data centres and other new large energy users. EirGrid is concerned that the growth of data centres is leading to grid instability citing the amber alerts issued in 2022.

The report also points out that the growth in use of artificial intelligence and digital currencies has the potential to increase the demand for Data Centre services.[vii]

ESG mandatory reporting for companies

Several recent developments in 2023 have highlighted that organisations need to come to grips with how they will measure ESG and be prepared to meet emerging mandatory ESG reporting requirements.

The European Union’s Corporate Sustainability Reporting Directive (CSRD (EU) 2022/2464) came into force on 5 January 2023 and introduced sustainability reporting requirements for EU companies, non-EU companies meeting certain thresholds for net turnover in the EU and companies with securities listed on a regulated EU market. Companies subject to the CSRD are required to disclose information about how sustainability-related factors, covering environmental, social and human rights and governance, affect their operations and information about how their business model impacts sustainability factors.

On 26 June 2023, the International Sustainability Standards Board (ISSB) issued its inaugural standards – IFRS S1 and IFRS S2 – for sustainability-related disclosures. They include IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures.

The ISSB explain that the Standards are designed to ensure that companies provide sustainability-related information alongside financial statements. The Standards have been developed to be used in conjunction with any accounting requirements.

The creation of the ISSB was announced at COP26, the 2021 UN Climate Change Conference in Glasgow, with the role of creating a global baseline for sustainability reporting. The UK government has been a strong supporter of the ISSB and is aiming to make endorsement decisions on the first 2 standards to create UK Sustainability Disclosure Standards (SDS) by July 2024.

Also in June 2023, the Chair of ASIC Joe Longo made several statements highlighting the importance of ESG reporting for listed companies in Australia including that, ‘ESG reporting is simply the next stage in a long series of important moves towards greater transparency and higher disclosure standards.’ Highlighting that ‘good disclosure depends on good governance’, Joe Longo said companies should be asking themselves:[viii]

  • How can sustainability and financial reporting work together to function as an integrated whole?
  • How can we ensure that marketing and advertising teams work with the legal and risk teams to ensure cohesion around sustainability-related claims?
  • What assurances and processes can be put in place to ensure that the board is appropriately informed and confident about the information that is being put out?

The move towards mandatory ESG reporting requires organisations to implement processes to ensure that the relevant and accurate data can be efficiently collected, measured and reported upon as required. This includes companies being able to identify, measure and report upon the energy costs of dark data and minimising data within the organisation. As generative AI and large language models are increasingly used within organisations, the significant increase in energy consumption and the environmental and social impacts (arising from the use of personal data and/or data which may be subject to copyright) should also be measured as part of the design considerations at the outset of new data-driven technology projects.

Measuring data carbon

The Digital Decarbonisation project, led by academics Professor Thomas Jackson and Professor Ian Hodgkinson from Loughborough University, has designed a tool called the ‘Data Carbon Ladder’, which can be used in new data projects. The tool helps an organisation determine the appropriate size of the dataset(s) required, the optimal frequency for updates, the most suitable storage location, and the analytics necessary for a project. The Data Carbon Ladder can provide an estimated data CO2 footprint for a project, identifying areas where improvements can be made to minimise environmental impact. The Data Carbon Ladder is aimed at helping organisations make data-driven decisions, which enhance their bottom line and also align with their sustainability goals. Read more about the Data Carbon Ladder and how to use it in the article by Jackson and Hodgkinson.[ix]

The Five Essential Key Steps for Data and ESG

  1. A process for ensuring that the organisation has a continual and reliable mechanism for identifying data repositories and the types of data held within those repositories (the ‘Data Map’). Organisations need to understand what data they are collecting, why, and where it is being stored, including data held in third-party systems and cloud storage.
  2. An up-to-date Records Retention and Disposal Policy, which is enforced. This is an essential bedrock for enabling data disposal in accordance with the expiration of the retention period.
  3. Establish (or ensure) the Information and Data Governance Committee is overseeing continual disposal of data as part of a robust data and information lifecycle, with reporting to the risk committee and/or board.
  4. An AI Plan and Strategy, which links the AI Framework, Information Governance Framework and the overall enterprise risk management framework. A key problem for boards and senior executives is the lack of integrated reporting in relation to data and information risks. The linking of the AI Framework and an Information Governance Framework with the enterprise Risk Management framework is essential so that boards are properly informed of the interconnected data, technology and regulatory compliance risks.
  5. Develop measurements for Data and an ongoing annual measurement and reporting of Data ESG criteria including:
    • Auditing of data and information lifecycle in accordance with privacy, IT security, AI policies and procedures covering:
      • Collection and re-use of data including personal data and applicable ethical requirements
      • Privacy impact assessments, AI impact assessments, IT security impact assessments
    • Costs of onsite and cloud storage (as well as the maintenance/energy and storage costs of any physical hard copy archives).
    • Measuring carbon of data stored by the organisation, including data held in data stores.
    • Measuring carbon for data-intensive projects, particularly projects using AI or large language models using large data sets.

If you are interested in learning more about ESG and Data, join The Governance in ESG Workshop – September – InfoGovANZ

Author: Susan Bennett, LLM(Hons), MBA, FGIA, CIPP/E Founder of InfoGovANZ, Governance and Privacy Lawyer

Contact: susan.bennett@infogovanz.com


[i] Digital Decarbonisation, Costs of digitalisation to society, industry and the environment – Digital Decarbonisation

[ii] University of Technology Sydney, Institute of Sustainable Futures Report, 4

[iii] Digital Decarbonisation, Costs of digitalisation to society, industry and the environment – Digital Decarbonisation

[iv] University of Technology Sydney, Institute of Sustainable Futures Report, 6

[v] Ibid

[vi] Ibid 7

[vii] Ibid 6-7

[viii] ASIC, ASIC Chair’s AFR ESG Summit speech, 5 June 2023

[ix] Thomas Jackson and Ian Richard Hodgkinson (2023) Is there a role for knowledge management in saving the planet from too much data?, Knowledge Management Research & Practice, 21:3, 427-435, DOI: 10.1080/14778238.2023.2192580

 

Filed Under: Data & Infonomics, Featured

Access to Information Day and Right to Know Week

September 11, 2023 by InfoGovANZ

Thursday, 28 September marks International Access to Information Day, which recognises citizen rights around the world to access government information. This right is encapsulated under Article 19 of the United Nations’ Declaration of Human Rights.

In recognition of this day, NSW celebrates Right to Know (RTK) Week, educating public sector agencies and citizens on the Government Information (Public Access) Act or GIPA Act and raising awareness about citizens’ rights to access government held information. RTK Week will take place from 25 September – 1 October 2023 and will celebrate the theme of: The importance of the online space for access to information.

Information Commissioner Elizabeth Tydd says that ‘Right to Know Week NSW 2023 aims to highlight how the online space empowers individuals to:

  • critically assess information
  • identify misinformation
  • ensure that government remains accountable and responsive to citizen views.’

Read Commissioner Tydd’s full statement: Right to Know Week NSW 2023

Filed Under: Archive, Featured

Latest Data Breach Report and Trends

September 11, 2023 by gvnet

The latest Notifiable data breaches report was released last week, highlighting the need for organisations to strengthen data security and promptly respond to suspected breaches.  The Australian Information Commissioner and Privacy Commissioner Angelene Falk said that ‘OAIC expects organisations to have robust and proactive procedures in place to protect the personal information they hold.’ The January to June 2023 period saw 409 data breaches reported to the OAIC. While that was a 16% decrease in the number of notifications compared to the previous period, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018. Cybersecurity incidents were the source of 42% of all breaches (172 notifications). The top three cyber-attack methods were ransomware (53 notifications), compromised or stolen credentials for which the method was unknown (50 notifications) and phishing (33 notifications). Contact, identity and financial information […]

Filed Under: Cyber & Info Security, Featured

Wanting to access data collected by Australian Government Agencies?

September 11, 2023 by InfoGovANZ

Participation in the DATA Scheme continues to grow as shown in the Office of the National Data Commissioner’s (ONDC) Implementation Pipeline update below.

New guidance to develop a data inventory 
The ONDC has released a new guide to developing a data inventory.  There are now 56 organisations that have taken the step of onboarding to Dataplace.  Once on board, you can use Dataplace to make a request for data collected by Australian Government agencies and make a data sharing agreement. Dataplace is also the place to go if you want to apply for accreditation to participate in the DATA Scheme. If you want to see who is already accredited, check out our Register of Accredited Entities.

In upcoming events below, we have included the ONDC webinars where you can learn more about the DATA Scheme.

New guidance to help Scheme participants  – costs
Under the DATA Scheme, Australian Government agencies may charge fees for services performed when dealing with a data sharing request. The ONDC’s new guidance requires that any fees charged are on a cost recovery basis.

Complaints 
One of the functions of the National Data Commissioner is to handle complaints about the DATA Scheme.  To make a complaint, please go to the Contact us page or email information@datacommissioner.gov.au.  The new guidance provides information for Scheme participants and others about how the Commissioner will handle complaints.

Filed Under: Archive, Featured

Explaining decisions made by AI

September 11, 2023 by InfoGovANZ

The UK Information Commissioner’s Office and The Alan Turing Institute have released guidance providing practical advice to help organisations explain the processes, services and decisions delivered or assisted by AI to the individuals affected by them. The guidance consists of three parts. Depending on your level of expertise, and the make-up of your organisation, some parts may be more relevant than others.

Part 1: The basics of explaining AI 

Aimed at DPOs and compliance teams, part one defines the key concepts and outlines a number of different types of explanations. It will be relevant for all members of staff involved in the development of AI systems.

Part 2: Explaining AI in practice

Aimed at technical teams, part two helps you with the practicalities of explaining these decisions and providing explanations to individuals. This will primarily be helpful for the technical teams in your organisation, however your DPO and compliance team will also find it useful.

Part 3: What explaining AI means for your organisation

Aimed at senior management, part three goes into the various roles, policies, procedures and documentation that you can put in place to ensure your organisation is set up to provide meaningful explanations to affected individuals. This is primarily targeted at your organisation’s senior management team, however your DPO and compliance team will also find it useful.

Filed Under: AI & Ethics, Featured

What’s happening with data from your car?

September 11, 2023 by InfoGovANZ

Mozilla released a report last week that examined the terms of service for 25 car companies and the types of data being collected. The report states, ‘they can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!).’ Concerningly, the report states, ‘Twenty two of the car brands (88% of the ones we looked at) mentioned creating inferences — assumptions about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties.’

Included in the report is an extract from  Tesla’s Terms of Service, “if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.” [emphasis added]

Read the full report: *privacy not included, Mozilla Foundation

Filed Under: Data & Infonomics, Featured

Take part in an organisational resilience survey and global discussion 

September 11, 2023 by InfoGovANZ

Calling Senior Corporate, Legal, and Risk Management Professionals

Ansarada invites you to take a brief 6-minute survey that will serve as the cornerstone of a data-driven report. The report, developed in collaboration with industry experts, will be a treasure trove of actionable insights and expert commentary around Operational Resilience globally.

Participants will gain exclusive first access to the report’s findings and will have the opportunity to share their insights and commentary if they wish to contribute further. Participation in this survey is anonymous. You can take the survey here: https://lnkd.in/gZiqcfun

Filed Under: Archive, Featured

Information Lifecycle Management: what is it and how it reduces risk?

February 6, 2023 by InfoGovANZ

Most organisations are collecting and generating exponentially increasing volumes of data each year. However, many organisations struggle to safely and efficiently dispose of data that is no longer needed for regulatory retention requirements or for legitimate purposes, as required, for example, under the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). On top of the complexity of keeping track of data within the organisation, the perception that data is ‘the new oil’ and increasingly cheap storage costs are typical reasons why data is not actively managed and disposed of when no longer required.

The Optus Data Breach and the increasing number of decisions by regulators in the US and EU underscore the risk and consequences of over-retention of data for organisations. Most of these decisions on over-retention of data arise from inadequate cyber security and have resulted in monetary sanctions and, in some instances, ongoing supervision by third parties of the organisation’s cybersecurity and information lifecycle management measures. With increasing regulatory focus on protection of personal information, organisations should be reviewing their overall information lifecycle management, and specifically how they manage data collection, classification, retention and disposal, to be compliant with applicable records, privacy and cybersecurity regulations and to reduce risk.

What are the risks?

Failure to properly govern information assets and implement a robust data lifecycle management program will result in significant risks and costs for organisations.  In a data breach, the loss of historical personal data that the organisation has no legitimate reason to be holding onto compounds the reputational damage, increases the likelihood of heavier regulatory investigations and actions, and adds fuel to the fire of any potential class actions against the organisation and directors and officers arising from the breach. Additionally, retaining unsupported legacy systems to host and manage historical data also increases the chances of a breach incident and reduces the overall security posture of the organisation.

As part of due diligence on information governance, boards and senior executives need to satisfy themselves that the organisation has an effective information lifecycle management program to manage data (and paper) from collection all the way through to secure archiving and disposal.  With the volume of data being generated and collected by organisations ever increasing, this requires a collaborative and planned program carried out on an ongoing basis.

What is information lifecycle management (ILM)?

ILM is the system by which an organisation controls the collection and generation of data, storage, use and disposal of data and information.   It is important to remember it also includes management of physical records, paper documents and artifacts, which continue to be generated and stored in archives either onsite or in external storage facilities.

What are the benefits of information lifecycle management?

The benefits of robust ILM include:

  • Improved data availability and reliable access for authorised users in their day-to-day work.
  • Compliance with business requirements (i.e., policies and procedures) and legal/regulatory obligations such as record retention and disposal.
  • Security, auditability and custodianship of data and information are maintained, regardless of any changes in the underlying ICT infrastructure.
  • Ensuring ICT infrastructure supports the business and business users to carry out their work efficiently.
  • Minimising risks by reducing volume of personal data collected/retained and active disposal of information no longer required for business or legal purposes.
  • Cost efficiencies through reduced storage, streamlined eDiscovery processes in legal proceedings, and decreased forensic costs in data breach investigations.

ILM Policies

Many organisations find it challenging to even initiate an ILM program, encountering significant change resistance when attempting to balance the tension between various business processes wishing to retain data (e.g. marketing and business development) and following best practices for privacy and regulatory requirements for data minimisation.  It is important to ensure that all the relevant policies and processes relating to ILM across the organisation are aligned and that there is an ongoing collaborative mechanism to improve, implement and resolve issues.

IG Alignment of Policies and Procedures Diagram

Some standard ILM policies and processes organisations should be ensuring are operating effectively and efficiently include:

  • Privacy Policies and Collection Notices which inform customers about personal data that is collected, how it is used and managed, and how long it will be retained.
  • Data Privacy and Information Security Impact Assessments for internal data analytics and business intelligence and for technology projects involving the use of third-party technology.
  • Data Standards and Processes, which inform employees about the standards for data including, data owners, metadata, data classification and data taxonomies.
  • Record Retention and Archiving, which governs retention periods of different classes of documents in accordance with regulatory and business requirements and the archiving requirements.
  • Litigation Holds and eDiscovery which governs document production in litigation, legal proceedings and investigations.
  • Decommission of systems, which governs the process for data removal and transfer and/or disposal of data.
  • Procurement policies and processes and requirements around third-party suppliers in relation to data storage and location, information security standards of the third-party suppliers and auditing of security post contract.

As can be seen from the above, ILM policies typically cover a number of different organisational areas with different types of professionals responsible for implementing and overseeing the execution of these policies. For example, the records retention and archival policy is the responsibility of the Records area, which sets the retention periods for each category and type of document in accordance with the myriad of regulatory requirements with advice from the Legal Department and the requirements of the business. All data and records collected and generated should be securely disposed of in accordance with records and retention policy.

However, the action of deletion and secure disposal of electronically stored data is usually undertaken by IT specialists.  This requires the IT department to be confident in executing on disposal of data, meaning a good working relationship between Records, Legal and IT is essential to ensure that data disposal is carried out in accordance with all of the relevant policies and proceedings. A good example of how this working relationship should operate is when organisations are involved in legal proceedings or regulatory investigation. The ordinary destruction of relevant data and records is required to be halted by the placing of a ‘legal hold’.  The legal hold is generally issued at the order of the Legal Department, pursuant to the Legal Hold Policy and the cessation of data and records disposal continues until the ‘legal hold’ is lifted when the proceedings have concluded.  While the Legal Department is responsible for the issuing and lift of ‘legal holds’, the actual work to stop the ordinary destruction process of relevant data is the responsibility of the IT area.

Deletion rules can and should be coded into the technology systems holding the data to enable automatic deletion at an appropriate point in time. This requires appropriately skilled Records and IT personnel to set the retention and deletion rules for all the different types of data within the technology system. At the moment, however, most organisations are still at the starting gate and very little, or no, data is being automatically deleted when it should be. It is far more common for data in organisations to be simply moved from primary systems to archival systems or other storage containers.
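One way the retention rules and legal-hold override described above could be coded, as an added illustration that is not from the article or InfoGovANZ. The category names, retention periods, record IDs and matter IDs are constructed assumptions; real periods are set by Records with advice from Legal.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: days to keep each record category.
RETENTION_DAYS = {"customer_id_docs": 7 * 365, "marketing_leads": 2 * 365}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    matter_ids: frozenset = frozenset()  # legal matters the record is relevant to

def disposal_decision(rec, today, active_holds):
    """Return (action, reason); action is DELETE, RETAIN or REVIEW."""
    held = rec.matter_ids & active_holds
    if held:
        # A legal hold always wins over an expired retention period.
        return "RETAIN", "legal hold: " + ",".join(sorted(held))
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        # Uncategorised (potentially dark) data is never auto-deleted,
        # but it is surfaced so Records can assign it a rule.
        return "REVIEW", "no retention rule for category"
    expiry = rec.created + timedelta(days=days)
    if today >= expiry:
        return "DELETE", "retention expired " + expiry.isoformat()
    return "RETAIN", "retain until " + expiry.isoformat()

def run_disposal(records, today, active_holds):
    """Evaluate every record and return an audit log of the decisions."""
    return [(r.record_id, *disposal_decision(r, today, active_holds))
            for r in records]

# Constructed sample records.
SAMPLE = [
    Record("R1", "customer_id_docs", date(2015, 1, 10)),
    Record("R2", "customer_id_docs", date(2015, 3, 1), frozenset({"MATTER-001"})),
    Record("R3", "marketing_leads", date(2023, 1, 5)),
    Record("R4", "chat_exports", date(2016, 6, 1)),
]

if __name__ == "__main__":
    for row in run_disposal(SAMPLE, date(2023, 9, 11), {"MATTER-001"}):
        print(row)
```

The returned log gives Records, Legal and IT a shared record of why each item was deleted, retained or sent for review, and rerunning with the hold removed from `active_holds` shows ordinary disposal resuming.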

In the face of increased regulatory activity to sanction organisations that fail to have adequate systems in place to protect personal data and information, it will be increasingly important for organisations to improve on the status quo.  Implementation of effective ILM policies and processes along with appropriate oversight mechanisms through robust Information Governance to ensure ongoing best practice is essential for the effective management of data and information.

ILM – where to start?

The starting point is to identify any gaps in the organisation’s policies and procedures and then to ensure that all the relevant policies and processes are aligned under the overarching Information Governance policy and framework. Alignment of policies and processes across the organisation is key to ensuring that everyone within the organisation, from the board and senior executives down to each user, is able both to understand and to comply with their obligations to protect the organisation’s data and manage it in accordance with the policies and procedures.

A collaborative mechanism to improve, implement and resolve issues is necessary. Ideally, this should be the Information Governance Committee, which can provide oversight on the adequacy and compliance of all policies and procedures relevant to the overarching Information Governance framework, which includes ILM. Where gaps are identified, the Information Governance Committee should ensure that adequate action is taken to remedy the gap on an ongoing basis.

The role of Information Governance and ILM

Information Governance provides an overarching mechanism for boards and governing authorities of organisations to control and effectively manage enterprise-wide information assets so that value is maximised and risk is reduced to acceptable levels.  As the diagram below illustrates, there are many different parts of the organisation with different drivers around data and information, including ILM.

For example, innovation, AI and use of innovative technologies may lead to personal data being over collected and stored on an ongoing basis.  Retention and use of this data, particularly if it is personal or sensitive in nature, needs to be balanced against the risks of ensuring compliance with changing and growing privacy regulations.  This example would also require consideration of ethical use of AI in light of reputational issues that may arise.

The InfoGovANZ Model highlights that while different areas across the organisational silos are responsible for different aspects of data, information and technology, effective governance will ensure they are also co-ordinated and aligned so that overarching organisational objectives can be achieved. ILM is a core part of the overall Information Governance model, sitting along the bottom row as a foundation element along with records management, archiving and long-term preservation, and risk and compliance.

Traditionally, record retention and archiving has been the responsibility of Records and Information Managers, who traditionally reported to the General Counsel and in many organisations continue to do so. However, the modern reliance on IT systems to carry out the execution of ILM policies has skewed responsibilities increasingly towards the IT Department. Regardless of where responsibility resides, these processes need to be co-ordinated between Records, Legal and IT. Where organisations are not actively managing their information lifecycle, implementation of these processes will require substantial effort to overcome change resistance and bring departments together. It will often require further investment in upskilling staff, both so that they understand how to actively manage data through its lifecycle and across the organisational silos, and to give them the confidence to do so.

A robust information governance framework implemented from the top-down and an overarching Information Governance Steering Committee are key factors which can help organisations to implement and drive ongoing ILM.

Read more here in the Information Governance Primer

Author: Susan Bennett, LLM(Hons), MBA, FGIA, CIPP/E
Founder of InfoGovANZ, Governance and Privacy Lawyer
