Data and information are increasingly becoming the lifeblood of organisations. However the exponential amounts of data being collected by companies and government alike, together with the risks and costs of holding and securing this information, have created a new set of issues for those responsible for organisational governance.
A healthy circulatory system increases overall health and improves our ability to function. Likewise, the optimal use of data and information will improve the effectiveness of an organisation. This article explains why identifying and co-ordinating the areas, people and technologies responsible for keeping the lifeblood of your organisation in good health is key to effective information governance (IG).
IG provides a unified strategic framework for the control, security, optimisation and effective use of information. It is an essential part of good corporate governance, assisting organisations to maximise the value of information while minimising risks and costs by providing a mechanism to align policies and processes, people and technologies across an organisation.
The IG diagram below shows different areas and activities within an organisation responsible for the security, control, optimisation and risk management of data and information. There may be more or fewer areas according to the type and size of the organisation. The key to implementing an effective information governance framework is to first identify all the areas and professionals responsible to ensure the areas are aligned and can collaborate to deliver on organisational objectives. With this in place, policies and processes also need to be aligned across the organisation in accordance with overarching organisational strategic goals.
With a strong IG framework in place, IG projects can then be prioritised within the purview of the senior executive with overall responsibility for information governance and/or the IG steering committee with the involvement of appropriate cross-function professionals. Projects involving data and technology are planned and executed addressing the needs of business users, technology and cybersecurity, legal/privacy regulatory compliance, lifecycle management, records compliance and long-term preservation.
The InfoGovANZ Elements of Information Governance diagram depicts the alignment and coordination required between different IG areas and activities. This visualisation, which can be adjusted as necessary to align with the areas within your organisation, provides a clearer understanding of how an overarching IG Framework enables alignment of policies, procedures, people and technologies.
Figure: The Elements of Information Governance diagram
Each area of IG is like an organ in the body of the organisation – each with its own purpose, and together they combine to form the life-supporting systems which carry out the organisation’s vital functions. Just like the body, the functions of these essential systems overlap, interact and rely on each other to support life. Understanding the interrelationships and dependencies of the system as a whole:
· Provides a useful framework for implementing a cohesive and comprehensive IG framework;
· Helps to prioritise and guide projects that link to information governance;
· Makes it easy to recognise and adapt to technology trends and best practice IG;
· Ensures organisations have a strong IG framework that protects them, their employees and the customers they serve.
Often organisations focus on only a few elements or areas of the information quagmire. Enhancing the value of data being optimised through the use of technology and data analytics to deliver value and returns directly to the bottom line is a common driver due to the financial benefits. Investment in enhanced cybersecurity to prevent cyberattacks and data breaches has also increased over recent years due to mandatory notification regulatory requirements and more visible cyber-threats.
However, more than a third of data breaches are caused by human error rather than a technology-based exploit. When phishing attacks are included, about half of data breaches can be attributed to human error. These breaches are entirely preventable but remain a significant risk to organisations. Privacy-by-design, security-by-design and privacy impact assessments (PIAs) are core to the best practice of managing personal information. Effective IG can assist organisations to ensure that personal information breach risks, which can be life threatening to an organisation, as a hemorrhage is to us, are identified and resolved.
Getting to Know the Information Governance Elements
The Elements of Information Governance diagram is a tool for organisations to use when establishing information governance for the first time or to ensure all aspects of information governance have been included in an existing information governance framework.
Information Governance (IG) is front and center and is represented by a digital pine cone, ‘the third-eye’.[i] In IG, the pine cone analogy is fitting as it represents the center or navigation starting point of all activities. It demonstrates how a robust IG framework provides the structure and mechanism to enable insights and effective guidance and control.
Six Icons surround the IG centre – here’s what they represent in relation to information governance:
The People icon highlights effective IG is impossible without the involvement of the right people. It is situated in the upper left position of the IG centre next to elements that demonstrate the important role people play in an organisation, both internally and externally. Internally, the people icon represents the collaboration across organisational silos and the effective innovation with security by design and privacy by design, and importantly the protection and security of information by employees. Externally, people in an organisation must protect consumers’ and citizens’ privacy by ensuring compliance with privacy regulations, act socially responsible and adhere to the ethical use of data.
The Lightbulb icon is located above the IG centre just under the top line connection of elements. It denotes new, innovative and impactful activities and technologies.
The Dollar Sign icon is in the upper right position from the IG centre, parallel to the people icon. It is close to those elements that identify the value from data optimisation (i.e., data analytics), as well as controlling and minimising costs by reducing risks.
The Cog/Gear icon is at the lower right of the IG centre near those elements that are largely procedural functions. This icon represents the internal workings and processes of the organisation, meaning the data and information being used across the organisation and the need for collaboration and alignment with strategic organisational goals.
The House icon is directly under the IG centre and atop the bottom line connection of elements. The house icon serves as a reminder that robust IG requires a top-down strategic approach built on a strong foundation of clear policies and procedures.
The Lock icon is in the lower left position of the IG centre, parallel to the cog/gear icon. Its protective function symbolises the importance of security of data and information.
The Elements link to the icons and the IG centre in a continuous chain. All of the elements must combine and connect to provide an effective information governance system. This requires the interaction and collaboration of relevant professionals in order for an organisation to have a complete information governance framework.
The elements on the top and middle rows to the left reflect people-focused activities, while those to the right are data-focused activities. The elements on the bottom row are information-focused and reflect foundation services.
Cybersecurity & Info Security – cybersecurity focuses on the perimeter, while information security secures the information within the system
AI & Ethics – implementing artificial intelligence through an ethical-based process based on a data impact assessment
Data Analytics & Infonomics – deriving the value of information from data analytics
Business Intelligence – the hardware, software, staffing and strategy used to glean intelligence from data
Legal & eDiscovery – the identification and retrieval of documents for litigation and ensuring such documents can be readily identified and produced to reduce costs; incorporating the use of AI in eDiscovery
Privacy & Data Protection – privacy by design and robust privacy policies as part of the overall governance framework
Risk & Compliance – a coordinated strategy for managing the organisation’s risk and corporate compliance with regard to regulatory requirements
Content Services – preserving and protecting content; information access, sharing and collaboration
Information & Records Management – how information is being managed and the activities to systematically control the creation, distribution, use, maintenance and disposition of information
Information Lifecycle Management – best practices for managing data and information throughout its lifecycle
Archiving & Long-term Digital Preservation – storing information in ways that can be readily retrieved many years into the future
Taken together, all the icons and elements represent the different interlocking areas and activities that deal with data and information in organisations.
A systematic approach to information governance begins with an Information Governance Framework that encompasses policies, procedures, people and technology. This includes:
· Identifying all the areas and technologies within your organisation – that is, the IG Elements in your organisation;
· Putting strategic objectives and priorities in place for managing, controlling and securing the data and information your organisation collects, uses and stores;
· Implementing measures to protect the organisation’s intellectual property;
· Complying with regulatory and legal obligations including record keeping obligations and, in particular changing privacy regulations;
· Optimising the value of information to support the organisation’s objectives while managing risks and costs, such as those associated with a data breach and eDiscovery.
The key to ensuring the effectiveness of information governance is top-down board and senior executive leadership that supports robust policies and procedures that are aligned across the organisation and with overarching organisational goals, which deliver value to the organisation. Top-down board leadership setting the overall IG framework is the ‘brain’, leading a data driven organisation with an ethical and privacy culture.
The senior executive with overall responsibility for information governance and/or the IG steering committee are the organisational ‘third-eye’. They set IG project priorities, provide guidance and encourage cross-functional collaboration, oversee implementation and review outcomes. Policies, processes, technologies and people all work together to enable efficient data flow including optimisation, regulatory compliance and appropriate data and information disposal. When information is effectively governed with data optimised and associated risks and costs minimised, then the overall performance of the business will increase – delivering the benefits of a healthy data and information circulatory system.
Susan Bennett, Executive Director, Information Governance ANZ
Principal, Sibenco Legal & Advisory
[i] Throughout history, the pine cone has been a sacred symbol of human enlightenment, viewed as an eye of higher consciousness – the ancient symbol for the third eye – and non-dualistic thinking. Many believe the third eye is at the geometric center of the brain and a symbolic representation of navigation.