Information governance fundamentals

It seems like every day we see headlines about data breaches or the inappropriate collection and use of personally identifiable information (PII). Just recently, NBC News reported on another Facebook transgression, by which leaked internal documents showed that senior executives had discussed selling access to user data for years without personal privacy considerations.

Outside of social media networking, which comes with unique privacy concerns, corporations and law firms increasingly base vital decisions of all kinds on the results of data analytics. Yet, in their headlong rush to capitalize on the meaningful insights yielded by that data, many have overlooked information governance (IG) and the need to make it a priority.

To call information governance a big topic would be a big understatement. It certainly can’t be addressed in one article, but I can take a step back to cover some of the fundamentals.

Where data ends and information begins

Let’s first clarify the difference between data and information, and then we can approach the difference between data governance and information governance.

Laymen might use the words “data” and “information” interchangeably, but it’s helpful to remember that what separates them is organization and meaning. Data by itself consists of isolated facts and measurements in a raw, unstructured form. It’s not until data is processed, analyzed, interpreted and presented that it takes on the form of information with context and meaning. Information is derived from data; data serves as the input and information is the output.

What differentiates data governance from information governance?

Just as data is an elemental component of information, so too is data governance a subset of information governance. Data governance uses a set of defined roles, processes and policies to help manage data assets and ensure their integrity, accuracy and security. Without effective data governance, no one can be certain about what data assets an organization has, who controls them, what information they can provide and how they should be protected. Activities around data cleansing and wrangling fall under data governance, as does the use of either human teams or artificial intelligence to enhance data quality.

Information governance also relies on roles, processes and policies, but ones that are targeted toward the protection, valuation, storage, retention and deletion of information assets in accordance with laws and regulations, risk assessments and business needs. Protection includes security, which is a critical component of IG, since the loss of intellectual property, financial projections and business strategies could be just as catastrophic as the loss of customer and employee data. Protection also includes ensuring that only authorized personnel within the organization have access, especially in professional services firms such as law and investment banking. Information governance seeks to control the treatment and handling of information throughout its entire lifecycle to enforce compliance, reduce risk and maximize return.

Getting started with information governance

The first place to get started with governance is to determine which information must fall under governance structures. It might be tempting to say “all of it” and, in some cases, that may be the default position. But prioritizing is always a smart beginning.

Look at what you are required to do under the laws and regulations that affect your industry, type of business or customer base. Many of today’s regulations focus on privacy protection, records retention and audit trails, such as:

• General Data Protection Regulation (GDPR) that cover the European Union.
• Health Insurance Portability and Accountability Act (HIPAA) for patient information.
• Payment Card Industry Data Security Standard (PCI DSS) for payment transactions.
• Code of Federal Regulations Title 49 for the transportation industry.
• Sarbanes-Oxley for auditing and financial regulations for publicly-held companies.

This is just a sampling of some of the more encompassing regulations. A plethora of regional, local and other industry-related rules and regulations may apply.

The next level of governance involves information that could cause ruin or reputational damage if mishandled, including:

• Professions that operate under confidentiality agreements, such as law and accounting firms, have a legal or fiduciary responsibility to carefully protect client information.
• The entertainment industry puts considerable effort into segmenting and concealing plot line information, even from actors themselves, to prevent the leakage of spoilers ahead of a movie or show release. Look no further than the secrecy around the Game of Thrones final season!
• Pharmaceutical and biotechnology firms must ensure that formulas and clinical trial results don’t fall into the wrong hands.

Identify the types of information that must be governed

The policies, processes and procedures of your IG framework will depend on the type of information you need to control. You may have a mix of digital and physical formats such as software programs, engineering drawings, designs, inventions, algorithms, formulas, schemes, flowcharts, manufacturing processes, marketing intelligence, trade secrets, pricing and financial data—the list is extensive.

You may also find that your information contains both structured and unstructured data, again highlighting the close connection between these two forms of governance. Recall that structured data is typically stored and organized in a way that machines can access it, such as in relational databases. Unstructured data is oriented toward human communication and understanding. While both structures are growing exponentially, the volume of unstructured data is practically infinite as it can be created and published by anyone.

Unstructured data is relatively disorganized, and occurs in many forms such as email and text messages; image, audio and video files; PDFs and other documents; social media updates.

Sensitive information can reside anywhere; information governance requires assessing the nature and value of both structured and unstructured data assets and controlling them accordingly.

Adopt an information classification taxonomy

Obviously, not all information requires the highest levels of control. That’s where a consistent classification taxonomy and scheme becomes useful for indicating how different types of information must be treated. We’re all familiar with the US Government’s classification hierarchy that designates information as Top Secret, Secret, Confidential and Unclassified. While the private sector is not required to use a particular taxonomy, standard ones have come into use. One that is widely used classifies information into categories for confidential, private, sensitive and public. To govern retention schedules, more detailed taxonomies are typically required.

Consistent and visible classification has the immediate effect of communicating exactly how a particular information asset should be treated under the IG framework. It contributes to the bigger picture of all data within an organization’s control, where data is stored, how to access it and the best way to protect it from potential security risks. Once implemented, data classification facilitates data protection measures and promotes employee compliance with security policies.

Something is better than nothing

Because information governance can be an enormous undertaking, it’s important not to let the size and scope cause the kind of paralysis that results in taking no action. Get started by determining roles and responsibilities, assessing the kind of data and information assets you have and where they reside, understanding their value and identifying the risks. This cannot be isolated to your IS or IT silo; it must encompass cross-functional input and effort, especially those charged with risk management.

Regardless of your operating environment, all entities should be giving information governance serious consideration and attention for consistently valuing and classifying information so it can be managed and protected in the most effective way.