As Information Governance and Data Governance becomes increasingly important for organisations seeking to control and secure information, it is important to understand what each one does and achieves.
What exactly is their purpose, and how do they differ from one another?
Information Governance is a fundamental part of good Corporate Governance. Its mission is to maximise the value of information while minimising the costs and risks of holding it. Data Governance is a key subset of this model. It aims to control information at the data level, ensuring the maintenance of accurate and high-quality data through the implementation of appropriate systems and processes.
This article looks at the roles Information Governance and Data Governance play within an organisation and how they are interlinked.
Information Governance
Information Governance provides a strategic framework for organisations seeking to control company information. It recognises the value and opportunity of data as ‘the new oil’ and identifies the risks and costs involved in the event of non-compliance with legal requirements and the consequences of a serious data breach.
Information Governance is defined by the Information Governance Initiative (a think tank and community of IG professionals) as:
‘The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs.’
In other words, Information Governance encompasses the systems (including policies, processes, and technology) by which information is controlled and secured.
Organisations should consider information as an asset and measure both the value and costs of the data they hold. This means quantifying the financial benefits of data as well as the costs (and subsequent savings) resulting from risk management investments.
To derive value from information, companies need to invest in technology and systems that can be used to gain a competitive advantage and deliver benefits directly to the bottom line. This includes the implementation of data analytics to improve or develop new services or products, or data sharing systems to enhance, for example, the allocation of resources for the delivery of health services in the public sector.
Reducing costs and risks of holding information
Minimising the risks and costs of holding information is one of the main objectives of an Information Governance program. Further strategic investments are needed to achieve this, specifically in technology, systems and people.
Organisations incur significant costs in holding information that is either required for the running of the business (RIM) and/or by law. Legal requirements include:
- Record keeping obligations.
- Data protection and privacy obligations.
- Document/data production in litigation – eDiscovery.
Well managed organisations have an active defensible disposition of records program, which eliminate documents no longer required by law and governs the ongoing removal of redundant, outdated and trivial documents (ROT) from the business.
Decreasing data storage costs can be counterproductive, because it encourages data retention. Holding large data volumes can create a significant financial burden – especially when the following are considered:
- The costs of managing large volumes of data including additional resources (personnel) and storage costs.
- The costs of ‘back ended’ services – for example, analytics services to find documents, information audits and other forensic services that may be required from time to time.
- The cost of producing documents/data for litigation and regulators – eDiscovery – which has grown into a $10 billion per annum global industry due to the exponential rise in data volumes held by organisations.
Minimising data breach costs in the event of a cyberattack
An effective Information Governance program can also help mitigate the costs of a serious data breach, which include:
- Business interruption costs.
- Costs of data breach notification.
- Costs of responding to regulators.
- Ongoing lost revenue and profit due to brand and reputation damage where personally information is disclosed, such as customer and employee information.
- Costs of litigation including class actions.
A comprehensive Information Governance program that ensures an effective response to a potential data breach includes:
- A privacy framework with policies and processes aligned with the Information Governance program, protecting personally identifiable information and upholding a culture of privacy through training and auditing.
- Ensuring the implementation of appropriate cyber incident reporting, both internally and to external regulators, as required under mandatory notification breach legislation, cyber incident response and business continuity plans.
- Training of all relevant personnel (including IT, privacy and legal) to equip them to respond quickly and adequately in the event of a data breach.
Data Governance
Data Governance is a key subset of Information Governance. Its objective is to control data at the data level and to ensure integrity through appropriate systems and processes.
According to the Data Governance Institute, Data Governance is defined as follows:
‘Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’
The American Health Information Management Association (AHIMA) provide the following explanation:
‘Data governance (DG) is the sub-domain of information governance (IG) that provides for the design and execution of data needs planning and data quality assurance in concert with the strategic information needs of the organization. Data governance includes data modeling, data mapping, data audit, data quality controls, data quality management, data architecture, and data dictionaries. DG collaborates with enterprise information management (EIM) in functional components essential to the enterprise plans for information organization and classification.’
The purpose of Data Governance is to implement effective data management, ensuring that data is of high quality, accurate and reliable. Data Governance programs rely on the implementation of specific data policies and processes within an organisation, where the management, cleansing and storing of data follow strict standards and procedures.
Increasingly Data Governance is managed by a Chief Data Officer (CDO) or equivalent who is responsible for setting data governance policies and procedures and implementing and monitoring systems to ensure that data is reliable and of high-quality.
The relationship between Information and Data Governance
Barclay T. Blair, Executive Director of the US-based think tank Information Governance Initiative (we saw their definition of IG above) explains the difference between Information Governance and Data Governance as follows:
“The two are executed in different parts of the company, by different people, with different tools, with different practical goals. Whereas Information Governance is mostly concerned with risk mitigation, Data Governance is mostly concerned with things like data quality, master data management, and dashboards enabled by a common schema. Of course, in concept both disciplines encompass both risk and value, but in practice this is what it typically looks like.”
Typically, information and data is managed by various owners throughout an organisation including:
- Data – Chief Data Officer
- Privacy – Chief Privacy Officer or General Counsel
- Cybersecurity – Chief Information Security Officer
- Risk & Compliance – Chief Compliance Officer
- Records – RIM Manager
- eDiscovery – eDiscovery Counsel or General Counsel
In recent years, a new role of Chief Information Governance Officer (CIGO) for overall responsibility of information has emerged to ensure Information Governance and organisational objectives are met.
Whether the leader is an Information Governance steering committee, a designated C-level executive within their current existing role or a CIGO, the task is to successfully align Information Governance systems (including technology), processes and people to meet the organisation’s overall strategic business objectives.
Information Governance requires top down leadership. Boards and senior management are responsible for ensuring that an appropriate Information Governance framework, systems, and policies for information management activities are in place and being adhered to.
It also requires those responsible for information across the various silos to work collaboratively to ensure that information strategic objectives are met and risks managed appropriately.
In summary
Information Governance and Data Governance are both increasingly important as the volumes of data held by organisations continue to increase at exponential rates.
In summary, effective Information Governance ensures that the business value of information is maximised and the risks and costs of information are minimised while an effective Data Governance program ensures that the data being held is accurate and reliable.
Susan Bennett LLM(Hons), MBA
Principal of Sibenco Legal & Advisory and co-founder of Information Governance ANZ.
Susan is a lawyer and business advisor with twenty-five years of experience and works closely with corporate and government clients to deliver tailored legal and risk management solutions that meet client needs and strategic objectives.
If you would like assistance reviewing your current Information Governance ecosystem, please contact Susan on +61 2 8226 8682 or email susan.bennett@sibenco.com.
__________________
Connect with Susan on LinkedIn and follow Sibenco to receive updates.
__________________
This article was also published in the September 2017 issue of Governance Directions.
This article is for reference purposes only and does not constitute legal advice.