Information Governance

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information whether it is physically or electronically created (ESI). Information governance encompasses more than traditional records management. It incorporates information security and protection, compliance, data quality, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance.


History


Records management

Records management deals with the creation, retention and storage, and disposition of records. A record can either be a physical, tangible object, or digital information such as a database, application data, and e-mail. The lifecycle was historically viewed as running from the point of creation to the eventual disposal of a record. As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance.

In 2003 the Department of Health in England introduced the concept of broad-based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit is now used by over 30,000 NHS and partner organisations, supported by an e-learning platform with some 650,000 users. In 2010 Logan and Lomas took up the theme of IG more holistically, publishing on how different disciplines needed to come together to better manage information. Lomas produced teaching in this domain, with Smallwood later providing a key textbook.

Professionally, in this context, in 2008 ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles", and in 2015 the subsequent "The Principles" Information Governance Maturity Model. "The Principles" identify the critical hallmarks of information governance. As such, they apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

* CEOs in determining how to protect their organizations in the use of information assets;
* Legislators in crafting legislation meant to hold organizations accountable; and
* Records management professionals in designing comprehensive and effective records management programs.

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, relevant data in the form of electronically stored information is searched for by attorneys and placed on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly. With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records.

A coalition of organizations known as the Electronic Discovery Reference Model (EDRM), which was founded in 2005 to address issues related to electronic discovery and information governance, subsequently developed, as one of its projects, a resource called the Information Governance Reference Model (IGRM). In 2011, EDRM, in collaboration with ARMA International, published a white paper titled "How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles ("The Principles")". The IGRM illustrates the relationship between key stakeholders and the Information Lifecycle and highlights the transparency required to enable effective governance (IGRM v3.0 Update: Privacy & Security Officers As Stakeholders).

In 2012, the Compliance, Governance and Oversight Council (CGOC) developed the Information Governance Process Maturity Model, or IGPMM. The model outlines 13 key processes in electronic discovery (e-discovery) and information management. Each process is described in terms of a maturity level from one to four, ranging from completely manual and ad hoc to greater degrees of process integration across functions and automation. In 2017, it was updated to include an emphasis on legal, privacy, information security, cloud security issues and evolving data privacy concerns, including the impact of the EU General Data Protection Regulation (GDPR).


Organizational structure

In the past, records managers owned records management, perhaps within a compliance department at an enterprise. In order to address the broader issues surrounding records management, several other key stakeholders must be involved. Legal, IT, and Compliance tend to be the departments that touch information governance the most, though certainly other departments might seek representation. Many enterprises create information governance committees to ensure that all necessary constituents are represented and that all relevant issues are addressed.


Tools

To address retention and disposition, Records Management and Enterprise Content Management applications were developed. Sometimes detached search engines or homegrown policy definition tools were created. These were often employed at a departmental or divisional level; rarely were tools used across the enterprise. While these tools were used to define policies, they lacked the ability to enforce those policies. Monitoring for compliance with policies was increasingly challenging. Since information governance addresses so much more than traditional records management, several software solutions have emerged to include the vast array of issues facing records managers. Other available tools include:

* ARMA International Information Governance Implementation Model
* ARMA Generally Accepted Recordkeeping Principles
* CGOC Information Governance Process Maturity Model
* EDRM Information Governance Reference Model (IGRM)
* NHS Information Governance Toolkit


Laws and regulations

Key to IG are the regulations and laws that help to define corporate policies. Some of these regulations include:


United States

* The Foreign Account Tax Compliance Act, or FATCA
* Payment Card Industry Data Security Standard, or PCI Compliance
* Health Insurance Portability and Accountability Act, or HIPAA
* Financial Services Modernization Act of 1999, or Gramm–Leach–Bliley Act (GLBA)
* Sarbanes–Oxley Act of 2002, or Sarbox or SOX
* Federal Rules of Civil Procedure
* General Data Protection Regulation, or GDPR
* California Consumer Privacy Act, or CCPA


European Union

* General Data Protection Regulation
* NIS Directive


United Kingdom

* Data Protection Act 2018
* General Data Protection Regulation - GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union
* NIS Regulations - The EU NIS Directive was transposed into UK law by DCMS in May 2018 via the NIS regulations.


Guidelines

* MoReq2
* MoReq2010
* ISO 15489 Information and Documentation - Records Management
* DoD 5015.2, or Design Criteria Standard for Electronic Records Management Software Applications


See also

* Data defined storage
* Data governance
* Electronic discovery
* Enterprise content management
* Information management
* Information technology governance
* Knowledge management
* National archives
* Records management
* Taxonomy governance




External links


EPA 10 Reasons for RM