Information Governance

The terms ‘information’ and ‘data’ are often used interchangeably but there are differences in meaning. This article provides an overview of why both Information and Data Governance are important for organisations seeking to control and secure information and an understanding of what each discipline does and achieves for an organisation.

Read the Full Article

As Information Governance and Data Governance becomes increasingly important for organisations seeking to control and secure information, it is important to understand what each one does and achieves.

What exactly is their purpose, and how do they differ from one another?

Information Governance is a fundamental part of good Corporate Governance. Its mission is to maximise the value of information while minimising the costs and risks of holding it. Data Governance is a key subset of this model.  It aims to control information at the data level, ensuring the maintenance of accurate and high-quality data through the implementation of appropriate systems and processes.

This article looks at the roles Information Governance and Data Governance play within an organisation and how they are interlinked.

Information Governance

Information Governance provides a strategic framework for organisations seeking to control company information. It recognises the value and opportunity of data as ‘the new oil’ and identifies the risks and costs involved in the event of non-compliance with legal requirements and the consequences of a serious data breach.

Information Governance is defined by the Information Governance Initiative (a think tank and community of IG professionals) as:

‘The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs.’

In other words, Information Governance encompasses the systems (including policies, processes, and technology) by which information is controlled and secured.

Organisations should consider information as an asset and measure both the value and costs of the data they hold.  This means quantifying the financial benefits of data as well as the costs (and subsequent savings) resulting from risk management investments.

To derive value from information, companies need to invest in technology and systems that can be used to gain a competitive advantage and deliver benefits directly to the bottom line. This includes the implementation of data analytics to improve or develop new services or products, or data sharing systems to enhance, for example, the allocation of resources for the delivery of health services in the public sector.

Reducing costs and risks of holding information

Minimising the risks and costs of holding information is one of the main objectives of an Information Governance program. Further strategic investments are needed to achieve this, specifically in technology, systems and people.

Organisations incur significant costs in holding information that is either required for the running of the business (RIM) and/or by law. Legal requirements include:

• Record keeping obligations.
• Data protection and privacy obligations.
• Document/data production in litigation – eDiscovery.

Well managed organisations have an active defensible disposition of records program, which eliminate documents no longer required by law and governs the ongoing removal of redundant, outdated and trivial documents (ROT) from the business.

Decreasing data storage costs can be counterproductive, because it encourages data retention.  Holding large data volumes can create a significant financial burden – especially when the following are considered:

• The costs of managing large volumes of data including additional resources (personnel) and storage costs.
• The costs of ‘back ended’ services – for example, analytics services to find documents, information audits and other forensic services that may be required from time to time.
• The cost of producing documents/data for litigation and regulators – eDiscovery – which has grown into a $10 billion per annum global industry due to the exponential rise in data volumes held by organisations.

 Minimising data breach costs in the event of a cyberattack

 An effective Information Governance program can also help mitigate the costs of a serious data breach, which include:

• Business interruption costs.
• Costs of data breach notification.
• Costs of responding to regulators.
• Ongoing lost revenue and profit due to brand and reputation damage where personally information is disclosed, such as customer and employee information.
• Costs of litigation including class actions.

A comprehensive Information Governance program that ensures an effective response to a potential data breach includes:

• A privacy framework with policies and processes aligned with the Information Governance program, protecting personally identifiable information and upholding a culture of privacy through training and auditing.
• Ensuring the implementation of appropriate cyber incident reporting, both internally and to external regulators, as required under mandatory notification breach legislation, cyber incident response and business continuity plans.
• Training of all relevant personnel (including IT, privacy and legal) to equip them to respond quickly and adequately in the event of a data breach.

Data Governance

Data Governance is a key subset of Information Governance.  Its objective is to control data at the data level and to ensure integrity through appropriate systems and processes.

According to the Data Governance Institute, Data Governance is defined as follows:

‘Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’

The American Health Information Management Association (AHIMA) provide the following explanation:

‘Data governance (DG) is the sub-domain of information governance (IG) that provides for the design and execution of data needs planning and data quality assurance in concert with the strategic information needs of the organization. Data governance includes data modeling, data mapping, data audit, data quality controls, data quality management, data architecture, and data dictionaries. DG collaborates with enterprise information management (EIM) in functional components essential to the enterprise plans for information organization and classification.’

The purpose of Data Governance is to implement effective data management, ensuring that data is of high quality, accurate and reliable. Data Governance programs rely on the implementation of specific data policies and processes within an organisation, where the management, cleansing and storing of data follow strict standards and procedures.

Increasingly Data Governance is managed by a Chief Data Officer (CDO) or equivalent who is responsible for setting data governance policies and procedures and implementing and monitoring systems to ensure that data is reliable and of high-quality.

The relationship between Information and Data Governance

Barclay T. Blair, Executive Director of the US-based think tank Information Governance Initiative (we saw their definition of IG above) explains the difference between Information Governance and Data Governance as follows:

“The two are executed in different parts of the company, by different people, with different tools, with different practical goals. Whereas Information Governance is mostly concerned with risk mitigation, Data Governance is mostly concerned with things like data quality, master data management, and dashboards enabled by a common schema. Of course, in concept both disciplines encompass both risk and value, but in practice this is what it typically looks like.”

Typically, information and data is managed by various owners throughout an organisation including:

• Data – Chief Data Officer
• Privacy – Chief Privacy Officer or General Counsel
• Cybersecurity –  Chief Information Security Officer
• Risk & Compliance – Chief Compliance Officer
• Records – RIM Manager
• eDiscovery – eDiscovery Counsel or General Counsel

In recent years, a new role of Chief Information Governance Officer (CIGO) for overall responsibility of information has emerged to ensure Information Governance and organisational objectives are met.

Whether the leader is an Information Governance steering committee, a designated C-level executive within their current existing role or a CIGO, the task is to successfully align Information Governance systems (including technology), processes and people to meet the organisation’s overall strategic business objectives.

Information Governance requires top down leadership. Boards and senior management are responsible for ensuring that an appropriate Information Governance framework, systems, and policies for information management activities are in place and being adhered to.

It also requires those responsible for information across the various silos to work collaboratively to ensure that information strategic objectives are met and risks managed appropriately.

In summary

Information Governance and Data Governance are both increasingly important as the volumes of data held by organisations continue to increase at exponential rates.

In summary, effective Information Governance ensures that the business value of information is maximised and the risks and costs of information are minimised while an effective Data Governance program ensures that the data being held is accurate and reliable.

Susan Bennett LLM(Hons), MBA

Principal of Sibenco Legal & Advisory and co-founder of Information Governance ANZ.

Susan is a lawyer and business advisor with twenty-five years of experience and works closely with corporate and government clients to deliver tailored legal and risk management solutions that meet client needs and strategic objectives.

If you would like assistance reviewing your current Information Governance ecosystem, please contact Susan on +61 2 8226 8682 or email susan.bennett@sibenco.com.

__________________
Connect with Susan on LinkedIn and follow Sibenco to receive updates.



__________________

This article was also published in the September 2017 issue of Governance Directions. 

This article is for reference purposes only and does not constitute legal advice.

The Information Governance Imperative

Information Governance is a key issue for organisations in today’s security conscious world.

 The imperative driving this surge in interest is twofold, but is essentially all about risk management:

1. The fast pace of the evolving digital world can disrupt existing businesses that don’t have a proactive Information Governance program; and
2. Effective leadership of Information Governance is the key to ensuring appropriate strategies, priorities, policies and processes are successfully embedded in an organisation to maximise the opportunities and minimise the risks arising from the information it holds.

The value for organisations is to enable the delivery of better outcomes by minimising the risk and maximising the value of the information they hold.

The value to individual Information Governance professionals is to keep them up to date with the latest developments and international global thinking and ensure the professional discipline of Information Governance is recognised as a key component to managing the exponential rise in data in the information age.

What is Information Governance?

While the concepts of information and governance are not new, the discussion around Information Governance has emerged as a necessary discipline to deal with the vast amounts of information being generated everyday by organisations. The challenge for organisations, whether in business, government or non-for-profit, is in developing a strategic, top-down approach to managing all aspects of information within the organisation.

This includes:

• What information is required to be held?
• What information the organisation can use to deliver benefits to the bottom line?
• Security of information – how it is and will be kept secure and how personally identifiable information is securely managed.

In short, Information Governance:

• Ensures that information is managed to achieve the strategic objectives of the organisation; and
• Provides the framework, systems and processes for ensuring the value of information is maximised and risks are minimised.

Cybersecurity and Information Governance

Relentless cyberattacks, the potential of data and privacy breaches and the ever increasing volume of information present an enormous risk to organisations.

 Significant cybersecurity investment, including the latest technology and best systems in place, is unlikely to prevent all breaches. And even if your cybersecurity technology and systems are first rate, there is always the issue of human failure – for example, employees leaving laptops or mobile phone in public places, or employees who download unauthorised software, or the problem of rogue employees and increases in information theft from within organisations.

In the event of a successful data breach the issues become – what information will be accessible to a cybercriminal, and what safeguards have you put in place in relation to sensitive data or data containing personal identifiable information? A holistic and strategic approach to cybersecurity, privacy, records and information management is critical to ensure that data and privacy breaches are minimised.

Information as an Organisational Asset

Organisations need to consider information as an asset and measure both the value and costs of the data they hold. This means measuring the financial benefits derived from the value of data held as well the costs and subsequent savings from risk management investments.

On the value side

This includes investments in technology tools that can be used for competitive advantage and deliver benefits directly to the bottom line – such as:

• Data analytics to improve or develop new services or products;
• Data analytics to increase efficiencies in manufacturing processes;
• Data analytics to improve delivery of services by government to citizens; or
• Contract management technology to maximise financial returns of contracts;
• Analytic tools for auditing to prevent or detect early fraudulent activity.

On the risk side

This includes strategic investments in technology and systems to minimise the risks and costs of data and privacy breaches arising from the exponential rise in the amount of data that is being held and stored by organisations, such as:

• Systems and technology tools to reduce the amount of data being stored by organisations – that is, minimising the amount of redundant, outdated and trivial (ROT) data so there is less overall data;
• Systems and technology to ensure that sensitive business data and information containing personally identifiable information has enhanced security and is more difficult to locate or access in the event of a successful cyberattack; and
• Technology to search, identify, and review information in the discovery and production process in litigation and regulatory inquiries.

The Cost of Information

Is often only fully understood after the event, such as:

• Following a cyberattack and a data and/or privacy breach – with costs including business interruption costs, damage to reputation, potential regulatory investigation and litigation, including the costs of responding to regulatory investigations, potential sanctions and the cost of any litigation and subsequent pay-outs;
• Implementation of new technology system – with the additional costs incurred in dealing with excessive amounts of ROT, stored at additional cost. This is likely to delay implementation of a new system and impede management of information going forward unless addressed to accord with best practice information management;
• Litigation or regulatory investigations or commission of Inquiries – where the costs of document production are enormous due to the vast amount of data that needs to be searched, identified as relevant, reviewed and produced in accordance with legal requirements, or the potential sanctions and costs of not being to produce all documents that were required to be kept either in accordance with legal obligations or Legal Holds.

Susan Bennett LLM(Hons), MBA

Principal of Sibenco Legal & Advisory and co-founder of Information Governance ANZ.

Susan is a lawyer and business advisor with over twenty years’ experience and has worked closely with corporate and government clients to deliver tailored legal and risk management solutions that meet client needs and strategic objectives.

If you would like assistance reviewing your current IG ecosystem, please contact Susan on +61 2 8226 8682 or email susan.bennett@sibenco.com.

__________________
Follow us to receive updates on LinkedIn


__________________

This article is for reference purposes only and does not constitute legal advice.

Effective leadership of information governance (IG) is key to ensuring that appropriate strategies, priorities, policies and processes are successfully embedded in an organisation, both to maximise the opportunities and minimise the risks arising from the information it holds.

A robust IG framework enables organisations to manage proactively the exponentially growing data and information they have. IG’s main drivers are:

• the value to the organisation derived from the data held within the organisation, which leads to improved performance and profitability – e.g., using data analytics to mine ‘big data’, to create new or improved products or services; and
• minimising potential risks, which may otherwise lead to significant legal issues, business interruption, loss of productivity, costs and reputational damage – e.g., cyber security attacks and privacy breaches.

What is IG?

IG is defined as:

The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs. [i]

This definition recognises that IG is about delivering value to the business’s bottom line, as well as minimising risk and costs. Organisations are now continually facing both threats and opportunities from the ever-increasing growth of digital data (‘big data’) and digital disruption (e.g., online shopping, online education). This is causing organisations to find new ways to compete in the marketplace and to develop new business opportunities to drive profits; conversely, the exponential growth in data being held poses increased risks and costs to organisations.

The challenge is how to implement an effective IG framework, which will deliver both value and minimise risk, when information management activities are carried out by different business areas within an organisation and with different ‘owners’ within each of those areas.

Who is responsible?

Typically, an organisation’s data and information is managed by various ‘owners’ – e.g.:

• compliance – risk and compliance director or chief risk officer;
• eDiscovery/document production – eDiscovery counsel or general counsel;
• information communication and technology security – chief security information officer, chief technology officer or chief information officer;
• legal – general counsel;
• privacy – chief privacy officer or general counsel; and
• records and information management – records and information manager.

The table below illustrates the broad range of the different types of technologies used in information management activities, and highlights the different areas and senior managers typically responsible for information management across an organisation.

Where do the risks and costs arise?

The vast amounts of data held pose increased risks and costs to organisations, arising from:

• legal and compliance, particularly in relation to privacy obligations, with the growing focus on privacy arising from high-profile cyber security attacks and thefts of customer records;
• information communication and technology (ICT) systems that prevent privacy and ICT security breaches;
• the cost of production of documents in litigation and regulatory investigations; and
• record and information management (RIM) complying with legal and business requirements, where data is increasing exponentially, and retention policies may not be keeping pace with business operations and legal requirements.

Governance for information complexity

Boards and senior management are responsible for ensuring that appropriate governance frameworks, policies and processes for information management activities are in place and being adhered to, in order to manage risk appropriately. However, with the exponential growth of data, and changes to the way businesses operate caused by digital disruption, not only is it a challenge for governance to keep pace with new developments, it can be a challenge for boards and senior management to fully understand the opportunities and risks arising from all the information management activities throughout an organisation.

Organisations are increasingly concerned with preventing security breaches of enterprise systems, and are aware of the penalties for failing to comply with regulatory requirements such as customer privacy, as well as the potential for significant reputational damage to their brand.

Cyber breaches

There is general awareness of the increase in cyber security attacks on organisations and the significant risks that this poses for them. It is regularly reported that cyber attacks and theft of data are increasing. Telstra’s Cyber Security Report[ii] states ‘nearly a quarter of all the organisations we surveyed had suffered some kind of business interruption due to an IT security breach during the last 12 months. When that time frame was stretched to five years the figure climbed to nearly 60%. Furthermore, 41% of organisations reported that they had detected a major security breach in the last three years. … The majority of Australian organisations we surveyed reported that they detected some sort of attempt to breach their IT security on a weekly or monthly basis. …. 38% of organisations reported that their most recent attack was due to cyber-crime, with viruses accounting for 31%, suggesting malicious hackers are becoming more active.’

High-profile cyber security attack incidents include:

• Sony Pictures cyber attack in late 2014, in which vast amounts of data was stolen, including personal information of employees such as salaries, social security numbers, birth dates, medical records; emails; contracts; copies of unreleased films; and reports that hard drives were wiped leading to the shut down of Sony’s computer systems for more than a week[iii]. The attack was condemned by the US, Australian and other governments;
• eBay – the theft of 145 million eBay user accounts;
• Adobe – the theft of 153 million customer records from Adobe; and
• Target – the malware attack that compromised 70 million Target customer accounts and 40 million credit cards at its point of sale systems.

In light of the significant risks posed to organisations, it is essential that IG include the information technology architecture and system risks to ensure that:

• risks of breaches of organisations’ information technology systems (i.e., cyber security attacks) are minimised;
• appropriate cyber incident and response plans are in place; and
• the relevant personnel are trained, and able, to respond adequately in the event of cyber breach – this will include IT, privacy and legal personnel.

Privacy breaches

Privacy breaches may occur as a result of a cyber attack where personal information is stolen, as in the above examples, or by the breaches within an organisation exposing it to regulatory and legal issues and costs. Organisations need to have in place effective policies and processes for the management of data breaches, including making notifications where required by regulatory bodies such as the Office of the Australian Information Commission (OAIC).

The Australian Privacy Principles (APP) regulate the handling of personal information for government agencies, and businesses with a turnover of more than $3 million (as well as some smaller businesses, such as health care providers). The APPs cover the collection, use, disclosure and storage of personal information.[iv] The powers of the OAIC include: conducting assessments of privacy compliance; accepting enforceable undertakings; and seeking civil penalties, in the case of serious or repeated breaches of privacy, of up to $1.7 million.

The first enforceable undertaking under the new privacy laws that came into effect in Australia in March 2014 was entered into by Optus in March 2015, following a lengthy investigation by the OAIC. It was concerned that Optus did not have reasonable steps in place to safeguard the personal information held in its systems at the time the three significant incidents occurred, and as required by APP 11. One of the incidents arose from a change made to Optus’s website, resulting in the names, addresses and mobile numbers of about 122,000 Optus customers who had elected not to have their details listed in a telephone directory being published in the White Pages. The Privacy Commissioner referred to the positive way in which Optus worked with the OAIC to address the incidents, and considered ‘the enforceable undertaking was an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act’.[v]

Data analytics for marketing and product development

Another way in which organisations need to be mindful of and embed privacy is through the growing use of data analytics for mining of ‘big data’.

Organisations now have a strategic focus on the use of digital technology as a tool to better service customers to meet market competition and improve profitability. They may use data analytics to improve business performance: e.g., analysing data to improve logistics, or to improve or create new products or services. The importance of this focus is reflected in new roles such as chief data officer, chief digital officer and digital marketing manager.

However, if data analytics are carried out without regard to the privacy obligations of the information the organisation holds (in relation to its customers, students, patients, etc), there is a serious risk of privacy breaches and, potentially, reputational issues for the organisation. An effective IG framework will enable and embed effective cross-function information management processes and people, to ensure that value can be maximised while risks are minimised – e.g., by ensuring that a new product team includes a privacy expert at a very early stage of a new product development, to make sure that privacy obligations are factored in and future privacy breaches minimised. This is in contrast to a situation where products are developed without privacy considerations being taken into account (either partially or fully at the time of development), so that the privacy compliance and risks are managed through retrospective fixes at significantly increased costs.

The benefits of an IG framework

A sound IG framework is the critical foundation that enables organisations to govern and manage properly the information they hold. The benefits of a holistic approach to IG are:

• senior-executive-level engagement and decision making on important strategic opportunities and risk mitigation issues concerning organisational information;
• increasing revenue and profits through the use of data analytics to develop or improve products or services, or through developing strategies to improve efficiencies and reduce costs;
• improved management of data, with more efficient retrieval of retained data;
• defensible destruction of redundant, outdated and trivial data/information, with an audit trail that can be relied upon in litigation;
• improved selection and return on investment (ROI) on new technology, appropriate to the organisation’s legal, compliance and business needs;
• comprehensive and aligned policies, processes and response plans – including comprehensive ICT security and privacy frameworks and breach response plans; and
• reduced costs and increased efficiencies arising from the implementation of an aligned strategy and policies, in contrast to the inefficiencies of the traditional fragmented siloed approach.

IG framework and leadership

The key to addressing and managing information/data throughout an organisation is to take a holistic approach driven from the board and the C-level down.

In order for an IG framework to be successfully implemented and embedded in an organisation, there needs to be strong leadership and championing of IG from those in the key areas currently responsible for information activities.

In developing or reviewing a current IG framework, careful consideration needs to be given to the organisation’s strategy and current situation, balanced against technology security priorities and legal and compliance obligations.

Board

To optimise the board’s performance, it is essential that directors have a mix of skills and expertise.  This includes one or more directors with skills in the following areas: cybersecurity architecture and systems; the relevant skills to contribute to the organisation’s current and future strategy regarding digital disruption threats and opportunities; and legal and compliance expertise regarding information activities throughout the organisation, including privacy and record and information management.

Executive leadership

While it is important that boards and senior executives have a broad understanding, and be champions, of a robust IG framework, equally important is who will be responsible day to day for driving and implementing IG. This will vary between organisations, and is likely to depend on its strategic priorities, size, resources, and the current position of information management within it.

Examples of IG leadership are:

• Steering committee – a committee made up of the relevant C-level executives responsible for different areas of information management – e.g., chief operating officer (COO), GC, CIO/CISO/CTO, CMO/CDO, CPO, RIM. A chair would be appointed to lead monthly meetings, and the committee would be responsible for setting overall strategic priorities, deciding on pilot projects, reviews of implementation, etc.
• Current C-level executive – an IG leader who is a current C-level executive, such as a CIO or GC with the appropriate leadership skills, and some cross-functional expertise, to enable them to effectively lead IG – e.g., a CIO with significant experience in – preventing and responding to cyber attacks and cyber security breaches, responding to regulatory and litigation production of electronic documents and data; as well as data analytic technologies for areas such as marketing, or a GC who has extensive experience in strategy and implementation of new technology systems and responses to major crisis or incidents such as cyber attacks and cyber security breaches. Whether an existing C-level executive is able to adequately lead IG will depend upon how their other responsibilities are managed (e.g., by delegating more) and the organisation’s strategic priorities, size, structure and resources.
• Designated new C-level position – a new C-level role as the chief information governance officer, as proposed by the Information Governance Initiative (IGI), a US IG think-tank. The IGI describes the CIGO’s role as ‘to balance the stakeholder interests from each facet of IG and develop the right operational model for the organization.’[vi] In building the case for a CIGO, the report explains that ‘Chief Information Officers at most organizations are in fact only responsible for technology infrastructure, and not the information itself. Responsibility for the information is the raison d’être of the CIGO.’ [vii]

Leadership skills for effective IG governance

Whether the leader is an IG steering committee, a designated C-level executive within their current existing role or a CIGO, the task is to successfully align IG systems, processes and people to meet the organisation’s overall strategic business objectives. For a robust and effective IG regime, the following is required:

• Strategic – IG leaders need to be strategic thinkers, to implement an IG framework that will effectively respond to the increasing complexity of business and the interaction of technology and risk management. The chair of the committee or designated executive should be able to provide wise counsel (to a CEO or board committee or board) on business opportunities, information technology architecture and system risks, and the risks impacting information management activities within the organisation.
• Alignment – IG leaders need to align the IG framework to meet the organisation’s strategic objectives. With rapid changes in technology requiring rapid changes to business processes in order to compete in the market, IG leaders will need to promptly review and adapt policies and processes, and ensure there is appropriate employee training and awareness, so that strategic business objectives are met and risks continue to be minimised.
• Influence – the steering committee or designated executive should be an effective influencer in all directions – up (e.g., to CEO and board), across (to other C-level executives, e.g., COO, CFO) and down the organisation (e.g., to marketing, business units) – so that stakeholders understand the reason for decisions, and support and implement IG priorities, systems, policies and processes.
• Innovation – the steering committee or designated executive will need to recognise, assess, and support, where appropriate, innovative opportunities that create value for the organisation, as well as managing risk. This may include new models or policies for IG that better facilitate the achievement of business objectives while managing organisational risk. It is likely to include shifts from traditional structured policies and processes to better manage risk – e.g., increased and different ways of engaging and training employees on appropriate use of social media, mobile devices (including BYOD), to reduce risk more effectively than outdated policies, draft policies or policies that are not yet universally agreed upon.
• Collaboration – the steering committee or designated executive is likely to embed a robust IG framework where people work collaboratively within teams and cross-functionally through the organisation on information management activities. This will happen where consensus is built, with the relevant stakeholders all working towards the same overall business objectives. Where rapid technological or business changes require a steering committee or designated C-level executive to get IG changes implemented quickly, it will require prompt buy-in and active support of the changes and the implementation actions required. This is more likely to be achieved and sustained in the long term when a culture of co-operation exists and there is an understanding of the need to align IG with business objectives to enable those objectives to be achieved.

• Change management – arguably, the most important skill a steering committee or designated executive will need for effective IG is effective change management. This is particularly the case where new business strategies are set that involve implementation of new technologies and/or new ways of doing business that impact information management activities and IG. For example, setting a digital strategy may involve a significant transformation in the way business is done – this is likely to require a number of leaders with strong change management skills to drive and implement the necessary changes.

This article was first published in the May 2015 issue of Governance Directions, the official journal of Governance Institute of Australia.

Click here for the pdf version of this article

Download the Information Governance Checklist

__________________

If you would like assistance reviewing your current IG ecosystem, please contact Susan Bennett, Principal, on +61 2 8226 8682 or email susan.bennett@sibenco.com.

__________________
Follow us to receive updates on LinkedIn


__________________

This article is for reference purposes only and does not constitute legal advice.

__________________

i Independent Commission Against Corruption (NSW), ‘Knowing Your Risks’

[i] Information Governance Initiative Annual Report 2014.

[ii] Telstra’s Cyber Security Report, December 2014, p30.

[iii] ‘US investigators suspect North Korea hired hackers for Sony hack’, The Age, 31 December 2014.

[iv] The 13 Principles are contained within Schedule 1 of the Privacy Act 1988 (Cth).

[v] Office of the Australian Information Privacy Commission media release, 27 March 2015.

[vi] Information Governance Initiative, Annual Report 2014, p28.

[vii] Information Governance Initiative, Annual Report 2014, p28.