The terms ‘information’ and ‘data’ are often used interchangeably but there are differences in meaning. This article provides an overview of why both Information and Data Governance are important for organisations seeking to control and secure information and an understanding of what each discipline does and achieves for an organisation.
Information Governance
As Information Governance and Data Governance become increasingly important for organisations seeking to control and secure information, it is important to understand what each one does and achieves.
What exactly is their purpose, and how do they differ from one another?
Information Governance is a fundamental part of good Corporate Governance. Its mission is to maximise the value of information while minimising the costs and risks of holding it. Data Governance is a key subset of this model. It aims to control information at the data level, ensuring the maintenance of accurate and high-quality data through the implementation of appropriate systems and processes.
This article looks at the roles Information Governance and Data Governance play within an organisation and how they are interlinked.
Information Governance
Information Governance provides a strategic framework for organisations seeking to control company information. It recognises the value and opportunity of data as ‘the new oil’ and identifies the risks and costs involved in the event of non-compliance with legal requirements and the consequences of a serious data breach.
Information Governance is defined by the Information Governance Initiative (a think tank and community of IG professionals) as:
‘The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs.’
In other words, Information Governance encompasses the systems (including policies, processes, and technology) by which information is controlled and secured.
Organisations should consider information as an asset and measure both the value and costs of the data they hold. This means quantifying the financial benefits of data as well as the costs (and subsequent savings) resulting from risk management investments.
To derive value from information, companies need to invest in technology and systems that can be used to gain a competitive advantage and deliver benefits directly to the bottom line. This includes the implementation of data analytics to improve or develop new services or products, or data sharing systems to enhance, for example, the allocation of resources for the delivery of health services in the public sector.
Reducing costs and risks of holding information
Minimising the risks and costs of holding information is one of the main objectives of an Information Governance program. Further strategic investments are needed to achieve this, specifically in technology, systems and people.
Organisations incur significant costs in holding information that is required for the running of the business (records and information management, RIM), required by law, or both. Legal requirements include:
- Record keeping obligations.
- Data protection and privacy obligations.
- Document/data production in litigation – eDiscovery.
Well-managed organisations have an active, defensible records disposition program, which eliminates documents no longer required by law and governs the ongoing removal of redundant, outdated and trivial (ROT) documents from the business.
Decreasing data storage costs can be counterproductive, because it encourages data retention. Holding large data volumes can create a significant financial burden – especially when the following are considered:
- The costs of managing large volumes of data including additional resources (personnel) and storage costs.
- The costs of ‘back ended’ services – for example, analytics services to find documents, information audits and other forensic services that may be required from time to time.
- The cost of producing documents/data for litigation and regulators – eDiscovery – which has grown into a $10 billion per annum global industry due to the exponential rise in data volumes held by organisations.
Minimising data breach costs in the event of a cyberattack
An effective Information Governance program can also help mitigate the costs of a serious data breach, which include:
- Business interruption costs.
- Costs of data breach notification.
- Costs of responding to regulators.
- Ongoing lost revenue and profit due to brand and reputation damage where personal information, such as customer and employee information, is disclosed.
- Costs of litigation including class actions.
A comprehensive Information Governance program that ensures an effective response to a potential data breach includes:
- A privacy framework with policies and processes aligned with the Information Governance program, protecting personally identifiable information and upholding a culture of privacy through training and auditing.
- Ensuring the implementation of appropriate cyber incident reporting, both internally and to external regulators as required under mandatory data breach notification legislation, together with cyber incident response and business continuity plans.
- Training of all relevant personnel (including IT, privacy and legal) to equip them to respond quickly and adequately in the event of a data breach.
Data Governance
Data Governance is a key subset of Information Governance. Its objective is to control data at the data level and to ensure integrity through appropriate systems and processes.
According to the Data Governance Institute, Data Governance is defined as follows:
‘Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’
The American Health Information Management Association (AHIMA) provides the following explanation:
‘Data governance (DG) is the sub-domain of information governance (IG) that provides for the design and execution of data needs planning and data quality assurance in concert with the strategic information needs of the organization. Data governance includes data modeling, data mapping, data audit, data quality controls, data quality management, data architecture, and data dictionaries. DG collaborates with enterprise information management (EIM) in functional components essential to the enterprise plans for information organization and classification.’
The purpose of Data Governance is to implement effective data management, ensuring that data is of high quality, accurate and reliable. Data Governance programs rely on the implementation of specific data policies and processes within an organisation, where the management, cleansing and storing of data follow strict standards and procedures.
Increasingly, Data Governance is managed by a Chief Data Officer (CDO) or equivalent, who is responsible for setting data governance policies and procedures and for implementing and monitoring systems to ensure that data is reliable and of high quality.
The relationship between Information and Data Governance
Barclay T. Blair, Executive Director of the US-based think tank Information Governance Initiative (we saw their definition of IG above) explains the difference between Information Governance and Data Governance as follows:
“The two are executed in different parts of the company, by different people, with different tools, with different practical goals. Whereas Information Governance is mostly concerned with risk mitigation, Data Governance is mostly concerned with things like data quality, master data management, and dashboards enabled by a common schema. Of course, in concept both disciplines encompass both risk and value, but in practice this is what it typically looks like.”
Typically, information and data are managed by various owners throughout an organisation, including:
- Data – Chief Data Officer
- Privacy – Chief Privacy Officer or General Counsel
- Cybersecurity – Chief Information Security Officer
- Risk & Compliance – Chief Compliance Officer
- Records – RIM Manager
- eDiscovery – eDiscovery Counsel or General Counsel
In recent years, a new role of Chief Information Governance Officer (CIGO) for overall responsibility of information has emerged to ensure Information Governance and organisational objectives are met.
Whether the leader is an Information Governance steering committee, a designated C-level executive acting within their existing role, or a CIGO, the task is to successfully align Information Governance systems (including technology), processes and people to meet the organisation’s overall strategic business objectives.
Information Governance requires top-down leadership. Boards and senior management are responsible for ensuring that an appropriate Information Governance framework, systems, and policies for information management activities are in place and being adhered to.
It also requires those responsible for information across the various silos to work collaboratively to ensure that information strategic objectives are met and risks managed appropriately.
In summary
Information Governance and Data Governance are both increasingly important as the volumes of data held by organisations continue to increase at exponential rates.
In summary, effective Information Governance ensures that the business value of information is maximised and the risks and costs of information are minimised while an effective Data Governance program ensures that the data being held is accurate and reliable.
Susan Bennett LLM(Hons), MBA
Principal of Sibenco Legal & Advisory and co-founder of Information Governance ANZ.
Susan is a lawyer and business advisor with twenty-five years of experience and works closely with corporate and government clients to deliver tailored legal and risk management solutions that meet client needs and strategic objectives.
This article was also published in the September 2017 issue of Governance Directions.
This article is for reference purposes only and does not constitute legal advice.
The Information Governance Imperative
Information Governance is a key issue for organisations in today’s security-conscious world.
The imperative driving this surge in interest is twofold, but is essentially all about risk management:
- The fast pace of the evolving digital world can disrupt existing businesses that don’t have a proactive Information Governance program; and
- Effective leadership of Information Governance is the key to ensuring appropriate strategies, priorities, policies and processes are successfully embedded in an organisation to maximise the opportunities and minimise the risks arising from the information it holds.
The value for organisations is to enable the delivery of better outcomes by minimising the risk and maximising the value of the information they hold.
The value to individual Information Governance professionals is to keep them up to date with the latest developments and international thinking, and to ensure the professional discipline of Information Governance is recognised as a key component of managing the exponential rise in data in the information age.
What is Information Governance?
While the concepts of information and governance are not new, Information Governance has emerged as a necessary discipline to deal with the vast amounts of information being generated every day by organisations. The challenge for organisations, whether in business, government or the not-for-profit sector, is in developing a strategic, top-down approach to managing all aspects of information within the organisation.
This includes:
- What information is required to be held?
- What information can the organisation use to deliver benefits to the bottom line?
- Security of information – how it is and will be kept secure and how personally identifiable information is securely managed.
In short, Information Governance:
- Ensures that information is managed to achieve the strategic objectives of the organisation; and
- Provides the framework, systems and processes for ensuring the value of information is maximised and risks are minimised.
Cybersecurity and Information Governance
Relentless cyberattacks, the potential of data and privacy breaches and the ever increasing volume of information present an enormous risk to organisations.
Significant cybersecurity investment, including the latest technology and the best systems in place, is unlikely to prevent all breaches. And even if your cybersecurity technology and systems are first rate, there is always the issue of human failure – for example, employees leaving laptops or mobile phones in public places, employees who download unauthorised software, or the problem of rogue employees and the increase in information theft from within organisations.
In the event of a successful data breach the issues become: what information will be accessible to a cybercriminal, and what safeguards have you put in place in relation to sensitive data or data containing personally identifiable information? A holistic and strategic approach to cybersecurity, privacy, records and information management is critical to ensure that data and privacy breaches are minimised.
Information as an Organisational Asset
Organisations need to consider information as an asset and measure both the value and costs of the data they hold. This means measuring the financial benefits derived from the value of data held, as well as the costs and subsequent savings from risk management investments.
On the value side
This includes investments in technology tools that can be used for competitive advantage and deliver benefits directly to the bottom line – such as:
- Data analytics to improve or develop new services or products;
- Data analytics to increase efficiencies in manufacturing processes;
- Data analytics to improve delivery of services by government to citizens;
- Contract management technology to maximise financial returns of contracts; or
- Analytic tools for auditing to prevent or detect early fraudulent activity.
On the risk side
This includes strategic investments in technology and systems to minimise the risks and costs of data and privacy breaches arising from the exponential rise in the amount of data that is being held and stored by organisations, such as:
- Systems and technology tools to reduce the amount of data being stored by organisations – that is, minimising the amount of redundant, outdated and trivial (ROT) data so there is less overall data;
- Systems and technology to ensure that sensitive business data and information containing personally identifiable information has enhanced security and is more difficult to locate or access in the event of a successful cyberattack; and
- Technology to search, identify, and review information in the discovery and production process in litigation and regulatory inquiries.
The Cost of Information
The cost of information is often only fully understood after the event, for example:
- Following a cyberattack and a data and/or privacy breach – with costs including business interruption costs, damage to reputation, potential regulatory investigation and litigation, including the costs of responding to regulatory investigations, potential sanctions and the cost of any litigation and subsequent pay-outs;
- Implementation of a new technology system – with the additional costs incurred in dealing with excessive amounts of ROT, stored at additional cost. This is likely to delay implementation of the new system and impede management of information going forward unless addressed in accordance with best practice information management;
- Litigation, regulatory investigations or commissions of inquiry – where the costs of document production are enormous due to the vast amount of data that needs to be searched, identified as relevant, reviewed and produced in accordance with legal requirements, or the potential sanctions and costs of not being able to produce all documents that were required to be kept, either in accordance with legal obligations or under Legal Holds.
Preventing data privacy breaches is becoming increasingly important, with the increasing costs of dealing with cyber attacks, IT security breaches, and the subsequent legal actions and regulatory investigations. Strong IG, including privacy governance, is the most effective way to put in place robust systems to prevent and minimise privacy breaches, as well as respond to any privacy breaches that may occur.
Cyber attacks and privacy breaches
There is general awareness of the increase in cyber security attacks on organisations, and the significant risks that this poses to enterprise information security, legal and regulatory obligations, as well as the significant costs and reputational issues that result.
It is regularly reported that cyber attacks and data breaches are on the rise. The Identity Theft Resource Center reported that US data breaches hit a record high of 783 in 2014, a 27.5% increase over the previous year, with over 85 million records exposed.[i]
Telstra’s Cyber Security Report[ii] states ‘nearly a quarter of all the organisations we surveyed had suffered some kind of business interruption due to an IT security breach during the last 12 months. When that time frame was stretched to five years the figure climbed to nearly 60%. … The majority of Australian organisations we surveyed reported that they detected some sort of attempt to breach their IT security on a weekly or monthly basis.’
High-profile cyber security attack incidents include:
- Anthem – in February 2015 the second-largest health insurer in the US reported that stolen data included names, addresses, dates of birth, social security numbers and employment histories of 80 million current and former customers;
- Sony Pictures cyber attack in late 2014, in which vast amounts of data were stolen, including personal information of employees, such as salaries, social security numbers, birth dates and medical records; emails; contracts; copies of unreleased films; and reports that hard drives were wiped, leading to the shutdown of Sony’s computer systems for more than a week[iii]. The attack was condemned by the US, Australian and other governments;
- JP Morgan Chase – in late 2014 the names, addresses, phone numbers and email addresses of 83 million households and small business accounts were stolen;
- Home Depot – in 2014 the theft of 56 million customer email addresses and payment card details;
- Adobe – in late 2013 the theft of 153 million customer records; and
- Target – in late 2013 the malware attack that compromised 70 million Target customer accounts and 40 million credit cards at its point of sale systems.
Costs of privacy breaches
The costs of a data breach will depend on its type and scale. However, for some large-scale breaches, the costs may run into hundreds of millions of dollars.
The direct costs of data breaches include the following:
- cost of investigating the breach;
- cost of wages through overtime and/or increased number of staff to deal with IT issues around security breach identification and remediation;
- costs of external advisors, such as IT security experts and lawyers;
- business interruption costs, particularly where access to computer systems is limited, either because of damage to systems or systems being shut down for remediation;
- costs of dealing with breaches – e.g., new replacement credit cards being issued where customers’ credit card details are stolen, and legal claims and pay-outs for data breaches; and
- costs of new IT and new processes and systems to prevent future privacy and data breaches.
There are also the indirect costs arising from data breaches, such as loss of reputation and potential loss of future customers, due to a lack of trust that customers’ personal information will be kept safe.
Direct cost – case examples
In the US, Target reported in late 2014 that it had incurred $248 million in data-breach-related expenses and would receive $90 million from insurance policies.[iv] This included costs for defending or settling more than 100 legal actions against it. Independent sources estimated that fraudulent charges ranged from $240 million to $2.2 billion. [v] In March 2015 a US court gave preliminary approval to a $10 million settlement of a class action to enable customers affected by the breach to be awarded up to $10,000 each in damages.[vi] In April 2015, Target announced it had reached agreement with Mastercard to fund up to $19 million in payments to Mastercard issuers affected by the data breach, conditional on at least 90% of card issuers accepting the offer.[vii]
Home Depot reported it had paid $43 million in data-breach-related expenses and anticipated $15 million in insurance payments, and that at least 44 legal actions had been filed in the US and Canada.[viii]
Regulatory sanctions
Globally regulators are imposing stiff sanctions and fines for data and privacy breaches. In addition to fines, regulators often impose requirements for organisations to conduct reviews, audits and provide ongoing compliance reports to the regulator. This can be a substantial ongoing cost, particularly where it may involve the unbudgeted expense of new or improved IT, increased cost of appropriately qualified personnel, particularly privacy experts and/or independent third-party audits, and ongoing compliance reporting.
United States
In the US, in April 2015, AT&T was fined $25 million for a data breach by the Federal Communications Commission in its ‘largest privacy and data security enforcement action to date’.[ix] The data breaches involved the unauthorised disclosure of almost 280,000 customer names and full or partial social security numbers, due to employees accessing customer records without authorisation at AT&T call centres in Mexico, Colombia and the Philippines. Under the terms of settlement, AT&T is required to appoint a senior compliance manager, who is a certified privacy professional, to conduct a privacy risk assessment, implement an information security program and provide regular training to employees on AT&T’s privacy policies. AT&T is also required to file regular compliance reports with the FCC.
United Kingdom
In the UK in 2012, the Brighton and Sussex University Hospitals NHS Trust received the largest-ever fine imposed by the Information Commissioner’s Office (ICO), of £325,000. A contractor had been retained to destroy data on around 1000 computer hard drives containing confidential patient information. An individual sub-contractor removed some of the hard drives and without wiping the drives sold them on eBay.
In 2013, the ICO imposed a fine of £250,000 on Sony Computer Entertainment Europe, following a cyber attack on the Sony PlayStation Network Platform in April 2011 that compromised the personal information of millions of customers.
In 2013/2014 the ICO issued £1.97 million in civil monetary fines.[x] The fines levied in the UK are set to increase once the new EU General Data Protection Regulation is enacted.
European Union
The draft Data Protection Regulation was issued in 2012, and the EU’s European Council is aiming for its adoption in late 2015 or early 2016. After a transition period of two years, it will have immediate effect on all EU member states.
The draft EU Data Protection Regulation provides for sanctions and fines as follows:
- a written warning in cases of first and non-intentional non-compliance;
- regular periodic data protection audits; and
- fines of up to 5% of annual global revenue or €100 million, whichever is greater.[xi]
Australia
The powers of the Office of the Australian Information Commissioner (OAIC) include:
- conducting assessments of privacy compliance;
- accepting enforceable undertakings; and
- seeking civil penalties, in the case of serious or repeated breaches of privacy, of up to $340,000 for individuals and $1.7 million for organisations.
The first enforceable undertaking under the new privacy laws that came into effect in Australia in March 2014 was entered into by Optus in March 2015, following a lengthy investigation by the OAIC. The OAIC was concerned that, at the time three significant incidents occurred, Optus did not have reasonable steps in place to safeguard the personal information held in its systems, as required by Australian Privacy Principle (APP) 11. The three incidents were:
- a change made to Optus’s website, resulting in the names, addresses and mobile numbers of 122,000 of its customers who had elected not to have their details listed in a telephone directory being published in the White Pages;
- Optus made a change to its network that meant customers using the relevant modems it had provided who did not change the default user name and password were vulnerable, potentially allowing a person to make and charge calls as though they were the Optus customer; and
- a flaw in Optus’s security processes led to certain customers whose voicemail was not password protected being vulnerable to ‘spoofing’ attacks, including accessing and using customer voicemail account messages, and preferences and settings being changed.
The Privacy Commissioner referred to the positive way in which Optus worked with the OAIC to address the incidents, and considered ‘the enforceable undertaking was an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act’.[xii] The enforceable undertaking required Optus to:[xiii]
- Engage a qualified independent third party to complete specified reviews and certifications. This included, for example:
  ‘a. review of the additional security measures Optus adopted in response to the Privacy Incidents (‘Review A’). These additional security measures include:
  - Enhancing Optus’s monitoring program of change management that has the potential to affect the security of its customers’ personal and sensitive information;
  - Enhancing Optus’s penetration testing: for fixed and mobile services; on all major IT projects as part of Optus’s Security Risk Assessment process; and as part of its annual monitoring program.
  - a review of Optus’s vulnerability detection processes across the organisation concerning the security of personal information;’
- provide copies of those reviews and certifications to the OAIC;
- implement any recommendations and rectify deficiencies identified in those reviews and certifications; and
- provide a report by an independent third party to the OAIC certifying that the specified actions had been completed.
Privacy governance framework
In light of the costs and time involved in responding to data breaches and the subsequent ongoing consequences and expense, there is a strong incentive for organisations to ensure they have an appropriate privacy framework in place, both to prevent privacy breaches and to respond to any data and privacy breaches that may occur. As part of good corporate governance to manage risk, the privacy framework should be part of a robust overall information governance framework to manage all information and data throughout an organisation.
The New South Wales Information and Privacy Commission, which covers state public sector agencies, has published a Privacy Governance Framework.[xiv] The framework enables a holistic organisational approach to the management of personal information, draws upon the ‘privacy by design’ principles, and consists of five elements (as shown in the diagram below): setting leadership and governance; planning and strategy; program and service delivery; complaint incident management; and evaluation and reporting.
Privacy by design – the seven principles
The objectives of ‘privacy by design’, developed by Dr Ann Cavoukian, former Information and Privacy Commissioner in Ontario, are aimed at ensuring privacy and gaining personal control over one’s information, and, for organisations, gaining a sustainable competitive advantage. The benefits of the ‘privacy by design’ approach have been recognised by information and privacy regulators, including in the United Kingdom and Australia. The seven foundation principles are:[xv]
Proactive, not reactive
The privacy by design approach is about proactive, rather than reactive, measures. It anticipates and prevents privacy-invasive events.
Privacy as the default setting
It seeks to deliver maximum privacy, by ensuring that personal data is automatically protected in any IT system or business practice. No action is required by an individual to protect their privacy – it is built into the system, by default.
Privacy embedded in design
Privacy is embedded in the design and architecture of IT systems and business practices, rather than being an add-on. Therefore, it is an essential component of the functionality.
Full functionality – positive-sum, not zero-sum
Privacy by design seeks to accommodate all legitimate interests and objectives in a positive-sum ‘win-win’ manner, not through a zero-sum approach with unnecessary trade-offs. It demonstrates that it is possible to have both privacy and security.
End-to-end security
Having been embedded in the system before the first element of information is collected, privacy by design extends throughout the entire lifecycle of the relevant data. This ensures that at the end of the process, all data is securely and quickly destroyed.
Visibility
Privacy by design means that, whatever business practice or technology is involved, it is operating according to the stated promises and objectives, subject to independent verification. Its components and operations remain visible to users and providers alike.
Keeping user privacy user-centric
Architects and operators are required to keep individuals’ interests uppermost, by offering, e.g., strong privacy defaults, appropriate notice, and user-friendly options.
Benefits of ‘privacy by design’
The ICO has set out the benefits of designing projects, processes, products or systems with privacy as a consideration at the outset:[xvi]
- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- There is increased awareness of privacy and data protection across organisations.
- Organisations are more likely to meet their legal obligations, being less likely to breach relevant legislation or regulations, such as the Data Protection Act 1988 (UK), the Privacy Amendment Act 2012 (Aus)(C’th) or the EU’s Data Protection Directive.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Privacy at the outset
It is clear that the most efficient way to ensure privacy protection is for it to be included and embedded in the early stages of any project or new product or service, and for this to continue throughout its lifecycle. The ICO recommends that privacy and data protection be considered when: [xvii]
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
Privacy as part of IG
While it is important to have a strong privacy framework, it needs to be supported by robust information management and governance throughout the organisation. The NSW Privacy Commissioner states, ‘[p]rivacy is easiest when it is the organisation’s standard mode of operation and monitoring is mainstreamed through existing governance mechanisms such as the Board, Executive of Senior Management meetings. Monitoring and review can be achieved through existing mechanisms such as the Audit and Risk Committee or Customer or other Advisory Committees.’[xviii]
The Information Governance Initiative describes IG as a co-ordinating list of information activities, including information security, compliance, data governance, risk management and privacy.[xix] IG is defined as: ‘the activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs’.[xx]
The Information Governance Reference Model (IGRM) provides a framework for defining a unified governance approach to information, including privacy.[xxi] It shows that information is a cross-functional challenge, requiring collaboration between the various stakeholders within an organisation (i.e., privacy, information technology, legal, records management and business units), and highlights the intersection and dependence across these stakeholders.
Benefits of IG
The benefits of a holistic approach to IG, including privacy governance, are:
- senior-executive-level engagement and decision-making on important strategic opportunities and risk mitigation issues concerning organisational information, including privacy considerations;
- improved management of data, with more efficient retrievability of data retained;
- defensible destruction of redundant, outdated and trivial data/information, with an audit trail that can be relied upon in litigation. In the privacy context, it means old or outdated customer records are disposed of and are no longer held by an organisation;
- improved selection and return on investment on new technology, appropriate to the organisation’s legal, compliance and business needs. This means technology investment is a strategic priority, with appropriate budgets and investment plans leading to long-term cost efficiencies. This contrasts with a reactive, unplanned and expensive stop-gap response to a data and privacy breach crisis, with the consequent legal and IT costs of responding to the breach, as well as the increased costs of ongoing compliance that may be imposed by a regulator;
- comprehensive and aligned policies, processes, people and response plans. This includes comprehensive ICT security and privacy breach response plans, as well as awareness training of policies and processes, and training to deal with a cyber attack and privacy and data breaches; and
- reduced costs and increased efficiencies arising from the implementation of an aligned strategy and policies, in contrast to the inefficiencies of the traditional fragmented siloed approach. A good example in the privacy context is including ‘privacy by design’ principles at the outset of projects, new processes, new products or services, or when using data for new purposes.
Conclusion
Having a strong privacy and information governance framework properly embedded in an organisation should prevent and minimise privacy and data breaches. To have robust governance, consider:
- reviewing current privacy and information governance frameworks and assessing whether they are aligned to achieving organisational objectives and meeting best practice standards in information management, including data and privacy protection;
- reviewing and updating privacy policies and processes;
- embedding ‘privacy by design’ for projects, processes, new products and services;
- embedding privacy and data protection when developing new IT systems for storing or accessing personal information;
- developing or reviewing privacy and data breach incident response plans to ensure they are current, including notification processes to regulators, as set out in guidance such as the OAIC Data Breach Notification Guide; and
- training of relevant personnel to enable the organisation to respond adequately in the event of a privacy or data breach – this will include IT, communications, privacy and legal personnel.
If you would like assistance reviewing your current privacy and information governance ecosystem, please contact Susan Bennett, Principal, on +61 2 8226 8682 or email susan.bennett@sibenco.com.
This article is for reference purposes only and does not constitute legal advice.
[i] Data Breach Reports, Identify Theft Resource Center, 31 December 2014.
[ii] Telstra’s Cyber Security Report, December 2014, p30.
[iii] ‘US investigators suspect North Korea hired hackers for Sony hack’, The Age, 31 December 2014.
[iv] Weiss, Miller, ‘The Target and Other Financial Data Breaches: Frequently Asked Questions’, Congressional Research Service Report, 4 February 2015, p6.
[v] Weiss, Miller, ‘The Target and Other Financial Data Breaches: Frequently Asked Questions’, Congressional Research Service Report, 4 February 2015, p6.
[vi] Tabuchi, ‘$10 million Settlement in Target Data Breach Gets Preliminary Approval’, The New York Times, 19 March 2015.
[vii] ‘Target Announces Settlement Agreement with MasterCard; Estimated Costs Already Reflected in Previously Reported Results’, media release, 15 April 2015.
[viii] Weiss, Miller, ‘The Target and Other Financial Data Breaches: Frequently Asked Questions’, Congressional Research Service Report, 4 February 2015, p7.
[ix] ‘AT&T to Pay $25 Million to Settle Consumer Privacy Investigation’, Federal Communications Commission media release, 8 April 2015.
[x] Information Commissioner’s Office Annual Report and Financial Statements 2014/14, p24.
[xi] Article 79 of Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), unofficial consolidated version GDPR, Rapporteur Jan Albrecht, October 2013.
[xii] Office of the Australian Information Privacy Commission media release, 27 March 2015.
[xiii] Singtel Optus: enforceable undertaking, Office of the Australian Information Privacy Commission, Enforceable Undertakings www.oaic.gov.au
[xiv] Privacy Governance Framework Resources, www.ipc.nsw.gov.au
[xv] Dr Ann Cavoukaian, ‘Privacy by Design, The 7 Foundational Principles’, revised January 2011 www.privacybydesign.ca
[xvi] Information Commissioner’s Office, Guide to Data Protection, www.ico.org.uk
[xvii] Information Commissioner’s Office, Guide to Data Protection, www.ico.org.uk
[xviii] Dr Elizabeth Coombs, NSW Privacy Commissioner, ‘Why Privacy Governance?’, Privacy Governance Framework Resources, www.ipc.nsw.gov.au
[xix] Information Governance Initiative Annual Report 2014, p13.
[xx] Information Governance Initiative Annual Report 2014.
[xxi] Information Governance Reference Model (IGRM) Guide, E.D.R.M, www.edrm.net
Effective leadership of information governance (IG) is key to ensuring that appropriate strategies, priorities, policies and processes are successfully embedded in an organisation, both to maximise the opportunities and minimise the risks arising from the information it holds.
A robust IG framework enables organisations to manage proactively the exponentially growing data and information they have. IG’s main drivers are:
- the value to the organisation derived from the data held within the organisation, which leads to improved performance and profitability – e.g., using data analytics to mine ‘big data’, to create new or improved products or services; and
- minimising potential risks, which may otherwise lead to significant legal issues, business interruption, loss of productivity, costs and reputational damage – e.g., cyber security attacks and privacy breaches.
What is IG?
IG is defined as:
The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs. [i]
This definition recognises that IG is about delivering value to the business’s bottom line, as well as minimising risk and costs. Organisations are now continually facing both threats and opportunities from the ever-increasing growth of digital data (‘big data’) and digital disruption (e.g., online shopping, online education). This is causing organisations to find new ways to compete in the marketplace and to develop new business opportunities to drive profits; conversely, the exponential growth in data being held poses increased risks and costs to organisations.
The challenge is how to implement an effective IG framework, which will deliver both value and minimise risk, when information management activities are carried out by different business areas within an organisation and with different ‘owners’ within each of those areas.
Who is responsible?
Typically, an organisation’s data and information is managed by various ‘owners’ – e.g.:
- compliance – risk and compliance director or chief risk officer;
- eDiscovery/document production – eDiscovery counsel or general counsel;
- information communication and technology security – chief information security officer, chief technology officer or chief information officer;
- legal – general counsel;
- privacy – chief privacy officer or general counsel; and
- records and information management – records and information manager.
The table below illustrates the broad range of the different types of technologies used in information management activities, and highlights the different areas and senior managers typically responsible for information management across an organisation.
| Technologies | Area(s) responsible | Position(s) responsible |
| --- | --- | --- |
| Data storage and archiving | Information technology | Chief technology officer (CTO) or information technology leader |
| Data mining (for marketing – e.g., improved customer service, development of new products) | | |
| Data mining (to improve business processes – e.g., reduce logistic costs) | Business units | Senior managers |
| eDiscovery | Legal | Discovery counsel/litigation counsel |
| Information, communications, technology security | Information technology | Chief information security officer (CISO), chief information officer (CIO) or chief technology officer (CTO) |
| Records and information management | Records | Records and information manager (RIM) |
| Risk and compliance | Risk and compliance or legal | Senior manager/GC |
Where do the risks and costs arise?
The vast amounts of data held pose increased risks and costs to organisations, arising from:
- legal and compliance, particularly in relation to privacy obligations, with the growing focus on privacy arising from high-profile cyber security attacks and thefts of customer records;
- the information, communication and technology (ICT) systems required to prevent privacy and ICT security breaches;
- the cost of production of documents in litigation and regulatory investigations; and
- record and information management (RIM) complying with legal and business requirements, where data is increasing exponentially, and retention policies may not be keeping pace with business operations and legal requirements.
Governance for information complexity
Boards and senior management are responsible for ensuring that appropriate governance frameworks, policies and processes for information management activities are in place and being adhered to, in order to manage risk appropriately. However, with the exponential growth of data, and changes to the way businesses operate caused by digital disruption, not only is it a challenge for governance to keep pace with new developments, it can be a challenge for boards and senior management to fully understand the opportunities and risks arising from all the information management activities throughout an organisation.
Organisations are increasingly concerned with preventing security breaches of enterprise systems, and are aware of the penalties for failing to comply with regulatory requirements such as customer privacy, as well as the potential for significant reputational damage to their brand.
Cyber breaches
There is general awareness of the increase in cyber security attacks on organisations and the significant risks that this poses for them. It is regularly reported that cyber attacks and theft of data are increasing. Telstra’s Cyber Security Report[ii] states ‘nearly a quarter of all the organisations we surveyed had suffered some kind of business interruption due to an IT security breach during the last 12 months. When that time frame was stretched to five years the figure climbed to nearly 60%. Furthermore, 41% of organisations reported that they had detected a major security breach in the last three years. … The majority of Australian organisations we surveyed reported that they detected some sort of attempt to breach their IT security on a weekly or monthly basis. … 38% of organisations reported that their most recent attack was due to cyber-crime, with viruses accounting for 31%, suggesting malicious hackers are becoming more active.’
High-profile cyber security attack incidents include:
- Sony Pictures cyber attack in late 2014, in which vast amounts of data were stolen, including personal information of employees such as salaries, social security numbers, birth dates and medical records; emails; contracts; and copies of unreleased films; and in which hard drives were reportedly wiped, leading to the shutdown of Sony’s computer systems for more than a week.[iii] The attack was condemned by the US, Australian and other governments;
- eBay – the theft of 145 million eBay user accounts;
- Adobe – the theft of 153 million customer records from Adobe; and
- Target – the malware attack that compromised 70 million Target customer accounts and 40 million credit cards at its point of sale systems.
In light of the significant risks posed to organisations, it is essential that IG include the information technology architecture and system risks to ensure that:
- risks of breaches of organisations’ information technology systems (i.e., cyber security attacks) are minimised;
- appropriate cyber incident and response plans are in place; and
- the relevant personnel are trained, and able, to respond adequately in the event of cyber breach – this will include IT, privacy and legal personnel.
Privacy breaches
Privacy breaches may occur as a result of a cyber attack in which personal information is stolen, as in the above examples, or from breaches within an organisation, exposing it to regulatory and legal issues and costs. Organisations need to have in place effective policies and processes for the management of data breaches, including making notifications where required by regulatory bodies such as the Office of the Australian Information Commissioner (OAIC).
The Australian Privacy Principles (APP) regulate the handling of personal information for government agencies, and businesses with a turnover of more than $3 million (as well as some smaller businesses, such as health care providers). The APPs cover the collection, use, disclosure and storage of personal information.[iv] The powers of the OAIC include: conducting assessments of privacy compliance; accepting enforceable undertakings; and seeking civil penalties, in the case of serious or repeated breaches of privacy, of up to $1.7 million.
The first enforceable undertaking under the new privacy laws that came into effect in Australia in March 2014 was entered into by Optus in March 2015, following a lengthy investigation by the OAIC. The OAIC was concerned that Optus did not have reasonable steps in place, as required by APP 11, to safeguard the personal information held in its systems at the time three significant incidents occurred. One of the incidents arose from a change made to Optus’s website, resulting in the names, addresses and mobile numbers of about 122,000 Optus customers who had elected not to have their details listed in a telephone directory being published in the White Pages. The Privacy Commissioner referred to the positive way in which Optus worked with the OAIC to address the incidents, and considered ‘the enforceable undertaking was an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act’.[v]
Data analytics for marketing and product development
Another way in which organisations need to be mindful of and embed privacy is through the growing use of data analytics for mining of ‘big data’.
Organisations now have a strategic focus on the use of digital technology as a tool to better service customers to meet market competition and improve profitability. They may use data analytics to improve business performance: e.g., analysing data to improve logistics, or to improve or create new products or services. The importance of this focus is reflected in new roles such as chief data officer, chief digital officer and digital marketing manager.
However, if data analytics are carried out without regard to the privacy obligations attaching to the information the organisation holds (in relation to its customers, students, patients, etc), there is a serious risk of privacy breaches and, potentially, reputational issues for the organisation. An effective IG framework will enable and embed effective cross-functional information management processes and people, to ensure that value can be maximised while risks are minimised – e.g., by ensuring that a new product team includes a privacy expert at a very early stage of new product development, to make sure that privacy obligations are factored in and future privacy breaches minimised. This is in contrast to a situation where products are developed without privacy considerations being taken into account (either partially or fully at the time of development), so that privacy compliance and risks are managed through retrospective fixes at significantly increased cost.
The benefits of an IG framework
A sound IG framework is the critical foundation that enables organisations to govern and manage properly the information they hold. The benefits of a holistic approach to IG are:
- senior-executive-level engagement and decision making on important strategic opportunities and risk mitigation issues concerning organisational information;
- increasing revenue and profits through the use of data analytics to develop or improve products or services, or through developing strategies to improve efficiencies and reduce costs;
- improved management of data, with more efficient retrieval of retained data;
- defensible destruction of redundant, outdated and trivial data/information, with an audit trail that can be relied upon in litigation;
- improved selection and return on investment (ROI) on new technology, appropriate to the organisation’s legal, compliance and business needs;
- comprehensive and aligned policies, processes and response plans – including comprehensive ICT security and privacy frameworks and breach response plans; and
- reduced costs and increased efficiencies arising from the implementation of an aligned strategy and policies, in contrast to the inefficiencies of the traditional fragmented siloed approach.
IG framework and leadership
The key to addressing and managing information/data throughout an organisation is to take a holistic approach driven from the board and the C-level down.
In order for an IG framework to be successfully implemented and embedded in an organisation, there needs to be strong leadership and championing of IG from those in the key areas currently responsible for information activities.
In developing or reviewing a current IG framework, careful consideration needs to be given to the organisation’s strategy and current situation, balanced against technology security priorities and legal and compliance obligations.
Board
To optimise the board’s performance, it is essential that directors have a mix of skills and expertise. This includes one or more directors with skills in the following areas: cybersecurity architecture and systems; the relevant skills to contribute to the organisation’s current and future strategy regarding digital disruption threats and opportunities; and legal and compliance expertise regarding information activities throughout the organisation, including privacy and record and information management.
Executive leadership
While it is important that boards and senior executives have a broad understanding, and be champions, of a robust IG framework, equally important is who will be responsible day to day for driving and implementing IG. This will vary between organisations, and is likely to depend on its strategic priorities, size, resources, and the current position of information management within it.
Examples of IG leadership are:
- Steering committee – a committee made up of the relevant C-level executives responsible for different areas of information management – e.g., chief operating officer (COO), GC, CIO/CISO/CTO, CMO/CDO, CPO, RIM. A chair would be appointed to lead monthly meetings, and the committee would be responsible for setting overall strategic priorities, deciding on pilot projects, reviews of implementation, etc.
- Current C-level executive – an IG leader who is a current C-level executive, such as a CIO or GC with the appropriate leadership skills and some cross-functional expertise to enable them to lead IG effectively. Examples are a CIO with significant experience in preventing and responding to cyber attacks and cyber security breaches, in responding to regulatory and litigation production of electronic documents and data, and in data analytic technologies for areas such as marketing; or a GC with extensive experience in the strategy and implementation of new technology systems and in responses to major crises or incidents such as cyber attacks and cyber security breaches. Whether an existing C-level executive is able to adequately lead IG will depend upon how their other responsibilities are managed (e.g., by delegating more) and the organisation’s strategic priorities, size, structure and resources.
- Designated new C-level position – a new C-level role as the chief information governance officer, as proposed by the Information Governance Initiative (IGI), a US IG think-tank. The IGI describes the CIGO’s role as ‘to balance the stakeholder interests from each facet of IG and develop the right operational model for the organization.’[vi] In building the case for a CIGO, the report explains that ‘Chief Information Officers at most organizations are in fact only responsible for technology infrastructure, and not the information itself. Responsibility for the information is the raison d’être of the CIGO.’ [vii]
Leadership skills for effective IG governance
Whether the leader is an IG steering committee, a designated C-level executive within their current existing role or a CIGO, the task is to successfully align IG systems, processes and people to meet the organisation’s overall strategic business objectives. For a robust and effective IG regime, the following is required:
- Strategic – IG leaders need to be strategic thinkers, to implement an IG framework that will effectively respond to the increasing complexity of business and the interaction of technology and risk management. The chair of the committee or designated executive should be able to provide wise counsel (to a CEO or board committee or board) on business opportunities, information technology architecture and system risks, and the risks impacting information management activities within the organisation.
- Alignment – IG leaders need to align the IG framework to meet the organisation’s strategic objectives. With rapid changes in technology requiring rapid changes to business processes in order to compete in the market, IG leaders will need to promptly review and adapt policies and processes, and ensure there is appropriate employee training and awareness, so that strategic business objectives are met and risks continue to be minimised.
- Influence – the steering committee or designated executive should be an effective influencer in all directions – up (e.g., to CEO and board), across (to other C-level executives, e.g., COO, CFO) and down the organisation (e.g., to marketing, business units) – so that stakeholders understand the reason for decisions, and support and implement IG priorities, systems, policies and processes.
- Innovation – the steering committee or designated executive will need to recognise, assess, and support, where appropriate, innovative opportunities that create value for the organisation, as well as managing risk. This may include new models or policies for IG that better facilitate the achievement of business objectives while managing organisational risk. It is likely to include shifts from traditional structured policies and processes to better manage risk – e.g., increased and different ways of engaging and training employees on appropriate use of social media, mobile devices (including BYOD), to reduce risk more effectively than outdated policies, draft policies or policies that are not yet universally agreed upon.
- Collaboration – the steering committee or designated executive is likely to embed a robust IG framework where people work collaboratively within teams and cross-functionally through the organisation on information management activities. This will happen where consensus is built, with the relevant stakeholders all working towards the same overall business objectives. Where rapid technological or business changes require a steering committee or designated C-level executive to get IG changes implemented quickly, it will require prompt buy-in and active support of the changes and the implementation actions required. This is more likely to be achieved and sustained in the long term when a culture of co-operation exists and there is an understanding of the need to align IG with business objectives to enable those objectives to be achieved.
- Change management – arguably, the most important skill a steering committee or designated executive will need for effective IG is effective change management. This is particularly the case where new business strategies are set that involve implementation of new technologies and/or new ways of doing business that impact information management activities and IG. For example, setting a digital strategy may involve a significant transformation in the way business is done – this is likely to require a number of leaders with strong change management skills to drive and implement the necessary changes.
INFORMATION GOVERNANCE CHECKLIST (checklist table not captured in this extract)
This article was first published in the May 2015 issue of Governance Directions, the official journal of Governance Institute of Australia.
[i] Information Governance Initiative Annual Report 2014.
[ii] Telstra’s Cyber Security Report, December 2014, p30.
[iii] ‘US investigators suspect North Korea hired hackers for Sony hack’, The Age, 31 December 2014.
[iv] The 13 Principles are contained within Schedule 1 of the Privacy Act 1988 (Cth).
[v] Office of the Australian Information Privacy Commission media release, 27 March 2015.
[vi] Information Governance Initiative, Annual Report 2014, p28.
[vii] Information Governance Initiative, Annual Report 2014, p28.
Organisations globally are struggling to manage both the opportunities and risks posed by the explosion of data they hold, which is increasing at an exponential rate each year. Strong information governance is an effective way to maximise the opportunities arising from data mining and extract value from the data held. As well, effective implementation of clear policies and processes to minimise the risks arising from information held will result in cost efficiencies.
Where do the risks and costs arise?
The vast amounts of data held pose increased risks and costs to organisations, arising from:
- legal and compliance, particularly in relation to privacy obligations, with the growing focus on privacy arising from high-profile cyberattacks and thefts of customer records;
- the information, communication and technology (ICT) systems required to prevent privacy and ICT security breaches;
- the cost of production of documents in litigation and regulatory investigations; and
- record and information management (RIM) complying with legal and business requirements, where data is increasing exponentially, and retention policies may not be keeping pace with business operations and legal requirements.
Who is responsible?
Typically, an organisation’s data and information is managed by various ‘owners’ – for example:
- compliance – risk and compliance director or chief risk officer;
- eDiscovery/document production – eDiscovery counsel or general counsel;
- ICT security – chief technology officer or chief information officer;
- legal – general counsel;
- privacy – chief privacy officer or general counsel; and
- records and information management (RIM) – RIM manager.
What is information governance?
Information governance (IG) is defined as:
The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs. [i]
IG – a critical foundation for effective governance
The key to addressing and managing information/data throughout the organisation is to take a holistic approach that is driven from the board/CEO/C-suite level down.
A sound IG framework is the critical foundation that then enables organisations properly to govern and manage the information held. The benefits of a holistic approach to IG are:
- senior-executive-level engagement and decision-making on important strategic opportunities and risk mitigation issues concerning organisational information;
- improved management of data with more efficient retrievability of data retained;
- defensible destruction of redundant, outdated and trivial data/information with an audit trail that can be relied upon in litigation;
- improved selection and return on investment (ROI) on new technology, appropriate to the organisation’s legal, compliance and business needs;
- comprehensive and aligned policies, processes and response plans – including comprehensive ICT security and privacy breach response plans; and
- reduced costs and increased efficiencies arising from the implementation of an aligned strategy and policies, in contrast to the inefficiencies of the traditional fragmented siloed approach.
Technology – tool and solution?
Technology caused the proliferation of data, and technology also provides rapidly evolving tools for managing the exponentially growing volume. However, technology is only part of the solution: IG strategy, policies, processes, people and technology all need to be aligned to deliver on the objective of maximising the value of information while minimising risks and costs.
There is a rapidly growing market for IG technology solutions covering the wide spectrum of information management needs, with many options for managing ICT security, eDiscovery, records and information management (RIM) and compliance. Types of technology that are dramatically changing how information is managed within organisations include:
- Auto-classification technology, which automatically identifies, classifies, retrieves, archives and disposes of information based on an organisation’s classification rules. It enables defensible disposal of data and should improve adherence to IG policies; disposal is only defensible, however, if the rule applied and each disposal decision are recorded in an audit trail that can be relied upon later.
- Analytic technology, which identifies relevant data and patterns in large data sets. Analytics can be applied across several of the traditionally siloed areas within an organisation: analytics and relevance ranking are used extensively in discovery for litigation, with substantial cost and time savings; analytics is used in traditional RIM; and it is increasingly used to understand customers better, so as to tailor existing products or develop new ones with the ultimate aim of increasing profits.
- eDiscovery technology is increasingly being brought in-house by major organisations, as a way to increase efficiency and reduce costs by:
- pre-litigation review of information, early case assessment and managing responses to regulatory investigations in-house; and
- maintaining control over the data, preserving confidentiality and ensuring sensitive data is not removed from the organisation’s network.
Technologies such as those outlined above should be selected and implemented within the context of the overarching IG strategy, policies and priorities.
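The following is an added illustration, not code from the original article or from any product it describes, of the two mechanics the auto-classification bullet relies on: rule-driven classification with a retention period per class, and a disposal decision recorded in a tamper-evident audit trail. The classification rules, retention periods, sample records and the litigation-hold flag are all constructed for the example; a real deployment would take them from the organisation’s retention schedule.

```python
import hashlib
import json
import re
from datetime import date

# Constructed classification rules (hypothetical): the first rule whose pattern
# matches assigns the record class and its retention period in years.
RULES = [
    ("medical",   r"\b(patient|diagnosis|prescription)\b", 15),
    ("financial", r"\b(invoice|payable|remittance)\b", 7),
    ("personal",  r"[\w.+-]+@[\w-]+\.[\w.]+", 5),   # contains an e-mail address
]
DEFAULT_CLASS, DEFAULT_YEARS = "transitory", 1     # anything no rule matches

# Constructed sample records; "legal_hold" marks a record under litigation hold.
RECORDS = [
    {"id": "R1", "created": date(2015, 3, 1), "text": "Invoice 1043 payable within 30 days"},
    {"id": "R2", "created": date(2010, 6, 1), "text": "Patient summary and diagnosis notes"},
    {"id": "R3", "created": date(2021, 5, 1), "text": "Lunch menu for Friday"},
    {"id": "R4", "created": date(2020, 1, 1), "text": "Contact: jane.doe@example.com"},
    {"id": "R5", "created": date(2012, 1, 1), "text": "Invoice 0007 remittance advice",
     "legal_hold": True},
]
AS_OF = date(2023, 1, 1)   # the date on which the disposal run is evaluated


def classify(text):
    """Return (record_class, retention_years, rule) for one record's text."""
    for name, pattern, years in RULES:
        if re.search(pattern, text, re.IGNORECASE):
            return name, years, pattern
    return DEFAULT_CLASS, DEFAULT_YEARS, "default"


def retention_expired(created, years, as_of):
    """True once the retention period counted from the creation date has run out."""
    try:
        expiry = created.replace(year=created.year + years)
    except ValueError:                      # created on 29 February
        expiry = created.replace(year=created.year + years, day=28)
    return as_of >= expiry


def disposal_decisions(records, as_of):
    """Decide dispose/retain for every record and state the reason for each."""
    decisions = []
    for rec in records:
        cls, years, rule = classify(rec["text"])
        if rec.get("legal_hold"):           # a hold always overrides retention expiry
            action, reason = "retain", "legal hold"
        elif retention_expired(rec["created"], years, as_of):
            action, reason = "dispose", f"retention of {years}y expired"
        else:
            action, reason = "retain", f"within {years}y retention"
        decisions.append({"id": rec["id"], "class": cls, "rule": rule,
                          "action": action, "reason": reason})
    return decisions


def build_audit_trail(decisions, as_of):
    """Hash-chained audit log: each entry commits to the previous entry's hash,
    so a later edit or deletion of any entry breaks the chain."""
    trail, prev = [], "0" * 64
    for d in decisions:
        entry = dict(d, as_of=as_of.isoformat(), prev_hash=prev)
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        trail.append(entry)
        prev = entry["hash"]
    return trail


def verify_audit_trail(trail):
    """Recompute every hash and check the chain links; False if anything was altered."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev_hash"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    decisions = disposal_decisions(RECORDS, AS_OF)
    trail = build_audit_trail(decisions, AS_OF)
    for e in trail:
        print(f'{e["id"]}: {e["class"]:<10} {e["action"]:<8} ({e["reason"]})')
    print("trail intact:", verify_audit_trail(trail))
    trail[0]["action"] = "retain"           # simulate after-the-fact tampering
    print("after tampering:", verify_audit_trail(trail))
```

Two design points matter for defensibility: the litigation hold is checked before retention expiry, so a held record is never disposed of however old it is, and every decision (including the retain decisions) is chained, so the log shows not just what was destroyed but what was considered and why. The chain only detects tampering; protecting the log itself (write-once storage, separate custody) is a policy and infrastructure question outside this example.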
Technology and privacy
One of the greatest challenges and risks facing organisations is dealing with privacy issues concerning data containing personally identifiable information, medical records and other sensitive details. Some organisations are proactively addressing privacy by embedding:
- privacy controls and mechanisms in ICT systems before they are implemented within an organisation – i.e., ensuring there is compliance with core organisational values and privacy obligations prior to implementation, which, in the longer term, is more cost efficient; and
- privacy lawyers in new product development teams, so that products not only meet legal obligations but are designed to meet the growing concerns about privacy and enable customers/users more control over the use of their information – e.g., with online social media products, allowing users to determine the level of privacy, which they may vary from time to time.
IG – is your organisation achieving best practice?
Whether information management achieves best practice, so that risks are minimised and the opportunities and value of information are maximised, comes down to four factors. Ask yourself:
- Are your leaders embedding IG as a foundation of good corporate governance?
- Do you have a clear and comprehensive IG framework with current policies and processes in place?
- Are those responsible for information management able to work collaboratively across functions to ensure that IG strategic objectives are met and achieve best practice with resulting efficiencies?
- Is data being used effectively for multiple business-value-creating purposes?
If the answer to any of these questions is ‘no’, there is probably an opportunity for greater alignment of the IG framework, policies, processes and people.
If you would like assistance reviewing your current IG ecosystem, please contact Susan Bennett, Principal, on +61 2 8226 8682 or email susan.bennett@sibenco.com.
This article is for reference purposes only and does not constitute legal advice.
i Information Governance Initiative Annual Report 2014.