Data Leaks, Security Breaches And Information Governance

Information Governance

When information governance (IG) first came into vogue a few years ago, it was generally considered to be just an updated form of records management (RM), extended to take account of the US legal discovery rules, and to an extent, Freedom of Information (FOI) requests.

If all electronically stored information can be requested prior to a court case or FOI application, not just content that has been specifically declared as a record, then work-in-progress, content on laptops and mobiles, back-ups and in particular, email archives, are all discoverable, and need to be ‘governed’.

However, in the past twelve months, data leaks and security breaches, most especially the Edward Snowden activities, have brought the security and privacy elements of information governance strongly into play. Metadata has become an issue for front-page news, and heads of state discuss individuals’ rights to data privacy and information deletion. Meanwhile, massive data leaks of personal information have damaged corporate reputations and hardened already strong views in some jurisdictions.

Risks & Benefits With IG

AIIM recently explored the current issues around information governance in its report ‘Automating Information Governance – assuring compliance’. In recent years the rules and the risks have changed and we now need to keep all electronically-stored information securely, compliantly and available to the compliance process, whether it’s work-in-progress documents, emails, collaboration tools, or any other repository of content.

We asked our research survey participants to rank the three biggest risks from IG failures. Excess litigation costs or damages (41 per cent) heads the list, followed by loss of intellectual property (IP) or confidential company information (35 per cent) and then loss of customer confidence / bad publicity from data loss (31 per cent) – all of which would be considered major business disasters.

On the positive side, users saw many benefits from good information governance, the most significant of which is to reduce storage and infrastructure costs (55 per cent). Next came exploitation and sharing of knowledge (50 per cent), followed by faster response to events, accidents, press activities, etc. (47 per cent). In the modern era of 24-hour news and social media comment, this can be vitally important in preventing reputational damage.

Of course, the basis of good information governance is a sound and solid information governance policy. It needs to be comprehensive and to cover different types of content, including content-in-motion – on USB sticks, in the cloud, on mobiles, and so on.

Creating such a policy is not easy. The biggest difficulty reported in our survey was getting senior management endorsement, but there is also a problem of getting the right people at the table and freeing up time from their day jobs. There are three main steps to achieve information governance in 2014:

1. Metadata Is Key

As long as the correct metadata is attached to a piece of content, whether it’s an email, an office document, or a scanned inbound letter, it can be managed. We may have to delve a little into the content of a document to tell if it contains sensitive personal information, but having done so, we can add a security classification, and from that we can set an appropriate level of access. In the past we have expected humans to do all this, but given the volume of content coming at them, the likelihood of achieving accurate and, above all, consistent classification is slim.

2. Revitalise Your ECM/RM System

As a result of poor initial planning and policy setting, many ECM and records management system projects reach a point where users have lost faith, and the content within the system is as chaotic as it was before. Many automated classification concepts can be applied as batch agents or filters to existing content, detecting and removing duplicate files, correcting or adding metadata, re-allocating security levels, and deleting content beyond its useful life or its statutory retention period.

3. Automated Classification

Once the data is in a better state, automated classification can be injected into various places in the system – on capture or ingestion of inbound content, as part of the business process, or at the point of archive. Here there may be a choice – let the machine take care of it completely, or use the rules-based intelligence to prompt the operator for appropriate tagging and metadata. 47 per cent of survey respondents felt that automated classification is the only way to keep up with information volumes. I would agree, but people must remember they still need to set the rules for the computer, and to do that they need to have a sound and agreed information governance policy in place.


Doug Miles is head of the AIIM Market Intelligence Division. He has more than 25 years’ experience of working with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document management systems for business and engineering applications and has produced many AIIM survey reports on issues and drivers for Capture, ECM, Records Management, SharePoint, Mobile, Cloud and Social Business. Doug has an MSc in Communications Engineering and is a member of the IET in the UK.