What is Information Governance? Why Do I Need It?

The explosive growth of information has been the defining characteristic of our era, the Age of Information. The amount of data, the number of data sources, the uses for data, and the routes that data travel have all been growing at an exponential rate, creating new industries for defining, processing, collecting, accessing, and curating information. In such an environment, everyone recognizes the importance of information Governance, but how to go about this massive task is harder to grasp.

What is Information Governance (IG)? How does it differ from IT Governance, Information Management, or Data Governance? In this article, we will try to shed a little light on Information Governance an emerging area of data management that focuses specifically on business processes and compliance issues.

What is Information Governance?

Information governance is a set requirement of rights and responsibility to allow suitable function of different aspects of information ranging valuation, creation, storage, use, archiving and deletion. To use information effectively, information governance includes purposes, policies, standards, processes that helps organization to achieve its goals.

Here, the requirement of decision rights is the determination of ownership of data, and who makes the decisions about it. By defining the decision-makers and owners, we can now assign responsibility, and therefore accountability, to data decisions probably the most important concept to implement when creating an IG policy. This accountability is so important because as data dependence grows, decisions made by default, usually by choosing the easiest path, and usually in isolation from other data considerations in other areas of the organization. IT departments, concerned with the technology of data, often made business process decisions driven by the needs of technology rather than of the organization. Other accidental decision-makers were people who happened to be in possession of data at a particular point in its cycle; these decisions also usually made independently of other stakeholder needs. And often, although we dont like to admit it, no decisions were made, but vague data policies grew out of the need of a worker or a department to deal with a particular data-related issue.

The next important piece of the definition is to ensure appropriate behavior regarding data in all of its lifecycle states: acquisition, creation, transportation, storage, use, curation, and deletion. Under an IG strategy, data usage is policy-based and not haphazard, which ensures that an organization has policies in place to minimize risks to the organizations data, avoid noncompliance with government regulations, and high costs associated with storing too much unnecessary data or storing it incorrectly so that it is difficult to retrieve and use.

In addition, IG includes processes, roles and policies, standards and metrics. From this, we see that IG has a broad area of oversight, requiring input from all parts of the organization to ensure that all aspects of a companys data policy support the governance model.

The key point here is that Information Governance is about business needs. Policies enacted in the interests of IG are business-driven, and the role of IT is to support those business requirements.

In short, Information governance related to the enhancement of the value of information along with lessening the associated risks and cost, organizations utilize activities and technologies.

Information Governance vs Data Governance

Many similar industry terms exist, causing some confusion around the definition. IT Governance, Information Management, and Data Governance are all similar terms, but the distinctions between them are important to recognize.

IT Governance as opposed to IT Management creates the policies that IT Management meets in its architecture and infrastructure, as well as in its processes and procedures. IT Governance is a part of Information Governance, but is focused on the information technology that supports the business processes.

Information Management is one of the goals of Information Governance IG provides the policies by which an organization manages its information, much as IT Governance sets policies to guide the activities of IT Management. While IT departments own the systems that create and store information, they do not have to understand its context, only its characteristics. Business owners and stakeholders who understand the significance of information must provide the defining requirements of an information system.

The difference between Data Governance and Information Governance, however, seems to be the muddiest of all, but the most useful definition we were able to find comes from Susan White, PhD, CHDA, and Associate Professor at Ohio State University. As a panelist at AHIMAs Health Information Integrity Summit in September 2013, she made this very useful distinction: Data governance is keeping garbage from getting in. Information governance is the decisions we make in using that data.

There is some overlap, as both are concerned with protecting critical information and managing data growth, but IG addresses business needs such as ensuring information can be retrieved in case of investigations, FOIA requests, and other business, productivity, and compliance situations.

John Schmidt provides a useful concept in his Informatica blog – Information = Data + Context. This puts IG squarely in the context of business process. Policies those are not relevant to the context of the data, such as which encryption system to use, or defining a good storage and retrieval system, it is Data Governance. Policies that rely on context for example, appropriate for certain types of data, and even defining those types of data, are Information Governance. However, as the following list tells us, the Data Governance policy must work with and be in support of the Information Governance policy.

Information Governance focuses on such topics as:

• Appropriate data usage: What constitutes appropriate and inappropriate use of data by employees, vendors, and partners?
• Value. Is the data being kept of value either directly to the business or for compliance purposes?
• Data definitions. How do we classify and curate our information to facilitate its use?
• Information lifecycle. What policies are in place for acquiring, storing, retaining, and purging information?
• Access policies. Who can access the data, and under what circumstances?
• Ownership/Stakeholders. Who creates the policies for storage and usage, and are they accountable for their decisions? Who has a non-ownership interest in it?

Data Governance focuses on such topics as:

• Data Management. What data does an organization have, how do they store it, and how do they secure it?
• Validity and verification. How does the organization collect and move data between systems? How are they ensuring the integrity of data once its collected?
• Security. Is the data securing in any state: in transit, at rest, or in use by an application or system?
• Access policies. How data accessed, and how access accounts managed?
• Stakeholders. Who, in addition to the owners, has a stake in overseeing data policies?

Information Governance for Government Agencies

Government agencies have a greater need than most organizations for an IG policy, as there are more regulatory considerations that must be taken into account. For instance, in a government agency, all digital communication, including documents, emails, texts, and social media posts must documented and retained according to the Federal Records Act.

President Obama signed the Presidential Directive on Managing Government Records in November of 2011, which laid out requirements for managing government records. In response, the Office of Management and Budget (OMB) and the National Archives worked together to provide guidance on how to meet the new standards. In essence, agencies need to digitize all records, current and past, by 2019. The best way for agencies to comply with this and other directives and mandates regarding records and information is to institute a sound IG policy.

Information Governance Implementation

Governance policies are large, and implementing them is difficult. The best approach is to take it systematically. Engage stakeholders from relevant departments to identify their information pain points, taking careful note of the areas of highest risk and value. When you know your critical areas, prioritize them and address them one at a time, starting with the biggest issues and working down, rather than trying to address them all at once.

However, in the course of the systematic process, a larger strategy should be developed that can be described explicitly, documented, shared, and trained.

Here, an example-planning chart for an IG policy considers information risk and value side by side in four principle areas:

Key Areas of Information Governance:

The following are key areas that should considered when creating an Information Governance policy:

• Usage Policy. Much security risk can contained by having a well-defined usage policy, specifically detailing who can access what data in what circumstances.
• Records Management. Gartner estimates that it costs $5 million per year to manage one petabyte of information, including storage. Since a large organization could have 10 petabytes of information, it would cost them $50 million per year to maintain that data. Elsewhere, research from the Compliance, Governance, and Oversight Council in 2012 showed that 69% of retained enterprise data has no legal, business, or regulatory value. Calculating this out, it means that over $34 million is spent needlessly, on data that has no value and does not need to be retained.
• Accountability. Most data management evolved as a response to an immediate requirement. Creating a position such as Chief Data Officer or dedicating a department to create standard policies means that someone has the responsibility for data- and information-handling policies across the organization.
• Compliance. Regulations, laws, and business needs including risk assessments govern how long information should keep. After that it should be discarded according to an established lifecycle schedule based on context legal requirements, regulatory requirements, and business requirements.
• Classification scheme / Data modeling. In order to know what data you have, you need to have a classification scheme or data model. Without a roadmap, all data gets treated equally, leading to excess costs and inefficiencies. Worse, it can increase opportunities for malicious attacks. Knowing what you have allows you to establish policies based on data types and classes, and apply security measures intelligently.
• Technology. A complete Information Governance policy also will address IT Governance, and provide policies on which IT specialists can act, such as creating effective storage hierarchies and obtaining appropriately-scaled access schemes.
• Education. As with all company policies, training employees, vendors, and partners in your IG requirements completes the circle and without that training, all the good policy work an organization might do could come to naught.

Benefits of Information Governance:

1. Safer and More Secure Data. An effective IG policy will require the creation of rules, responsibilities, standards, and regulations, which are geared toward keeping data secure.
2. Efficient Access to Data. Accessing usable, meaningful data is most easily done when the data is classified, secure, and current clear policies that support enterprise and organizational goals.
3. Productivity. Productivity is increased when collaboration can be facilitated by intelligent sharing of information.
4. Lifecycle Efficiencies. The better organized the data is, the less repeat work has to be performed, and the more value can be gained from data at every point in the lifecycle.
5. Reduced Costs. As discussed above, having a clear information policy allows an organization to save money by being more discerning in what data is stored in what media for how long.
6. Risk Management. Information policies that classify data allow risk to be scaled to the data type, focusing high security where its appropriate.
7. Improved Customer Service. Customer Service Representatives can get the information they need quickly and efficiently, resulting in better customer experiences.
8. Business Intelligence. Efficient, easy access to historical and trending data allows marketers and developers to make better-informed decisions.
9. Regulatory Compliance. Without well-classified, easily accessed data, gathering information for regulatory requirements can be a nightmare.

There are clear benefits to having an Information Governance policy at work for your organization, and clearly one of the most salient is the fact that by having one, your organization will come to better know its data what information does it really have? And being able to answer this question is one of the first steps in making the best use of that information. Like any other asset your organization possesses, there is a policy for use, and if that policy is one of omission, neither your business nor your IT needs are properly met.