This month the Sedona Conference published its commentary on Information Governance. This is an update of the first edition published in 2014. Here's a quick outline of the contents.
The Sedona Conference emphasizes the importance of buy-in from senior management for a successful information governance program. Siloed approaches to information governance should be avoided where separate departments such as Human Resources; Information Technology; Legal; and Finance each have their own policies for the retention of records. Sedona also warns against siloed approaches to data privacy, electronic discovery and data governance, which allow for the aims of these individual areas to take precedence over the goals of the organization. An information governance program will prove its return on investment (ROI) by optimizing the value of information to an organization; reducing risk (from privacy breaches and by allowing for assessment of the risk from litigation); and minimizing both hard costs (certain costs for storage; backup media; personnel; and e-discovery [reducing the available data]) and soft costs (pursuing economies of scale, and reducing inefficiencies).
The Sedona Conferences has established 11 principles for information governance:
1. Organization Wide Information Governance Program -
- transparency, efficiency, integrity, compliance and accountability.
- comprehensive data classification.
- resolve differences between stakeholders.
2. Independence from any Particular Department
- input from IT, Legal, Compliance, RIM, and the business units.
- balancing of interests.
3. Program Should Represent All Stakeholders Views
- not necessarily control by each department.
- identify groups with common interests.
4. Strategic Objections of Info Gov Program
- identity various types of information
- assess if information is held for third parties.
- assess if its information is held by third parties.
- information lifecycle practices
- determine compliance requirements for ePHI, PHI, and PII.
5. Reasonable Assurance that Objectives will be Achieved
- framework to categorize information types according to business needs.
- use of policies, contracts, retention schedules, Information Governance matrices, procedures and protocols.
- accountability - objectives should be linked to observable and measurable outcomes.
6. Disposal of Information
- information with no business value should be disposed of if no statutory or regulatory obligation to retain.
- perform a hold/preservation analysis.
- hold and release capability incorporated into records disposition process.
7. Reconcile Conflicting Laws and Obligations
- e.g. EU data protection laws and U.S. court discovery orders.
- if compliance with all laws not possible, document efforts to reconcile the conflict.
8. A Court Should Review Efforts to Reconcile Conflicts Under a Standard of Reasonableness
- unfair to judge a party that acts in good faith.
- business judgment rule - made on an informed basis in honest belief that it was in the best interests of the company.
9. Integrity of Long Term Information Assets
- long term digital assets.
- assess likely failure rate of storage medium as configured.
- contractual agreements with cloud storage and SaaS providers.
- continued availability of technologies to access and read.
10. Leverage Power of New Technologies
- machine learning, auto-categorization, and predictive analytics
- limits on email account sizes; automatic deletion of emails.
11. Periodically Update Info Gov Program
- changes in lifecycle practices.
- changes in compliance requirements.
- changes in organization's strategic objectives.
- results from monitoring the program.