Many articles focused on information governance (IG) discuss the framework in terms of data collections, legal holds, and other eDiscovery-related tasks. By limiting IG to a specific eDiscovery focus, however, these commentaries lose the full strategic scope of what information governance really entails. In actuality, every IT process that touches electronically stored information (ESI) falls under the domain of a comprehensive information governance program. Diverse fields such as security, usage policy, privacy controls, compliance audits, regulatory reporting, and data analytics are all part of information governance.
There is no doubt that an effective eDiscovery policy plays a big part in the corporate IG picture. There is a strong impression that eDiscovery is, as noted by the Sedona Conference, “the tail that wags the Information Governance dog.” eDiscovery matters are often urgent and reactive. They tend to be the most visible and, for many companies, the most impactful in terms of potential for risk and disruptive burden. Additionally, these requests, along with the policies to facilitate them, influence areas far outside the direct search and collection mandates.
Gartner describes information governance as “an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.” It is made up of the “…processes, roles and policies, standards and metrics that ensure the effective and efficient use of information…” When established, a well-thought-out IG strategy influences an entire organization, helping to achieve its goals, fulfil its obligations and reduce inherent dangers. This understanding is corroborated by the definition from the IG Initiative describing IG as “activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”
With these broad designations, it becomes clear that information governance is not just based on narrow eDiscovery requirements; rather, it is a business necessity with many intersecting policies covering a vast array of disciplines. These overlapping areas include the following:
Records Management coordinates the creation, classification, preservation, retrieval and disposition of information assets. It should be a large part of any corporate policy and procedure and underpins many other key deliverables of good IG strategy.
Usage Policy defines what is acceptable and unacceptable for usage of computers, internet, and email. This topic can include personal use of company resources, handling of confidential or proprietary information, suitable language for business communications, use and ownership of company social media accounts, and much more.
Search & Collection is a key component of finding value in ESI: being able to find and retrieve information in both structured and unstructured data. Good records management and classification policies help in this area, and it is a foundation for eDiscovery planning.
Storage Management covers the reliability, scalability, backup, and accessibility of electronic information. It is a critical element in supporting the infrastructure for effective information management/governance.
Policy Enforcement with frequent auditing supports a number of IG tasks, such as defensible deletion and the removal of ROT (redundant, outdated or trivial) information from corporate systems.
Analytics help companies extract value from their information assets, locate key information and understand how their ESI is deployed throughout the organization.
Disaster Recovery is vital to keep a business running during all types of disruptions. It is a crucial component of continuity planning.
Compliance is essential to fulfill legal, governmental, or organizational responsibilities. Reporting, auditing, and response mechanisms are needed to ensure swift adherence to obligations from a variety of requirements. Depending on industry, this could include strictures dealing with data regulated by health care, privacy, personally identifiable information (PII), payment card industry (PCI), or other standards.
Security is essential to protect the information assets of an organization from unwanted or illegal intrusion, theft, or distribution. This ranges from defending websites against hacker attacks and combating malware to ensuring effective password policies and up-to-date anti-virus and spam filters.
All of these areas have an impact on the valuable information assets of an organization. The management of those assets and the establishment of a strong framework to utilize and protect this ESI fall under the same framework and overall policy. Call it what you will: cybersecurity, privacy, storage, enforcement or analytics. A rose by any of these names still needs to be managed under one umbrella – your information governance strategy.