The Sedona Conference is a widely known institute that is focused on the study of law and policy in many areas including Information Governance (IG). The Sedona Conference Commentary on Information Governance provides 11 IG principles that allow organizations to make decisions on how they handle their information.
This article is the first in a series of articles centered on the 11 IG principles. We outline here the first three principles and the corresponding questions an organization can ask to assess their IG posture, and then identify privacy management activities that an organization can implement to align themselves with these principles.
The First Three Principles
Principle 1: Organizations may consider implementing an Information Governance program to make coordinated, proactive decisions about information for the benefit of the overall organization that addresses information-related requirements and manages risks while optimizing value.
- An organization’s senior leadership should be in full support of an IG program in order to find success.
- An IG program should include the ability to classify data (Public, Internal, Confidential, Highly Confidential, etc.) and should also include a records retention schedule.
- An IG program should include an information risk assessment that measures information security and ensures risks are understood throughout the organization so proper controls are in place.
Principle 2: An Information Governance program should maintain sufficient independence from any particular department or division to ensure that decisions are made for the benefit of the overall organization.
- An IG program should have equal input from departments such as IT, Legal, Compliance, RIM (Records and Information Management), and other business units.
- An IG program can include a committee of people that represent impacted stakeholders. This committee can solve disagreements as well as elevate issues up to the suite level.
Principle 3: All stakeholders’ views/needs should be represented in an organization’s Information Governance program.
- As mentioned from the second principle, An IG program should have equal input from an organization’s departments and business units.
- If an organization is too big, then equal input from all departments and business units may seem unfeasible and may even cause disagreements. To solve this issue, organizations can identify groups that share a common interest or goals and appoint committee members that act as a proxy for this larger group.
Assessing an Organization’s IG Program Based on the First Three Principles
Organizations could consider the following questions to properly assess their current privacy posture relative to the first three principles provided by The Sedona Conference:
- Has an information risk assessment been performed?
- Has data classification been defined?
- Does the organization maintain a data map/inventory?
- Does the IT department maintain an application inventory?
- How does the organization manage the deletion of data when such data is held past its legal and operational life?
- Does the organization maintain IG procedures, and have such procedures been implemented?
- What is the highest level of dedicated IG ownership within the organization?
- Is there a dedicated IG executive council or is IG addressed by an executive council with a broader agenda?
- Have IG roles and responsibilities been defined?
- Are there lines of business IG resources? If yes, are they part-time or full-time?
- Are there IT IG resources? If yes, are they part-time or full-time?
- Are there IG program resources? If yes, are they part-time or full-time?
- What is the level of RIM involvement in IG?
- What is the level of data privacy involvement in IG?
- What is the level of information security involvement in IG?
- What is the level of data governance involvement in IG?
- What is the level of legal involvement in IG?
Privacy Management Activities to Align with Principles 1-3
After assessing an organization’s governance maturity level based on these principles, organizations may consider implementing privacy management activities like those outlined below in order to align and remediate gaps towards privacy maturity.
- Create a data inventory or data mapping of personal information
- Implement privacy impact assessments into system, process, product life cycles
- Develop an Incident Response Plan
- Work internally to identify access roles for employees based on their department and their job function
- Document roles and responsibilities for privacy governance including organizational charts, job descriptions, etc.
- Implement roles-based data privacy training, particularly for individuals responsible for managing or handling personal information.
The privacy management activities within these first three principles are critical for organizations to ensure they effectively manage information with sufficient granularity to identify and mitigate privacy risks. An organization should consider assessing and implementing these principles as it progresses toward a higher level of information governance.