The Sedona Conference is a widely known nonprofit research and educational institute focused on the study of law and policy in many areas, including Information Governance (IG). The Sedona Conference Commentary on Information Governance sets out 11 IG principles that organizations can use to guide decisions about how they handle their information.
This article is the second in a series centered on the 11 IG principles. It covers the next three principles (principles 4-6), the questions an organization can ask to assess its IG posture against them, and the privacy management activities it can implement to align with them. The first article in the series, covering principles 1-3, can be found here.
What are Principles 4-6 of the Sedona Conference’s Information Governance Principles?
Principle 4: The strategic objectives of an organization's IG program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities. An organization should:
- Identify the various types of information it controls and determine if the information is held by the organization, third parties on behalf of the organization, or both.
- Identify its information lifecycle practices, including, but not limited to, the creation and/or receipt of information, the locations (active and inactive) where information is stored, the retention of information in those locations, and the disposal/destruction of information.
- Assess the identified information types and practices for information opportunities, risks, and compliance requirements.
Principle 5: An IG program should be established with the structure, direction, resources, and accountability to provide reasonable assurance that the program's objectives will be achieved. An organization should:
- Create a uniform framework for categorizing its various types of information based on business needs, information-related compliance requirements, and risk controls.
- Communicate the IG requirements to all information consumers.
- Devote the people, technology, and implementation resources necessary to support its IG program and achieve its strategic goals.
- Establish the importance of strategic objectives, expected standards of conduct, and accountability.
Principle 6: The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any IG program. An organization should:
- Dispose of information that no longer provides value if that information is not required for statutory or regulatory compliance, or for legal hold purposes.
- Assess whether private or confidential information should be disposed of within a reasonable time after it ceases to be valuable to the company to reduce the risk of disclosure.
Assessing an Organization’s Information Governance Program Based on Principles 4-6
Organizations can consider the following questions to assess their current privacy posture relative to principles 4-6 of The Sedona Conference's commentary:
- Has a comprehensive assessment of key stakeholders been performed?
- Have program objectives been established?
- Has a compliance crosswalk been established?
- Does the organization conduct an annual review of policies, procedures, retention schedules, data maps, and contractual agreements?
- Does the organization offer IG training?
- Does the organization maintain a records or information retention schedule?
- Does the organization have a defined information architecture?
- Has global compliance metadata been defined?
- Does the organization maintain a data map/inventory?
- Does the IT department maintain an application inventory?
- Does standard contractual language reflect IG requirements?
- Does the organization maintain a Disaster Recovery/Business Continuity program?
- Are there security controls in place for sensitive data?
- How does the organization manage the deletion of data when such data is held past its legal and operational life?
- Does the organization maintain IG procedures, and have such procedures been implemented?
- Does the organization maintain a legal hold process?
- Have IG roles and responsibilities been defined?
- Are there IG resources for each line of business? If yes, are they part-time or full-time?
- Are there IT IG resources? If yes, are they part-time or full-time?
- Are there IG program resources? If yes, are they part-time or full-time?
- What is the level of senior leadership support for IG?
- What is the level of management support for IG?
- How widely are shared drives used across the organization?
- Are IG audits being performed (periodically or randomly)?
Privacy Management Activities to Align with Principles 4-6
After assessing its governance maturity against these principles, an organization can implement privacy management activities such as those outlined below to remediate gaps and move toward privacy maturity.
- Create a data inventory or data mapping of personal information. Review all personal data elements collected to confirm that they are needed for the relevant processing activities and stop collecting and processing data that is not needed.
- Update records or information retention schedules to move beyond "records" in the narrow sense and cover personal information stores more broadly, keeping data minimization and purpose limitation principles in mind.
- Update privacy notices to reflect retention schedules based on applicable regulations.
- Build privacy impact assessments into system, process, and product life cycles.
- Develop an Incident Response Plan.
- Develop a defensible disposition process and procedure.
- Implement a Data Backup and Disaster Recovery Program.
- Perform routine vulnerability scanning and penetration tests on the network and cloud environments.
- Conduct routine testing of resiliency and incident response processes.
- Define access roles for employees based on their department and job function, so that access to personal information is granted by role rather than individually.
- Document roles and responsibilities for privacy governance including organizational charts, job descriptions, etc.
- Implement role-based data privacy training, particularly for individuals responsible for managing or handling personal information.
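The retention schedule and defensible disposition process called for above are policy items, but the core rule they imply can be checked mechanically. As an added example that is not from the original article or from the Sedona Conference commentary, the Python below applies a constructed retention schedule to a constructed record inventory: a legal hold suspends the retention clock, records with no assigned retention class are routed to review rather than being deleted or kept by default, and every disposal produces an audit entry recording the rule applied and the approver. The record classes, retention periods, field names, and as-of date are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample retention schedule (record class -> days to retain after the
# trigger date). The classes and periods are assumptions for this example only,
# not figures from any regulation or from the Sedona Conference commentary.
RETENTION_SCHEDULE = {
    "customer_contact": 3 * 365,   # retain for 3 years after the relationship ends
    "support_ticket": 2 * 365,     # retain for 2 years after the ticket closes
    "marketing_lead": 180,         # retain for 180 days after last contact
}

# Assumed "as of" date for the disposition run.
AS_OF_DATE = date(2024, 6, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    trigger_date: date          # event that starts the retention clock
    contains_personal_data: bool
    legal_hold: bool = False    # a hold overrides the schedule


@dataclass(frozen=True)
class Disposition:
    record_id: str
    action: str                 # "dispose", "retain", "hold" or "review"
    reason: str


def evaluate(record: Record, today: date) -> Disposition:
    """Apply the schedule to one record. A legal hold always wins; a record with
    no retention class is flagged for review rather than silently kept or deleted."""
    if record.legal_hold:
        return Disposition(record.record_id, "hold",
                           "legal hold in place; retention clock is suspended")
    days = RETENTION_SCHEDULE.get(record.record_class)
    if days is None:
        return Disposition(record.record_id, "review",
                           f"no retention class for {record.record_class!r}")
    expiry = record.trigger_date + timedelta(days=days)
    if today < expiry:
        return Disposition(record.record_id, "retain",
                           f"retention runs until {expiry.isoformat()}")
    return Disposition(record.record_id, "dispose",
                       f"retention expired on {expiry.isoformat()}")


def run_disposition(records, today: date):
    return [evaluate(r, today) for r in records]


def disposition_log(records, today: date, approver: str):
    """Audit entries that make a disposal defensible: what was destroyed, under
    which rule, when, and on whose approval. Only 'dispose' outcomes are logged."""
    by_id = {r.record_id: r for r in records}
    return [
        {
            "record_id": d.record_id,
            "record_class": by_id[d.record_id].record_class,
            "personal_data": by_id[d.record_id].contains_personal_data,
            "rule": d.reason,
            "disposed_on": today.isoformat(),
            "approved_by": approver,
        }
        for d in run_disposition(records, today)
        if d.action == "dispose"
    ]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    Record("R1", "marketing_lead", date(2023, 1, 1), True),
    Record("R2", "support_ticket", date(2023, 1, 1), True, legal_hold=True),
    Record("R3", "customer_contact", date(2023, 1, 1), True),
    Record("R4", "legacy_export", date(2019, 1, 1), True),
]

if __name__ == "__main__":
    for d in run_disposition(SAMPLE_RECORDS, AS_OF_DATE):
        print(d.record_id, d.action, d.reason)
    for entry in disposition_log(SAMPLE_RECORDS, AS_OF_DATE, "records.manager"):
        print(entry)
```

The "review" outcome is the part worth keeping in any real implementation: an inventory that has not been fully classified is exactly where stale personal data accumulates, and a script that only knows "retain" and "dispose" will either keep it forever or delete something under hold.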
The privacy management activities associated with these three principles are critical for an organization to manage its information with enough granularity to identify and mitigate privacy risks. An organization should consider assessing itself against, and implementing, these principles as it progresses toward a higher level of IG maturity.