Information governance

{{globalize|article|Western governance|date=July 2024}}

{{Governance}}

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information, whether physically or electronically.{{cite web|url=http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/|title=What is Information Governance? And Why is it So Hard? - Debra Logan|date=11 January 2010}}{{cite journal|last=Lomas|first=Elizabeth|year=2010|title=Information governance: information security and access within a UK context|journal=Records Management Journal|volume=20|issue=2|pages=182-198|doi=10.1108/09565691011064322|url=http://discovery.ucl.ac.uk/1543932/}}{{cite journal|last1=Kooper|first1=M.|last2=Maes|first2=R.|last3=Roos Lindgreen|first3=E.|year=2011|title=On the governance of information: Introducing a new concept of governance to support the management of information|journal=International Journal of Information Management|volume=31|issue=3|pages=195-200}}

Information governance encompasses more than traditional records management. It incorporates information security and protection, compliance, data quality, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance.{{cite web|url=http://iginitiative.com/igi-publishes-2014-annual-report/|title=IGI PUBLISHES 2014 ANNUAL REPORT - Information Governance Initiative|date=11 August 2014|access-date=27 October 2015|archive-date=26 May 2022|archive-url=https://web.archive.org/web/20220526023027/https://iginitiative.com/igi-publishes-2014-annual-report/|url-status=dead}}

History

=Records management=

Records management deals with the creation, retention and storage and disposition of records. A record can either be a physical, tangible object, or digital information such as a database, application data, and e-mail. The lifecycle was historically viewed as the point of creation to the eventual disposal of a record. As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance.{{Cite web |url=http://www.arma.org/pdf/WhatIsRIM.pdf |title=Archived copy |access-date=2011-12-28 |archive-url=https://web.archive.org/web/20091119170245/http://www.arma.org/pdf/whatisrim.pdf |archive-date=2009-11-19 |url-status=dead }}

In 2003 the Department of Health in England introduced the concept of broad-based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit{{cite web|url=https://www.igt.hscic.gov.uk/|title=Home|access-date=2014-06-03|archive-date=2014-06-02|archive-url=https://web.archive.org/web/20140602030843/https://www.igt.hscic.gov.uk/|url-status=dead}} is now used by over 30,000 NHS and partner organisations, supported by an e-learning platform with some 650,000 users. In 2010 Logan and Lomas took up the theme of IG more holistically, publishing on how different disciplines needed to come together to better manage information. Lomas produced teaching in this domain, and Smallwood later provided a key textbook on the subject.

In this professional context, in 2008 ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles", and in 2015 the subsequent "The Principles" Information Governance Maturity Model.{{cite web |title=The Principles |url=https://www.arma.org/page/principles |website=ARMA International |access-date=25 March 2023}} "The Principles" identify the critical hallmarks of information governance. As such, they apply to organizations of all sizes, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

  • CEOs in determining how to protect their organizations in the use of information assets;
  • Legislators in crafting legislation meant to hold organizations accountable; and
  • Records management professionals in designing comprehensive and effective records management programs.

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, relevant data in the form of electronically stored information is searched for by attorneys and placed on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly.

With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records.

A coalition of organizations known as the Electronic Discovery Reference Model (EDRM), founded in 2005 to address issues related to electronic discovery and information governance, subsequently developed, as one of its projects, a resource called the Information Governance Reference Model (IGRM).{{cite web|author=EDRM|url=http://www.edrm.net/what-is-edrm|title=About EDRM|access-date=2015-01-21|archive-date=2015-02-12|archive-url=https://web.archive.org/web/20150212071835/http://www.edrm.net/what-is-edrm|url-status=dead}} In 2011, EDRM, in collaboration with ARMA International, published a white paper, "How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles ('The Principles')".{{cite book|last=White Paper|title=How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles|year=2011|publisher=EDRM and ARMA International|pages=15|url=http://www.edrm.net/wp-content/uploads/downloads/2011/12/White-Paper-EDRM-Information-Governance-Reference-Model-IGRM-and-ARMAs-GARP-Principles-12-7-2011.pdf|editor-last=Ledergerber|editor-first=Marcus}} The IGRM illustrates the relationship between key stakeholders and the information lifecycle and highlights the transparency required to enable effective governance.{{Cite web |url=http://www.edrm.net/download/all_projects/igrm/The-Final..-IGRM_v3.0Update-Whitepaper_Oct_2012.pdf |title=IGRM v3.0 Update: Privacy & Security Officers As Stakeholders |access-date=2013-09-20 |archive-date=2013-09-21 |archive-url=https://web.archive.org/web/20130921053701/http://www.edrm.net/download/all_projects/igrm/The-Final..-IGRM_v3.0Update-Whitepaper_Oct_2012.pdf |url-status=dead }}

In 2012, the Compliance, Governance and Oversight Council (CGOC) developed the Information Governance Process Maturity Model (IGPMM).{{Cite news|url=http://www.corporatecomplianceinsights.com/new-igpmm-essential-in-confronting-data-challenges/|title=New IGPMM Essential in Confronting Data Challenges - Corporate Compliance Insights|date=2017-03-03|work=Corporate Compliance Insights|access-date=2018-07-12|language=en-US}} The model outlines 13 key processes in electronic discovery (e-discovery) and information management. Each process is described in terms of a maturity level from one to four, ranging from completely manual and ad hoc to greater degrees of cross-functional process integration and automation.{{Cite web|url=https://www.edrm.net/frameworks-and-standards/information-governance-reference-model/using-the-igrm-model/|title=Using the IGRM Model|website=www.edrm.net|language=en-US|access-date=2018-07-12}} In 2017, it was updated to include an emphasis on legal, privacy, information security and cloud security issues{{Cite web|url=http://www.hfma.org/Templates/leadership/Content.aspx?Pageid=28003&id=60103|title=Hospitals, Health Plans Should Treat Information as a Prime Asset {{!}} HFMA|website=www.hfma.org|language=en|access-date=2018-07-12|archive-date=2018-07-12|archive-url=https://web.archive.org/web/20180712122159/http://www.hfma.org/Templates/leadership/Content.aspx?Pageid=28003&id=60103|url-status=dead}} and evolving data privacy concerns, including the impact of the EU General Data Protection Regulation (GDPR).

=Organizational structure=

In the past, records managers owned records management, perhaps within a compliance department at an enterprise. In order to address the broader issues surrounding records management, several other key stakeholders must be involved. Legal, IT, and Compliance tend to be the departments that touch information governance the most, though certainly other departments might seek representation. Many enterprises create information governance committees to ensure that all necessary constituents are represented and that all relevant issues are addressed.{{Cite web|url=https://www.law.com/corpcounsel/almID/1202533945005/|title=From the Experts: Information Governance and Its Impact on Litigation|website=Corporate Counsel}}

Chief information governance officer

A chief information governance officer (CIGO) is a senior executive of a business, organization or government entity who oversees the management and coordination of all information on an enterprise-wide scale. Unlike a chief marketing officer or chief technology officer, whose roles focus on narrower areas, the CIGO is in charge of implementing, facilitating, and improving information governance strategies across all facets of an organization. The CIGO helps other executives make decisions based on the values, costs, and risks associated with information.

= Evolution =

In past decades, information governance responsibilities might have fallen under the purview of the chief information officer (CIO). But somewhere along the line, the CIO job description changed to focus solely on the information systems and associated technology that power a company—not the information itself.

In today's age of big data, organizations have more information under their control than ever before.{{Cite news |title=Companies have more data than ever. That's risky. |language=en-US |newspaper=Washington Post |url=https://www.washingtonpost.com/news/the-switch/wp/2015/01/07/companies-have-more-data-than-ever-thats-risky/ |access-date=2022-04-29 |issn=0190-8286|date=2015-01-07|first=Andrea|last=Peterson}} To extract the maximum value from that data while simultaneously protecting an organization from its associated risks, business leaders have turned toward the CIGO because of the role's independence from other departments. CIGOs are tasked with neutrally balancing the needs of all departments with respect to an entire organization's top priorities.{{Cite web |title=Commentary on Information Governance|url=https://thesedonaconference.org/publication/Commentary_on_Information_Governance |access-date=2022-04-29 |website=The Sedona Conference}}

Though the position is an emerging one, support for the CIGO continues to rise as business leaders increasingly understand the implications of information governance (and more importantly, the lack thereof). While many organizations have information governance projects in place, such initiatives are much more likely to succeed with top-down management.{{Cite web|url=http://www.sibenco.com/why-information-governance-needs-top-down-leadership/|title = Why information governance needs top-down leadership|date = May 2015}}

= Responsibilities =

Since the CIGO is a relatively new position, the role's responsibilities are not set in stone and continue to evolve. For the most part, today's CIGOs:

  • Manage all of an organization's information, tapping into as much value from it as possible (e.g., better-targeted marketing) while reducing exposure to its associated risks (e.g., lawsuits)
  • Coordinate information governance efforts across all stakeholders within an organization
  • Prioritize the information-related needs of all departments
  • Advocate for those needs on behalf of relevant stakeholders
  • Collaborate with the various information governance facets to continually improve processes
  • Identify and execute information-related synergies
  • Expunge non-critical data

Tools

To address retention and disposition, Records Management and Enterprise Content Management applications were developed. Sometimes detached search engines or homegrown policy definition tools were created. These were often employed at a departmental or divisional level; rarely were tools used across the enterprise. While these tools were used to define policies, they lacked the ability to enforce those policies. Monitoring for compliance with policies was increasingly challenging. Since information governance addresses so much more than traditional records management, several software solutions have emerged to include the vast array of issues facing records managers.

Other available tools include:

  • ARMA International Information Governance Implementation Model (ARMA International, [http://www.arma.org/igim Information Governance Implementation Model])
  • ARMA Generally Accepted Recordkeeping Principles (ARMA International, [http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles "The Principles"] {{Webarchive|url=https://web.archive.org/web/20130731231253/http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles |date=2013-07-31 }})
  • CGOC Information Governance Process Maturity Model{{Cite news|url=https://www.cgoc.com/resource/information-governance-process-maturity-model/|title=CGOC: Information Governance Process Maturity Model|work=CGOC - Compliance, Governance and Oversight Council|access-date=2017-08-08|language=en-US|archive-date=2017-08-09|archive-url=https://web.archive.org/web/20170809052330/https://www.cgoc.com/resource/information-governance-process-maturity-model/|url-status=dead}}
  • EDRM Information Governance Reference Model (IGRM) (EDRM, [http://www.edrm.net/projects/igrm "Information Governance Reference Model"])
  • NHS Information Governance Toolkit (NHS, [https://www.igt.hscic.gov.uk/ "NHS Information Governance Toolkit"] {{Webarchive|url=https://web.archive.org/web/20140602030843/https://www.igt.hscic.gov.uk/ |date=2014-06-02 }})

Laws and regulations

Key to IG are the regulations and laws that help to define corporate policies. Some of these regulations include:

=United States=

  • The Foreign Account Tax Compliance Act, or FATCA{{Cite web|url=https://www.irs.gov/businesses/corporations/article/0,,id=236667,00.html|title=Foreign Account Tax Compliance Act}}
  • Payment Card Industry Data Security Standard, or PCI Compliance{{Cite web|url=https://www.pcisecuritystandards.org/|title=Official PCI Security Standards Council Site|website=PCI Security Standards Council}}
  • Health Insurance Portability and Accountability Act, or HIPAA{{cite web|url=https://www.hhs.gov/hipaa/|title=Health Information Privacy|date=26 August 2015}}
  • Financial Services Modernization Act of 1999, or Gramm–Leach–Bliley Act (GLBA){{cite web|url=https://www.congress.gov/bill/106th-congress/senate-bill/900|title=S.900 - Gramm-Leach-Bliley Act|date=12 November 1999}}
  • Sarbanes–Oxley Act of 2002, or Sarbox or SOX{{Cite web|url=https://www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry|title=The Laws That Govern the Securities Industry {{!}} Investor.gov|website=www.investor.gov}}
  • Federal Rules of Civil Procedure
  • California Consumer Privacy Act, or CCPA{{Cite web|url=https://www.cgoc.com/blog-how-to-prepare-for-the-ccpa-here-are-the-resources-you-need/|title=How to Prepare for the CCPA – Here Are the Resources You Need|date=2019-10-01|website=CGOC|access-date=2019-11-21|archive-date=2019-10-09|archive-url=https://web.archive.org/web/20191009055717/https://www.cgoc.com/blog-how-to-prepare-for-the-ccpa-here-are-the-resources-you-need/|url-status=dead}}
  • Children’s Online Privacy Protection Rule (COPPA){{Cite web |title=FTC |url=https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions#A.%20General%20Questions |website=Federal Trade Commission|date=20 July 2020 }}

=European Union=

=United Kingdom=

  • Data Protection Act 2018
  • General Data Protection Regulation (GDPR): GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union
  • NIS Regulations: the EU NIS Directive was transposed into UK law by DCMS in May 2018 via the NIS Regulations.{{Cite web|url=https://www.ncsc.gov.uk/collection/caf/nis-introduction|title = NIS introduction}}

=ISO Regulation=

Guidelines

  • MoReq2{{Cite web|url=https://www.moreq2.eu/|title=Moreq2.eu|website=www.moreq2.eu}}
  • MoReq2010{{cite web|url=http://moreq2010.eu/|title=Account Suspended|url-status=dead|archive-url=https://web.archive.org/web/20120223001443/http://moreq2010.eu/|archive-date=2012-02-23}}
  • ISO 15489 Information and Documentation - Records Management{{Cite web|url=https://www.iso.org/standard/31908.html|title=ISO 15489-1:2001|website=ISO}}
  • DoD 5015.2, or Design Criteria Standard for Electronic Records Management Software Applications{{cite web|url=https://www.archives.gov/records-mgmt/initiatives/dod-standard-5015-2.html|title=DoD Standard 5015.2|date=15 August 2016|access-date=1 September 2017|archive-date=16 May 2021|archive-url=https://web.archive.org/web/20210516224001/https://www.archives.gov/records-mgmt/initiatives/dod-standard-5015-2.html|url-status=dead}}

Events

; Information Governance Initiative

: On May 20–21, 2015, the Information Governance Initiative hosted the first annual CIGO Summit in Chicago, Illinois.

; Compliance Governance Oversight Council (CGOC) Regional Meetings

: Regional meetings are held twice a year throughout the USA and in Europe for legal, IT, records and CIGO professionals.{{Cite web|url=https://www.cgoc.com/home/events/|title=CGOC Regional Meetings|date=2019-09-26|website=CGOC The Council|access-date=2019-09-26}}

Notable CIGO examples

  • JoAnn Stonier, Chief Information Governance & Privacy Officer, MasterCard

See also

References

{{reflist|30em}}