With GDPR becoming a four-letter word, are you tired of being bombarded with calls pushing you to address the General Data Protection Regulation or perish? This is leading some organisations to bury their heads and close their ears. But there is a word, or in this case two, that you must hear: Information Governance.
Information Governance (IG) is a term used to describe how organisations ensure that statutory and regulatory information management requirements are met, and how information is controlled, protected and exploited to benefit employees and customers. Get your IG right, and you are well on the way to GDPR compliance.
Information Governance consists of six main components:
An Information Strategy sets out a holistic approach to how information will support an organisation’s objectives and reduce risk and cost, whilst increasing efficiency and compliance. A strategy is critical to define the principles and direction for document and records management and how information quality will be delivered, for example to support Freedom of Information requests and evidential weight of information.
2. Policies and Procedures
When asked about Information Governance, most people think of policies and procedures. Policies are essential to describe the information and data protection rules for an organisation relating to how information is collected, processed, stored, shared and ultimately destroyed. Procedures underpin policies and provide organisation-specific instructions on how to implement the policies. It is important to note that policies and procedures are only effective when the other IG elements are implemented, such as roles, training and monitoring.
Four main controls are needed in a fit-for-purpose Information Governance Framework.
Business Classification Scheme
Business classification schemes provide a function-based view of information across an organisation, broken down by key activities within each function. They can be browsed to locate information, and support the implementation of retention schedules and access controls.
Retention and Disposal Schedule
A retention and disposal schedule provides guidance and authority for the disposal of organisational records, based on legislative and business requirements. It defines retention periods, disposal triggers, and disposal actions for classes of records.
Information Asset Register
An information asset register documents an organisation’s information assets and is recommended by the Information Commissioner’s Office as a foundation for GDPR compliance (for personal data related information).
Access Control Model
Access controls deliver information protection where needed. The model should define:
- The principles on which access is determined
- Who determines the access that should be set
- Who is responsible for ensuring the appropriate access is implemented
- How the access controls will be implemented and documented
- A procedure for auditing access on a periodic basis.
There are many roles needed to effectively deliver an Information Governance Framework. These can include:
- Information and Records Manager
- Senior Information Risk Owner (SIRO)
- Data Protection Officer (DPO)
- Information Asset Owner
- Information Champion
These roles deliver ownership and accountability for many elements of Information Governance, along with advice for employees on their legal data protection obligations and the management of internal improvement initiatives.
Training builds knowledge of good information governance practices and enhances employee information capabilities. The success of an Information Governance Framework relies on staff recognising information as an asset of strategic and operational value, and handling it in a manner that is transparent and accountable. IG training should be delivered to all staff, to ensure they are aware of the organisation’s policies and procedures, and have the skills to confidently use information systems and tools.
Left unmonitored, an information environment will become unstructured, with disparate repositories, high levels of re-work, an inability to find information and end-user frustration. A monitoring and audit programme ensures there are processes in place to check the Information Governance Framework is being successfully implemented. Practices and processes can be assessed and adjusted as needed to leverage good practice and successfully deliver the framework.
While the ‘acronym which must not be named’ may be the driving force behind your organisation’s interest in Information Governance, the benefits of an IG programme go far beyond May 2018.
In-Form Consult can help you create an IG solution that will realise a range of benefits including cost savings, reduced risk, increased compliance – unlocking potential and turning your information into a valuable business asset.