Defining Information Governance




    The shocking downfall of large, supposedly ‘unbreakable’ organisations led to the evolution of a now well-recognised term: ‘Information Governance’. It emerged in the aftermath of the collapse of Barings Bank in 1995 and again in 2001, when Enron filed for bankruptcy.

    The statement that Information Governance is a “rather new multidisciplinary field that is still being defined”[1] is an accurate assessment of the term. I will explain why this is the case and will also show why an organisation’s Information Governance framework must be bespoke rather than a ‘one size fits all’ Information Governance model.

    I will examine in detail what Information Governance is and how some academics have attempted to define it. I will explore whether it has been defined at all and compare it to the principles of data protection.
    I will discuss the strengths and weaknesses of the two statements from Smallwood and Pistor and will attempt to draw out the key points which I believe support the concept of Information Governance.
    I will challenge the concept of ‘Information Governance’ by raising the very important question “have you ever nailed jelly to a tree?” and see how this relates to the dilemmas that may exist.

    Finally, I will look at the structure of an Information Governance framework, what should lie under the umbrella of an Information Governance framework, and how organisations should approach good, transparent information governance.
    My findings conclude that Information Governance cannot and should not be defined as a standard process for organisations to follow as a set model. I will show it as a dynamic and evolving entity that must be allowed the freedom to react to the changing environment in which big data is handled, in an ethical and efficient way.


    In the process of packing to move house I came across a 3½-inch floppy disk. “What’s that?” my daughter said with bemusement. When I explained, she rolled around laughing, saying “You really are old, Dad!”. I looked at this marvel of what I thought back then was technology and wondered how we survived. It had a total capacity of 1.44 megabytes; nothing in comparison to today’s needs.
    In this assignment I have been asked to look at two statements that define Information Governance (IG), one by R. F. Smallwood and the other by Katharina Pistor. Before I examine those statements, I feel it is important to look at what IG is now and where it came from.

    The volume of data we share today compared to the 1970s is enormous. IG started to raise its head in the late 20th century, when organisations began to develop the concept of effective management of the data they processed.

    Like anything in life, while things are going well there is little thought about how this happens or about the controls that make it work. When failures start to appear, lessons are learned and guidance and best practice are promoted, often followed by regulation.

    The first Data Protection Act[2] was introduced in the United Kingdom in 1984, followed by the Computer Misuse Act[3] in 1990 and then by the Freedom of Information Act 2000[4], which gave people access to relevant information held by public authorities.

    These laws set a standard for the protection of personal data and the confidentiality of a person’s information. They placed responsibilities on the custodians of that data to act ethically and responsibly, and to protect it with organisational and technical measures.

    It is apparent that IG is a term born out of failure and the need for an overhaul of the way organisations handled data. The laws mentioned above address not only those failures but also the technological developments of society and the need to protect the privacy of the information collected from individuals, which began to gather pace at an enormous rate.

    What is Information Governance (IG)?

    The failure of Barings Bank in 1995, Enron in 2001, Parmalat in 2003 (‘Europe’s Enron’), and the list could go on, names companies operating globally where the senior leadership teams acted in an unethical, or even criminal, manner by the way they handled, manipulated or altered data for their own gain or for the benefit of others. Some received custodial sentences for fraud; for example, Jeffrey Skilling, former CEO of Enron[5], and Calisto Tanzi, founder of Parmalat[6].

    The phrase ‘Corporate Governance’ gained prominence following these failures. It describes the structure of self-examination and independent examination of how a senior leadership team manages a business and makes decisions. Sir Adrian Cadbury defined Corporate Governance simply as “the system by which companies are directed and controlled”[7] (Cadbury Committee, 1992).

    The evolution of the ‘internet of things’ made it easier for organisations to obtain their customers’ data, and thus the blind collection of data began. Suddenly, organisations held vast amounts of data that they either did not know what to do with or misused, creating further failures.

    The Computer Misuse Act set the standards for how computers were to be used legally, for the common good. The law defined clear breaches which constitute criminal offences.
    Data protection law, in turn, made a first attempt at controlling the electronic data age, in addition to paper-based data. This law was based on principles, such as lawfulness, storage limitation and minimisation, and gave ordinary people rights to access their data or to object to their data being processed by a data controller.

    Furthermore, data protection laws gave data custodians responsibilities as Data Controllers, with enforcement by way of fines or other sanctions, such as preventing a data controller from processing data.
    The law outlined the expected standards and described a failure to meet them as a ‘data breach’. Certain misuses of data also constitute criminal offences, for which an individual could be prosecuted.

    IG is the term used when an organisation satisfies and applies all the elements of the relevant laws with which it must comply, including principles, ethical standards, guidance and best practice, thereby ensuring that the data it processes is managed appropriately, ethically and securely.

    Like other methods of improvement or governance, IG is modelled so that it can be understood and followed by organisations. There are several IG models for a number of different business sectors.

    2005 saw the development of the Electronic Discovery Reference Model (EDRM)[1]. This was followed by the Information Governance Reference Model (IGRM)[2]. These models enhanced the efficiency of data management within organisations and helped to build the IG environment. Both models helped to identify inefficiencies in the data storage systems organisations used and in how those organisations retrieved the data they needed.

    [1] visited January/February 2022

    [2] visited January/February 2022

    With the application of IG came the discovery that data ‘leakage’ was a major issue. It highlighted the problem of holding vast amounts of data with little control over its governance. It was clear that organisations had no way of knowing how to handle or manage data. Subsequently, the IG framework, and a more comprehensive understanding of its different elements, enabled organisations to gain more control over their data handling.

    As technology developed further, the inefficiencies of data storage and retrieval gave way to a proper “structured filing system”[1] that could be searched and categorised.

    Janssen, Wimmer & Deljoo said in 2015 that:

    “A close analysis of the management of electronically stored information (ESI) was crucial for the elimination of some of the recurrent inefficiencies in enterprises.”[2]

    Data storage is just one element in the life cycle of data that IG must consider or govern for proper protection. 

    [1] Data Protection Act 2018 s.3 (7) “Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.

    [2] Janssen, M, Wimmer, M., A. & Deljoo, A. (2015). Policy Practice and Digital Science. New York: Springer.

    Has IG been defined?

    Smallwood said that IG “is still being defined”[1], with which I concur. Many academics disagree, and there is a plethora of definitions in existence.

    Most of the IG definitions follow the principles of data protection:

    • Lawfulness, Fairness and Transparency
    • Purpose Limitation
    • Data Minimisation
    • Accuracy
    • Storage Limitation
    • Integrity and Confidentiality
    • Accountability

    [1] Smallwood R F, ‘Information Governance: Concepts, Strategies and Best Practices’ (Wiley 2020), p. 8

    The following two definitions cover the main principles of data protection: collection, purpose limitation, accuracy, storage, control and responsibility. The first definition I will examine uses words like environment, rules and decision-making. This creates a culture within an organisation in which data is jointly protected and a good IG system is in place.

    The second definition states “capabilities and practices for the creation”[1] which alludes to a culture of best practice and a good IG system.

    Kooper, Maes & Roos Lindgreen state that IG is:

    “establishing an environment and opportunities, rules and decision-making rights for the valuation, creation, collection, analysis, destruction, storage, use and control of information; it answers the question ‘what information do we need, how do we make use of it and who is responsible for it?’”[1]

    [1] Kooper, Maes & Roos Lindgreen, ‘On the governance of information: Introducing a new concept of governance to support the management of information’ (2011) Int. J. Inf. Manage, p. 195

    Whereas Tallon, Ramirez and Short state:

    “a collection of capabilities or practices for the creation, capture, valuation, storage, usage, control, access, archival [sic], and deletion of information over its life cycle”[1]

    [1] Tallon, Ramirez & Short, ‘The Information Artifact in IT Governance: Toward a Theory of Information Governance’ (2013), p. 142

    Both definitions recognise the need to structure the life cycle of the data from its collection to its destruction. The middle part of IG sets the decision-making process around what organisations do with the data. In addition, IG sets the standard for the ethical approach taken.

    Katharina Pistor describes how she sees the steps of IG being defined in her article ‘The business with human data: improving governance in the information age’[1]. Some of the statement is self-explanatory:

     “Identifying the core principles for governing data is, of course, only the first step in the design of a governance regime that seeks to maximise social welfare. Taking elements from existing structures and recombining them to fit the challenges and potential of data governance is a second step.”[1]

    [1] Katharina Pistor, ‘The business with human data: improving governance in the information age’ (2021) 3 JIBFL 196

    Without identifying the principles of an IG regime, there would be no IG regime. Any project manager who commences a project identifies the steps and objectives. There are tried and tested methods of approaching projects, but all projects have different purposes, so the method must be bespoke; failure is inevitable if a ‘one size fits all’ approach is adopted. The approach to setting up an IG framework or regime is exactly the same.

    The following part of Pistor’s definition has no real substance or meaning towards defining IG:

    “The corporate form, which in Roman times served public, not private purposes, or the public trust can serve as useful building blocks. Sovereign wealth funds, at least the more accountable ones among them, offer lessons for what works and what does not when a common resource is monetized for the benefit of all.”[1]

    The final step is about technology, which she states is “potentially most critical”. The employment of encryption is not always the answer to good IG. It is a technical measure to protect the data, but it is not a critical step in IG. Pistor continues:

    “The third, and potentially most critical step is employing digital technologies, including encryption technologies to ensure that data can in fact be governed as a common good”[1]

    [1] Katharina Pistor, ‘The business with human data: improving governance in the information age’ (2021) 3 JIBFL 196

    Of the definitions I have referred to, Pistor’s is the one that presents the most challenges. The introduction leads on to a philosophical point which concludes with a misleading statement about encryption and digital technologies. This is an over-ambitious attempt to over-simplify IG into a single element, which is clearly not the case.

    I disagree with the attempt to define IG and encapsulate its meaning in such a restrictive manner when it is such a fluid process. Pistor’s attempt demonstrates no appreciation of this fluid state or of bespoke business needs. This is demonstrated by the comment:

    “Taking elements from existing structures and recombining them to fit the challenges and potential of data governance”[1]

    In direct contrast, Smallwood recognises that one model does not fit all, by stating that
    
    Information Governance is a “rather new multidisciplinary field that is still being defined”[2]

    This is a much more accurate statement regarding IG. 

    [1] Ibid

    [2] Smallwood R F, ‘Information Governance: Concepts, Strategies and Best Practices’ (Wiley 2020), p. 8

    It is reasonable to bear in mind that we are still learning the lessons of past events with regard to the unethical practices of the Enron era, and are trying to catch up with the ever-changing advances in technology, the vast amount of data collected daily, and criminality which will continue to find ways to steal and misuse data or to hold organisations to ransom by threatening to permanently delete data. How long this statement will remain accurate is the question one should be asking.

    Can IG be defined?

    Have you ever tried to nail jelly to a tree? Well, it is impossible. The same could be said for defining IG. Having thought about IG and what it means or constitutes, I am more certain about what it is not than about what it is. It is not a regulation, it is not guidance, it is not a manual, it is not a checklist. Plenty of books and articles explain how to do it, what model to use, what it means and so on.

    In fact, it is rather like the name of a department store that encompasses necessary and valuable items. IG is the headline, portraying a set of specialist areas that exist within its make-up, defining and delivering quality assurance. In accordance with current legislation, it will encompass the Data Protection Officer, the Freedom of Information Officer (if a public authority), Information Security, Cyber Security, Records Management, Risk Management, Asset Management and other data management areas needed within the organisation. The size of the IG department will vary depending on the business type. For a financial institution, this would encompass the AMLO, Compliance, etc. For law enforcement, it would include Disclosure, Police National Computer records, the Intelligence Bureau, forensic capabilities and more.

    IG is modelled on the business needs, the business sector and the relevant regulations. It is a reactive tool for a business that must protect the data it has been entrusted to hold. The technology employed to protect the data is reactive in the way it is developed and deployed within the organisation.

    A good example of this is phishing. Five years ago, if you got an email from your mate in the IT department about phishing, you would have arranged to pack some food and beers, maybe a BBQ, and looked forward to a good day out in the sun. Nowadays, it conjures up the possibility of an email attachment that has been cloned by some criminal, in another country, trying to obtain data illegitimately.

    We know about phishing because of criminality rather than because of any proactive IT department. Criminals are, by nature, proactive and opportunistic when it comes to IG, and they must be seen as such.

    IG can be very effective, even though it differs between businesses and business sectors. It is, in the main, reactive to the data environment and must continually evolve and adapt to the way business handles, processes, stores and deletes data. This dictates how it is defined. Indeed, it is the proverbial ‘attempting to nail jelly to a tree’. It has an ever-changing definition.


    I agree with Smallwood when he says that IG is a “rather new multidisciplinary field that is still being defined”[1]. I do not think this is because it is a rather new multidisciplinary field; it is because the world of data, and the technological advances in the way data is collected, stored and processed, move so quickly that it is impossible to define.

    I have already explained that I feel IG is a reactive field, reacting to advances in technology, the way data is collected, the laws, guidance and best practice, and even the way the data controller wants the data stored and used. It reacts to the way criminals try to get hold of it, hold it to ransom or delete it.

    The data subjects who own the data are the proactive party in the IG world. In most cases, they control when the data controller can have the data, how they get it and how long they can keep it.

    The other influence on this is the criminal element, who are proactive in their methods of getting past the protective measures and either stealing the data or holding the organisation to ransom.

    So, defining IG is not possible; it is an umbrella covering a multifunctional section of specialists in data protection, cyber security, risk management, data management, data storage, and the list goes on.

    IG is a department or section of an organisation that is vital to the smooth and ethical running of the business, ensuring that the data collected and processed is handled in a way that is not only lawful, fair and transparent, but also protects the rights and freedoms of the data subjects who entrusted the organisation to process their data on their behalf.

    IG keeps the wheels of good data processing turning and, with its reactive state continuing to keep pace with the proactive world, it will remain an important part of business for a long time.

    So, my closing sentence is that Smallwood is correct: it is still being defined, and I will say it will never truly be defined. The definition is the nail, and IG is the jelly. Go on, give it a go.

    [1] Smallwood R F, ‘Information Governance: Concepts, Strategies and Best Practices’ (Wiley 2020), p. 8
