Integrating Privacy & Information Governance Programs

Brenda Barnhill, JD, LL.M.

Information governance (IG) programs and information privacy programs share many common components, goals, and personnel. Many organizations are finding that integrating privacy and information governance and coordinating both of these initiatives – despite relatively disparate goals – can minimize work duplication on either end and improve efficacy for both. Let’s take a look at some of the commonalities and explore how privacy and IG can help one another.

Program Foundational Requirements

The requirements for information governance and information privacy are very similar, though not identical. Both begin with policies and procedures – in essence, the base modus operandi of the programs and how they function on a day-to-day level. In addition to these, information governance requires a records retention schedule – a policy document that defines an organization’s legal compliance and recordkeeping requirements. Information management roles are also required, and these have a counterpart in the privacy roles of an information privacy program. Both must deal with legal audits and establish data maps to carry out those audits, although the two kinds of data map look different.

Understanding Governance

Information governance and privacy governance are also fundamentally very similar. Both require an orientation towards the users of the given program, and certain procedures along those lines. By integrating the two areas, an organization can ensure that its users, as well as its own business interests, are protected from bad actors and legal repercussions. A solid privacy policy and information management policy serve as the foundation for governance, and are supported by detailed and clear procedures for both routine and rare situations, such as opt-in/opt-out privacy choices or information distribution standards.

Of course, all of these policies and procedures must also align in practice with a variety of privacy laws from the different nations in which your organization operates.

Roles and Responsibilities

A clear command structure and a system of accountability are also essential for both information management and privacy programs. Chief information officers (CIOs) and chief privacy officers (CPOs) manage the overall department and are considered accountable for the departments. Records managers and analysts ensure that records are safely managed and secured on a broad policy basis, and records stewards ensure that the day-to-day use of records is secure. Likewise, on the privacy side, there should be privacy analysts and stewards working to ensure privacy compliance in all its nuances.

These groups must also work with other parts of the organization; namely:

Audits

Internal audits of records and privacy departments can be extremely helpful in identifying weaknesses internally before they become a problem. By quickly identifying these weaknesses, losses and breaches of security and privacy can be avoided before they even happen.

Information Governance Audits

Information governance audits occur in several steps. The first is to identify the context of the audit. This is your “measuring stick” – it’s where you define the standards and nature of the audit, and what policies and methods you’re reviewing. This is followed by conducting the audit itself, seeing if the current methods match up with the standard required for the organization. Then, the auditors must analyze the findings, noting the strengths and weaknesses of the current information governance program, and where policies within the program must be changed. The auditors then workshop a set of mitigation strategies and provide recommendations for their implementation, ensuring that new policies are put in place smoothly and with minimal risk to the organization and those affected by the changes.

Privacy Audits

Privacy audits require several steps, like information governance audits. Firstly, one sets the context of the audit. This is a comprehensive analysis of current privacy laws and best practices to ensure the audit goes smoothly and efficiently identifies issues in the current privacy policy and programs. The next step is to conduct a privacy risk assessment. This is a cross-sectional analysis of all places where information is being distributed and privacy risks are involved. Then, one must identify the categories of privacy, such as minor vs. non-minor, financial, medical or education records, and non-identifiable vs. identifiable information. By effectively identifying these categories and the risks around them, plans of action can be created to mitigate risk for the organization. The flow of data can then be mapped; this allows identification of the key points of vulnerability for the organization’s privacy policy. Lastly, the above steps can be linked together to identify where information privacy is impacted by the policies in place.

Merging the Audits

By combining the audits, a more efficient and comprehensive audit can be created, reducing the cost and efficiency impacts of running both separately. The results can then be reported together, with separate issues highlighted so that the mitigation strategies can remain in close alignment.

Data Maps

Data mapping is a method of determining risk for clients and parts of your organization by identifying the flow of information, how information is stored, and all the points at which it is accessed. By doing this, an organization can efficiently identify areas where privacy or information security might be breached, and can make new strategies to mitigate those risks.

A comprehensive data map might include:

  • Information type
  • Record series application / PII type classification
  • Storage location
  • Jurisdictional requirements for records retention
  • Personal information captured
  • Method and means of capture
  • Access and access controls
  • System of creation
  • Storage locations
  • Inter-linked and impacted systems
  • Risks (as in a privacy risk assessment)
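The fields above become useful once they are held in a structure that can be queried for the breach points the text describes. The following is an added example, not code from the article or its author: it models a data map entry with those fields and runs three checks over a constructed inventory (identifiable PII stored without access controls, PII flowing into a system that is missing from the map or has weaker controls than its source, and the same record series carrying different retention periods under one jurisdiction). The entry field names, finding codes and all system names are assumptions made for this example.

```python
"""Added example (not from the article): a minimal data-map inventory and the
risk identification a privacy/IG audit would run over it.  Field names,
finding codes and every system name below are constructed for illustration."""
from dataclasses import dataclass

IDENTIFIABLE = "identifiable"   # PII type classification that triggers the checks


@dataclass(frozen=True)
class DataMapEntry:
    information_type: str        # record series, e.g. "customer_profiles"
    pii_classification: str      # "none", "non-identifiable" or "identifiable"
    storage_location: str        # system holding the data; used as the entry key
    retention_jurisdiction: str  # jurisdiction whose retention rule applies
    retention_years: int         # jurisdictional retention requirement
    capture_method: str          # method and means of capture
    access_controls: tuple       # e.g. ("rbac", "mfa"); () means no controls
    system_of_creation: str      # system that created the record
    linked_systems: tuple        # storage locations this data flows into
    risks: tuple = ()            # risks carried over from the privacy risk assessment


@dataclass(frozen=True)
class Finding:
    location: str
    code: str
    detail: str


def assess_data_map(entries):
    """Return a Finding for each point where privacy or security could be breached."""
    by_location = {e.storage_location: e for e in entries}
    findings = []

    for e in entries:
        holds_pii = e.pii_classification == IDENTIFIABLE
        # Check 1: identifiable PII at rest with no access controls at all.
        if holds_pii and not e.access_controls:
            findings.append(Finding(e.storage_location, "PII_NO_ACCESS_CONTROL",
                f"{e.information_type} is identifiable PII stored without access controls"))
        for target in e.linked_systems:
            # Check 2a: the data flows into a system the map does not cover.
            if target not in by_location:
                findings.append(Finding(e.storage_location, "UNMAPPED_LINKED_SYSTEM",
                    f"data flows to {target}, which has no data map entry"))
                continue
            # Check 2b: PII arrives at a linked system whose controls are a strict
            # subset of the source's (a simple "controls were dropped" test).
            downstream = by_location[target]
            if holds_pii and set(downstream.access_controls) < set(e.access_controls):
                findings.append(Finding(e.storage_location, "CONTROL_DROP_ON_TRANSFER",
                    f"{e.information_type} moves to {target} with fewer access controls"))

    # Check 3: one record series, one jurisdiction, more than one retention period.
    retention = {}
    for e in entries:
        key = (e.information_type, e.retention_jurisdiction)
        retention.setdefault(key, {})[e.storage_location] = e.retention_years
    for (info, juris), per_location in sorted(retention.items()):
        periods = sorted(set(per_location.values()))
        if len(periods) > 1:
            findings.append(Finding(", ".join(sorted(per_location)), "RETENTION_CONFLICT",
                f"{info} under {juris} has retention periods {periods} years across locations"))
    return findings


# Constructed sample inventory: a CRM copies profiles into an analytics store that
# has no controls and a shorter retention period, and that store feeds an
# unmapped vendor export.  The public catalog holds no PII.
SAMPLE_MAP = (
    DataMapEntry("customer_profiles", "identifiable", "crm_db", "EU", 7,
                 "web form", ("rbac", "mfa"), "crm_app", ("marketing_analytics",)),
    DataMapEntry("customer_profiles", "identifiable", "marketing_analytics", "EU", 2,
                 "nightly copy from crm_db", (), "etl_job", ("vendor_export",)),
    DataMapEntry("product_catalog", "none", "public_catalog", "EU", 1,
                 "manual entry", (), "cms", ()),
)


def finding_codes(entries):
    """Sorted finding codes, convenient for comparing audit runs."""
    return sorted(f.code for f in assess_data_map(entries))


if __name__ == "__main__":
    for f in assess_data_map(SAMPLE_MAP):
        print(f"[{f.code}] {f.location}: {f.detail}")
```

Run on the sample inventory, the output lists four findings: the control drop from `crm_db` to `marketing_analytics`, the uncontrolled PII in `marketing_analytics`, its flow to the unmapped `vendor_export`, and the 7-year vs. 2-year retention conflict for `customer_profiles`; the catalog entry produces nothing. The same structure serves both the IG audit (retention and inventory gaps) and the privacy audit (PII exposure), which is the practical basis for merging the two.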

Training and Education

Education around audits, information management, and information privacy must be continual and emphasized for good policy to work. If people aren’t educated on the “how and why” of the policy, it naturally becomes weaker and easier for bad actors to exploit. Annual training should be created so that updates to the information and privacy policy can be easily disseminated throughout the organization. This content can also be integrated into other training within the organization, especially the training given to those who have recently joined it.

Integrating Privacy and IG

For information management and privacy policy to function, they must be an ingrained part of the organization’s culture, from the ground up. They must also be continuous and adaptive to the needs of the organization and those that it serves. Integrating the two programs enhances their overall effectiveness by addressing each other’s weaknesses and accelerating the audit process. With correct management of both parts, the organization’s legal, financial, and informational risks can be substantially reduced.


For more on privacy and information governance, download our whitepaper: Data Privacy for the Information Professional