Information governance programs and information privacy programs share many common components, goals, and personnel. Many organizations are finding that integrating privacy and information governance and coordinating both of these initiatives – despite relatively disparate goals – can minimize work duplication on either end and improve efficacy for both. Let’s take a look at some of the commonalities and explore how privacy and IG can help one another.

Program Foundational Requirements

The requirements for information governance and information privacy are very similar, though that is not to say they are identical. Both begin with policies and procedures – in essence, the base modus operandi of the programs and how they function on a day to day level. In addition to these, information governance requires a records retention schedule – a policy document that defines an organization’s legal compliance and recordkeeping requirements. Information management roles are also required, which have a counterpart in privacy roles in information privacy programs. Both must deal with legal audits, and both establish data maps to carry out those audits, though those data maps look different. 

Understanding Governance

Information governance and privacy governance are also fundamentally very similar. Both require an orientation towards the users of the given program, and certain procedures along those lines. By integrating the two areas, an organization can ensure that both their users as well as their own business interests are protected from bad actors and legal repercussions on all ends. A solid privacy policy and information management policy serves as the foundation for governance, and is supported by detailed and clear procedures for certain day-to-day and rare situations, like opt-in/opt-out privacy policies, or information distribution standards. 

Of course, all of these policies and procedures must also align in practice with a variety of privacy laws from the different nations in which your organization operates. 

Roles and Responsibilities 

A clear command structure and a system of accountability is also essential for both information management and privacy programs. Chief information officers (CIOs) and chief privacy officers (CPOs) manage the overall department and are considered accountable for the departments. Records managers and analysts ensure that records are safely managed and secured on a broad policy basis, and records stewards ensure that the day-to-day use of records is secure. Likewise, on the privacy side, there should be privacy analysts and stewards working to ensure privacy compliance in all its nuances. 

These groups must also work with other parts of the organization; namely, legal teams who ensure that the organization is compliant with privacy and records management related laws, senior executives who deal with strategic management and coordination within the organization, ethics and risk compliance experts who help the company deal with ethical issues relating to privacy, and information technology stakeholders who may be tasked with ensuring that electronic records, especially those with privacy considerations involved, are stored effectively and securely while maintaining appropriate accessibility.

Audits

Internal audits of records and privacy departments can be extremely helpful in identifying weaknesses internally before they become a problem. By quickly identifying these weaknesses, losses and breaches of security and privacy can be avoided even before they happen. 

Information Governance Audits

Information governance audits occur in several steps. The first is to identify the context of the audit. This is your “measuring stick” – it’s where you define the standards and nature of the audit, and what policies and methods you’re reviewing. This is followed by conducting the audit itself, seeing if the current methods match up with the standard required for the organization. Then, the auditors must analyze the findings, noting the strengths and weaknesses of the current information governance program, and where policies within the program must be changed. The auditors then workshop a set of mitigation strategies, and provide recommendations for their implementation to ensure that they new policies are put in place smoothly and with minimal risk to the organization and those affected by the changes.

Privacy Audits

Privacy audits require several steps, like information government audits. Firstly, one sets the context of the audit. This is a comprehensive analysis of current privacy laws and best practices to ensure the audit goes smoothly and efficiently identifies issues in the current privacy policy and programs. The next step is to conduct a privacy risk assessment. This is a cross-sectional analysis of all places that information is being distributed in cases where there are privacy risks involved. Then, one must identify the categories of privacy, like minor vs non-minor, financial, medical or education records, and non-identifiable vs. identifiable information. By effectively identifying these categories and risks around them, plans of action can be created to mitigate risk for the organization and their subjects and clients. The flow of data can then be mapped; this allows identification of the key points of vulnerability for the organization’s privacy policy. Lastly, the above steps can be linked together to identify where information privacy is impacted by the policies in place. 

Merging the Audits

By combining the audits, a more efficient and comprehensive audit can be created, reducing the cost and efficiency impacts of both. The results can then be reported together, with separate issues highlighted so that the mitigation strategies can remain in close alignment. 

Data Maps

Data mapping is a method of determining risk for clients and parts of your organization by identifying the flow of information, how information is stored, and all the points at which it is accessed. By doing this an organization can efficiently identify areas where privacy or information security might be breached, and can make new strategies to mitigate those risks. A comprehensive data map might include:

  • Information type
  • Record series application / PII type classification
  • Storage location 
  • Jurisdictional requirements for records retention
  • Personal information captured
  • Method and means of capture
  • Access and access controls
  • System of creation
  • Storage locations
  • Inter-linked and impacted systems
  • Risks (as in a privacy risk assessment) 

Training and Education

Education around audits, information management and information privacy must be continual and emphasized for good policy to work. If people aren’t educated on the hows and whys of the policy, it naturally becomes weaker and easier to exploit by bad actors. Annual training should also be created so that updates to information and privacy policy can be easily disseminated throughout an organization. This content can also be integrated into other training methods with the organization, especially those that are recently or initially involved with the organization. 

Integrating Privacy and IG

For information management and privacy policy to function, it must be an ingrained part of the organization’s culture, from the ground-up, and it must be both continuous and adaptive to the needs of both the organization and those that it serves. The two programs benefit greatly from being integrated into one another to shore up the weaknesses of both parts, and to speed up audits of their weaknesses. With correct management of both of these parts, the organization’s legal, financial and informational risks can be vastly minimized and reduced. 

For more on integrating privacy and information governance, check out this webinar recording: Webcast: Integrating Privacy into Your IG Program