Information governance programs and information privacy programs share many common components, goals, and personnel. Many organizations are finding that integrating privacy and information governance and coordinating both of these initiatives – despite relatively disparate goals – can minimize work duplication on either end and improve efficacy for both. Let’s take a look at some of the commonalities and explore how privacy and IG can help one another.
Program Foundational Requirements
The requirements for information governance and information privacy are very similar, though that is not to say they are identical. Both begin with policies and procedures – in essence, the base modus operandi of the programs and how they function on a day to day level. In addition to these, information governance requires a records retention schedule – a policy document that defines an organization’s legal compliance and recordkeeping requirements. Information management roles are also required, which have a counterpart in privacy roles in information privacy programs. Both must deal with legal audits, and both establish data maps to carry out those audits, though those data maps look different.
Of course, all of these policies and procedures must also align in practice with a variety of privacy laws from the different nations in which your organization operates.
Roles and Responsibilities
A clear command structure and a system of accountability are also essential for both information management and privacy programs. Chief information officers (CIOs) and chief privacy officers (CPOs) manage the overall department and are held accountable for it. Records managers and analysts ensure that records are safely managed and secured on a broad policy basis, and records stewards ensure that the day-to-day use of records is secure. Likewise, on the privacy side, there should be privacy analysts and stewards working to ensure privacy compliance in all its nuances.
These groups must also work with other parts of the organization; namely, legal teams who ensure that the organization is compliant with privacy and records management related laws, senior executives who deal with strategic management and coordination within the organization, ethics and risk compliance experts who help the company deal with ethical issues relating to privacy, and information technology stakeholders who may be tasked with ensuring that electronic records, especially those with privacy considerations involved, are stored effectively and securely while maintaining appropriate accessibility.
Internal audits of records and privacy departments can be extremely helpful in identifying weaknesses internally before they become a problem. Finding these weaknesses early means losses and breaches of security and privacy can be avoided before they happen.
Information Governance Audits
Information governance audits occur in several steps. The first is to identify the context of the audit. This is your “measuring stick” – it’s where you define the standards and nature of the audit, and which policies and methods you’re reviewing. This is followed by conducting the audit itself, checking whether current practice matches the standard required for the organization. Then, the auditors must analyze the findings, noting the strengths and weaknesses of the current information governance program and where policies within the program must be changed. The auditors then workshop a set of mitigation strategies and provide recommendations for their implementation, to ensure that the new policies are put in place smoothly and with minimal risk to the organization and those affected by the changes.
Merging the Audits
By combining the audits, a more efficient and comprehensive audit can be created, reducing the cost and operational impact of both. The results can then be reported together, with separate issues highlighted so that the mitigation strategies can remain in close alignment.
Data mapping is a method of determining risk for clients and parts of your organization by identifying the flow of information, how information is stored, and all the points at which it is accessed. By doing this, an organization can efficiently identify areas where privacy or information security might be breached, and can develop new strategies to mitigate those risks. A comprehensive data map might include:
- Information type
- Record series application / PII type classification
- Storage location
- Jurisdictional requirements for records retention
- Personal information captured
- Method and means of capture
- Access and access controls
- System of creation
- Storage locations
- Inter-linked and impacted systems
- Risks (as in a privacy risk assessment)
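To show how the fields above turn into a combined IG/privacy audit, here is an added example (not from the original post or any real organization): a small data map built from constructed entries, and a check that flags the gaps an auditor would look for. The jurisdiction-to-region policy table and all sample entries are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class DataMapEntry:
    """One row of the data map, using the fields the post lists."""
    information_type: str
    pii_classification: str            # "none", "basic" or "sensitive"
    storage_locations: List[str]       # where the records physically live
    jurisdiction: str                  # whose retention/privacy law applies
    retention_years: Optional[int]     # None = no retention requirement recorded
    access_controls: List[str] = field(default_factory=list)
    linked_systems: List[str] = field(default_factory=list)

# Hypothetical policy input: storage regions each jurisdiction permits.
PERMITTED_REGIONS = {
    "EU": {"eu-west", "eu-central"},
    "US": {"us-east", "us-west", "eu-west"},
}

def audit_data_map(entries: List[DataMapEntry]) -> List[Tuple[str, str]]:
    """Return (information_type, finding) pairs; each rule maps to one
    data-map field so IG and privacy findings can be reported together."""
    findings = []
    for e in entries:
        if e.retention_years is None:                      # IG: retention schedule gap
            findings.append((e.information_type, "no retention requirement recorded"))
        if e.pii_classification != "none" and not e.access_controls:   # privacy: access
            findings.append((e.information_type, "PII held without access controls"))
        allowed = PERMITTED_REGIONS.get(e.jurisdiction, set())
        for loc in e.storage_locations:                    # both: jurisdiction vs storage
            if loc not in allowed:
                findings.append((e.information_type,
                                 f"stored in {loc}, not permitted for {e.jurisdiction}"))
        if e.pii_classification == "sensitive" and e.linked_systems:   # impacted systems
            findings.append((e.information_type,
                             f"sensitive PII flows to {len(e.linked_systems)} linked system(s)"))
    return findings

# Constructed sample data map (illustrative values only).
SAMPLE_DATA_MAP = [
    DataMapEntry("customer invoices", "basic", ["eu-west"], "EU", 7, ["role:finance"]),
    DataMapEntry("support tickets", "sensitive", ["us-east"], "EU", None, [], ["crm"]),
    DataMapEntry("marketing stats", "none", ["us-west"], "US", 3),
]

if __name__ == "__main__":
    for info_type, finding in audit_data_map(SAMPLE_DATA_MAP):
        print(f"{info_type}: {finding}")
```

Only the "support tickets" entry produces findings, one for each of the four rules; the other two entries pass.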
Training and Education
Integrating Privacy and IG
For more on integrating privacy and information governance, check out this webinar recording: Webcast: Integrating Privacy into Your IG Program