Information governance is a concept that has appeared fairly recently, and perhaps because of this recency it is somewhat difficult to define what ‘information governance’ actually is, and how it differs from information management. A common theme in the literature is that information governance is the treatment of information as a business asset. DeMaine describes it as “a holistic business approach to information” that has developed as a result of factors including technological developments and electronic discovery. Earley believes that information governance “must have a stated goal for exploiting information as an enterprise resource”, while Hulme calls it “the discipline of treating information as a strategic corporate asset.” Taking a broader view, Maclennan claims that the term “describes the activities and practices which have developed around people’s attempts to control the use of information, including, but not limited to, practices mandated by law.” Similarly, Hagmann defines information governance “simply as principled decisions about information and information management”, while Kooper, Maes and Roos Lindgren feel that “it answers the question ‘what information do we need, how do we make use of it and who is responsible for it?’”. Brown and Toze explicitly separate information governance from information management, arguing that information governance:
…seeks to encourage behaviours in people and institutions that foster an information-centred organizational culture. The focus is on the body of information available to an institution, complementing information management’s more traditional focus on individual records and items of information.
Taking the above literature into account, for the purposes of this essay I will treat information governance as the practices and policies (including legal requirements) that govern and control how people use information in general, particularly in businesses and public sector organisations. I feel that to focus simply on corporate approaches to information and its potential as a business asset ignores the importance of information governance in organisations such as the National Health Service, which places a high value on governing information in a way that maintains confidentiality and reduces risks to patients, particularly as technological changes make patient information more accessible. In the UK, legal requirements involve legislation such as the European Union General Data Protection Regulation 2018 (GDPR), which governs how organisations may store and use data and defines the rights of data subjects (the people whom the data is about), and the Freedom of Information Act 2000 (FOI), which gives the public a right of access to information held by public authorities such as government departments or the NHS. Information management, meanwhile, will be treated as the practices used to manage a particular collection of information. This essay will then explore the relationship between information governance and information management, and whether information governance is essential for good information management.
Effective management and organisation of information contributes to good information governance by making the information easier to access and, simultaneously, information governance requirements provide a good incentive for organisations to manage their information well. If information and data are well managed and organised, they are easier to retrieve for information governance and compliance purposes. For example, in their study of information governance in English local authorities, Shepherd, Stevenson and Flinn found that FOI requests “put a focus on the ability of the authority to retrieve information from its systems”, with interviewees commenting that “better records management will help you find the information more quickly” and that it saves both time and money. We see that the legal requirement to comply with FOI requests can be met more easily if information is well managed and organised, and so easy to retrieve and access. While good information management and records management are useful to organisations for many other reasons besides information governance, this case suggests that information governance contributes to good information management by encouraging good practice and benefits from this good practice in turn.
Good information organisation and governance are especially important in the digital age, as enormous amounts of data and information are generated by individuals and organisations every day. ‘Big Data’, characterised by its “volume, veracity and velocity”, has created new challenges for businesses and organisations who wish to analyse it and exploit its potential. For example, the sheer amount of data being created so quickly leads to the risk that relevant data could get lost in the stream and become irretrievable:
…the volume of Big Data relative to its traditional counterpart, as well as the high velocity with which it arrives, dramatically increases the risk of irretrievability and the resulting importance of information governance of data storage. To address this risk, an organization should implement consistent storage practices to ensure that instead of being siloed, disorganized or inaccessible, all business data is organized according to a company standard, rendering it catalogued and retrievable.
Metadata, ‘data about data’, plays an important role in ensuring this organisation of information. It provides key information about a piece of data or information, such as its author or date of creation, and so allows data and information managers to appropriately categorise and organise the file. As Maclennan argues:
Metadata… is really how we keep any kind of control over the data we deal with.
If a set of data comprising a document can be assigned the correct metadata, we ‘have a handle on it’ – we have controlled the routes by which it may be edited, stored, retrieved, archived or deleted. So, as simple a process as providing a selection of potentially useful metadata from which to choose at a data input stage can reduce inaccuracy.
In turn, information governance principles and policies can contribute to good information management by encouraging organisations to dispose of information that is unlikely to be required again. By following an appropriate retention schedule, organisations can reduce the amount of information in their systems: this makes the remaining information easier to find and organise, reduces storage costs, and reduces the chance that “somewhere in that mountain of data an organization stores is a piece of information that represents a significant legal liability”. This also works in reverse: if information is well organised and managed, it is much easier to find the information that needs to be disposed of. A digital retention schedule should consider not just how long information should be retained and how it should be disposed of, but also the ways in which it is stored and how it can be ensured that the information remains “accessible, understandable and usable” throughout its life cycle. There is not much point in keeping the information in storage if it is inaccessible should it be required. Storage should also comply with legal requirements – for example, under the GDPR, data controllers and processors “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” posed to the data while in storage.
Legal requirements such as GDPR- and FOI-compliance add another incentive for businesses and organisations to practise good information governance and management: they could face heavy penalties if they are found not to do so. For example, a company that breaches the GDPR may face fines of up to €20 million or 4% of annual global turnover (whichever is higher), depending on the specific articles of the Regulation breached. Clearly, non-compliance represents a large risk for businesses. Information governance can help to ensure compliance, and as seen above this is made simpler if good information management strategies are in place, such as effective information organisation and retention policies. Thus, information governance and information management feed into each other, and good practice in one of these areas encourages it in the other.
As well as helping companies and organisations to avoid legal issues and penalties for non-compliance with information-related legislation, information governance policies can also contribute to good information management practice by encouraging ethical practice, as there is some overlap between professional ethics principles and some of these laws and regulations. Professional bodies in the information profession have published codes of ethics or ethical standards that their members are expected to follow. For example, the CILIP Ethical Principles include a commitment to upholding human rights and intellectual freedom. These human rights include the right to privacy, identified as a human right in both the UN Universal Declaration on Human Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Internationally, the IFLA Code of Ethics for Librarians and Other Information Workers states that: “Librarians and other information workers respect personal privacy, and the protection of personal data, necessarily shared between individuals and institutions.” People could become very distressed or even be put at risk if their personal information falls into the wrong hands, or becomes publicly available. Custodians of information have a responsibility, then, to make sure that any sensitive or personal data is protected and used appropriately. In the National Health Service, the ‘Caldicott Principles’ (named after Dame Fiona Caldicott, who chaired the review panel in 1997) were developed to ensure that identifying information about patients is handled appropriately. This illustrates the way in which the NHS responds to its responsibilities with regard to patients’ information, which is particularly important in reassuring patients that their information, including sensitive information such as medical records, will not be misused.
At times, ethical conduct may clash with business strategy or requests from management, and information professionals have to make decisions on how they deal with this:
Just as a soldier may be held to account for accepting an unlawful order, so may the information security professional be held to account for acceding to management requests if they would violate professional ethics.
If a well-considered information governance policy is in place, it can provide a basis for information management practice that is in line with ethical standards related to personal information. This policy can be based in data protection law. As we have seen, there is a legal imperative to protect people’s personal information under the GDPR:
1. Personal data shall be:
…(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
As Maclennan puts it, “prevention rather than cure is what we must aim for, because breaches of security are irreversible, as regards the data that are lost, leaked or damaged.” If a data breach does occur and there may be a risk to the “rights and freedoms” of data subjects, data processors are obligated to inform the supervisory authorities and the data subjects as soon as possible, giving details of the breach and how to mitigate any potential negative consequences. Arguably, this is an ethical obligation as well as a legal one, as people have a right to know what is happening to the personal data they have chosen to share. By ensuring compliance with data protection and security legislation like the GDPR, information governance therefore contributes to ethical information management. Likewise, by following codes of professional ethics such as protecting privacy and personal data, information workers may well find themselves practising information governance and complying with the relevant laws. Again, we see that the two are intertwined.
In conclusion, then, I would argue that information governance is not just essential to good information management, but that information management is also essential to good information governance. In a business or organisation that successfully governs its information, that information must also be well managed and organised. If called upon to prove compliance with information-related legislation (for example, by effectively answering an FOI request) or to produce an information risk assessment document, an information or data manager must be able to locate all of the relevant data and information. If this has been disposed of, they should be able to provide a sensible retention and disposal policy that explains why. An information professional who believes in protecting the privacy and personal data of the users they work for should take into consideration legislation such as the GDPR, and assess the risk of data security breaches. Just as the concepts of information management and information governance are difficult to separate, it is hard to see how one could possibly be successfully put into practice without considering and implementing the demands of the other.
Bawden, David & Robinson, Lyn, Introduction to Information Science (London: Facet, 2012)
Brown, David C.G. and Toze, Sandra, ‘Information governance in digitized public administration’, Canadian Public Administration Vol.60 No.4 (2017) pp.581-604 https://doi.org/10.1111/capa.12227
Chartered Institute of Library and Information Professionals, ‘Ethical Framework’ [www.cilip.org.uk/resource/resmgr/cilip/policy/new_ethical_framework/cilip_s_ethical_framework.pdf] (accessed 23rd Dec 2018)
Coyne, Emily M., Coyne, Joshua G. and Walker, Kenton B., ‘Big Data information governance by accountants’, International Journal of Accounting & Information Management, Vol.26, No.1 (2018) pp.153-170, https://doi.org/10.1108/IJAIM-01-2017-0006
deMaine, Susan David, ‘Preparing Law Students for Information Governance’, Legal Reference Services Quarterly Vol.35 No.2 (2016) pp.101-123 https://doi.org/10.1080/0270319X.2016.1177422
Directive 2004/38/EC of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. L119/1, [http://data.europa.eu/eli/reg/2016/679/oj]
Earley, Seth, ‘Metrics driven information governance’, IT Professional Vol.18, No.2 (2016) pp.17-21 https://doi.org/10.1109/MITP.2016.26
Givens, Cherie L., Information Privacy Fundamentals for Librarians and Information Professionals (Lanham: Rowman & Littlefield, 2015)
Hagmann, Juerg, ‘Information governance – beyond the buzz’, Records Management Journal Vol.23, No.3 (2013) pp.228-240 https://doi.org/10.1108/RMJ-04-2013-0008
Hulme, Tony, ‘Information Governance: Sharing the IBM approach’, Business Information Review Vol.29, No.2 (2012) pp.99-104 https://doi.org/10.1177/0266382112449221
IT Governance Ltd., ‘GDPR Enforcement and Penalties’ [https://www.itgovernance.co.uk/dpa-and-gdpr-penalties] (accessed 27th Dec 2018)
Kooper, M.N., Maes, R. and Roos Lindgren, E.E.O., ‘On the governance of information: Introducing a new concept of governance to support the management of information’ International Journal of Information Management Vol.31, No.3 (2011) pp.195-200 https://doi.org/10.1016/j.ijinfomgt.2010.05.009
Maclennan, Alan, Information Governance and Assurance (London: Facet, 2014)
McDonald, John and Léveillé, Valerie, ‘Whither the retention schedule in the era of big data and open data?’, Records Management Journal, Vol.24, No.2 (2014) pp.99-121, https://doi.org/10.1108/RMJ-01-2014-0010
Poore, Ralph Spencer, ‘Ethics and the Information Security Profession’, Information Systems Security Vol.8, No.1 (1999) p15
Shepherd, Elizabeth, Stevenson, Alice and Flinn, Andrew, ‘Information governance, records management, and freedom of information: A study of local government authorities in England’ Government Information Quarterly 27 (2010) pp.337-345 https://doi.org/10.1016/j.giq.2010.02.008
Smallwood, Robert F., Information Governance: Concepts, Strategies and Best Practice (Hoboken: Wiley, 2014)
 David Bawden & Lyn Robinson, Introduction to Information Science (London: Facet, 2012) p263
 Susan David deMaine, ‘Preparing Law Students for Information Governance’, Legal Reference Services Quarterly Vol.35 No.2 (2016) p101
 Seth Earley, ‘Metrics driven information governance’, IT Professional Vol.18, No.2 (2016) p17
 Tony Hulme, ‘Information Governance: Sharing the IBM approach’, Business Information Review Vol.29, No.2 (2012) p99
 Alan Maclennan, Information Governance and Assurance (London: Facet, 2014) p1
 Juerg Hagmann, ‘Information governance – beyond the buzz’, Records Management Journal Vol.23, No.3 (2013) p230
 M.N. Kooper, R. Maes and E.E.O. Roos Lindgren, ‘On the governance of information: Introducing a new concept of governance to support the management of information’ International Journal of Information Management Vol.31, No.3 (2011) p196
 David C.G. Brown and Sandra Toze, ‘Information governance in digitized public administration’, Canadian Public Administration Vol.60, No.4 (2017) p582
 Tobias Keyser and Christine Dainty, The Information Governance Toolkit: data protection, Caldicott, confidentiality (Abingdon: Radcliffe, 2005) p.vi
 Information Commissioner’s Office, ‘What is the Freedom of Information Act?’ [https://ico.org.uk/for-organisations/guide-to-freedom-of-information/what-is-the-foi-act/] (accessed 27th Dec 2018)
 Elizabeth Shepherd, Alice Stevenson and Andrew Flinn, ‘Information governance, records management, and freedom of information: A study of local government authorities in England’ Government Information Quarterly 27 (2010) p344
 John McDonald and Valerie Léveillé, ‘Whither the retention schedule in the era of big data and open data?’, Records Management Journal, Vol. 24, No.2 (2014) p102
 Emily M. Coyne, Joshua G. Coyne and Kenton B. Walker, ‘Big Data information governance by accountants’, International Journal of Accounting & Information Management, Vol. 26, No.1 (2018) p161
 Maclennan p52
 Robert F. Smallwood, Information Governance: Concepts, Strategies and Best Practice (Hoboken: Wiley, 2014) p4
 McDonald & Léveillé p106
 Directive 2004/38/EC of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. L119/1 [hereafter General Data Protection Regulation] Art.32
 IT Governance Ltd., ‘GDPR Enforcement and Penalties’ [https://www.itgovernance.co.uk/dpa-and-gdpr-penalties] (accessed 27th Dec 2018)
 Chartered Institute of Library and Information Professionals, ‘Ethical Framework’ [www.cilip.org.uk/resource/resmgr/cilip/policy/new_ethical_framework/cilip_s_ethical_framework.pdf] (accessed 23rd Dec 2018)
 Cherie L. Givens, Information Privacy Fundamentals for Librarians and Information Professionals (Lanham: Rowman & Littlefield, 2015) pp6-7
 International Federation of Library Associations and Institutions, ‘IFLA Code of Ethics for Librarians and other Information Workers’ [https://www.ifla.org/publications/node/11092] (accessed 23rd Dec 2018)
 Ralph Spencer Poore, ‘Ethics and the Information Security Profession’, Information Systems Security Vol.8, No.1 (1999) p15
 General Data Protection Regulation Art.5
 Maclennan p82
 General Data Protection Regulation at (85)-(86)