Data Governance Principles and Management of Risks

The correct management of data in any organisation, is paramount. It is therefore important to know what data you have on hand, where it exists in your organisation, and what rules apply to its use, reference, and destruction. This is called Information Governance and its principles allow an organisation to explore, understand and analyse information, and to apply the appropriate framework around behaviour in the valuation, creation, storage, use, and deletion of data. These policies are important in managing the risks associated with data lineage and in adhering to enterprise governance requirements, through operational transparency and reducing expenditures associated with legal discovery obligations, regardless of whether the data is physically or electronically created.

At the very least, there are three considerations that should be addressed in the practice of good information governance: a top-down approach, fluidity to a solution on a case-by-case basis, and preparedness for potential future obligations.

A top-down approach to good information governance

A top-down approach occurs when the development of principles, strategies, and goals are determined by senior leadership and filtered down through the organisational structure. This traditional management style leaves little room for ambiguity as the leadership team sets the company’s direction for major projects, which is important when managing information assets across an entire organisation, in ways that are more detailed than simple record-keeping or data management. A solid approach will traverse a wide range of disciplines and business areas including information technology, physical and cyber security, records management, eDiscovery, and data analysis, as its principles will apply to all data types, and range across many operational platforms and applications. Any process reaching into these areas requires uniform direction from the top down as whilst these areas are part of the same underlying framework, the advice will vary across different data and information types, and therefore needs to be acknowledged in slightly different ways.

The change in working arrangements following the covid pandemic have seen a huge rise in cyber threats and organisational health checks. Knowing what data you have on hand, where that data is located, and the classification of the data (if it is of a sensitive or confidential nature), is a huge first step in bolstering your data security measures.

TIMG help our clients to invest in proactive frameworks which allows them to mitigate risk and exposure of cyber warfare. If there is no sanity check of the data you have on hand, identifying and reporting the loss to clients or authorities, becomes an entirely other ballgame.

In the event of a data breach, how can you be confident in identifying what data has or hasn’t been leaked, if you don’t know what data you are storing? Engaging with experts early on will help organisations be proactively in charge of their data. Having information governance plans in place also proves to be more cost efficient when compared to taking reactive action. This can be a hard sell to organisations that aren’t well versed in this type of data management, however, a top-down approach acknowledges the seriousness of the act and assists in moving the organisation forward.

Creation of customised and seamless data management solutions that makes responding to regulation requirements quick, efficient, defensible, and repeatable

Generally, an organisation that is required to store large amounts of sensitive and confidential data should follow appropriate legislative sentencing schedules. Sentencing is a specialty skill that requires qualified and experienced people to determine if the record has temporary value or if it is required to be retained permanently. Where the record is temporary, the sentencer also identifies and records the date in which the record may be destroyed, noting the Record Disposal Schedule (“RDS”), or the General Disposal Schedule (“GDS”) on the actual record itself, or by noting it in a proprietary recordkeeping system, such as Electronic Document and Records Management Software (“EDRMS”). RDS’s are developed to cover records common to all agencies or councils, or to a specific sector, and the GDS’s are developed to cover records common to all agencies or councils, or to a specific sector.

TIMG’s Governance Team work closely with government departments to implement proactive information governance programs, to remediate inappropriately stored private data and minimise the risk of breaches and inadvertent loss. Whilst different record types carry different handling requirements, the underlying framework is still the same. The way this task is approached and the process for every business is really the differentiating point. No two businesses are the same and whilst the procedure is still as detailed, being able to tailor a solution to each different space is paramount in effecting a suitable change management plan that will stick after the initial task has been completed. To this end, a discussion with the organisation and review of their data repositories is necessary.

Data that becomes subject to legal review for document disclosure purposes

More and more, Royal Commissions and Inquiries are becoming the norm. Organisations and departments that have never been required to prepare for document production, have needed to upskill quickly to meet Commission production deadlines. The challenge for these departments has been to firstly identify what records they have on hand, determine if they are relevant to the response, and to get senior body sign off before producing a response within the sometimes very narrow turnaround times.

Due to the very nature of a Commission or Inquiry, documents in scope to the response almost always contain confidential and sensitive information. In order to protect sensitive information, third party suppliers have been required to assist with the treatment of sensitive material, including the actual document review. In this sense, TIMG supports government and private bodies to protect their sensitive information in large volumes. Tools such as the ability to auto-redact keywords, phrases, and patterns of sensitive data such as email addresses, phone numbers and credit card details, is more valuable than ever. Our clients are finding this particularly useful when not only responding to Notices, but also at the actual inventory stage of the internal record population. The real game changer is that we can help our clients redact video and audio files, which also make this ideal for compliance.

The quick and easy way to identify, redact, and disclose sensitive or confidential data saves on time and money, and can open the review of such material to analysts of all technical levels, from seasoned data professionals to non-technical analysts.

Conclusion

With cyber warfare on the rise, it pays to ensure you have a clean data catalogue, and whilst the information governance space was only briefly touched on in this article, following the above recommendations will have organisations and their data obligations a couple of steps in the right direction towards a safer and more secure data experience.