Information Governance

Information governance (data governance; information management) is the discipline and practice of establishing a framework of processes, standards and protections to ensure the effective, efficient and secure use of information within an organization.  Information governance addresses all aspects of the management of information and records collected, used, maintained, disclosed and disposed of by an organization.

Policies and procedures within an information governance framework address organizational responsibilities, asset management, security, relevant processes (e.g. records retention and destruction) and training.  An information governance framework reflects applicable legal requirements (to collect, use, disclose, maintain and potentially delete information), recognized standards, relevant regulatory requirements and best practices.

Generally, information governance is not a discipline that is mandated by legislation but is one that organizations may adopt to ensure compliance with diverse applicable rules and laws as well as the broader purpose of protecting their valuable information assets, ensuring those assets are available when needed and when no longer needed are disposed of securely.  Organizations that are mandated by legislation to maintain and protect information to support their operations – financial institutions and public company issuers of securities are examples –may determine that adoption of an information governance framework is the most effective and efficient means to establish due diligence evidencing compliance with such regimes.  Underlying all information governance is the understanding that management of information is critical for organizational efficiency and effectiveness, for compliance, as well as for preparedness in dispute resolution matters.

Governmental organizations may be mandated by accountability legislation or simply internal directives to establish information management or information governance regimes. . 

Privacy and access rules relating to personal information held by private sector organizations and similar rules relating to personal information and (more generally) records maintained by public sector organizations are specific– legislatively mandated – subsets of an information governance framework. 

Records retention and destruction policies and schedules represent a further distinct sub-discipline within information governance – reflecting operational and legal criteria applicable to an organization’s management of its internal records. 

A number of internationally-recognized standards and principles for information governance frameworks have been articulated.  ARMA International (a professional association of records managers) has developed its Generally Accepted Recordkeeping Principles (link) under the following headings:

  • Accountability
  • Integrity
  • Security
  • Compliance
  • Availability
  • Retention
  • Disposition
  • Transparency.

ARMA has linked these Principles to a “Maturity Model” whereby organizations can evaluate where they stand currently in reference to the Principles and identify required steps to full compliance.

EDRM LLC (EDRM being an acronym for “Electronic Document and Records Management”), an industry collaborative organization that focuses on e-discovery within the context of information governance, has developed an “Information Governance Reference Model” (link) that articulates the relationships among duties, values and information assets within an organization.  The Model highlights the respective roles of the business, legal, records management and information technology areas in relation to information governance.