COVID-19 changed how organizations interact with their workforce and customers. It also extended the reach and tested the boundaries of shared data and complicated the control and governance of information.
Consumers now make appointments, stream movies, visit doctors, and order meals and groceries, more frequently via online or mobile devices with little understanding of where their personal information resides. Businesses, adjusting in the moment, work remotely to complete deals and interact with employees, sometimes over unencrypted lines.
That is why this is a good time for all organizations to catch their breath and reassess information governance.
Defining Information Governance
Information governance (IG) is an emerging “super discipline” applied to electronic document and records management, email, social media, cloud and mobile computing, and the management and output of information organization-wide, according to Robert F. Smallwood, who literally wrote the book about IG in 2014. [1]
Research and advisory firm Gartner defined information governance as: “The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.”[2]
Data governance and information governance, sometimes used interchangeably, are not identical. Data governance involves businesses controlling information and comprises measures to control data accessibility, consistency, usability and safekeeping.
IG, the umbrella overarching data governance, manages information usage including employee records, customer info, and intellectual property. Information governance accounts for how organizations oversee the data lifecycle including processing, data exchange and privacy protection, compliance audits, e-discovery, and records retention.
While data governance is usually solely an IT responsibility, information governance contains broader organizational accountability.
Understanding the Rules
With the increasing list of data privacy laws and regulations and because remote workforces have created greater disconnect and information silos among departments, it is even more important for organizations to not treat data privacy as a one-department task. Instead, they must work as an organization to break through organizational data silos to ensure compliance is part of the entire culture.
Though no specific national privacy regulation currently exists, any nationwide rules would likely follow the standards set forth by the European Union’s General Data Protection Regulation and the California Consumer Privacy Act (CCPA). Complicating matters further, online privacy laws, which differ widely from state to state, could expose companies to potential fines, reputational risk and damages resulting from data incidents. The California attorney general, for example, can impose penalties up to $2,500 for non-willful violations and $7,500 for intentional violations of the CCPA.
Other key data regulations include the Sarbanes–Oxley Act of 2002, which standardizes record management practices, and the Gramm–Leach–Bliley Act (1999), which entails financial institutions shielding the nonpublic personal information of customers.
Some questions businesses could ask themselves: How is personal information such as customer names utilized and stored, especially with the greater use of artificial intelligence and machine learning? Is data scrubbed after a number of years? How are online signatures stored and used?
IG in the COVID-19 Era
An article in Law.360, “Adapting Information Governance for the COVID-19 Era”[3] describes organizational life during the pandemic: “COVID-19 has caused employers to rethink workplaces. A majority of the workforce now working remotely, [which] presents a myriad of governance and compliance issues. As employers embrace this change, they should consider whether information governance and related employment and discovery compliance practices should be adapted to address this new reality.”
Employers concerned about confidentiality and compliance issues might instruct remote employees to[4] :
- Not to use unapproved sites, applications or alternatives.
- Turn off voice-activated virtual assistants.
- Log out of social media sites while working.
- Preventing household members or roommates from viewing company files.
- Not to use personal text or messaging platforms for work-related purposes.
- Read up on methods for appropriately storing and disposing of business records and documents.
Employers may also face further challenges with information governance and data loss if they furlough or lay off workers, including potential data theft, damage or alterations to files by remote employees impacted.
Any organization also needs to consider the potential value of preserving information critical as evidence in cases involving lawsuit, liability and reputational damage for not following safety protocols for customers and employees. Hunton Andrews Kurth LLP, which maintains a comprehensive database litigation involving COVID-19 claims,[5] tallied almost 5,000 complaints through Sept. 10, 2020. Claims involved insurers, loans, refunds, personal injury, and workplace health and safety claims.
“A proactive alternative to the challenges of data proliferation requires an approach that gives stakeholders control of data before a lawsuit lands or a compliance obligation triggers the need for an involved response,” according to an American Bar Association article.[6] “Properly designed, information governance addresses how information assets are created, preserved, classified, secured, retrieved, and (ultimately) deleted.”
Information Governance Becomes Priority
Alt + F0 (the author’s company) comprehends how IG goes beyond outmoded records-administration and holds the key to leveraging future growth, risk management, data asset-value and competition. Company leaders must also recognize the intricacies of information management.
Privacy and security are important aspects of information governance. When organizations extract data from customers and send it to third-party providers, the company must ensure it also has third-party vendor risk management, data mapping and monitoring, certain documentations and information preserved, and audit holds for examiners.
The traditional ‘records management’ and ‘data management’ seen over the past several years will not cut it for addressing increasingly sophisticated compliance needs and regulatory demands.
Sources
[1] Robert F. Smallwood, “Information Governance: Concepts, Strategies, and Best Practices” (Wiley, 2014).
[2] “Information Governance,” https://www.gartner.com/en/information-technology/glossary/information-governance
[3] Scott Milner, Stephanie Sweitzer, Brian Herman, Carrie Gonell and Jennifer Williams, “Adapting Information Governance for the COVID-19 Era” https://www.law360.com/articles/1268668/adapting-information-governance-for-the-covid-19-era.
[4] “Adapting Information Governance for the COVID-19 Era” https://www.law360.com/articles/1268668/adapting-information-governance-for-the-covid-19-era.
[5] COVID-19 Complaint Tracker, https://www.huntonak.com/en/covid-19-tracker.html
[6] Lucas Newcomer and Johnny Lee, “E-Discovery Challenges and Information Governance Solutions” https://www.americanbar.org/groups/litigation/committees/pretrial-practice-discovery/articles/2019/winter2019-e-discovery-challenges-and-information-governance-solutions/
