
A Government Librarian’s Guide to Information Governance and Data Privacy
Ebook, 312 pages, 3 hours


About this ebook

This book provides a concise and usable overview of the practical implications of important public sector United States federal, state, and municipal laws and standards related to information governance, as they pertain to librarians, research staff, universities, corporate regulatory managers, and public-sector information governance professionals. It is the first in a series of two volumes addressing public sector information governance compliance matters from the perspective of our target audience.

Topics addressed in the book include:

  • the evolving role of librarians and the need for librarians and legal researchers to understand the principles of information governance,
  • the importance of broad-based regulatory IG principles such as the Federal Records Act, the Paperwork Reduction Act of 1980 and 36 CFR Chapter XII, Subchapter B – Records Management, that have been promulgated by various federal government agencies in framing public-sector IG principles,
  • a survey of interpretive surveys from the Office of Management and Budget (OMB) that further elucidate the core IG principles applicable to public sector stakeholders,
  • case studies detailing the application of important IG principles by federal agencies and bodies, and
  • a survey of important IG issues facing state and local governments.
Language: English
Publisher: Business Expert Press
Release date: May 31, 2022
ISBN: 9781637422441
Author

Phyllis L. Elin

Phyllis L. Elin, CEO of Knowledge Preservation, LLC, is an experienced information governance leader with 30+ years of expertise in implementing enterprise-wide strategies in regulated industries like finance, pharmaceuticals, manufacturing, healthcare, law, education, and the public sector. She holds a master's degree from Seton Hall University and completed her undergraduate studies at NYU. Phyllis has taught library, records, and information governance sessions at prominent institutions, served as a former ARMA chapter president, and chaired the Board Governance Committee of the New Jersey Sharing Network Foundation. In 2021, she became the CEO of The Knowledge Preservation Group and was appointed as a Fellow of the Institute for Information Management (IIM).


    Book preview

    A Government Librarian’s Guide to Information Governance and Data Privacy - Phyllis L. Elin

    Introduction

    I have been a global consultant in the field of information governance (IG) and compliance for over 40 years. During that time, the metamorphosis of Records Management to Information Governance has given me a somewhat unique perspective. My education began in Cincinnati, Ohio, in the 1970s where, along with a small group of women, I was schooled in the tenets of best practices for Records and Information Management (RIM). My professors were formidable women who cut their teeth working for the U.S. Federal Government during World War II. So, eager for a career as a perpetual student, and combining my curiosity with my admiration, the teaching methods of my two mentors played beautifully into my scholarly inclinations.

    Though RIM basics were not in my wheelhouse as an English major and Political Science minor, as the training began, it immediately appealed to my sense of reason and organization. RIM spoke to me. I was enthralled by it. As I absorbed these learning sessions, I felt the same academic excitement as I did for my classes at New York University. In addition to the building blocks of my education, I also nurtured traits of patience, meticulousness, and logic. These were paramount to this career path, and I was encouraged in believing that I possessed these skills.

    My IG and compliance career has taken me to many countries and continents, all of which, for better or worse, treat RIM at least a little differently. My journeys have also allowed me to see and understand many organizations in most vertical markets and jurisdictions. I also interviewed subject matter experts (SMEs) in all functional areas to verify their record keeping requirements, workflow perils and pitfalls, and many a parade of horribles.

    With the expansion of technology and governance, our industry has often changed very dramatically and abruptly. The shift in data privacy rules and regulations is just the most recent example. Still, there are standards and best practices which transcend the sudden vicissitudes of the day, and these more enduring, universal principles will be the focus of this volume.

    That said, the foundation of my observations generally begins with ISO 15489, established in 2001 as the first globally recognized requirement for RIM. And thus, the workflows will more or less adhere to the following protocol: Capture, Check, Record, Consolidate and Review, and Act, coupled with Accountability, Transparency, Integrity, Protection, Compliance, Accessibility, Retention, and Disposition. We will also touch on Archives Management and the two principles of Provenance and Original Order.

    Thereafter, I will cover a number of general subject areas from the perspective of people, process, and technology utilizing Control Objectives for Information and Related Technologies (COBIT), IT Infrastructure Library (ITIL), and 40 years of experience in management and consulting. These areas will include inter alia, strategic alignment, management principles, continuous improvement, organizational continuity, metrics, and risk and operations management.

    Finally, in Parts II and III, we will take a deeper look at the principles and implications of IG as they pertain to U.S. federal and state government entities. The first portion of this section focuses on Federal Law and practice, and the second part shifts toward a discussion of best practices for state and local governments. This portion of the book was written by my collaborator, Max Rapaport, an attorney with expertise in the areas of records management and data privacy.

    PART I

    A Guide to Information Governance—General Principles

    Governance Overview

    As its name implies, information governance (IG) is a comprehensive strategy for managing an enterprise’s people, process, and technology, with an emphasis on risk, legal compliance, information management, and business intelligence. Governance also subsumes a number of disciplines such as eDiscovery, data privacy, big data, architecture, operations, organizational continuity, and audit.

    The goal of a governance strategy and framework is to ensure that the organization understands and is able to work together to execute leadership’s strategic goals and objectives, and that the enterprise and all of its employees and resources are operating as judiciously and harmoniously as possible to achieve those ends. In that regard, it is useful to view the organization more as a single physical mechanism than as an amalgamation of disparate parts and services.

    Leadership sets the strategy and tone and establishes the organizational culture. Depending on the enterprise, it will be subject to more or less regulation, which will in turn influence the governance frameworks, privacy requirements, best practices, and infrastructure. The organization will establish appropriate technology, third-party systems, and operational structures to support its organizational goals, resource according to need, and monitor and extract metrics for every facet of the enterprise to ensure the whole is greater than the sum of its parts.

    The success of an organization is often measured by its ability to achieve strategic alignment across these areas, but especially leadership, budget, technology, operations, and legal. Program management is essential to planning, executing, and resourcing executive leadership’s core strategies; business units drive the specific requirements and core competencies that ultimately determine success in the marketplace; IT and operations build the processes, procedures, and infrastructure on which the organization’s strategy is based; and legal and compliance outline and enforce policies and mitigate risk to keep the organization in good standing with regulators, shareholders, and the public.

    Records and Information Management

    Information management is focused on the efficient operation of an organization’s governance program by ensuring that the information the organization needs is secure and available to meet its obligations. It should endeavor to deliver services in a consistent and equitable manner and provide continuity in the event of a disaster. It should protect records from inappropriate and unauthorized access and meet statutory and regulatory requirements for archiving, audit, and oversight activities. Good governance also provides protection and support during litigation; enables quicker storage and retrieval of documents and information; and improves efficiency and productivity from an operational perspective.

    Naturally, the technology on which an enterprise relies to store and access information is critical. Failure to maintain a proper records and document management platform could result in a direct threat to the security, integrity, and availability of data, which could lead to any number of problems, including questions of veracity or authenticity due to a degradation of data quality. Considering the many legal and regulatory requirements, records management and the security required to safeguard it have become integral to a company’s or government entity’s legal compliance structure.

    We are often reminded of the vital importance of an up-to-date IG program through press reports about companies or government agencies that failed to protect data and information assets. There is indeed a defensive aspect to retaining records, but also an affirmative obligation to transparency. Litigation and the possibility of litigation are also primary drivers. So, the overall effectiveness of compliance is directly proportional to the quality and success of any IG program.

    High level, there are three phases to responsible records retention compliance: identification and retention, preservation and safekeeping, and destruction and disposal of records that have fulfilled their life cycle and outlived their usefulness. An up-to-date, comprehensive RIM Program documents the organization’s intent and commitment to compliance, thus reducing potential punitive and compensatory damages that can result from litigation or regulatory fines.

    Thus, it is exceptionally important to maintain updated policies and procedures for the systematic control of records. Without proper records management, companies, government agencies, and local governments may be storing records too long, not long enough, or not at all. Worse, they may be prematurely destroying or spoliating vital documents. Failing to maintain records and data necessary for regulatory auditing, Securities and Exchange Commission (SEC) reporting, and other valid organizational requirements presents great risk which, in this day and age, is mostly unreasonable if not negligent.

    Any of the aforementioned risks could lead to penalties for noncompliance with records retention regulations, a blemished public reputation, and any number and variety of legal liabilities. So, RIM controls are needed to demonstrate proactive and transparent efforts to satisfy compliance requirements. Consistent records management processes, policies, and practices can also dramatically reduce litigation costs, both in terms of improved efficiency and in terms of mitigating or eliminating risk.

    Ultimately, a proper records management function ensures that an enterprise’s records of vital historical, fiscal, and legal value are identified and preserved, and that nonessential records are discarded in a timely manner according to established rules or guidelines, as we will discuss in the following.

    Records Management Life Cycle

    The definition of a records management life cycle varies, but our model tends to highlight seven key phases, which we will address here and in subsequent sections. They include creation and capture, collaboration and use, taxonomy and classification, version control and management, retention and archiving, preservation and hold, and disposition and destruction.

    Before we return to the life cycle phases, first a brief introduction to metadata, which is basically data about data and essential to the entire aforementioned data life cycle. It is the reason a document can be indexed, searched, enhanced, and grouped with or separated from other similar documents. It describes the document, who created or modified it, and when they created or modified it. For an e-mail it includes server information, senders and recipients, and whether it has attachments. It describes where the document came from and where it resides and includes unique technical information which ensures its uniqueness. It is used to determine access rights and whether the document is related to other documents or clusters of documents. The document can be hashed to create a unique fingerprint that identifies it or eliminates duplicative copies. And over time, the metadata will be enhanced to include everything that can be known about the document’s journey during that life cycle, most importantly, when it was created, which retention rules or legal hold requirements apply to it, and whether or when it can be destroyed.

    Creation and capture represent the date, time, and file type the moment a document comes into existence. Once it exists, it can be used by one or many individuals who have the right to access it. If a number of individuals collaborate on a document, it will be subject to version control, which will track and preserve changes among multiple users. Depending on the status of our users, whether they be on a legal hold or subject to regulatory retention, the document will be retained and archived with a set of rules to prevent it from being destroyed or spoliated. And finally, if the document should outlive its retention requirements, legal holds, and usefulness, it will be subject to destruction.

    So, records need to be identified, organized, and classified using a taxonomy and retention schedule so that they can be managed, retained, retrieved, and disposed of in accordance with the laws and regulations which govern them. They must be securely stored to ensure that they are protected, accessible, and reliable until they are no longer of value to the organization or required due to regulations or legal holds. They should be inventoried in tandem with asset management and data mapping to ensure their accessibility and efficient access. Some modern tools enable and empower this process with automation. Their data quality and metadata should be preserved and enhanced over time to increase their value to the organization. They should be migrated and consolidated when it makes sense to improve security, availability, and searchability or to reduce duplicative costs. And again, a proactive destruction or disposition program reduces the risk of over-retention, cuts unnecessary storage costs, and frees up bandwidth.

    Data quality and records inventories are essential to quality records management and should be revisited by operations and compliance on a periodic basis. A completed record inventory can also provide each organization unit with information to enable better management and organizational intelligence. There are six important concepts to keep in mind when creating the Records Inventory: Identifying required records to add to the inventory is likely to highlight duplicates and unnecessary retention of information. Adding records to the inventory will instigate discussions about whether efficiencies can be made in the volumes of information held and replicated. A data map will also be useful. Classification of records sets out clearly why records are held, what value they provide, and how they fit into the wider context of the organization.

    Over time, the retrieval of records is improved when there is an accurate inventory of where they are stored. Use of records over time may change, including ownership and storage location. The inventory will help track those changes, making long-term management of records easier. Understanding whether there is an ongoing requirement to retain records will in part be supported by the record inventory and the record classes that have been identified, which will help hedge against resignation in the form of the “keep everything” approach.

    Confidence in disposing of records starts with a clear link between records and retention schedules. The record inventory will make that link with structured and consistent governance. It will make for more effective management of data. It will help reduce and eliminate redundancies. It will reduce costs for storage and duplicative systems. It will reduce legal liability and monetary risk by avoiding spoliation. It can even hedge against cybersecurity breaches since you cannot hack what does not exist.

    Data Governance

    With the proliferation of electronically stored information (ESI), data governance has naturally grown in criticality. Above all, the question is how to manage, archive, access, and control the exponential growth of data and data types, which now extend to literally thousands of platforms and organizational applications. Large government agencies and municipalities can face an influx of up to tens of millions of new records a day, including, though certainly not limited to, e-mail, messaging platforms, trading data, office documents, drawings, audio and video files, and the list goes on and on.

    Big data management requires meticulous planning, from scope and architecture to policies, asset management, and operational frameworks, which serve organizational needs while meeting compliance or regulatory standards. With volume comes an almost natural degradation leading to an increase in redundant, obsolete, or trivial (ROT) data. Between backups, multiple users, and inefficient data management, most organizations unwittingly store dozens of copies of the same documents. This redundancy is generally curable, or at least dramatically improved, through deduplication, classification methods, and single-instance storage.

    Single-instance storage is the process of preserving a single version of a record that retains all of its one-to-many relationships with a reference pointer to the e-mails, documents, or file systems from which the file(s) originated. Obsolete data are simply that which have outlived their legal, regulatory, or organizational usefulness and can be destroyed or deprioritized. Trivial data tend to be public or other low-sensitivity records which provide null or negative value to an organization by virtue of simply occupying bandwidth and resources. Some executives and senior managers hide behind the solace of plummeting storage costs. But that provides false comfort because of the cascade of risks and inefficiencies that come with it.
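    The content fingerprinting, single-instance pointers and hold-aware disposition described in the metadata passage above and in this single-instance storage passage, as an added example that is not the book’s own material; the record classes, retention periods, sample records and source locations are constructed assumptions:

```python
# Added example (not from the book): a toy records inventory that deduplicates
# copies into single-instance storage by SHA-256 fingerprint, keeps a pointer per
# originating location, and clears content for destruction only when every copy
# is past retention and off legal hold. Classes, periods and records are made up.
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class RecordMeta:
    record_id: str
    source: str            # where this copy came from (mailbox, file share, ...)
    created: date          # creation date starts the retention clock
    record_class: str      # taxonomy class that selects the retention rule
    legal_hold: bool = False

# Constructed retention schedule: years to keep after creation, by class.
RETENTION_YEARS = {"contract": 7, "correspondence": 3, "transitory": 1}


class SingleInstanceStore:
    """One stored copy per distinct content; pointers keep the one-to-many links."""
    def __init__(self):
        self.blobs = {}      # digest -> content bytes (stored once)
        self.pointers = {}   # digest -> [RecordMeta, ...], one per copy seen

    def ingest(self, meta, content):
        digest = hashlib.sha256(content).hexdigest()
        if digest not in self.blobs:           # first time this content is seen
            self.blobs[digest] = content
            self.pointers[digest] = []
        self.pointers[digest].append(meta)     # a duplicate only adds a pointer
        return digest

    def duplicates_removed(self):
        return sum(len(p) for p in self.pointers.values()) - len(self.blobs)


def disposition(meta, today):
    """Legal hold overrides the schedule; an unclassified record is never destroyed."""
    if meta.legal_hold:
        return "hold"
    years = RETENTION_YEARS.get(meta.record_class)
    if years is None:
        return "unclassified"
    expires = meta.created.replace(year=meta.created.year + years)
    return "destroy" if today >= expires else "retain"


def eligible_for_destruction(store, today):
    """Content is cleared only when every copy pointing at it may be destroyed."""
    return [d for d, metas in store.pointers.items()
            if all(disposition(m, today) == "destroy" for m in metas)]


def summarize(store, today_iso):
    """Per-record disposition plus the digests cleared for destruction on a given day."""
    today = date.fromisoformat(today_iso)
    per_record = {m.record_id: disposition(m, today)
                  for metas in store.pointers.values() for m in metas}
    return per_record, eligible_for_destruction(store, today)


def build_sample_store():
    """Constructed sample: one contract captured twice, plus a transitory memo."""
    store = SingleInstanceStore()
    contract = b"Master services agreement, executed 2015-03-01"
    store.ingest(RecordMeta("r1", "mail://legal/inbox/1", date(2015, 3, 1), "contract"), contract)
    store.ingest(RecordMeta("r2", "smb://share/legal/msa.docx", date(2015, 3, 1), "contract", legal_hold=True), contract)
    store.ingest(RecordMeta("r3", "mail://hr/inbox/7", date(2020, 6, 15), "transitory"), b"Lunch menu for Friday")
    return store
```

    Note that the second copy of the contract, which is on legal hold, keeps the shared content alive even though the first copy is past its seven-year retention period.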

    An essential component of good data governance starts with asset management and data mapping. First the physical assets, along with their health and age, must be protected and backed up, as many legacy systems become unstable or outdated, or even experience catastrophic failure. Old systems, storage devices, and applications, among others, present substantial risk and should be replaced and migrated from as a part of the process of data life cycle management. Migrations further provide a good opportunity to port only those records which are still subject to retention requirements while leaving behind and destroying those which have outlived their retention schedules or usefulness. When legacy systems fail, it is very often the case that the employees or vendors who managed them are long gone. This is a surprisingly common issue in enterprises that fail to provide proper redundancy or data life cycle management. Extracting
