There are many important reasons why organizations have created data and information governance programs, a subject that includes but is not limited to the more familiar areas of records and information management (RIM) and RIM programs. First, information and data sources have increased exponentially over the past 20 years and, therefore, the need to properly manage them is greater than ever before. Second, records and information document critical business activity and access to them is necessary for effective business operations. Third, records and information are often required by local, state and federal agencies for licenses and other government filings. Fourth, records are necessary for the prosecution or defense of litigation or claims. Fifth, the storage of data and information can be costly. Sixth, records and information can be a major source of clues about potential ethics and compliance and privacy issues and violations.
A well-defined and well-executed data and information governance program can capture and categorize the types of data and information an organization has and ensure that the data and information necessary to run the business remain available, that the data and information needed for local, state and federal authorities and litigation are accessible, and that only necessary data and information are retained in an efficient and accessible manner for the required periods. In addition, a well-defined data and information governance program can provide invaluable support for the ethics and compliance and privacy functions with critical information about the types of data that are regularly created in the business, how the data flows, and whether there are any unusual activities that might cause concerns or require further investigation.
Key Reasons for a Data and Information Governance Program
Data and information governance programs allow companies to:
Manage data/information explosion and simplify access to data
Document business activities
Comply with government requirements
Prosecute/defend litigation or claims
Manage storage costs
Support ethics & compliance and privacy functions
An effective data and information governance program can therefore be a key component of any workplace ethics & compliance and privacy program. Core components of an effective data and information governance program should include, at a minimum:
An understanding of the tools, platforms, and applications that the business uses to generate, store, retain, and protect information;
A clear and easy-to-use records retention policy, schedule and procedures;
A well thought-out and documented claim, audit and litigation hold process; and
Educational materials and training on the data and information governance program.
Each will be discussed in greater detail below.
Data and Information Governance
To begin building a program, the first consideration on which a business should focus is what the business is, does, and/or makes and sells. Next, an organization should identify the types of data and information the organization generates (e.g. personnel files, contracts, purchase orders, marketing collateral, client records, product development files, etc.). Finally, the organization should determine the forms and formats its data, records and information take (e.g. paper, electronic, and other forms such as prototypes, models, discs and microfilm).
Initial Considerations for Launching a Program
What is the business of the organization?
What types of data and information does the organization generate or process?
What form and format does the data and information of the organization take?
The Life Cycle of Recorded Information
First and foremost, an organization must identify the scope of the data and information governance program. Generally, a program needs to address the entire life cycle of all recorded information generated by, at, or on behalf of the organization from the moment of creation or receipt through use and management, storage/archiving and, ultimately, destruction. A program should address official business data and information as well as the data and information that workers keep for personal use or for their own convenience.
Creating an Effective Data and Information Governance Program Infrastructure
The goals of any data and information governance program should be to: 1) ensure all business data is identified and has an appropriate life cycle, 2) ensure that all workers know when they are acting as a custodian for data and know how they are expected to manage that data, including where to store it, to whom and how to grant access to it, and when and how to delete it, and 3) ensure that as data and information types and forms change, the program evolves and is appropriately updated. In order to accomplish these goals, there are several components for consideration, including:
An effective team working collaboratively across departments, groups and functions such as IT, Privacy and Legal;
A clear and appropriate policy or set of policies;
A clear and well-defined retention schedule;
Custodian assignment and identification;
Effective tools and systems and processes to monitor and manage changes;
Effective training and awareness for all workers at the right level about the program; and
A well-defined process for issuing and managing records holds (and discovery for U.S. litigation).
Each will be discussed in turn.
Data and Information Governance Program Components
Data and information governance team
Data retention policy
Data retention schedule
Data custodian identification
Tools and systems
Education and training
Hold management process for audits, investigations and litigation
Data and Information Governance Team
A key to the success of any program is the team. It is important to ensure that there are sufficient resources dedicated to the data and information governance program for the size and complexity of the organization. One size will not fit all. An organization of 1,000 employees located across three sites in the United States with six business areas will have different resource needs than an organization with 20,000 employees located across 10 sites in four countries and three business areas. Likewise, a business that deals in generating and selling data will have different needs than a business that makes and sells food products. At a minimum, it is recommended that every organization have a lead person who is responsible (whether full-time or otherwise) for data and information governance.
The following records and information management roles and responsibilities may be necessary:
Assessment of current state of data and information governance.
This should include the nature of business, types of data and information, forms of data and information, and current practices for data storage, retention and destruction. This assessment will require interaction with every business group and a close working relationship with information technology experts and, in many cases, with the legal department and privacy subject matter experts.
Data policy and retention schedule development.
This task can be assigned to a project team, committee, or single person (consultant or employee) as appropriate. Development of the appropriate retention periods may require consultation with in-house or outside legal counsel regarding local, state, federal, and country regulations.
Business Area data coordinators/subject matter experts.
These people can liaise with the program office or personnel and assist with ensuring personnel in their specific business area understand the applicable portions of the data retention policy, follow the policy and retention schedule, and see that all new developments are fed back for program updates.
Hold management and coordination.
Audits, investigations, and litigation (actual and potential) bring a host of specific retention requirements that may conflict with the general data and information management process. It is therefore important to have personnel in the program office, legal department, and IT groups who understand these issues and are prepared to mitigate the risks with appropriate issuance of data hold notices, systems holds, and review and collection of information potentially relevant to litigation.
Data and Information Management Policy
Development of the data and information management policy and a retention schedule is at the heart of most programs. The policy is where an organization should clearly articulate expectations with regard to the creation, management, storage and destruction of data and information. At a minimum a policy should:
Identify and distinguish business records from convenience records;
Provide compliance expectations and the potential consequences for failure to comply;
Identify where employees can find the appropriate retention periods;
Direct employees on how to manage electronic data and information;
Direct employees on how to manage physical records onsite;
Direct employees on how to store records and information offsite (if applicable);
Provide details on any process required prior to destruction of official business records;
Educate employees about the potential for litigation or other holds and the process for managing those holds; and
Notify people where they can seek guidance or additional information.
Refer to the sample policy in the appendices at the end of this article.
Data Retention Schedule
In addition to the policy, or as a component of it, organizations should also create and adopt a data retention schedule identifying the length of time each category of information should be retained. Retention requirements are a mix of legal, regulatory, business and best-practice rules applied to different categories of records and information. There are some clear legal/regulatory mandates for how long certain types of records/information must be kept (e.g. the Occupational Safety and Health Administration, or OSHA, requires that copies of records and information related to employee hospitalizations for work-related injuries or illnesses be maintained for 30 years). The statute of limitations for certain types of legal claims can also drive some retention dates (i.e. contract claims generally have no more than a three-year statute of limitations, so records related to contracts are often kept three or more years from the termination date to ensure availability in the event of a dispute that arises during the statute of limitations). Further, contractual agreements of an organization generally have a term and/or termination date and possibly some continuing obligations which may drive retention periods. The business area(s) may also have their own vision and desires for retention periods based on the way the business runs.
Regardless of the driver of the retention period(s), it is important to supplement the data management policy with a data retention schedule. This schedule should state how long each type of data and information must be retained, identify the trigger date from which the retention period runs, and provide concrete examples of records that fall into each record class. A sample retention schedule excerpt is included in the appendices at the end of this article.
In creating the data retention schedule, organizations must consider how many different retention codes and periods they want to create and enforce. Some businesses may opt to retain all records for only the minimum period required for legal, regulatory, or business reasons, which may result in hundreds of different retention categories and periods. Other businesses may opt to adopt fewer retention categories with retention periods that might be longer than specifically required, in favor of simplicity of the program. Such considerations are important decisions for each organization to make based on the risk profile of their records and their risk appetite.
Identifying Data Custodians
Another critical component in a data and information governance program is identifying data custodians; that is, those persons who are responsible for maintaining the single official business copy of a record or piece of information. For example, a human resources manager may be tasked as the company custodian for all official company personnel files, while an IT manager may be tasked as custodian for all electronic systems, servers and backups. Given the electronic tools and mobile devices in abundance today, as well as copiers, scanners, email and other technology, there are almost inevitably multiple copies of any single piece of information. Identifying and publicizing single data custodians can therefore help create efficiencies, reduce costs, and ensure that duplicates are retained only as convenience records for as long as needed and do not become part of the business records and information archive. In addition to official custodians, litigation will also involve specific witness custodians who may have relevant information (official business or convenience records) by virtue of their role in the company or their interactions on a specific matter.
Data and Information Governance Tools
There are a variety of different records and information management tools to consider. This section will address the following: data inventories and maps, systems issues, electronic, on-site and offsite storage, and a process to ensure changes get incorporated into a program.
Data Inventory. One important tool to consider in any data and information governance program is a data inventory: an inventory of the tools, records and custodians of an organization. It requires identifying specific types of data and the systems or locations and custodians for those records/information. Data inventories can be done in a variety of ways, from the creation of a simple spreadsheet to the use of more complex applications. While a data inventory can be useful in many aspects of a data and information governance program, from building the retention schedule through litigation management, maintaining an inventory is a continuous process that requires dedicated resources who provide updates on changes.
Sample Data Inventory Excerpt
| Document Type | Custodian | Type/System | Location | Retention Code | Retention Period |
|---|---|---|---|---|---|
| Personnel File(s) | HRIS Mngr. | | Server 1 | HR100 | Act+7 yrs |
| Payroll Information (i.e. earnings, W2, bonuses) | Payroll Mngr. | | Server 4 | HR210 | Act+25 yrs |
| Time and Attendance Information | HRIS Mngr. | | Server 9 | HR150 | Act+7 yrs |
| Leave of Absence Records | HRBPs | Hard Copies | | | |
| Benefits Plan Documents | Benefits Admin | Hard Copy | | | |
| Immigration (I-9) Data | Talent Acquisition Mgr. | Hard Copy | | | |
| Job Accommodation Information | ADA Coordinator | Hard Copy | | | |
Data Maps. Another important tool to consider in any data and information governance program is a data map. A data map shows how data flows into, through and out of the organization. Data mapping may be necessary in order to comply with certain data privacy laws. Like maintenance of a data inventory, data mapping is a continuous process that requires dedicated resources who report changes so that the map can be kept current.
Systems. Technology continues to improve and offer advancement in the field of data and information management. Organizations should evaluate their current and future electronic systems, repositories, and processes to understand the tools currently available, along with their limitations and issues. Systems are becoming an increasingly effective way to manage data and information, and can be especially helpful in managing retention based on event triggers (e.g., a system may be configured to automatically delete items seven years after their creation date). Systems can also be used as a gatekeeper to create control points, which may eliminate some of the traditional tedium of records and information management. For example, there can be system rules that ensure records/information cannot be sent offsite without the appropriate associated detail (e.g., dates, custodians, records category and retention period). Systems can also be used to generate reports and metrics and to create automatic reminders or ticklers for retention period expiration or other events. The technology for data and information governance continues to improve with time. It is important that, as systems are retired and new systems created and utilized, the data and information governance program actively manages the process of retiring data, porting data (as may be needed), and updating the program to account for the decisions.
Electronic Information Storage. With the rise in cloud tools, services, and solutions, electronic storage of data must be addressed in the data and information governance program. Electronic storage may be priced in bits or bytes, and data security and maintenance costs must be factored into any electronic storage decision to ensure that data is safe from loss and theft.
Offsite and Onsite Information Storage. Storage of records and information on- and offsite still must be addressed in any data and information governance program. This includes decisions related to the storage capacity employees may have in their work area, in common areas, and on their computing and other systems. On-site storage may include notebooks, workstations, file rooms, central storage facilities and other physical locations. Offsite storage can also use physically secure locations (which are safe from fire, flood, and pests). Each of these locations, on- or offsite, has certain benefits and risks that should be assessed. Further, any type of storage also has costs associated with it that must be considered.
Changes. A data and information governance program is and must be dynamic. With the ever-expanding tools, devices and applications, businesses must continually assess what data and information tools are being phased out and which are gaining usage, and address those in the policy, retention schedule, and systems issues accordingly. Consider, for example, the different challenges and issues presented by changes in operating systems, use of mobile devices with or without storage, digital voice mail, instant messages, team sites/collaborative workspaces, portals, and software as a service. It is important for the program office to be working with the business and information technology to understand the sun-setting of any systems and the implementation of any new systems or changes in the system to ensure the program remains relevant. With the continued changes in the tools and information, there is also a need to continue to educate employees as these systems phase out or come online.
Training and Awareness
Once an organization has established a data and information governance team, policy and retention schedule, the team should decide whom to educate on the issues, policies, processes, and expectations and how, including how to deliver the training (e.g. in person, online, as part of several other courses, on demand, as part of new employee orientation, as part of manager training, or otherwise).
Consider whether every employee in an organization needs to be exposed to and trained on the entire retention schedule, or whether the schedule can be parsed into discrete portions that are applicable to specific business areas or roles and responsibilities. Providing only a lengthy retention schedule to all employees may result in overload and increase compliance failures, while sharing only bite-sized portions of the whole as applicable and having fewer retention categories can increase understanding and encourage compliance.
The more ways that a data and information governance program can be presented and described to workers, the more likely workers will understand and comply. Consider, therefore, using a written policy, diagrams, decision trees, summary documents, fliers, frequently asked questions and various live and electronic training options when rolling out aspects of the program. See a sample decision tree in the appendices following this article.
A major risk in every data and information governance program relates to having and retaining what is needed in the event of litigation, investigation, and audit or inspection. Therefore, a critical part of every program must define how, when and by whom retention holds will be issued (a hold essentially prevents destruction of potentially relevant data in the normal-course application of the policy and retention schedule). Probably the most significant consideration in the issuance of holds is the fact that litigation holds (and usually investigation holds) apply not just to the official business records, but to all records and information. Therefore, if convenience records have been retained and are relevant to these types of holds, there must be a process to ensure such records are retained (and not deleted in accordance with a standard deletion protocol) until the matter is sufficiently resolved (including exhaustion of appeals).
Issuing Information Holds
Information holds are essentially a stop sign that prohibits data and information from being destroyed in the normal course. Organizations should identify a person or group of persons who will have the authority to issue any type of retention hold, suspending the destruction of both potentially relevant official business records and any potentially relevant convenience records. Often this responsibility will sit with the legal department for preservation related to actual or threatened litigation, the tax group for tax-related or audit matters, and the audit and/or investigations groups to ensure records necessary for internal audits or investigations do not get destroyed. Regardless of who authorizes a hold, an organization needs an effective process to initiate such a hold on records and information and prevent destruction which would otherwise occur. Best practice continues to be the issuance of a hold memorandum to custodians or potential custodians with specific instructions. A sample litigation hold notice is provided as an attachment at the end of this article.
In making decisions related to retention holds, consider providing guidance on who has the authority to issue holds, when such holds should be issued, how the holds will be monitored, and what systems support can be provided. For example, holds may need to be issued to custodians of relevant convenience records as well as custodians of official business records, and possibly to personnel with greater systems access who can ensure that the automatic deletion normally entrusted to the custodians is disabled until the hold is lifted.
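The Systems paragraph above describes event-triggered automatic deletion, and the hold paragraphs describe why such deletion must be suspended while a hold is in force. The following is an added example, not code from the article, showing how a disposition check can combine the two so that a hold always wins over an expired retention period. It reuses the retention codes from the sample inventory (HR100, HR210, HR150) and assumes, for this example only, that "Act+7 yrs" means seven years after the date the triggering activity ended; the record and hold structures, the matter names and the dates are all constructed here.

```python
"""Retention expiry check with legal-hold suspension (illustrative, not the article's code)."""
from dataclasses import dataclass, field
from datetime import date
import re

# Retention codes and periods taken from the sample data inventory excerpt.
# The reading of "Act+N yrs" as "N years after the triggering activity ended"
# is an assumption made for this example.
RETENTION_SCHEDULE = {
    "HR100": "Act+7 yrs",
    "HR210": "Act+25 yrs",
    "HR150": "Act+7 yrs",
}

_PERIOD_RE = re.compile(r"^Act\+(\d+)\s*yrs$")


def retention_years(code: str) -> int:
    """Number of years a retention code keeps a record after its trigger date."""
    match = _PERIOD_RE.match(RETENTION_SCHEDULE[code])
    if not match:
        raise ValueError(f"unparseable retention period for code {code}")
    return int(match.group(1))


@dataclass
class Record:
    doc_type: str        # document type as named in the inventory
    custodian: str       # official custodian as named in the inventory
    retention_code: str  # e.g. "HR100"
    trigger_date: date   # date the triggering activity ended (e.g. employment terminated)


@dataclass
class Hold:
    matter: str                                   # hypothetical matter reference
    doc_types: set = field(default_factory=set)   # document types the hold covers
    custodians: set = field(default_factory=set)  # custodians the hold covers
    released: bool = False                        # True once the hold is lifted


def expiry_date(rec: Record) -> date:
    """Date on which the retention period for this record runs out."""
    years = retention_years(rec.retention_code)
    try:
        return rec.trigger_date.replace(year=rec.trigger_date.year + years)
    except ValueError:  # trigger on 29 Feb and the target year is not a leap year
        return rec.trigger_date.replace(year=rec.trigger_date.year + years, day=28)


def blocking_holds(rec: Record, holds: list) -> list:
    """Matter references of every active hold that covers this record."""
    return [
        h.matter
        for h in holds
        if not h.released and (rec.doc_type in h.doc_types or rec.custodian in h.custodians)
    ]


def disposition(rec: Record, holds: list, today: date) -> str:
    """Decide what the automatic deletion job may do with a record today.

    Order matters: an unexpired period means retain; an expired period is
    still not destroyable while any active hold covers the record.
    """
    if expiry_date(rec) > today:
        return "retain"
    blocking = blocking_holds(rec, holds)
    if blocking:
        return "on hold: " + ", ".join(sorted(blocking))
    return "eligible for destruction"


if __name__ == "__main__":
    # Constructed sample data; the matter reference is a placeholder.
    personnel = Record("Personnel File(s)", "HRIS Mngr.", "HR100", date(2015, 3, 1))
    payroll = Record("Payroll Information", "Payroll Mngr.", "HR210", date(2015, 3, 1))
    holds = [Hold("MATTER-PLACEHOLDER-1", doc_types={"Personnel File(s)"})]
    today = date(2024, 1, 15)
    for rec in (personnel, payroll):
        print(f"{rec.doc_type}: expires {expiry_date(rec)} -> {disposition(rec, holds, today)}")
```

Releasing a hold (setting `released=True`) makes a record whose period has already expired immediately eligible, which is why the process text above stresses that the lifting of a hold, not only its issuance, has to be communicated to whoever controls the deletion job.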
The exponential growth of data and information has become a major challenge in today’s organizations. To address the many concerns and needs associated with this growth, an effective data and information governance program has proven a key tool for organizations to understand and utilize as part of an overall ethics & compliance and privacy program. Organizations should consider the core components of such a program, establish the relevant pieces, and document the process adopted for managing their data and information.