Would the Real Information Governance Please Stand Up (Part 1/3)

As we build our archives and records management program here at the King Abdullah University of Science and Technology (KAUST) I’ve been gauging progress since the university was founded in 2009 based on a maturity model. ARMA offers one such tool for this assessment (ARMA International Information Governance Maturity Model) but staff members found that it frequently confuses records management with information governance. What follows are some observations on the emerging but nebulous information governance.

This is the first in a three-part series on information governance; in this first post I begin with a bird’s-eye view of the topic.

At first glance the phrase seems strange. How exactly does one govern information? Will this eventually lead to Information Governor roles akin to Ministers of Information (or even Privacy Commissioners)? When I first encountered this notion I scratched my head and asked, How is this new? Isn’t this what records management has been trying to do all along? Since then I’ve also had to ask, How does this differ from Data Governance in IT?

Google is not much help in this regard. The most common definition cited is Gartner’s:

[Information governance is] the specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (The Gartner Group)

That definition is too broad to be meaningful for me. Who specifies what and how? Which particular rights are involved and for whom? Accountable how? I like the emphases on “decision rights” and “accountability framework” but let’s face it, even organizations low on a maturity model are likely to have some key policies in place (HR policies, privacy policy, etc.). And if an organization’s policies together constitute its decision-making and accountability framework, what is the problem? What is everyone on about?

The University of Western Australia offers a surprisingly comprehensible definition:

Information governance relates to the way in which information is managed as an asset to support University outcomes. It ensures that risk and compliance standards, and policies and legislation issues, are identified and addressed to ensure the information we create and keep is retained and can be accessed for as long as required. Information governance, therefore, is an essential part of University governance.

Eventually I came to realize that my difficulty in understanding why information governance is the “latest and greatest” is due to my previous roles as an access and privacy specialist. We are blessed in Canada to have been early adopters of personal information rights legislation. To give an example, the Federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), grew out of the Canadian Standards Association “Model Code for the Protection of Personal Information” published in the nineties which, in turn, great out of the “Fair Information Principles” developed by the OECD in the eighties. This latter consists of ten principles that I believe we have since come to internalize (accountability, limited use, safeguards, etc.).

This is worth repeating: Canada’s early information rights legislation grew out of a set of core principles. Put differently, the “Fair Information Principles” were codified into omnibus privacy laws at the provincial and federal levels. And I believe this is why I have been slow to view information governance as anything truly new because I have been approaching information management from this vantage point all along. I would suggest that all information professionals in the Canadian public sector have very likely also internalized this “omnibus” approach.

To my mind, this is what information governance is really about: codifying value.

It isn’t about a definition (any more than we have successfully answered the question, What is information? data? a record?). Rather, information governance is what Canadians have been doing at least since the eighties: take some basic values and principles and codify them into a cohesive and coordinated strategy to manage organizational information in its many forms. The only difference now is that we are starting to ask how can we broaden this line of governance beyond personal information to include other types of information at our disposal.

I like this approach because it focuses on the value of information to an organization rather than the risks of not doing records management (or data management, audit, etc.).

So what are the values? In my next post I will look at some of these and also ideas about the way forward.

But before closing I want to return to the distinction between information governance and records management, on the one hand, and data governance on the other. In simple terms, there is obviously overlap between them. In the case of records management, the overlap may not lie with day-to-day records keeping but surely there is common ground in policies on the proper management of information. This is why the ARMA tool gets a bit confusing because it moves unevenly between high level governance and low level (for lack of a better term) records keeping. But the contrast with data governance is even more telling.

In simple terms, data governance asks, “How can we leverage more data?” while information governance asks, “How do we get better control over what we already have?

Information Governance

Chris Graves is the Associate University Archivist / Records Manager at the King Abdullah University of Science and Technology (KAUST) in Saudi Arabia. The Red Sea Dispatches column documents Chris’ experience in a new job in a new place. The views expressed in this article are those of the author and do not necessarily represent the views of, and should not be attributed to, the King Abdullah University of Science and Technology (KAUST).

Editor’s Note: This is the first in a three-part series on information governance:

Part 1: Would the Real Information Governance Please Stand Up
Part 2: Transformational Governance by Design
Part 3: Policy Driven Integrated Decisions