
A Government Librarian's Guide to Information Governance and Data Privacy
- 150 pages
- English
About this book
This book provides a concise and usable overview of the practical implications of important public sector United States federal, state, and municipal laws and standards related to information governance, as they pertain to librarians, research staff, universities, corporate regulatory managers, and public-sector information governance professionals. It is the first in a series of two volumes addressing public sector information governance compliance matters from the perspective of our target audience.
Topics addressed in the book include:
- the evolving role of librarians and the need for librarians and legal researchers to understand the principles of information governance,
- the importance of broad-based regulatory IG principles such as the Federal Records Act, the Paperwork Reduction Act of 1980 and 36 CFR Chapter XII, Subchapter B - Records Management, that have been promulgated by various federal government agencies in framing public-sector IG principles,
- a survey of interpretive surveys from the Office of Management and Budget (OMB) that further elucidate the core IG principles applicable to public sector stakeholders,
- case studies detailing the application of important IG principles by federal agencies and bodies, and
- a survey of important IG issues facing state and local governments.
Yes, you can access A Government Librarian's Guide to Information Governance and Data Privacy by Phyllis L. Elin, Max Rapaport in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Science General. We have over one million books available in our catalogue for you to explore.
PART I
A Guide to Information Governance—General Principles
Governance Overview
As its name implies, information governance (IG) is a comprehensive strategy for managing an enterprise's people, process, and technology, with an emphasis on risk, legal compliance, information management, and business intelligence. Governance also subsumes a number of disciplines such as eDiscovery, data privacy, big data, architecture, operations, organizational continuity, and audit.
The goal of a governance strategy and framework is to ensure that the organization understands and is able to work together to execute leadership's strategic goals and objectives, and that the enterprise and all of its employees and resources are operating as judiciously and harmoniously as possible to achieve those ends. In that regard, it is useful to view the organization more as a physical mechanism than as an amalgamation of disparate parts and services.
Leadership sets the strategy and tone and establishes the organizational culture. Depending on the enterprise, it will be subject to more or less regulation, which will in turn influence the governance frameworks, privacy requirements, best practices, and infrastructure. The organization will establish appropriate technology, third-party systems, and operational structures to support its organizational goals, resource according to need, and monitor and extract metrics for every facet of the enterprise to ensure the whole is greater than the sum of its parts.
The success of an organization is often measured by its ability to achieve strategic alignment across these areas, but especially leadership, budget, technology, operations, and legal. Program management is essential to planning, executing, and resourcing executive leadership's core strategies; organizations drive the specific requirements and core competencies that ultimately determine success in the marketplace; IT and operations build the processes, procedures, and infrastructure on which the organization's strategy is based; and legal and compliance outline and enforce policies and mitigate risk to keep the organization in good standing with regulators, shareholders, and the public.
Records and Information Management
Information management is focused on the efficient operation of an organization's governance program by ensuring that information needed is secure and available to meet organizational obligations. It should endeavor to deliver services in a consistent and equitable manner and provide continuity in the event of a disaster. It should protect records from inappropriate and unauthorized access and meet statutory and regulatory requirements for archiving and audit and oversight activities. Good governance also provides protection and support during litigation; enables quicker storage and retrieval of documents and information; and improves efficiency and productivity from an operational perspective.
Naturally, the technology on which an enterprise relies to store and access information is critical. Failure to maintain a proper records and document management platform could result in a direct threat to the security, integrity, and availability of data, which could lead to any number of problems, including questions of veracity or authenticity due to a degradation of data quality. Considering the many legal and regulatory requirements, records management and the security required to safeguard it have become integral to a company's or government entity's legal compliance structure.
We are often reminded of the vital importance of an up-to-date IG program through press reports about companies or government agencies who failed to protect data and information assets. There is indeed a defensive aspect to retaining records but also an affirmative obligation to transparency. Litigation and the possibility of litigation are also primary drivers. So, the overall effectiveness of compliance is directly proportional to the quality and success of any IG program.
At a high level, there are three phases to responsible records retention compliance: identification and retention, preservation and safekeeping, and destruction and disposal of records that have fulfilled their life cycle and outlived their usefulness. An up-to-date, comprehensive RIM Program documents the organization's intent and commitment to compliance, thus reducing potential punitive and compensatory damages that can result from litigation or regulatory fines.
Thus, it is exceptionally important to maintain updated policies and procedures for the systematic control of records. Without proper records management, companies and government agencies or local governments may be storing records too long, not long enough, or not at all. Worse, they may be prematurely destroying or spoliating vital documents. Failing to maintain records and data necessary for regulatory auditing, Securities and Exchange Commission (SEC) reporting, and other valid organizational requirements presents great risk, which in this day and age is mostly unreasonable if not negligent.
Any of the aforementioned risks could lead to penalties for noncompliance with records retention regulations, a blemished public reputation, and any number and variety of legal liabilities. So, RIM controls are needed to demonstrate proactive and transparent efforts to satisfy compliance requirements. Consistent records management processes, policies, and practices can also dramatically reduce litigation costs, both in terms of improved efficiency and in terms of mitigating or eliminating risk.
Ultimately, a proper records management function ensures that an enterprise's records of vital historical, fiscal, and legal value are identified and preserved, and that nonessential records are discarded in a timely manner according to established rules or guidelines, as we will discuss in the following.
Records Management Life Cycle
The definition of a records management life cycle varies, but our model tends to highlight seven key phases, which we will address here and in subsequent sections. They include creation and capture, collaboration and use, taxonomy and classification, version control and management, retention and archiving, preservation and hold, and disposition and destruction.
Before we return to the life cycle phases, first a brief introduction to metadata, which is basically data about data and essential to the entire aforementioned data life cycle. It is the reason a document can be indexed, searched, enhanced, and grouped with or separated from other similar documents. It describes the document, who created or modified it, and when they created or modified it. An e-mail includes server information and senders and recipients and whether it has attachments. It describes where it came from and where it resides and includes unique technical information, which ensures its uniqueness. It is used to determine access rights and whether it is related to other documents or clusters of documents. It can be hashed to create a unique fingerprint to identify it or eliminate duplicative copies. And over time, it will be enhanced to include everything that can be known about its journey during that life cycle, most importantly, when it was created, which retention rules or legal hold requirements apply to it, and whether or when it can be destroyed.
Creation and capture represent the date, time, and file type the moment a document comes into existence. Once it exists, it can be used by one or many individuals who have the right to access it. If a number of individuals collaborate on a document, it will be subject to version control, which will track and preserve changes among multiple users. Depending on the status of our users, whether they be on a legal hold or subject to regulatory retention, the document will be retained and archived with a set of rules to prevent it from being destroyed or spoliated. And finally, if the document should outlive its retention requirements, legal holds, and usefulness, it will be subject to destruction.
So, records need to be identified, organized, and classified using a taxonomy and retention schedule so that they can be managed, retained, retrieved, and disposed of in accordance with the laws and regulations which govern them. They must be securely stored to ensure that they are protected, accessible, and reliable until they are no longer of value to the organization or required due to regulations or legal holds. They should be inventoried in tandem with asset management and data mapping to ensure their accessibility and efficient access. Some modern tools enable and empower this process with automation. Their data quality and metadata should be preserved and enhanced over time to increase their value to the organization. They should be migrated and consolidated when it makes sense to improve security, availability, and searchability or to reduce duplicative costs. And again, a proactive destruction or disposition program reduces the risk of over-retention and unnecessary storage costs and improves bandwidth.
Data quality and records inventories are essential to quality records management and should be revisited by operations and compliance on a periodic basis. A completed record inventory can also provide each organizational unit with information to enable better management and organizational intelligence. There are six important concepts to keep in mind when creating the Records Inventory: Identifying required records to add to the inventory is likely to highlight duplicates and unnecessary retention of information. Adding records to the inventory will instigate discussions about whether efficiencies can be made in the volumes of information held and replicated. A data map will also be useful. Classification of records sets out clearly why records are held, what value they provide, and how they fit into the wider context of the organization.
Over time, the retrieval of records is improved when there is an accurate inventory of where they are stored. Use of records over time may change, including ownership and storage location. The inventory will help track those changes, making long-term management of records easier. Understanding whether there is an ongoing requirement to retain records will in part be supported by the record inventory and the record classes that have been identified, which will help hedge against resignation in the form of the "keep everything" approach.
Confidence in disposing of records starts with a clear link between records and retention schedules. The record inventory will make that link with structured and consistent governance. It will make for more effective management of data. It will help reduce and eliminate redundancies. It will reduce costs for storage and duplicative systems. It will reduce legal liability and monetary risk by avoiding spoliation. It can even hedge against cybersecurity breaches since you cannot hack what does not exist.
Data Governance
With the proliferation of electronically stored information (ESI), data governance has naturally grown in criticality. Above all, the question is how to manage, archive, access, and control the exponential growth of data and data types, which now extend to literally thousands of platforms and organizational applications. Large government agencies and municipalities can face an influx of up to tens of millions of new records a day, including, though certainly not limited to, e-mail, messaging platforms, trading data, office documents, drawings, audio and video files, and the list goes on and on.
Big data management requires meticulous planning, from scope and architecture to policies, asset management, and operational frameworks, which serve organizational needs while meeting compliance or regulatory standards. With volume comes an almost natural degradation leading to an increase in redundant, obsolete, or trivial (ROT) data. Between backups, multiple users, and inefficient data management, most organizations unwittingly store dozens of copies of the same documents. This redundancy is generally curable, or at least dramatically improved, through deduplication, classification methods, and single-instance storage.
Single-instance storage is the process of preserving a single version of a record that retains all of its one-to-many relationships with a reference pointer to the e-mails, documents, or file systems from where the file(s) originated. Obsolete data are simply that which have outlived their legal, regulatory, or organizational usefulness and can be destroyed or deprioritized. Trivial data tend to be public or other low sensitivity records which provide null or negative value to an organization by virtue of simply occupying bandwidth and resources. Some executives and senior managers hide behind the solace of plummeting storage costs. But that provides false comfort because of the cascade of risks and inefficiencies that come with it.
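The single-instance storage described above, combined with the retention and legal hold rules from the life cycle discussion, sketched in Python as an added example that is not from the book. The class and function names, the sample locations and dates are all constructed, and SHA-256 is an assumed choice of fingerprint.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Origin:
    """Reference pointer to one place a copy of the record was found."""
    location: str        # mailbox, share or system path (constructed values)
    retain_until: date   # last day the retention schedule requires this copy
    legal_hold: bool = False


@dataclass
class StoredRecord:
    content: bytes
    origins: list = field(default_factory=list)


class SingleInstanceStore:
    def __init__(self):
        self._records = {}      # SHA-256 hex digest -> StoredRecord
        self.bytes_avoided = 0  # storage saved by not keeping duplicates

    def __len__(self):
        return len(self._records)

    def ingest(self, content: bytes, origin: Origin) -> str:
        """Keep one copy per unique content; add a pointer for every origin."""
        digest = hashlib.sha256(content).hexdigest()
        record = self._records.get(digest)
        if record is None:
            record = self._records[digest] = StoredRecord(content)
        else:
            self.bytes_avoided += len(content)
        if origin not in record.origins:
            record.origins.append(origin)
        return digest

    def origins(self, digest: str) -> list:
        return list(self._records[digest].origins)

    def disposition(self, digest: str, today: date) -> str:
        """The single copy answers to the strictest rule among its origins."""
        origins = self._records[digest].origins
        if any(o.legal_hold for o in origins):
            return "hold"
        if any(o.retain_until >= today for o in origins):
            return "retain"
        return "destroy"

    def purge(self, today: date) -> list:
        """Destroy eligible records; return an audit trail of what was removed."""
        audit = []
        for digest in list(self._records):
            if self.disposition(digest, today) == "destroy":
                record = self._records.pop(digest)
                audit.append((digest, [o.location for o in record.origins]))
        return audit


def build_sample_store():
    """Constructed sample: seven copies of three distinct documents."""
    store = SingleInstanceStore()
    copies = {
        "memo": (b"FY2019 budget memo", [
            Origin("mail://alice/inbox/101", date(2022, 12, 31)),
            Origin("share://finance/memos/budget.docx", date(2022, 12, 31)),
            Origin("mail://bob/sent/77", date(2022, 12, 31), legal_hold=True)]),
        "report": (b"Q3 audit report", [
            Origin("share://audit/q3.pdf", date(2023, 6, 30)),
            Origin("backup://tape-12/q3.pdf", date(2026, 6, 30))]),
        "notice": (b"Office closure notice", [
            Origin("mail://carol/inbox/5", date(2021, 12, 31)),
            Origin("intranet://news/closure.html", date(2021, 12, 31))]),
    }
    ids = {}
    for name, (content, origins) in copies.items():
        for origin in origins:
            ids[name] = store.ingest(content, origin)
    return store, ids
```

Because a deduplicated record stands in for every copy, one custodian on legal hold or one longer retention period keeps the single instance alive for all of its origins.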
An essential component of good data governance starts with asset management and data mapping. First the physical assets, along with their health and age, must be protected and backed up, as many legacy systems become unstable or outdated, or even experience catastrophic failure. Old systems, storage devices, and applications, among others, present substantial risk and should be replaced and migrated from as a part of the process of data life cycle management. Migrations further provide a good opportunity to port only those records which are still subject to retention requirements while leaving behind and destroying those which have outlived their retention schedules or usefulness. When legacy systems fail, it is very often the case that the employees or vendors who managed them are long gone. This is a surprisingly common issue in enterprises that fail to provide proper redundancy or data life cycle management. Extracting data from backup tapes or legacy systems can also be excruciatingly slow and expensive and thus challenge operations' ability to maintain service level agreements (SLAs), as well as support litigations, regulatory matters, and investigations. It further contributes to risk with the potential for under-collection of data, which could lead to costly remediations.
The more systems an entity has, the more subject matter experts they will require, not to mention an ever-increasing number of inconsistent processes, many of which fail the interoperability standard. As noted earlier, this is where the value of data consolidation into a single or federated archive offers the potential to improve a great number of governance challenges. It reduces risks associated with compliance and security; reduces the potential for spoliation or unintended destruction; allows for more efficient retention and disposition; eliminates duplicative resources and risks; reduces the inefficiency in maintaining an array of systems and subject matter experts; reduces the likelihood of data remediations; and facilitates a more defensible, efficient, and reliable process overall. And finally, it offers the potential for more accurate and reliable analytics and organizational intelligence.
While organizations are beginning to realize they need to be more proactive, it is a long, grueling work in progress. But the longer an organization waits, the more pain and expense they will face when they finally confront what is as inevitable as it is unavoidable. In a well-managed data governance program, custodians and responsive data can be searched and extracted in hours and days. In organizations with poorly designed, integrated, and managed systems, the same process can often drag on for weeks and months. Failure to identify, search, or extract data can be a major frustration to stakeholders, particularly in legal or compliance, who must review data or evidence and pass it on to regulators, investigators, or opposing counsel. The longer they must wait for data, the more abbreviated their time to perform legal due diligence. This is only one of many risks and challenges that must be considered in building a reliable and defensible enterprise data governance program.
Gap Analyses and Needs Assessments
Gap analysis or needs assessment is used to determine the distance between a current state and desirable future state. The ultimate goal is to bridge differences by highlighting deficiencies in order to build and prioritize an action plan for remediation or improvement. Gap analyses can go from the general and nontechnical to the highly technical and specific. For example, one may interview key stakeholders about an organizational chart or roles and responsibilities and then delve deeper into specific functions, locations, technical platforms, workflows, ending up with detailed functional, legal, and regulatory requirements.
From a governance perspective, we would inquire about records, retention schedules, IG policies, procedures, and any documentation material to functional or strategic requirements, including disaster recovery and organizational continuity plans. It is also important to work closely with IT to develop an understanding of their IG best practices and frameworks, and especially the manner in which they identify and eliminate redundant, obsolete, or trivial ESI. We would also likely want details concerning best practices for accessing and maintaining shared drives, intranet and Internet site content, media retention, and backup policies.
What are their offsite storage policies or vendors? What are some of the key compliance rules that drive their practice? What platforms, document management systems, and/or automated processes do they employ to efficiently manage and improve data quality? What are the standard e-mail retention policies and what are the procedures for suspending those policies for legal holds or regulated custodians?
In many cases, there should also exist a role which bridges the gap between IG and IT. As noted, to achieve strategic alignment, the key stakeholders must work hand in glove, which is a theme familiar in COBIT and information security management. For example, new IT applications and services should be assessed to determine how they will fit into the overall IG process from a strategic perspective. IT should speak to which IG and content services applications the organization is running and how the data are preserved or destroyed. And collectively, IT and IG should spot opportunities for consolidating overlapping deployments and replacing duplicative or noncompatible applications and services, as will be further addressed in the following. Finally, a proper gap analysis scoring scheme also helps establish baselines for an IG program, and failing to achieve minimal scores virtually always demands immediate, specific, and aggressive attention.
Records Management Surveys
The record survey is the primary source of information necessary to develop classification schemes, to associate retention schedules, and to understand one's organization. These surveys will also capture the information needed for our gap analysis, risk assessment, and vital records documents. These surveys consist of interviewing appropriate staff.
Essential elements of our approach are as follows:
- Data collection includes record types, activity patterns, and other related information.
- Surveys and file evaluations: The scope of the survey process will include interviews with users from departments that are significant generators of the previously mentioned captioned records (in a scheduled series of meetings). During these meetings, any of our questions relevant to our projects should be answered.
- Validation: Review of survey data by one's staff will ensure validation by the data source.
Legal Research
The objective of this task is to identify the specific legal retention requirements, legal citations, and governing authorities for each record class.
The Legal Research Project involves these subtasks:
- Legal group classification: linking record classes to legal groups of records that are viewed similarly by the law or regulatory bodies
- Legal research: a database of legal and compliance research is reviewed and updated to relate the law to the legal group and hence the record classes
- Auditing: interpreting a...