
Information Management January/February 2017 : Page 36

FELLOWS FORUM

Information Lifecycle Management

Effective ILM – from creation or collection/receipt to use, management (e.g., transfer, storage), and disposition (i.e., transfer for long-term protection or destruction) – is dependent on all organizational entities applying the relevant IG policies, procedures, standards, and guidance. Because these processes are non-linear, iterative, and complex, especially for electronic data, there are many points of integration that will provide maximum benefit.

The hold responsibilities mentioned above, especially the release of holds, are intrinsically connected with the ability to oversee and perform ILM. This is because when information is not disposed of after its retention requirements have been met, risk and cost are typically increased. For example, the cost of litigation increases because all relevant information must be produced for discovery even if it could have been disposed of legitimately prior to legal discovery.

The following scenarios represent several recommended points of IG integration for ILM.

RIM, Privacy, and Information Security

As mentioned above, privacy reviews all RIM processes and retention schedules to identify PII. Information security provides security classifications for listed records – including PCII. These, and specific requirements, are reflected in RIM’s retention schedules. Conversely, privacy and information security procedures reference the records retention schedule, which addresses privacy requirements and considerations.

When there are conflicts in retention requirements, privacy and RIM reach consensus about the appropriate disposition and document it for defensibility, in order to reduce risk.

RIM and IT

IT needs information from RIM to know when it is permissible to dispose of data. This should be a welcome collaboration, as disposing of obsolete data supports an IT goal to increase operational cost-effectiveness through: reduced back-up requirements and the need to purchase additional servers; increased efficiency in managing data for backups, migration, e-discovery, and other processes; and more strategic use of IT capacity and expertise, which also provides competitive advantage.

RIM and Business Units

The enterprise is reliant on business units to implement records disposition and on RIM to enforce it.

RIM puts processes in place for organizational entities (businesses, internal oversight, and support teams) to identify potential secondary and additional uses for information assets they maintain, are responsible for (including third parties), or could collect as part of their work. RIM also captures recommendations for enhanced data collection and use during inventory and retention scheduling processes for ILM.

RIM, IT, and Business Units

Business units must know what information exists within the department and across the enterprise that could create new business opportunities if it were shared. For instance, results of surveys conducted by one business unit could provide valuable marketing information for another business entity. These potential opportunities are reliant upon RIM, IT, and their business inventories and directories to provide this information.

IT, therefore, ensures that the systems they develop and administer include requirements (e.g., fields, data analysis capability, reporting, interfaces with other applications) to enable organizational entities to better leverage information assets.

All IG Components

All IT applications and business projects are reviewed to determine if PII is included in any stage of the business process and, if so, undergo a thorough privacy review to ensure compliance with privacy requirements. Similarly, information security reviews IT projects to ensure compliance with all information security requirements. Finally, all stakeholder IG functions review and approve information security questionnaires (or equivalent) and vendor responses.

All of these processes should be consistently documented across applicable functions and – to the extent possible – automated.

The IG Professional Imperative

IG professionals have a responsibility and opportunity to provide leadership in establishing and sustaining a truly integrated IG program – one that reflects collaborative efforts among all IG component functions across the enterprise. Success begins with their ability to demonstrate to executive leadership the value of having an overarching IG structure that supports and contributes to the optimal success of each IG function, to business units, and to the organization as a whole.

About the Author: Susan Goodman, IGP, CRM, CIPP-US, CIPM, CIP, FAI, is the chief privacy officer of the City of Seattle. She has directed and had other key leadership roles in IG, RIM, and privacy programs across diverse industry sectors, in-house and as a consultant. She is a frequent speaker and author and former RIM adjunct faculty member. Goodman can be contacted at .

Note: The views expressed in this article are the author’s and do not represent those of her employer.
