Privacy and security managers should participate actively in the development of corporate information governance policies, two data management organizations declared last week.

Data privacy and security have been listed as necessary assets in the Information Governance Reference Model (IGRM) since its 2009 development by the Minnesota-based Electronic Discovery Reference Model organization. But previous versions of the model (which includes business and technology processes) did not prescribe that managers who are dedicated to privacy and security functions should be on the teams shaping these policies.

The IGRM Project started in 2010 “to help organizations struggling to meet legal e-discovery obligations and control legal costs in the face of growing data volume,” the group states on the EDRM website. EDRM developed the revised IGRM in partnership with the Compliance, Governance and Oversight Council, formed and led by IBM, which has 1,900 corporate practitioner members, it says. There was also collaboration with members of ARMA International, formerly the Association of Records Managers and Administrators, EDRM stated.

“The updated model now includes privacy and security as primary functions,” the EDRM announcement states. (See Figure 1.) “When these stakeholders are not working in concert, information accumulates rapidly and indefinitely, which adds significant cost and risk and undermines the ability to get value,” the EDRM announcement stated.

Figure 1: The updated Information Governance Reference Model.

The need for a change became clear at a February meeting in Cambridge, Md., when IGRM was discussed by CGOC members, explained IBM e-discovery executive Deidre Paknad, who holds overlapping roles as a CGOC founder and IGRM co-chair. “The stakeholders that came together for the summit were a broad group of corporate leaders, legal records managers, IT, and privacy. It was the first time privacy leaders had come full-force into the CGOC meetings,” Paknad explained.

“If you go back to early 2010 and late 2009, there was a slightly different climate with respect to privacy,” because it wasn’t the omnipresent topic that it is now, Paknad noted. Ubiquitous social media and the bring-your-own-device trend changed that, she said.

In addition to expanding the role of privacy and security managers, the updated IGRM, now in version 3.0, includes a 12-page white paper as a starting document. Paknad’s CGOC team preceded that with a 36-page process document this summer, titled Information Lifecycle Governance Leader Reference Guide.

“Access, transport, and use limitations are not understood by employees with information custody or collections responsibility, and customer’s or employee’s rights are impacted,” the document states. “The type and nature of data in a system or process is poorly understood, leading to incomplete or inaccurate application of retention, preservation, privacy, and collection and disposition policy.”

The document also defines the role of privacy officers in information governance. Their responsibilities include establishing a catalog of laws and policies, and making that catalog accessible to legal, records, and IT staff; coordinating with records managers to associate privacy requirements during retention phases; coordinating during litigation in advance of data preservation and collection; educating all relevant business, legal, records, and IT staff on current and emerging privacy regulations; and enabling internal audits to test the effectiveness of privacy procedures, the document states.

Currently, the majority of leaders on the IGRM project are from e-discovery companies, while most CGOC committee leaders are from large law firms. However, both organizations have support from mainstream corporations. Dell Inc., Microsoft Corp., Siemens AG, United Healthcare Services Inc., and Xcel Energy Inc. are cited by the IGRM project, while Paknad said Exxon Mobil Corp., JPMorgan Chase & Co., Novartis International AG, Swiss Reinsurance Company Ltd., The Travelers Companies, and Volkswagen Group have been involved with CGOC.

Such large corporations acknowledge that information governance, and adherence to the IGRM itself, are constant works in progress — there is no finish line.

David Yerich, an IGRM project member and director of e-discovery at UnitedHealth Group Inc., said his employer has had a records management and retention schedule for many years. “You had to make sure that you met your regulatory requirements for what you kept,” but there wasn’t as much control for what to delete, he explained. “It’s much more holistic now,” said Yerich, based in Minnetonka, Minn. “When you look at data, it’s no longer just how we keep it for the right amount of time.”

In addition to tighter rules for what to delete, including litigation rules, there are also considerations for documents relevant to partner companies, and still other rules for working with overseas partners, Yerich noted.

Yerich, who is also involved in an evolving e-discovery user group, added that he foresees the need for additional evolution in future versions of the IGRM model. “It needs to be customizable. This is something that if I had the technology, I would happily put it out there,” he said. “I would love to be able to add additional stakeholders to it … I’d like to see other use cases for it. It would help me to have a dynamic model that you could repurpose.”

IGRM committee members have shown enthusiasm for Yerich’s ideas, but, “There is some concern that the model’s new, and if you put it out in so many different use cases, that might dilute it,” he noted.

Big Blue has similar visions, Paknad observed. “IBM itself has made great progress toward coordinated privacy, legal, and records policy and interoperability across stakeholders,” Paknad said, although with 400,000 employees, the IBM journey will be a long one, she acknowledged.

To help, CGOC will devote its efforts in 2013 to convincing members to implement IGRM 3.0, Paknad said. There are also informal plans for various working groups to expand and refine the process definitions, she said. Working with additional organizations that focus on privacy and security may also be considered, she said.

Paknad added that people in information governance roles need to understand that privacy and security are distinct fields from each other, and that IT professionals should accept information governance’s role as an ongoing journey, not a one-time project.