There were two full days of discussion, thought leadership and reflection
on the topics of records keeping, information management and data governance at
this week’s “Records & Information Officers’ Forum”, hosted by Liquid Learning. (As well as chairing the event, I had the doubtful honour of introducing myself to give an expert commentary presentation on "The ABC of Data Governance".)
The event featured participants from both commercial and public
sectors (though government agencies predominated), and featured contributions
from Comsuper, Public Records Officer Victoria, Department of Human Services,
Department for Health & Ageing South Australia, the Australian Sport Commission
and Veda. Vendor and service provider contributions included
presentations from Delib, HP Autonomy and Deloitte. Their
thought-provoking content provided stimulus for a highly interactive forum with
some great debate.
A particular highlight was the keynote presentation from John
McMillan, the Australian Information
Commissioner, who addressed themes including data privacy, open data and
cultural shift within both public and private sectors.
In addition to the “hot
topic” themes for information management that I identified pre-conference
(all of which were discussed and validated to a greater or lesser degree) and the issues I touched upon during my own presentation, some
other factors were cropping up consistently throughout the various sessions.
Here are my own personal “Top 10 Takeaways” from the conference:
1. Information Management Standards:
Standards are beneficial, valuable and worthwhile – as long as
they don’t proliferate. Standards developed collaboratively are more likely to
be of better quality and more pervasive. It is important to consider
requirements and perspectives outside of the core mandate – however this takes
courage.
Key standards for Information Managers to give consideration to
include: ISO16175 (Principles &
Functional Requirements for Electronic Office Environments), ISO15489 (Records
Management), ISO30300 (Management Systems for Records), ISO21281 (Metadata for
Records), ISO26122 (Work Process
Analysis for Recordkeeping), ISO13028 (Implementation Guidelines for
Digitisation of Records), ISO9000 (Quality Management), ISO31000 (Risk Management),
ISO27001 (Information Security) and the forthcoming AS5478 standard for
Recordkeeping Reference Metadata.
See also www.adri.gov.au for
more information.
2. Information Privacy Implications:
With 78 different pieces of legislation within Australia that have
a bearing on data privacy, the challenge is to ensure that everyone is aware of
their obligations. Policies, procedures, education & ongoing updates are
all necessary.
With respect to the new Australian
Privacy Principles (APPs), APP #8 is likely to be the most impactful
(accountability for data in cross-border transfers). With a diverse stakeholder
group, regulatory change looks more like cultural change. (See also this
article on SearchDataManagement.)
Note that the legislative standard of obligation for organisations
is that “reasonable steps” are being taken to protect personal information, not
“ensure” that privacy is protected.
3. Developing the Information Culture:
“Transparency is an idea whose time has come.” With recent
legislative changes, the default policy position within Australian government
is now “open access by default” (e.g. per Principle #1 of the Open
Public Sector Information Principles). The language shift from “Government
Information” to “Public Information” reflects this. There are new opportunities
created for improved efficiency and effectiveness of government services, based
on proactive publication and open data (e.g. NSW
Open Data Policy, the Victorian Data Directory, the South
Australian Declaration of Open Data and the continuing expansion of the International Open Government
Partnership).
There are still practical limitations, however. Accessibility,
Open Data licensing, metadata standards, de-identification and compliance with
the Australian Privacy Principles all need to be addressed. The move to a
culture of “open by default” also needs active leadership and promotion (and
hasn’t yet been fully embraced).
4. Inter-organisational co-operation and information exchange:
The establishment of “Single Main Contact” roles creates a focal
point for inter-organisational co-operation. Such roles enable filtering of
non-compliant information requests at source, as well as ensuring the scope of
inter-agency information requests is properly controlled.
Information sharing agreements are becoming more prevalent.
5. Information Security:
Information Security is all about managing risk – the degree to which you will act depends upon your appetite for risk. Even in the face of proliferating data sources and devices, the biggest exposure to information breaches is still people – you need to keep educating.
Four key tools are required to support a functional Information Security regime: (1) System/Info Asset Register, (2) Identity Register, (3) Risk Register, (4) Incident Register.
A basic three-step approach applies to developing Information Security controls: (1) catalogue the inventory, (2) classify the contents based on sensitivity & privacy risks, (3) treat any exposure to data leakage.
6. Managing Data Breaches:
The Data Breach Policy, Information Security Policy and
Whistleblower Policy all need to align and support each other.
A standing response team should be established, working to a four-step incident management protocol: (1) report the breach, (2) keep information relating to the breach, (3) assist investigation, (4) monitor the situation, including root-cause analysis and remedial action.
7. Information As An Asset:
Building upon the requirement for a Systems Asset Register to
support Information Security process, there are four key steps to establishing
the vision of information as an asset (and the associated information
services):
(1) Map the key Information Domains, (2) map the Information Subject Areas, (3) map the Information Containers, (4) map the business usages of data.
Only populate the data warehouse with well-modelled,
cleansed data.
8. Key “non-IT” skills for the Information Governance team:
Skilled resources to look for include Data Scientists, digital
archivists, Information Managers, legal professionals, linguists, social
anthropologists.
Also reference the SFIA
model for additional guidance.
9. Building the Information Management Business Case:
There are three factors that underpin the basis of a Business Case –
fear, faith or fact. (We can aspire to have business cases that are fact-ish…)
Build the narrative up front before embarking on a project:
Assess the current state > establish a target vision > identify a compelling event > link to and leverage any strategic objectives > identify influencers and detractors > measure the ROI.
10. The concept of “Dark Data”:
Up to 69% of data stored by organisations is “dark data”: human
readable, unstructured, unindexed, unmanaged and inactive. As such, it has no
real business value and should be a candidate for defensible disposal.
Do these issues resonate with you? What action are you taking to
enhance the utility and value of information within your organisation? Please
share your stories….
nice blog,
This was great to read