DATA/INFORMATION GOVERNANCE

The board of every organisation is directly responsible for ensuring that it complies with the laws and regulations that apply to data security, data retention and records management. Penalties for failure range from severe reputational and share price damage to criminal charges and customer desertion.

Information Governance in the UK Public Sector

The UK public sector faces a growing range of information governance challenges. One key challenge is managing the overlap between the Data Protection Act (DPA) and the Freedom of Information Act (FOI). Read Data Protection vs Freedom of Information for handy, practical guidance on tackling these issues.

Data Protection

Around the world, data protection and privacy legislation is becoming both more important and more onerous. It is in this field, in particular, that new laws emerge on a regular basis. Many of these overlap with, or contradict, existing laws, and for few of them is there any detailed regulatory implementation guidance or meaningful case law.

US legislation such as HIPAA, GLBA, SB 1386, OPPA and the Fair Credit Reporting Act (FCRA); Canada's PIPEDA; the EU's Data Protection Directive (implemented slightly differently in each EU country) and the EU Safe Harbor regulations, which enable US companies to escape prosecution under EU regulations; and UK legislation such as the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures all combine to make compliance a significant challenge for every organization.

Very specific guidance exists for the UK's Data Protection Act ('DPA'). All UK organizations must comply with the DPA, and all public sector ones with the FOIA as well. This website provides comprehensive books and tools for achieving DPA compliance; the most useful and comprehensive book, worth every penny, is the BSI Data Protection Guide.

Implementing and maintaining an ISO 27001-certified Information Security Management System is the obvious way of complying with the DPA, particularly with the seventh principle, which requires organizations to take appropriate technical and organizational measures to secure personal data.

Freedom of Information

In the UK, public sector organizations must also comply with the Freedom of Information Act ('FOIA'). Again, you can obtain valuable books on FOIA guidance.

International compliance

It is not easy for North American and international companies to identify which steps might help them meet this broad range of compliance requirements. This is where ISO/IEC 27002 can be particularly useful. It contains international best practice on information security, and the concepts of confidentiality, integrity and availability of data, which are at the heart of ISO 27002, also underpin most information-related regulation.

Litigation

In today's increasingly litigious world, preparedness for litigation is a sensible way to manage a basic business risk. Electronic documents (which include all emails) are always critical to any court case, and organizations need to take appropriate action to ensure that they can comply with court requirements for the production of evidence. Best practice in this field is contained in BIP 008, the "Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically", which is supplied as part of the Legal Admissibility Guidance Kit.

Email, Information and Records Management

Email is fundamental to organizational communication. There are potentially significant costs and risks associated with the business use of email, including operational, regulatory and litigation risk. These risks are changing and evolving, and organizations should use best-practice frameworks to guide their response to them. Organizations need end-to-end email management, retention, maintenance and archiving solutions that enable them to meet current and emerging business and regulatory requirements at the same time. Email solutions should be integrated with information and records management solutions. Apart from the general information security guidance of ISO/IEC 17799:2005, organizations can turn to the best-practice records management framework contained in ISO 15489. A more detailed specification for electronic records management is contained in the Model Requirements for the Management of Electronic Records ('MoReq').

Data Retention Periods

Data retention periods are an area to which most companies give insufficient attention. The fact is that, for most companies, a myriad of laws and regulations determine how long data should be retained, and data includes email and instant messaging information. This whole area becomes still more complicated when you consider that some emails might contain financial or personnel information and might therefore have to be retained for periods different from those for ordinary emails. The Data Retention website gives an overview of data retention requirements for the UK and of emerging issues. The picture is similar for most companies in their local jurisdictions, and much more complicated for multinational companies or organizations operating in more than one jurisdiction.

© 2003 - IT Governance Ltd.