We have been reading with interest the debate currently under way in the Information Governance community about whether IG efforts should continue to focus on the classic “classify and delete” concept or instead take a “save and search” approach.
U.S. e-Discovery lawyer Ralph Losey is of the view that the current IG preoccupation with classification, retention and destruction of data will soon stop being a viable and efficient activity. Instead, Mr. Losey advocates paring IG down to a “save everything and search” approach on the basis that “storage costs are now negligible and search is far more efficient, or soon will be”. See Mr. Losey’s two-part blog: “Hadoop, Data Lakes, Predictive Analytics and the Ultimate Demise of Information Governance – Parts One and Two” (http://e-discoveryteam.com/2014/10/26/hadoop-data-lakes-predictive-analytics-and-ultimate-demise-of-information-governance-part-one/) and (http://e-discoveryteam.com/2014/11/02/hadoop-data-lakes-predictive-analytics-and-the-ultimate-demise-of-information-governance-part-two/?relatedposts_hit=1&relatedposts_origin=29661&relatedposts_position=2).
Dean Gonsowski of Recommind recently blogged the counterargument in “The Death of Information Governance is Greatly Exaggerated” (http://www.recommind.com/blog/2014/11/20/death-information-governance-greatly-exaggerated). Mr. Gonsowski points out that the “keep everything, find everything” philosophy is based on the flawed presumption that “all data has value (potential or real) and that value outweighs the risks and liabilities associated with ESI”. The concept of managing risk and optimizing value is core to IG. Mr. Gonsowski notes that the save and search approach is not “inherently wrong, but it does fail to consider the security, privacy and regulatory risks attendant with those same pieces of information.”
Wortzmans’ thoughts on this debate: Improving search capabilities is crucial. Classifying information is challenging. While improving search capabilities and developing ways to classify information are both challenging, that does not mean that they are not worthy goals that organizations should strive to achieve. There is clear merit in classifying information and disposing of data that has no business value. Saving everything forever is simply not the best option for many businesses. Our clients tell us that their data storage costs are steadily increasing. Saving data also increases risk. Cyber breaches are becoming more prevalent: the more information that is stored, the more that can be stolen. Data security and protection of privacy are concerns for individuals and businesses. The benefits of managing risk by classifying valuable information and deleting the rest outweigh the risk of the “keep everything” approach.
Yesterday, the CBC reported on its website (http://www.cbc.ca/news/politics/canada-revenue-agency-privacy-breach-leaks-prominent-canadians-tax-details-1.2849336?cmp=rss) that it had obtained a copy of a CRA spreadsheet listing donations of manuscripts, photographs and fine art to Canadian galleries and museums, and the associated claims for tax credits. The spreadsheet included personal information, such as the names and home addresses of the individuals, many of whom are very well-known people. According to the CBC, the spreadsheet was inadvertently provided, in unredacted form, as part of an access to information request.
This is just the latest in a string of recent information management errors by the CRA and other federal government agencies. In the past eight months, the government has reported 168 incidents where private information was accessed without authorization or inadvertently provided. Privacy breaches by the CRA accounted for 22 of these (averaging almost three per month).
Although the latest breach appears to be due to a mistake on the part of one or more CRA employees, it highlights a lack of sufficient information governance controls. Had this document been classified as containing personal information, and had proper information governance rules been set up with respect to access to information requests, this document would have automatically been flagged for additional attention, reducing the possibility of a person incorrectly identifying and producing it.
Information governance is not just a fancy term for records management. It encompasses many aspects, including identifying those records that contain personal data. Every organization, private and public, can benefit from implementing an information governance plan.
Read what Kathryn Manning has to say about information governance in law firms in the November issue of Canadian Lawyer magazine. “Litigators within firms are very well versed with what can happen when client’s records are a big mess,” says Manning. “Whether or not that translates into law firms themselves having their records in good order is probably hit and miss.” Building a business case will help build buy-in for IG initiatives in any organization, including law firms. Manning says that “what matters to partners is ease of access and costs. If you can show through the cost-benefit analysis that they are going to be a more profitable partnership, they are going to want to do it.”