Email has occupied the news lately, especially in light of the recent revelations that former Secretary of State, Hillary Clinton exclusively used a private email account to conduct government business. Moreover, during this time, Mrs. Clinton did not have a government email address during her time at the State Department, and her aides did not preserve her personal emails on department servers at that time, as required by the Federal Records Act.

This revelation spotlights a big challenge facing employers in both private and public sectors. Organizations could be at great risk if they don’t have information governance policies addressing data retention and access in the event of a lawsuit, investigation or other requests for information like Freedom of Information Act (FOIA) that gives citizens the right to access information from the federal government.

Why Information Governance is Important

Information governance is critical to reducing organizational risk whether dealing in the realm of compliance, operational transparency, or reducing expenditures associated with e-discovery and litigation response. It is important to create a high-level policy that is focused on organization-wide strategic goals. Through an organization’s information governance policies and procedures it can establish a consistent and logical framework for employees to handle data. These policies guide appropriate behavior regarding how organizations and their employees handle electronically stored information including creating, storing, and using, archiving and defensibly destroying information.

How Organizations Should Implement Information Governance

First of all, it is important to recognize that information governance is not just about IT disposing old information. According to Cheryl McKinnon of Forrester Research, information governance is,

“A holistic strategy for using and managing information to meet business objectives. Information governance assures the quality of content and data, maximizes its value, and ensures that security, privacy, and life-cycle requirements are met.”

The key to developing an effective information governance policy is to bring all relevant stakeholders to the table in order to fully take stock of the organization’s needs including: legal and regulatory issues, technology, data challenges, as well as an organization’s operational goals.

Some goals could include: access to information, ability to provide accurate and timely answers to regulators, improved and more cost-effective response for e-discovery, and purging redundant information.

Monitoring Risk

As organizations collaborate to establish policies, they will need to assess and monitor the risk of the data. For example, some organizations have a very controlled infrastructure with the same desktop tools, where IT tightly manages the eco-system. In contrast, other organizations may allow BYOD or the use of applications where data is stored outside organizational control, in support of creativity and business efficiency. There is no one way to manage an organization’s data, but it is important that key departments are involved to help evaluate risk vs. reward with data. For example, legal should be involved to assess the legal risk associated with these various tools and help identify preservation requirements.

Invest in Employee Training and Education

Another key piece to creating effective information governance policies is to create a “culture of compliance” through employee training and education. This information should be clear, thorough, timely and repeated regularly to ensure all employees who are bound by the policies are fully aware of them, what is required, and completely understand the importance of adhering to the information governance policies. Furthermore, there must be an accounting of who has received the information so that trainings can be refreshed on specific intervals so that everyone has up-to-date knowledge.

Information Governance to Empower Organizational Transparency

In conclusion, establishing meaningful policies, procedures and practices helps organizations create a “culture of compliance” which supports the organization in addressing key goals. Policies must address what data is kept, the devices and applications that are to be used, where the data can be stored, and the retention time and procedure for this information. Policies must evolve to address changing technologies and organizational goals. They may even dictate a standard for preservation, managing risk, and communication requirements to employees.