INFORMATION GOVERNANCE FOR PRIVACY COMPLIANCE

Access and Privacy Conference

Edmonton, June 13, 2012

Rick Klumpenhouwer, MA, MAS, CIAPP-M

Partner, Cenera

Page 2

Course Objectives

• Understand the principles of information governance and how it can be used to implement health information privacy compliance;

• Analyze and apply this knowledge and methodology within the context of your own jurisdictional setting

Page 3

What is a good privacy program?

• operates on some clear principles and values about information;

• requires intense involvement in how information systems and practices operate “on the ground”;

• more proactive than reactive;

• a program with ongoing functions, maintenance, goals, assessment and improvement;

• runs as an information management/governance program

Page 4

Information Management

Organization of and control over the structure, processing and delivery of information.

Answers the questions:

• What kind of information do I need to create/receive?

• How and what do I retain and why?

• How do I find and use information that I’ve stored?

Page 5

Elements of Information Management

Purposes: Support Business Functions; Preserve Evidence for Accountability

1. INFORMATION POLICY

2. RM FRAMEWORK

3. TRAINING/CHANGE MGMT

4. SYSTEM DESIGN

5. RECORD CAPTURE

6. TRACKING/RETRIEVAL

7. STORAGE/PRESERVATION

8. ACCESS/SECURITY

9. DESTRUCTION

10. ASSESSMENT/IMPROVEMENT

Page 6

What do you need to understand a record?

Content

• The intellectual substance of a document, including text, data, symbols, numerals, images, and sound.

Structure

• The manner in which elements are organized, interrelated, and displayed.

Context

• The organizational, functional and operational circumstances surrounding records' creation or use.

Page 7

Information Governance

Concept used by UK NHS to integrate patient privacy into the new EHRs they were developing;

• Manage solutions overlap – reduce redundancy of effort

• Quality measurement – need to track progress

• Participation – compliance on issues integrated with, not opposed to, health care objectives

A need to bring together privacy and functional requirements operationally, manage development, and measure progress

Page 8

Why IG?

Two main drivers:

Electronic information systems

• Use/reuse

• Structured/unstructured data

• Integrity/accuracy

• Transaction/Data analysis

• Digital continuity

Information regulation

• Access to information

• Privacy/Security

• eDiscovery

• SOX/C-SOX

Page 9

Information Governance

1960-1990: Transactional Applications

1990-2005: Enterprise Repository Systems

2005-: Policy Application

Winston Chen, A Brief History of Data Governance (2010)

Page 10

Why IG?

Digital IM requires more planning, accountability, application of value.

Governance Elements

• Surveillance and assessment

• Decision-making

• Accountability

Counter-intuitive: governing information, not information for governing.

Page 11

IG Defined

Collaboration of interests:

Information Governance is the enterprise-wide framework that includes the people, processes, and procedures necessary to ensure the preservation, availability, security, confidentiality, and usability of an enterprise’s information. (David Hill, EMC2)

Government by IT:

Digital Governance is often referred to as E-governance or Electronic Governance. In simple terms, it refers to governance processes in which Information and Communications Technology (ICT) plays an active and significant role.

Page 12

IG Defined

Governance Framework

The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Gartner)

Page 13

How?

Page 14

How?

Wonderful sentiments, but the real problem is how to implement

Still working with existing IM implementation systems:

• IT development/maintenance

• Records management

• Access to Information

• Privacy/Security

• Enterprise risk management

• Archives

Just work together harder?

Page 15

How? Managing Assets Model

Fixed assets that need to be inventoried, controlled, and made available as need arises

IT and records management lifecycle or “supply chain”

Automated workflow, transaction, logistics solutions

Compliance to standards regime/audit and enforcement key

Page 16

IBM Supply Chain Management

IBM is leading the way by approaching information governance from a supply chain perspective – think of information as goods and services in a physical supply chain.

Page 17

Managing Assets Model – Problems

Is information really a fixed asset?

How do you measure success?

Forcing a system through compliance rather than contributing to quality outcomes

Access and Privacy just one of many competing interests in governance decision-making and assessment

Page 18

Managing Assets Model – Problems

Is compliance to standards deployment effective?

• Information management happens at each workstation – how do you control that?

• IG seen as a “barrier” or even a “brake” to operations

• What are the benefits? How do you measure?

• How do you engage executive sponsors?

Page 19

Information Governance

Functional Records Management/Archives

• Records retention/destruction/integrity control

– Capture

– schedules/destruction processes

– storage and retrieval

– preservation/continuity

Information about information (metadata)

• Based on records description (classification)

• Functional context is a key component of records description and control

Policy on collection, use, disclosure, access and security based on function

Page 20

Function-Based Information Governance

Functional purpose and context of information are the key to organizing, assessing, retrieving, and maintaining information to meet IG needs.

Page 21

Function as Information Policy Interface

IM Function | Activities | Policy Determinant

IT | IT systems development, maintenance | Functional needs

Records management | Information capture, availability, and retention | Functional needs

Access to information | Locating, retrieving, and making available information relevant/important to a citizen's right-of-access need | Functional context as part of relevancy and status decision-making

Privacy | Appropriate personal information collection, use, disclosure | Function (purpose)

Security | Protecting sensitive information from unauthorized access, loss | Functional context

Enterprise risk management | Identify and mitigate risk to organization and others | Functional context

Archives | Preserve/make available information of long-term value | Functional context

Page 22

Function-Based Information Governance

Segregate information (schedules, registries) about policy, business functions and information/information systems

Apply policy to functions; relate functions to Information

Many to many relationships

[Diagram: three registries side by side, Functions (Taxonomy), Information, and Information Policy, each holding items A, B, C and D, linked to each other many-to-many]

Page 23

[Diagram: OBJECTS (Topics, Clients); Organization Infrastructure Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management; Function, Activity or Transaction, divided into PLANNING/DESIGN and ENGAGING/SERVICING]

Page 24

Functional Language

FRUIT

LEVEL | SHOWS | DESCRIPTION | RANGE | SOURCES | EXAMPLE

FUNCTION | Why | Area Scope, Subject of Activity | Open-ended | Legislation, Mandates, Organization charts, administrative history, job descriptions | Human Resources

SUB-FUNCTION (optional) | Why | Role/Program within Function | Open-ended | | Compensation

ACTIVITY | How | Action, triggered by Transaction with topic or client | Closed | Standards, job descriptions, interviews, organization charts | Review

TASK (optional) | How | Specific Task within Activity | Closed | | Benchmarking

TRANSACTION with TOPIC OR CLIENT | What | Object of Activity | Static, open-ended | Interviews, records inventory, annual reports | Pay Scales, Managers, Joe Smith

Page 25

Functional Language

| Planning/Design | Engaging | Servicing | Accountability/Documentation Significance

Definition | Function, Activity or Transaction by which the methods, policies, and design of the function are chosen, developed, evaluated and improved | Function, Activity or Transaction by which eligibility, status, and terms of client or object engagement are set or ended | Function, Activity or Transaction by which services are actually delivered to clients or objects, based on terms of engagement |

FUNCTIONAL EXAMPLES

HUMAN RESOURCES, Compensation | Developing and evaluating compensation plan | Establishing level/Terminating | Delivery/Maintenance of compensation

COMMUNITY CARE, Long Term Care | Planning, developing program and evaluating program | Referrals, placement, scheduling, care planning | Resident Care

MATERIAL MANAGEMENT, Equipment Maintenance | Planning, designing and reviewing equipment maintenance system | Referrals, site or shop scheduling | Diagnosing problem, repairing, updating

Page 26

Information Governance

Page 27

Information Governance

Page 28

Functional IG Perspective/Approach

Continuum vs. lifecycle

Design in function-based policy to systems

Support of function vs. compliance

Access and privacy participates in system design to support functional documentation and compliance analysis

Page 29

IG Happy Land

From fixed asset to changing product and tool attached to functional context.

Success = how well does information support functional needs?

From compliance to participation in a function-based policy.

From Access and Privacy as an isolated problem to essential expertise in the solution.