INFORMATION GOVERNANCE FOR PRIVACY COMPLIANCE
Access and Privacy Conference
Edmonton, June 13, 2012
Rick Klumpenhouwer, MA, MAS, CIAPP-M
Partner, Cenera
Course Objectives
Understand the principles of information governance and how it can be used to implement
health information privacy compliance;
Analyze and apply this knowledge and methodology within the context of your own
jurisdictional setting
What is a good privacy program?
operates on some clear principles and values about information;
requires intense involvement in how information systems and practices operate “on the
ground”;
more proactive than reactive;
a program with ongoing functions, maintenance, goals, assessment and improvement;
runs as an information management/governance program
Information Management
Organization of and control over the structure, processing and delivery of information.
Answers the questions:
• What kind of information do I need to create/receive?
• How and what do I retain and why?
• How do I find and use information that I’ve stored?
Elements of Information Management
Support Business Functions
Preserve Evidence for Accountability
1. INFORMATION POLICY
2. RM FRAMEWORK
3. TRAINING/CHANGE MGMT
4. SYSTEM DESIGN
5. RECORD CAPTURE
6. TRACKING/RETRIEVAL
7. STORAGE/PRESERVATION
8. ACCESS/SECURITY
9. DESTRUCTION
10. ASSESSMENT/IMPROVEMENT
What do you need to understand a record?
Content
• The intellectual substance of a document, including text, data, symbols, numerals, images, and
sound.
Structure
• The manner in which elements are organized, interrelated, and displayed.
Context
• The organizational, functional and operational circumstances surrounding records' creation or
use.
Information Governance
Concept used by UK NHS to integrate patient privacy into the new EHRs they were
developing;
• Manage solutions overlap – reduce redundancy of effort
• Quality measurement – need to track progress
• Participation – compliance on issues integrated with, not opposed to, health care objectives
A need to bring together privacy and functional requirements operationally, manage
development, and measure progress
Why IG?
Two main drivers:
Electronic information systems
• Use/reuse
• Structured/unstructured data
• Integrity/accuracy
• Transaction/Data analysis
• Digital continuity
Information regulation
• Access to information
• Privacy/Security
• eDiscovery
• SOX/C-SOX
Information Governance
1960-1990: Transactional Applications
1990-2005: Enterprise Repository Systems
2005-: Policy Application
Winston Chen, A Brief History of Data Governance (2010)
Why IG?
Digital IM requires more planning, accountability, application of
value.
Governance Elements
• Surveillance and assessment
• Decision-making
• Accountability
Counter-intuitive: governing information, not information for governing.
IG Defined
Collaboration of interests
Information Governance is the enterprise-wide framework that includes the people, processes, and procedures
necessary to ensure the preservation, availability, security, confidentiality, and usability of an enterprise’s
information. (David Hill, EMC2)
Government by IT:
Digital Governance is often referred to as Egovernance, E-governance or Electronic Governance. In simple terms,
it refers to governance processes in which Information and Communications Technology (ICT) plays an active
and significant role.
IG Defined
Governance Framework
The specification of decision rights and an accountability framework to encourage desirable behavior in the
valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards
and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its
goals.
(Gartner)
How?
Wonderful sentiments, but the real problem is how to implement
Still working with existing IM implementation systems:
• IT development/maintenance
• Records management
• Access to Information
• Privacy/Security
• Enterprise risk management
• Archives
Just work together harder?
How? Managing Assets Model
Fixed assets that need to be inventoried, controlled, and made available as need
arises
IT and records management lifecycle or “supply chain”
Automated workflow, transaction, logistics solutions
Compliance to standards regime/audit and enforcement key
IBM Supply Chain Management
IBM is leading the way by approaching information governance from a supply chain
perspective – think of information as goods and services in a physical supply chain.
Managing Assets Model – Problems
Is information really a fixed asset?
How do you measure success?
Forcing a system through compliance rather than contributing to quality
outcomes
Access and Privacy just one of many competing interests in governance
decision-making and assessment
Managing Assets Model – Problems
Is compliance to standards deployment effective?
• Information management happens at each workstation – how do you control that?
• IG seen as a “barrier” or even a “brake” to operations
• What are the benefits? How do you measure?
• How do you engage executive sponsors?
Information Governance
Functional Records Management/Archives
• Records retention/destruction/integrity control
– Capture
– schedules/destruction processes
– storage and retrieval
– preservation/continuity
Information about information (metadata)
• Based on records description (classification)
• Functional context is a key component of records description and control
Policy on collection, use, disclosure, access and security based on function
Function-Based Information Governance
Functional purpose and context of information the key to organizing, assessing,
retrieving, and maintaining information to meet IG needs.
Function as Information Policy Interface
| IM Function | Activities | Policy Determinant |
|---|---|---|
| IT | IT systems development, maintenance | Functional needs |
| Records management | Information capture, availability, and retention | Functional needs |
| Access to information | Locating, retrieving, and making available information relevant/important to citizen right of access need | Functional context as part of relevancy and status decision-making |
| Privacy | Appropriate personal information collection, use, disclosure | Function (purpose) |
| Security | Protecting sensitive information from unauthorized access, loss | Functional context |
| Enterprise risk management | Identify and mitigate risk to organization and others | Functional context |
| Archives | Preserve/make available information of long-term value | Functional context |
Function-Based Information Governance
Segregate information (schedules, registries) about policy, business functions and
information/information systems
Apply policy to functions; relate functions to Information
Many to many relationships
[Diagram: Information Policy, Functions (Taxonomy), and Information, each with items A, B, C, D]
[Diagram labels: Objects (Topics, Clients); Organization Infrastructure Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management; Function, Activity or Transaction; Planning/Design; Engaging/Servicing]
Functional Language
| FRUIT | LEVEL | SHOWS | DESCRIPTION | RANGE | SOURCES | EXAMPLE |
|---|---|---|---|---|---|---|
| | FUNCTION | Why | Area Scope, Subject of Activity | Open-ended | Legislation, Mandates, Organization charts, administrative history, job descriptions | Human Resources |
| | SUB-FUNCTION (optional) | Why | Role/Program within Function | Open-ended | | Compensation |
| | ACTIVITY | How | Action, triggered by Transaction with topic or client | Closed | Standards, job descriptions, interviews, organization charts | Review |
| | TASK (optional) | How | Specific Task within Activity | Closed | | Benchmarking |
| | TRANSACTION with TOPIC OR CLIENT | What | Object of Activity | Static, open-ended | Interviews, records inventory, annual reports | Pay Scales, Managers, Joe Smith |
Functional Language
| | Planning/Design | Engaging | Servicing |
|---|---|---|---|
| Accountability/Documentation Significance | Function, Activity or Transaction by which the methods, policies, and design of the function are chosen, developed, evaluated and improved | Function, Activity or Transaction by which eligibility, status, and terms of client or object engagement are set or ended | Function, Activity or Transaction by which services are actually delivered to clients or objects, based on terms of engagement |
| FUNCTIONAL EXAMPLES | | | |
| HUMAN RESOURCES: Compensation | Developing and evaluating compensation plan | Establishing level/Terminating | Delivery/Maintenance of compensation |
| COMMUNITY CARE: Long Term Care | Planning, developing program and evaluating program | Referrals, placement, scheduling, care planning | Resident Care |
| MATERIAL MANAGEMENT: Equipment Maintenance | Planning, designing and reviewing equipment maintenance system | Referrals, site or shop scheduling | Diagnosing problem, repairing, updating |
Information Governance
Functional IG Perspective/Approach
Continuum vs. lifecycle
Design in function-based policy to systems
Support of function vs. compliance
Access and privacy participates in system design to support functional documentation and
compliance analysis
IG Happy Land
From fixed asset to changing product and tool attached to functional context.
Success=How well does information support functional needs?
From compliance to participation in a function-based policy
From Access and Privacy as an isolated problem to essential expertise in the solution.