
IG for Me but Not for Thee?


The need for a comprehensive and cross-functional language of Information Governance.

Let’s face it. Whether we are Information Governance (IG) practitioners, records managers, Data Governance experts, lawyers, technologists, privacy professionals, consultants, or any other combination of Information Management (IM) or adjacent professionals, we often play fast and loose with terms that are essential to understanding information governance. This is in part due to falling prey to the latest hot topic or buzzword in the industry, or because we think everyone understands what we mean, even when it’s not what we actually say.

Words are important. Not just for us as the Subject Matter Experts (SMEs) of an IM discipline, but for those we are trying to inform and convince – most importantly stakeholders – that IG is not only important, but needed, in today’s data and information-centric world. The challenge is, when the ‘experts’ from the related IG disciplines speak differently about basic terms, confusion and frustration ensue. As a result, policies and procedures are unclear and poorly understood, one discipline’s projects and initiatives do not align with or even conflict with strategic goals of another, and time and resources are potentially misaligned and wasted.

To complicate the issue further, even when looking to ‘authoritative’ sources for guidance, there is a lack of alignment, let alone agreement, on the meaning of essential terms, such as:

  • Data
  • Information
  • Record
  • Metadata
  • Information Governance
  • Records Management
  • Defensible Disposition

There are many sources that could be relied upon, but simply looking at three, one sees where problems can creep into the discussion. The three sources that will be referenced are:

ARMA International is a leading membership organization serving almost 5,000 professionals who manage and govern information. ARMA provides resources, education, certification, and networking opportunities. It sets standards and best practices that professionals leverage to address the full information lifecycle.

  • Glossary of Records and Information Management Terms, 5th Ed.

The Sedona Conference (TSC) is a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation, intellectual property rights, and data security and privacy law. The mission of TSC is to move the law forward in a reasoned and just way through the creation and publication of nonpartisan consensus commentaries and through advanced legal education for the bench and bar.

  • The Sedona Conference Glossary: eDiscovery & Digital Management, Fifth Edition

International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 168 national standards bodies.

  • ISO 15489-1:2016 Information and documentation – Records management – Part 1: Concepts and principles
  • ISO 24143:2022 Information and documentation — Information Governance – Concepts and principles

While each of these sources approaches concepts related to IG from its own unique perspective, each has a vested interest in the success of IG as a cross-functional strategic framework. And while nuances and differences in approach are to be expected, the lack of a common understanding is concerning. Reviewing just these seven terms related to IG allows us to see where the confusion and misunderstandings originate.

DATA

  • Any symbols or characters that represent raw facts or figures and form the basis of information. (ARMA International)
  • Any information stored on a computer, whether created automatically by the computer, such as log files, or created by a user, such as the information entered on a spreadsheet. (The Sedona Conference Glossary)
  • Set of characters or symbols to which meaning is or could be assigned. (ISO 24143)

In its purest sense, data are the building blocks of information. Data are information before context or explanation has been applied. On their own, data are essentially meaningless and without value.

Both the ARMA and ISO definitions speak to this and are in alignment. The TSC definition, unfortunately, defines a subset of information and limits the definition to electronically stored data. This is not surprising as the TSC glossary focuses on eDiscovery.  Ironically, it is the TSC definition that is closest to how the term data is most commonly used/misused.

If data are meaningless and without value or context, then why do we worry about data protection, data security, data privacy, etc.? In these instances, we really mean information. When speaking to stakeholders, if we say data when we mean information, it becomes impossible to differentiate the two, and the differences are important. For example, the loss of unprocessed, unanalyzed, and out of context data, while troubling, is likely not cause for significant alarm. The loss of information, particularly information that has great value or risk associated with it, is the IG equivalent of a five-alarm fire.

INFORMATION

  • Data that has been given value through analysis, interpretation, or compilation in a meaningful form. (ARMA International)
  • Hard-copy documents and electronically stored information. (The Sedona Conference Glossary)
  • Data in context with a particular meaning. (ISO 24143)

Unfortunately, the TSC definition is so generic it is almost meaningless from the perspective of IG.  The TSC definition of information is important and meaningful from the perspective of discovery, but otherwise out of place here. There is again close alignment with the ARMA and ISO definitions, but ARMA goes a step further and includes the concept of value.  ISO 24143 uses the term ‘information asset’ to associate the concept of value with information, but in both cases the inclusion of value is misplaced. 

If there is anything we have learned from records management, information security, privacy, eDiscovery, or any of the IG related disciplines, it’s that not all information has value and even less information has value to an organization. When we say that information has value, specifically value to an organization, what is being referred to is properly called a record. There is, of course, more to it than that, but the concept of value is one of the things that differentiates records from information.

Here again we have a problem if we use one word when we mean another. If, when speaking to stakeholders, we associate the concept of value with information, then how do we justify the regular and routine deletion or destruction of information and the ongoing preservation of records? If both have value, shouldn’t both be preserved and retained? When we say that information has value, what we mean is that it has utility: information is useful to an organization because it supports the ability to perform functions. If we cannot separate information from records when explaining and justifying the need to treat records separately and distinctly, our work becomes that much harder.

RECORD

  • Any recorded information, regardless of medium or characteristics, made or received and retained by an organization in pursuance of legal obligations or in the transaction of business. (ARMA International)
  • Information, regardless of medium or format, that has value to an organization. (The Sedona Conference Glossary)
  • Information created, received, and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business. (ISO 15489)

The definitions of record are all close, but only the TSC definition associates the concept of value with a record (though it is implied by the inclusion of asset in the ISO definition). Both the ARMA and ISO definitions focus on the retention or maintenance of information as the differentiating factor for records, but retention or maintenance alone is not enough. If a record is simply defined as information that is retained (remembering that value is already included in the definition of information) as part of legal obligations or in the transaction of business, then everything is a record based on these definitions. Many organizations already retain nearly everything, often because they have a poor understanding of what a record truly is. For example, many organizations retain backups for inordinate amounts of time because they believe that the backup is a record. Another reason organizations over-retain is that saving is passive and electronic storage is basically “out of sight, out of mind.” If all the electronically stored records and information turned into paper documents and showed up in the CEO’s office tomorrow, something would be done about it. Better definitions of record would help in both cases.

Records managers know that the proactive or passive saving of information does not make the information a record. In addition to simple retention, records have unique attributes that non-records and information do not. To improve these definitions, and better differentiate records from all the information an organization retains, the attributes of authenticity, integrity, reliability, and usability should be included in the definition. This is why many non-information management professionals mistakenly believe that everything is a record, or because the item was created and retained for ‘a reason’ it must be retained as a ‘record.’ This has resulted in the massive over-retention of ROT (redundant, obsolete, trivial) information at nearly every organization. Whether or not the tools and structures exist to manage and delete information over time, if a distinction cannot be made between ROT and that which needs to be retained, the default position typically is, and historically has been, to keep nearly everything. Even when an organization attempts to tag or label their information and records, confusion soon follows.

METADATA

  • Structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use or manage an information resource. (ARMA International)
  • The generic term used to describe the structural information of a file that contains data about the file, as opposed to describing the content of the file. (The Sedona Conference Glossary)
  • Data describing context, content and structure of records and their management through time. (ISO 15489)

The classic definition of metadata is “data about data.” Metadata is not a confusing concept, but when it is poorly defined, it can be difficult to understand. Data has previously been defined as characters or symbols to which meaning could be assigned. Once meaning is assigned, also previously defined, you have information. So, “data about data” is truly meaningless. This is exactly the problem with the TSC and ISO definitions. Both use the term data when they mean information. Further, the ISO definition is limited to records, but nearly all electronically stored information has some type of metadata associated with it. These poor definitions, combined with their limited application to records only, lead to confusion.

The ARMA definition is the best by encompassing the variety of ways that metadata is used and, unlike the TSC and ISO, does not misuse the term data to describe metadata. The ARMA definition calls out that metadata is, in fact, information that provides greater context or other useful detail about an information asset. Yet the meaningless “data about data” definition persists.

Further complicating the concept is when vendors and software providers (I’m looking at you, Microsoft) twist and reapply terms to mean something that was never intended, further muddling the concept and confusing users. What is a valuable concept and approach to managing information now often elicits deep sighs and eyerolls when standardizing metadata is brought up as a possible project in meetings. As a result, only the most dedicated practitioners can get traction with these projects.

INFORMATION GOVERNANCE

  • A strategic, cross-disciplinary framework composed of standards, process, roles, and metrics that hold organizations and individuals accountable for the proper handling of information assets. The framework helps organizations achieve business objectives, facilitates compliance with external requirements, and minimizes risk posed by sub-standard information management practices. Records and information management is an essential building block of an information governance program. (ARMA International)
  • The comprehensive, interdisciplinary framework of policies, procedures, and controls used by mature organizations to maximize the value of an organization’s information while minimizing associated risks by incorporating the requirements of: (1) eDiscovery, (2) records and information management, and (3) privacy/security, into the process of making decisions about information. (Sedona Conference Glossary)
  • Strategic framework for governing information assets across an entire organization in order to enhance coordinated support for the achievement of business outcomes and obtain assurance that the risks to its information, and thereby the operation capabilities and integrity of the organisation, are effectively identified and managed. (ISO 24143)

The main problem with these definitions is their length and complexity. Each comes across as a garbled mashup of terms that ultimately leaves the reader confused.

IG is a broad and complex concept, so it is not surprising that attempts to define it are also complex.  The problem is that these definitions do not make the conversation around IG any easier, especially when engaging with non-practitioners. It is those very non-practitioners that we need to buy into the IG approach… mainly the C-Suite executives whose support and funding are needed for IG to be successful. 

What IG needs is an elevator-pitch style definition. Surprisingly, Wikipedia has a simple and solid definition of IG, “the overall strategy for information at an organization.” This simple and to the point description allows the rest of the more complex ideas to be worked in as relevant.  This definition also sets the stage for those aspects that IG will address and enables the specifics of an IG program to be further defined based on the needs of the organization.  How IG is executed depends on multiple factors including industry, regulatory framework (or lack thereof), litigation profile, risk appetite, and others. Priorities, strategies, and approach are determined by these factors and the simple definition provides flexibility to address these.

RECORDS MANAGEMENT

  • The field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organization’s records and information. (ARMA International)
  • The planning, controlling, directing, organizing, training, promoting and other managerial activities involving the lifecycle of information, including creation, maintenance (use, storage, retrieval) and disposition, regardless of media. (The Sedona Conference Glossary)
  • Field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records (ISO 15489)

For most organizations, a mature and well executed records management program is an essential pillar of IG. While there is some variation among these definitions, they are fairly consistent. The ARMA definition incorporates the management of information, which is important as records only represent a fraction of the information organizations create and retain. The TSC definition also adds the important concept that information is retained regardless of media or format but does not specify records as separate from information.  The concept of a record is built into the lifecycle of information, which is referenced, but a non-practitioner will likely not know this. The media issue is important because too many organizations and non-practitioners believe that only paper documents can be preserved as records. The ISO definition hits the correct points about records management, but it limits itself by defining RM as only applying to records.

While none of these definitions is poor or inaccurate, confusion still exists as none of them hit all the essential points. The best definition would be an amalgamation of all three.  This ensures that records and information are included, and that media or format is addressed. Further, the proper term should likely be Records and Information Management to add clarity.

DEFENSIBLE DISPOSITION (or DISPOSAL or DELETION?)

  • The actions taken under formally defined and approved policies and procedures that result either in records being destroyed or permanently transferred to another organization. (ARMA International)
  • … (ISO 15489 / 24143)
  • The effective disposal of physical and electronic information that does not need to be retained according to an organization’s policies when the data is not or no longer subject to a legal requirement for retention, be it statutory or as part of a litigation. (Sedona Conference Glossary)

Defensible disposition, or more accurately defensible disposal, is a core concept of IG.  It is interesting that, having just developed the ISO 24143 Information Governance Standard, ISO is silent on this term.  Additionally, the ARMA and TSC definitions simply define the disposition of records, which as any trained records manager will tell you, is by definition defensible.  Disposition is an action taken on records that is based on policy, procedure, and a retention schedule and which occurs during the normal course of operations.  Defensible disposal is typically a long-term, heavily documented, dedicated effort to dispose of records and information that were not deleted during the normal course of operations and, in the case of records, were not deleted once retention obligations were met, as well as the deletion of the typically massive volumes of redundant, obsolete, and trivial (ROT) information that organizations tend to hold onto.  Often the goal of a defensible disposal effort is to bring the organization’s retention efforts current to policy and the retention schedule. This is done while working on implementing routine, often automated, deletion and disposition of all records and information.  Neither the ARMA nor the TSC definitions make these distinctions.

Ideally, practitioners need a single definition of defensible disposal so that the term is universally understood and applied.  Without it, any effort to delete information, well executed or not, could be labeled ‘defensible disposition’ making all such efforts questionable.

GETTING IT WRONG

When essential IG terms are unclear and misunderstood, too often the result is that well-intentioned efforts at an organization end up creating risk.  Too many organizations have issued legal hold notices with language that only references records, “You are required to preserve the records described in the Legal Hold Notice.” Yet if we have learned anything from the past 15 years of litigation in the US, simply preserving the official records is not enough.  While having a standardized and regularly issued legal hold notice is a huge step in the right direction, statements like this example open the organization to risks of spoliation by using the term “records” when what is meant is “information.”  Swing and a miss. Multiple examples abound.  Whether it’s a ‘no exceptions’ approach to deletion, or a full out resistance to deletion because “someone may need it someday,” these problems/challenges are often rooted in a misunderstanding.  When Information Management practitioners, and those in related disciplines, approach these terms and key concepts differently, unintended confusion will result. Lawyers that say records when they mean information, IT execs that refer to managing data when they mean records, RIM professionals that talk metadata when they mean tagging…. on and on.  We wonder why the users and the C-Suite don’t understand us, are confused, or worse, frustrated.

WHAT TO DO

Revisions to the key terms used by IG professionals are clearly needed, but if the release of ISO 24143 is any indication, the proper involvement of IG experts appears to have been lacking. Whether it is ARMA, ISO, TSC, IAPP, AIIM, or the multitude of organizations in the information management space, there needs to be better coordination and collaboration as these terms and concepts are refined. In addition, more legal professionals are involved in the IG space than ever before. This means the terms need to reflect more than just the eDiscovery perspective that TSC has represented to date.

Most importantly, practitioners need to get involved. While volunteering for projects and standards development committees is important, it is more than that. We need to not only encourage but PUSH our colleagues in the professional organizations to collaborate. Updating and creating standards and best practices in silos is no longer viable. It is ironic that one of the objectives of IG is to break down stakeholder silos yet, as professional organizations, we still follow the siloed model. It has to end.

What also needs to end is practitioners playing fast and loose with terminology. We need to be precise and consistent with how we use the key terms and the underlying concepts. We can do this by ‘tending to our own garden’ in our respective organizations.  We need to review all organizational documents to ensure consistent use of information-related terminology.  This includes policies, procedures, charters, terms of reference, strategic objectives and any additional documents that discuss or make reference to information operations and activities.

Do you have a corporate glossary? It may be time to develop one.

At the end of the day, we, as the professionals in the IM/IG space, need to take ownership of this terminology problem. Until we mean what we say and say what we mean, we cannot expect those we need to influence and buy into our efforts to come along. We need to be ‘singing from the same sheet of music.’

This article was written by Jason Stearns (CRM, IGP, CIPP-US, CIPM) who is Arrayo’s Information Governance, Privacy, and Records Management Practice Lead, and edited by Olympe Scherer.
