Riding the next wave of information management

Written by :

GWI

Information Awareness Week 2024: Riding the next wave of information management

18-22 March is Information Awareness Week. As data and information professionals, the GWI team are passionate about promoting modern and sustainable information management practices. In this blog, we share information management tips, insights and best practices according to our information experts Danika Lanham and Jane Brimacombe.

Information assets

The Queensland Government Enterprise Architecture (QGEA) defines an information asset as ‘an identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling an agency to perform its business function, thereby satisfying a recognised agency requirement’.

It may be comprised of data and information stored across multiple locations but dealing with the same topic e.g. customer information.

Information assets are defined and managed in Information Asset Registers so they can be understood, shared, protected and used to their full potential.

Information architecture

Information architecture involves organising and structuring information assets effectively and sustainably. Good practice information architecture provides a structured description of an organisations’ information, the relationship of this information to business requirements, processes, applications and technology, and the rules that govern it.

Information architecture includes the provision of approaches, models and a methodology for designing and managing information assets so that they are directly linked to business drivers. It enables employees to manage, find and use information timely and effectively.

Information governance

Information governance is the development and implementation of an accountability and decision rights framework to ensure the appropriate management of information throughout its lifecycle. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information to enable an organisation to achieve its goals. (Adapted from Gartner.)

Without information governance, enterprise risks increase around the security, quality, integrity, privacy, confidentiality, accessibility, use and re-use of information assets. This can result in legislative and regulatory non-compliance, an increased likelihood of data spill or breach, as well as increased costs, organisational inefficiencies and flawed decision-making.

Information security classification

Information security classification is the process of assessing an organisation’s digital and physical information assets to determine the controls needed to apply the appropriate level of protection. The greater the impact to an individual or organisation if the information were to be lost, disclosed, compromised or misused, the higher the level of protection that is required. Protection can take the form of security access controls, as well as labels or protective markings.

There is a direct link between consistent and appropriate information security classification and the mitigation of information and cyber security risks. It is critical that organisations implement the classification framework most relevant to their business.

Information lifecycle management

Lifecycle management refers to the proactive management of information assets from creation or capture through to retention and disposal. It ensures an organisation’s information is effectively managed, secured and stored so that it can be appropriately re-used and shared. Lifecycle management helps to maximise the value of information, protects it from misuse or loss and ensures it is retained for the minimum retention period.

Without lifecycle management, organisations are at risk of accumulating an expanding volume of information assets, increasing costs and escalating the risk of potential cyber incidents, data spills and data breaches, resulting in financial and reputational damage.

Retention and disposal

Retention and disposal are critical to effective information management (IM). Retention in an IM context refers to the length of time information (both digital and physical) must be kept to meet legislative, regulatory or business requirements. State and federal regulators provide guidance about the minimum period that information must be retained. At the end of the retention period, information can be disposed (i.e. destroyed or deleted) following a prescribed process.

This element of the information lifecycle is relatively complex and is often delayed or put off due to time or resourcing constraints. However, by not completing appropriate disposal processes, organisations create ever-increasing holdings of information that can be lost, accessed or disclosed without authorisation – resulting in a data breach.

Privacy and ethics

Privacy is a human right for individuals and critical for organisations. Organisations have an obligation to collect, handle, manage and secure personal information to minimise the risk of serious harm, while also navigating Australian and global privacy regulations. Appropriate security and access controls must be implemented to mitigate data breach risks which can result from the misuse, loss, unauthorised access, use, modification and disclosure of personal information. The collection and proactive management of personal information, throughout its lifecycle, must be considered early and often across both projects and routine operations.

Alongside privacy issues and risks are the ethical questions posed by the collection and analysis of information. These centre on the impact to individuals, the potential for misuse, and economic value. Should we collect this information just because we can?