Just google the term “maximising the value of information” and you will get a plethora of results. How did we get here and why are we still struggling to manage information?
Technology has led to a massive growth in the volume of information. Now there are new technologies to manage the ever-increasing volumes of information across multiple systems and platforms. Some of these systems are great and really help us achieve efficiency, ease of use and better business outcomes. But shouldn’t we be more strategic instead of just throwing another piece of technology at it?
How can we maximise the value and minimize the risk to our information before implementing new technologies? Implementing Information Governance strategies can provide organisations with a framework to better understand and manage the information that they need to create, use, share and and at some point information that can be disposed of.
Information Governance, as described by Gartner, “is the specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information…”. In guidance for Establishing an Information Governance Framework, the National Archives of Australia describes Information Governance as a “system for managing information assets across an entire organisation to support its business outcomes”. Data.NSW promotes an Information Management Framework that’s provides a shared direction for how information should be managed within the NSW public sector. The common theme here is to have a framework and systems that manage all of an organisation’s information, including records and data, from creation through to business use and eventual disposal.
With effective information governance practices in place organisations can achieve responsible corporate governance and leverage opportunities to maximise the value of information assets.
Information Governance Frameworks
Developing an information governance framework with a ‘by design’ approach will help organisations to have information that is trusted, reliable and business outcome focused. Effective frameworks require collaboration across specialty areas including privacy, security, compliance, information management, records management, data management and information technology. A key component in aligning theses specialty areas is an information asset register.
Information Asset Register
You can’t develop an effective information governance framework or maximise the value of your information until you know what you have and understand its context, who controls it and its limitations. An Information Asset Register helps you to understand:
- what your information assets are,
- where your information assets are located,
- what software applications they are managed in,
- what formats they are in,
- who the business owners or custodians are,
- requirements for access, security and privacy,
- the value of information to the organisation legally or otherwise (high or low),
- requirements for retention and disposal, and
- possible risks that need to be mitigated
An information asset register should be a key component in any information governance framework and is a great starting point in maximizing the value of your information. Below are just 2 examples of what an information asset register might look like.
About the Author
Annette Senior has a Graduate Diploma of Science (Information Services) and has worked in information specialist roles since 2000. She has delivered front line support services for Electronic Information Management systems and has extensive experience as a systems administrator for TRIM. In addition to her technical understanding, she is a knowledgeable and adept trainer, designing and delivering information management and system-based training for diverse audiences. Annette’s’ experience in risk and compliance areas informs her approach to information and records management frameworks. She has experience developing and maintaining recordkeeping policy, procedures, classification and disposal tools to support business objectives and the implementation of technology.
In our last Microsoft 365 (M365) article we began to touch on retention capabilities within M365. A core retention capability within M365 is that of retention policies, which provide the ability to:
- decide whether to retain and/or delete information assets
- apply a single policy to the entire Agency or specific locations and users
- apply a policy to all content in a location or to content meeting certain conditions
Retention Policies are a great feature for organisations with relatively simple retention and disposal requirements. Policies work as a behind the scenes feature, and are applied to content matching policy settings without any end user intervention.
When a retention policy is applied to locations or information assets, people can continue to edit and work with information assets. However if a document is deleted or modified a copy of the document is retained in the Preservation Hold Library (PHL) in SharePoint or the Recoverable Items Folder (RIF) in Exchange. It is important to note that if content is deleted or modified:
- for deleted items the original document/email is moved to the Recycle Bin and deleted after 93 days (SharePoint, OneDrive, Teams) or Deletions folder and deleted after a default 14 days (Exchange)
- where a copy is taken, the copy will have its own GUID and it is not clear whether any relational link is created between the copy and the original (including audit history of the original)
- recycle bins are not indexed therefore any searches, including eDiscovery searches, will not be able to discover information assets within a recycle bin. However the PHL and RIF are indexed and searchable
PHL exist at a site collection level within SharePoint (or SharePoint backend solutions like Teams and OneDrive). The libraries are only created when the first item needs to be copied to the library, rather than when the retention policy is created. PHL are only viewable by Site Collection Administrators (or other admin roles with access to Site Collection Administrator permissions). Microsoft MVP Joanne Klein has written a helpful explainer on the Preservation Hold Library, including a table which documents PHL behaviours when particular site actions are performed.
“Digital Preservation” by zipckr is licensed under CC BY 2.0
The RIF in Exchange is hidden from end users, but content is discoverable via eDiscovery searches. Administrators with appropriate controls can perform actions on user RIF using the Exchange Management Shell. Users RIF storage quota, when a retention policy is applied to the mailbox, is automatically set to between 90GB and 100GB. If the auto-expanding archiving feature in Exchange Online is enabled, the storage quota for the RIF in the user’s archive will be unlimited.
When configuring a retention policy rules can be set to keep content forever, or dispose of content a certain period after the following retention triggers:
- the content was created
- the content was last modified
Retention Policy Gaps
Retention policies are unable to accommodate retention triggers that are event-based (e.g. date of termination, expiry of contract, date of birth, etc). While Retention Policies present a promising feature for managing simple retention requirements, the lack of disposition review process for Retention Policies leaves gaps in compliance if proof of defensible destruction is a requirement.
In the next part of our series we’ll look at Retention Labels in M365.
About the Author
Adelaide Copland has worked as an information specialist and CM/TRIM application administrator since 2014. Adelaide has experience in Microsoft 365 implementations, process improvement, records training delivery, development of policies and procedures, strategy and establishing digitisation programs.
NZ has led the world in issuing its Algorithmic Charter for Aotearoa New Zealand in July this year. The charter is designed to ensure NZ citizens have confidence in how government agencies use algorithms and demonstrating a commitment to transparency and accountability in using data.
Algorithmic accountability has been much on my mind for a while now. I first wrote about this as an emerging issue for recordkeeping in 2016. Since that time, algorithms have been identified as decision making tools in many contexts and are likely to increase in use by organisations as the trends towards datafication of all types of things, not least of which is people.
Many books have been written identifying the inherent bias built into assumptions controlling algorithms; one of the best known of these is Professor Sofiya Noble’s Algorithms of Oppression, but many other scholarly articles have emerged around the use of algorithms. Similarly there has been an expansion of attention to data ethics, following the Snowden revelations about widespread unauthorised data collection by multiple governments and the Cambridge Analytica Facebook scandals of 2015-2016. Some of the world’s biggest data players are even backing calls for ethical approaches to data use and regulation of AI.
Examples of misintended (we assume) results which severely impact people, are growing. They include the Google facial recognition service that labelled images based on skin colour and the earlier labelling of dark skinned individuals as ‘gorillas’; or more locally the use of AI and predictive technologies in our own home grown Robo-debt scandal linked to the suicide of a number of targeted individuals; and most recently the controversy surrounding the algorithmic grading of UK’s school leaver results in CoVID times. The emergence of the Indigenous Data Sovereignty initiatives reflect just how seriously Indigenous communities regard the appropriation and perpetuation of stereotyping in data use. Of course there are great benefits, new insights and advantages to also be found in greater activation of data – it’s just that the problem stories show the devastating results of misapplied use of technology.
Recordkeeping and Algorithms
“3D-Printed Algorithm” by tonnerrelombard is licensed under CC BY 2.0
So what is the role of recordkeeping in the process of documenting algorithms which learn and evolve? It’s a big topic, far too big for me to be able to answer and one which needs much more work. The UK Information Commissioner’s Office is doing interesting work in building an AI Auditing Framework which will likely have recordkeeping implications. But what seems likely as a starting point is far more systematic documentation about algorithms, AI and predictive learning. So here is perhaps some beginning thoughts:
- identify and maintain the data on which the algorithms are trained;
- document and records all processes in the design of systems and algorithmic development;
- clear documentation about the intent of the algorithm, and
- development of a regular, systematic and documented auditing approach to test whether the algorithm is still doing what it set out to do.
All this also brings with it questions of individual consent (and the use of umbrella consent models), social expectations and larger social conversations about consultation, about whether the outcomes are ethical etc.
It’s a big topic – I’m not going to be the one to ‘solve’ it. There is so much to know and find out. But I am actively thinking in this space, and would love to hear from like minded recordkeeping people.
About the Author
Ms Barbara Reed, Director of Recordkeeping Innovation Pty Ltd, has been a consultant in the fields of records, archives and information management since 1985. She is active in professional arenas, including the teaching and training environments. She has played a major role in the development of Australian and International standards for records management, digitisation, recordkeeping metadata and others.