Data Governance: Controls and Culture
As said, ESI is an increasingly understood and litigated issue. What requires much more thought by employment lawyers is data governance. Data governance is the system of rules and procedures that relate to how an enterprise’s ESI is stored, managed, used, merged, deleted, and transferred.
According to the Data Governance Institute, data governance is a “system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”
While data governance is a term not usually directly associated with employment lawyers, it should be. (Recall that one of the core cases in the e-discovery world was an employment discrimination case.)
Moreover, data governance should be both a set of controls and a cultural norm at organizations. Organizations are too data-driven and too dependent on technology to allow the storage, management, use, retrieval, elimination and exfiltration of data to be left to anything short of a fundamental shift in the way that lawyers, technology personnel and executives interact with each other and with the organization’s data.
Which brings me back to employment lawyers: since that data is often rife with employee-related information and will most likely be used in employment-related litigation, employment counsel must ensure that good data governance practices are in place.
The first step in data governance for employment lawyers is a big one: fully assessing the situation.
Some key questions* can help frame your investigation:
- Do you have a data “governor?” In other words, is someone in charge of data governance? Is there/can there/should there be a cross-functional team that deals with data issues? Are you or other lawyers on that team or connected to the process?
- Have you surveyed your situation? Do you know what data is where, what retention policies are in place and who is in charge of deciding upon and executing those policies?
- Do you have a data governance strategy, even an informal one?
- Do you know the probability of risk? How has that data been used (or abused) in the past? What is your litigation and discovery risk?
- How are data emergencies (breaches, discovery requests) and data security managed? Who decides? Are litigation holds designed to work across technologies, such as ensuring data preservation of text messages?
- How will you assess the true costs of e-discovery? What is, in good faith, “reasonably accessible” and what is not?
- How is information usage/access logged, by whom and where are the logs kept?
- Are employees properly educated in good data stewardship and practices, including how and when to mark documents as privileged?
- Are you monitoring the efficacy of your controls?
- Is someone able to report on data governance and its efficacy as an F.R.Civ.P 30(b)(6) witness?
- How will you ensure that your data governance plan is up-to-date and encompasses new and emerging technologies? For instance, as encryption becomes more “popular” (Google and Apple have released phones with “full device” encryption), what rules will issue to employees?
- How would you measure a “successful” data governance plan?
- Is there a way to ensure that data governance becomes a cultural rather than a mere rule-based set of norms for the enterprise? Are leaders willing to lead on the issue of the importance of data governance? Will the company create a culture of data awareness and data integrity?
Edit on 11/7/2015: Developments in the EU push rigorously maintaining information provenance to the forefront of concern.
In short, you need to Assess, Plan and regularly Reassess. And finally, you need to build: build a compliance scheme and build a leadership culture and environment where data awareness and integrity are at the heart of the enterprise’s culture.
More on this topic in the coming weeks.
*- Citations and very interesting reads: these questions are adapted from, but do not exactly mirror, IBM’s Data Governance Blueprint: Leveraging Best Practices and Proven Technologies (pdf) and Gartner’s How to Measure Success with Information Governance?. See also the American Health Information Management Association’s E-Discovery Litigation and Regulatory Investigation Response Planning: Crucial Components of Your Organization’s Information and Data Governance Processes.