If you're looking for a simple guide to information governance from a respected authority in the field, see Ernst & Young's Information Governance for the Real World, and its Information Governance Solution guide. Ernst & Young is one of the 'Big Four' accounting firms and also one of world's largest professional services firms. It advises businesses on how to implement an information governance program.

Ernst & Young has identified seven key principles of information governance:

1. Know your information: develop search criteria to find certain document types.

2. Know where you have information: be able to find PII that must be disposed of.

3. Access: limit data access to certain teams.

4. Protection: find gaps in data protection policies.

5. Response to external events: run gap analysis of processes to respond to data breaches.

6. Keep data no longer than necessary: emphasize the right to erase PII and be forgotten under the GDPR.

7. Dispose: delete redundant and outdated data.

Information governance policies help organizations:

  • Make informed decisions quickly.

  • Comply with regulations and discovery requests.

  • Reduce the cost of data storage.

Ernst & Young recommends:

a. Conform to the regulations of FINRA, the SEC, the FDA, and other government bodies to help protect privacy rights.

b. Don't rely on IT to take a black box approach to preservation and collection. Develop an in-house discovery preparedness program.

c. Address the proliferation of information systems.

d. Use data maps to track records subject to regulations.

e. Identify critical data assets.

f. Implement a defensible disposition program.

The UK's National Health Service is the largest single-payer healthcare system in the world. The Royal Marsden Hospital of the NHS was the first hospital in the world dedicated to caring for cancer patients, and it is currently the largest cancer center in Europe. Its information governance policy provides an excellent example of how a world-class organization secures Protected Health Information (PHI).

The hospital's policy requires non-confidential information to be made public. Openness and confidentiality are given equal importance. An annual audit is performed of its cyber security program. It must also assess each year whether its policy complies with legal requirements and whether the collected information meets an adequate standard of quality. The policy references the principles established by the National Data Guardian for Health and Care in England. The National Data Guardian is an independent body which provides guidance to the UK on data confidentiality in its health care system. Its Data Security Standards require that:

1. Staff ensure that personal data is handled securely.

2. Staff understand their accountability for data breaches.

3. Staff pass an annual data security test.

4. Personal data can only be accessed by those who need it.

5. Annual audits must address workarounds used by staff which compromise data security.

6. A report must be made to senior management within 12 hours of a data breach being discovered.

7. A continuity plan must be implemented.

8. Unsupported software cannot be used.

9. A cyber security framework should be used to protect against threats.

10. IT contractors must meet these standards.

A Data Protection Officer ensures compliance with the GDPR and an Information Governance Manager ensures compliance with the data security standards.

  • Jan 1, 2019

The International Organization for Standardization Standard 22301 addresses the requirements necessary to maintain a document management system against disruptive incidents. ISO 22301 implements a Plan-Do-Check-Act schema to help improve business continuity.

ISO Standard 22301 encourages evaluation of a business continuity management system in order to ensure it gets the intended results. The MAO (Maximum Acceptable Outage) is the time it would take for a faulty plan to lead to results which would be unacceptable. The MBCO (Minimum Business Continuity Objective) is the minimum level of services necessary for an organization to achieve its objectives during a disruption. ISO 22301 sets time frames for restoring crucial services and specifies how warnings are to be given when there is a threat to business continuity.

The involvement of senior management and the participation of an internal advocate are crucial to the success of a program to protect a business's document management system. Individual departments must be required to follow the same standards and to cooperate. Companies may already have measures in place which help them conform to ISO 22301. Routine internal audits should be performed to ensure compliance with the standard.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea . Proudly created with Wix.com