Archives February 2022

Whitepaper: Are You Stuck in the Past with Your RIM Program and Software?

by Jasmine Boucher, BMgt, CIP

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION


Introduction

Many knowledge workers are introduced to records and information management (RIM) as a task that is completed from the side of their desk. Often this is because there is no official records management program or dedicated staff. For these professionals, exposure to RIM can be limited, and its value is often yet to be discovered.


In this paper we will discuss the historic challenges (for some, the current challenges) that records and information managers have faced in implementing software, understanding the next steps for progress, and the business case for implementation. After reading this you should be better positioned to understand the core RIM issues that may exist in your organization, be able to perceive a better future, and present options to your business. The goal of this white paper is to help those who are either just starting in RIM or struggling to gain approval for a formal RIM program and software implementation.

Historic Challenges of Records Management

Records and information management is a profession that for some individuals or organizations has seen little-to-no change, not because change did not exist but because they were either unaware of or did not see the value of progression and innovation in processes and technology. For some individuals there was concern that their jobs would be made irrelevant or they would no longer be required. Others did not see financial value in improvement, and yet for some the field just did not interest them or they did not seek to understand it. ISO standard 15489-1: 2016 defines Records Management (RM) as “the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.” (ISO)

Many organizations still do not have any sort of formal records management program. Historically if there was a program it typically focused on the management of paper files. In some organizations the records group would act as a central filing group. They would receive a document, classify it, and then file it. When and if needed that document would then be retrieved and sent to the requestor. At the end of the lifecycle the records management group would take the steps to apply the disposition process (although for many this step may not occur on time or at all). Even with the transition to an electronic age, for many users, that simply meant adding an additional step… printing it off.

If we look back to the definition as stated by ISO Standard 15489-1 there is a lot more to records management than storing, retrieving, and disposing of documents. For many years it seems that some organizations were limited in their understanding of records management and simply ignored the other facets whether it be creation and capture, receipt and maintenance, or processes surrounding the records (in terms of retaining documents).

Many organizations faced challenges with even the smallest portions of records management that they did consider. Some of these challenges include:

  • Storage space (physical & electronic)
  • Inconsistent classification systems
  • Numerous save locations
  • Several repositories
  • Duplication of documents
  • Access rights
  • Versioning confusion

For those organizations that are not up to date with RIM standards and legislation today, this is not only a historical problem, but one that is plaguing their current activities. In addition, these challenges have only increased with the massive volumes of information created and collected today, plus the multiple formats in which it is stored. For organizations that do not have a formal records management program or system in place, records management is simply the storage of documents, and not the processes of creation, collaboration, and approval found in many current RIM programs.

Today, people within these organizations are beginning to see the issues, discover the problems, and start to consider and adapt to an innovative way of managing their information assets. According to the Cambridge Dictionary, innovation is “(the use of) a new idea or method” (Cambridge Dictionary). Innovation is not simply “going digital”, and it is not merely changing a process from one medium to another; it is about reinvention, thought leadership, and strength through efficiencies. Organizations that consider network folders to be electronic records and information management, and that have no consistent capture methods, no audit history, no classification system or retention schedule that is organizationally expansive, and no methodology for disposition, have a long way to go before they have what would be considered a formal RIM program in place. Just because you save something electronically does not make it better and it does not make it “managed”. Without processes, procedures, and controls, there is no record integrity. In an uncontrolled electronic workplace users ask questions like the following:

  • What is the correct version?
  • Who worked on it last?
  • Where is it saved?
  • Does it need to be saved in two places?
  • Was there an emailed copy?
  • Why can’t I find the signed version?
  • Why was this created?
  • Was this saved in the wrong location?

RIM professionals look at other issues such as:

  • Does this add business value?
  • Do people reference this?
  • What is the retention schedule rule(s) that is associated?
  • Is this copy signed and official?
  • How should I classify this for retention?
  • Is it ready for disposition?
  • Are there holds that are related?
  • Why was this given to me?

While many organizations have identified that RIM is a vital function, there are many that have not yet determined it to be critical or worth investing resources in. For these organizations some see the value internally but cannot get either departmental or management buy-in. Other companies feel that deploying software will be a quick fix and solve any existing RIM problems.

Often these organizations either do not have a formal position (FTE) for these RIM tasks, or the position exists but has no official backing or the organizational strength to make the required changes.

A key factor here is education. Many knowledge workers still see RIM as being the management of physical files, not the complete process that information goes through within the organization. Identifying issues is the first step to being able to move forward and gain traction.

The role of records and information managers today is completely different from the past. Today it has become more complex, more misunderstood, and more important than ever before. This is because the role has grown and evolved, requires more departmental input, and has perhaps more importance than in the past with the growing requirements of legislation, freedom of information, and organizational differentiation.

Understanding Your Next Steps

To fully understand records management we need to first define it. We have already defined what records management is, but fundamentally we need to first define what a record is to then determine what records management is required for. There are many definitions of a record, from those in a dictionary defined simply as “to set down in writing” or “to give evidence of” (Merriam-Webster) to some that are more specific. ISO has defined a record as “information created, received, and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business.” (ISO). In addition to the many definitions of what a record is, there is also terminology that changes between organizations, countries, and simply personal preference. Records are not simply documents; they are so much more than that.

Records include things like images, videos, as well as data and information.

A records and information management program and its associated software are no longer a nice-to-have or an add-in; they are essential to business operations in many industries. Programs have been created to educate new records managers, associations have seen growth, and subject matter experts have emerged. People are beginning to take more interest in the subject, going into more depth, and paying attention to its implications. As more non-industry individuals and software providers alike see the value that RIM provides and understand more of the concept, the software that is available improves.

Historically, for many organizations RIM has been seen as a business cost, one that was necessary but did not bring revenue or value to the organization. While there are many ways to quantify the value that it brings these had often been overlooked or found irrelevant until such a time as there was an issue. Today, it can now be seen as an opportunity, something that could provide an organization with a competitive edge. With a better quality of information comes better decisions, and with increased volume and variety comes the necessity to have a better strategy surrounding RIM. One could say that RIM as a field and profession has expanded, but perhaps it’s not an actual expansion of RIM but rather a better understanding of what it is supposed to be by more business professionals and organizations.

Implementing a Software Solution

The ISO definition of records management has four key components: creation, receipt, maintenance, as well as use and disposition with processes surrounding them all. With each of these components we can look for ways to innovate using software tools. For example, if we look at creation, we are now discussing software tools with artificial intelligence and the use of smart templates and forms. In receipt we could discuss electronic creation from birth, automated import, as well as generalized information gathering. Maintenance brings things like automatic reporting, on-demand visualization, and clear audit history. While for retention and disposition we look to automatic classification, programmed calculation of retention periods, consistent approval processes, and clear disposition reports that are automatically generated.

Going forward companies should strive to be able to manage their information of all formats in an efficient and effective manner. If you are looking to improve the manner in which your organization conducts electronic document management, there are several key factors that should be considered.

  • Version Control – being able to save and access multiple versions within a single document
  • Single Save Location – saving in only one place
  • Searchability – ease of finding data regardless of your position
  • Accessibility – access to your information from anywhere at any time
  • Access Control – keeping data secured
  • Audit trail – visibility into the document’s lifecycle
  • Customization – people don’t think the same way, thus shouldn’t have to work the same way

A truly beneficial system will enable organizations to benefit from both significant document management capabilities and records management requirements. If you are looking to improve the methods in which you conduct automated and electronic records management these are a few functions that should be considered.

  • Manage Retention Rules – these should be managed within the software
  • Automation – ensure that processes are automated wherever possible
  • Association – based off criteria, the classification and rules should be applied to records
  • Calculation – based off classification, the system should calculate the retention period
  • Holds – allowing information to be held for a different period based off requirements
  • User Responsibility – no one knows the documents better than the users themselves
  • Lifecycle Management – management from birth to death within one system
  • Disposition – proper procedure for approval and disposition when ready

Even with this in place, education is still critical for RIM professionals, end users, and senior management. Employees can be your greatest strength in RIM; however, they cannot do what they do not know. Records managers often state things like “my users won’t do that” or “I can’t leave them responsible – it will never be done”. My response is always the same, “they will not help you if they do not know how and do not understand the value.” It is amazing what can happen when you educate and then put your trust in your coworkers; they are more capable than you are often led to believe.

Records and information managers are now even more important. They need to have a business perspective and be able to manage the lifecycle of information assets from creation to disposition. They need to have methods for managing different types of records without interruption to the business, and they need to educate the users about the management of information, what it means, and how it can add value to the organization.

The Business Case for Software Implementation

According to the 2020 Industry Watch produced by AIIM “58% of organizations realize they need to move up the information management value chain from simply mitigating risk and cost to creating value.” (AIIM) From this report, over half of the organizations already realize they have an issue that needs to be corrected, they just need to be presented with an option on how to do it. This same report indicates there are three main steps that can be taken to begin digital transformation:

  1. Identify your organization’s current state
  2. Do a review of the organizational environment
  3. Document the future state

With this in mind you can move forward with a business case, gain executive buy-in, and plan for the future. Be sure that you are not only resolving today’s problems but also looking at the problems of tomorrow; this is how your project is going to be a long-term success.

The benefit of implementing RIM software is clear to those of us who are pushing for change. Some of the benefits include:

Time & Efficiency → Financial Gain

Having an RIM software helps to reduce the amount of time that the end users waste looking for information, validating its accuracy, and allows for regular tasks to be completed faster.

Staff Effectiveness → Human Turnover Reduction

By allowing staff to spend more time on the tasks that they are actually hired to complete and are within their skillset they are typically more content with their role. This results in a happier workforce that is retained longer.

Compliance → Risk Mitigation

An RIM software properly implemented can help to mitigate a substantial amount of risk whether it is during regular and external audits or ensuring compliance with internal policies. In addition it makes responding to information requests more efficient and allows staff to become more effective with their time.

Competitive Advantage → Positioning & Value Added

Competition within industries today is extremely fierce, and going “digital” is no longer a method of ensuring a successful position within an industry. An effective RIM system can help to ensure that customer service is as efficient as possible, that there are no unforeseen delays caused by information requests or audits, and that the company as a whole is running smoothly. RIM will not make a business successful, but it can help to provide the necessary competitive edge in comparison to other organizations.

Context → Improved Decision Making

Risk is also mitigated as it provides information to individuals at their fingertips which helps to ensure that informed decisions are made for the organization as a whole. Having the additional context that wouldn’t have been available otherwise within the timeframe required can ensure that the full picture is drawn out before critical decisions are made.

Although it may be clear to some, many of us still need to provide compelling evidence that implementing RIM software adds value to the organization. Creating a business case is the opportunity that you have to tell your company that yes this is required to move forward.

For a successful business case, you should take the following steps:

  1. Clearly define the issue
  2. State the benefits & identify the risks
  3. List the options
  4. Calculate costs
  5. Identify the resources required
  6. Establish a timeline
  7. Create a draft project plan
  8. Plan for Change Management

The biggest hurdle that you will likely encounter is securing executive buy-in. This is a large concern for most individuals pushing for the change. Without buy-in you have no project and thus no way to begin moving forward and improving your program through software implementation.

Buy-in is essential and how you position the project is going to be one of the biggest factors to ensure success. Here are some other ways to ensure that your project is given the green light:

  • Connect your project to other corporate goals.
  • Define how the project will impact other business areas and the impact that it will then have on customers.
  • Identify and create a risk mitigation strategy.
  • Relate your project to senior management and how it will directly enable their teams.
  • Plan for the system rollout, change management initiatives, and financial implications.

In summary, RIM as a profession has evolved significantly since the 1970s as a result of electronic records replacing paper. However, there is still a long road ahead for it to be in the forefront of all people’s minds. Individuals in positions of authority are beginning to understand the implications of poorly managed records and information and the value that could be gained through proper RIM. It is more important than ever that people are educated in information management in order to help them truly understand the meaning and value that it brings. Finally, ensuring that you can move forward internally and adopt innovation with full support of the executive team is vital to the success of any project.

Corporate Overview & Biography

Indixio specializes in IT solution services for intelligent information management through two main channels, enterprise content management (M-Files) and geospatial information management (custom built solutions). Indixio was established in the year 2000 with the primary clients being in government, education, transportation, and utilities. Indixio is staffed with a highly skilled team from sales and support through development, looking to effectively deploy and implement desktop, web, and mobile solutions that are fully integrated for business.

As a premier and authorized service provider, as well as a Certified Delivery Partner of M-Files, Indixio continually pushes the envelope of what is possible with custom modules, add-ins, and integrations that add significant business value. After discovering a gap in the industry, Indixio developed a custom Records Management module that is additional to M-Files. This module allows leveraging the power of M-Files while being able to efficiently apply records management requirements. From managing retention rules, automating the application of those rules, and administering holds to determining the retention period of documents, this module does it all.

The Indixio head office is located near Montreal with a satellite office in Alberta. Indixio serves customers all across Canada and the United States. With over twenty years of experience providing consulting services and IT solutions, Indixio has helped organizations better manage their information and successfully complete and implement their projects. Indixio has one simple vision: simplify your work by making information more accessible than ever before. At Indixio, we believe in outstanding customer service and exceptional technical support.

About the Author

Jasmine Boucher BMgt, CIP
Technical Account Manager
Indixio Inc.
jboucher @ indixio.com

Jasmine draws the line between customer needs and system requirements. With a belief that success is a requirement, not a possibility, Jasmine truly looks out for the best interests of all around her. As a past records management coordinator for a municipality, she leverages her experience to ensure that customers are en route to success not only immediately but also in the long term.

Holding a degree from Athabasca University in Management and a CIP Certification from AIIM, Jasmine has not only the business experience but also the education and guiding principles to ensure successful deployments of RIM systems.

Jasmine currently works with organizations across Canada to improve their document and records management capabilities through the deployment of M-Files, ensuring that the needs of both the end users and the RIM professionals are met.

Are You on the Right Track? An Overview of Strategic Planning

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Christine Ardern, CRM (retired), FAI

Abstract

Strategic planning can seem intimidating and daunting. However, the benefits of planning outweigh the drawbacks and help create a roadmap for program activities. In this paper, we will examine the elements that make up strategic planning. With the steps to follow and the resources presented here as reference tools, you will be able to decide whether to begin planning the future of your program.

Introduction

As a consultant, I often receive requests for a needs analysis for a records and information management (RIM) program or an archives program. The organization wants to know how its program reflects current best practices and how to identify gaps for planning purposes. For example, there might not be enough places for a training session, or a senior executive might decide to prepare a long-term plan for a division and want employees’ feedback on the RIM or information management (IM) program. But is a needs analysis enough? It certainly brings out the current state of the program, but on its own it does not resolve the problems that arise. If you have defined a desired state, the needs analysis will identify the gaps that stand in the way of reaching it. However, if you do not find the solutions, resources, budget, and time needed to close those gaps, reaching that desired state is quite difficult.

Many projects may require a strategic plan in order to move things forward with the appropriate support, budget, and resources. Here are a few examples:

  • The development and implementation of an information governance program;
  • The selection and implementation of software;
  • A major office move that brings a shift to an automated office and a digital transformation;
  • The need to manage electronic information that is kept for many years in a trusted digital repository as part of a digital preservation program.

Whatever the objective, the strategic plan is a roadmap for getting there. This paper explains how to develop a strategic plan, including the related activities, timelines, and resources.

GETTING STARTED

The plan does not stand on its own. One of the best ways to gain support for a project is to identify a business driver that the project will support. In the case of implementing a records and information management program, Pacific Gas and Electric Company, in San Bruno, California, is an example of a problem that created an opening for an improved records management program. In that case, a gas pipeline rupture and the fire that followed caused serious damage in the community and led to a lawsuit. Although this happened after the fact, the program’s shortcomings forced the company to assess its records management practices and make improvements.

The direction set by your organization offers an opportunity to support its activities through better records and information management. Improving customer service is one area in which the program can improve access to information in order to respond to customer inquiries in a timely manner. If systems are cluttered with outdated information and this slows response times, creating a process for disposing of redundant, obsolete, and trivial records will improve the handling of customer requests.

Positioning the program so that it supports the organization’s direction will make the planning process easier.

The business case

Today, it is impossible to undertake activities and obtain resources in an organization without securing the commitment and support of senior management. To obtain that support, you may need to prepare a business case that shows the costs and benefits of carrying out your project, which in this case is the creation of the strategic plan.

The main purpose of the business case is to sell your project (in this case, the strategic plan) to senior management in order to obtain their commitment, along with the necessary budget and resources. The business case documents the rationale and justification for the project, and describes the proposed costs, the financial and economic impacts, and the benefits, risks, and value that the project offers the organization.

Developing a business case is an activity in its own right. It is not covered in this paper, but there are links to sample business cases that you can consult as needed. If you are lucky, the budget will include the funds needed to cover the cost of developing the strategic plan, and you will not need to prepare a business case. Much depends on your organization and on the availability of resources and funds.

Defining your vision

Having a vision statement may seem unnecessary, but if you are sharing information with stakeholders and staff, it is useful to have a brief, concise, high-level definition of your vision for the future. The vision statement sets a framework for moving forward.

The vision of the University of Toronto iSchool is documented as follows:

  • To achieve international excellence in information research and education.

EWSolutions provides consulting services in data management and planning. Anne Marie Smith, Vice-President of Education and Chief Methodologist, gives an example of a data management vision:

  • To ensure world-class integrity and understanding of the policies, practices, processes, and standards relating to enterprise information in order to support the enterprise, its customers, and its partners in achieving their business objectives.

A simple vision for the RIM program could state the following:

  • ABC’s records and information in all media will be accessible, captured, managed, and disposed of to meet the needs of the organization.

In short, the vision is a simple, clear articulation of a future state. It does not specify how to get there.

Developing a strategic plan

First of all, what is a strategic plan?

  • The strategic plan is developed through a systematic process of envisioning a desired future, developing a vision, and translating it into broadly defined goals and objectives and a sequence of steps to achieve them.

Imagine that you are part of a large organization with offices in every Canadian province. Your RIM program has been in place for 10 years, and every time a change takes place in the organization, you react and do your best to resolve the myriad RIM problems that result. It has always been that way.

Recently, the organization decided that it was time to implement an IM program, and you have been asked to lead the team responsible for planning. Where do you start?

One approach is to develop a strategic plan, to be presented to senior management, that describes what is needed to move from a RIM program to an enterprise-wide IM program. The strategy helps you to:

  • identify where you are now and all the gaps that need to be closed;
  • define the activities, resources, and timelines needed to move from your current state to the desired state;
  • develop a document that can be used to gain acceptance of your idea, engage employees and management, and assess your progress.

In reality, this planning process should be ongoing, and the plan should be updated regularly to reflect the progress you are making and to redefine what remains to be done. It is not a one-time effort.

Managing the strategic plan project

Generally, developing a strategy from scratch, telling yourself “I think this is a good idea, so I’ll get started,” is not the best way to proceed. First, you will need help from people across the organization. Do you have the authority to compel them to cooperate? Senior management must understand the project and its goals and objectives so that a budget and resources are allocated to you. Project oversight is also important, and the first step is to create a steering committee made up of the key stakeholders from across the organization. This committee will open doors for you and provide final approval of documents where required. Ideally, the steering committee is chaired by someone who acts as your champion, making your case to senior management. This group oversees high-level decisions and approves decisions, reports, and so on.

Depending on the size of the organization, the resources you have in your department, and the number of departments you will be working with, you may also want to create a second committee. This hands-on working committee is made up of people who represent the functional units and who know the processes and procedures in those areas. That way, when you conduct interviews, gather information, or follow up, you will have someone to work with to make sure you are communicating with the right people.

The steering committee is involved at every stage of developing the plan. The frequency of meetings depends on the scope and duration of the process.

Defining the high-level steps

During the planning process, a series of steps must be followed in a logical order:

  • gather information on the organization’s current situation;
  • analyze the information in order to identify the gaps to be closed and to make recommendations on the actions needed to realize your vision;
  • prepare a report that describes the findings, the recommendations, and the resources needed to implement the activities, along with the proposed costs and the timelines for completing the activities.

Data Collection and Documenting the Current State

Assessing the Current State

The first step is to understand where you are today. The information you review and collect depends very much on the plan you are developing. If you are developing a plan for your whole program, it may include collecting information on the following:

  • What policies and procedures are in place? Are they up to date?
  • When was your retention schedule last updated?
  • Are all employees aware of the program and do they apply it?
  • What background documents exist about the organization, its mandate and its future direction or plan?
  • What is the program’s current mandate? Does it cover all information, regardless of medium?
  • Do you provide training on the program? Where are you with a RIM software solution? Do you have control of electronic records?
  • Do you have enough space for administration and records storage?

The types of questions you ask depend on the information you need to develop your plan.

Tools for Gathering Information

Once you have reviewed the organization’s various documents, including policies, procedures and so on, it is time to talk to people inside the organization, and outside it if your activities are public-facing. Information can be captured through:

  • one-on-one interviews;
  • focus groups;
  • online questionnaires such as Survey Monkey.

Identifying who you want to meet with and what you want to learn is often the best approach. As we learned during the pandemic, there is no need to meet in person now that we have access to tools like Zoom and Teams.

A word of caution at this information-gathering stage: there is no one-size-fits-all solution. The information you want will vary depending on the person and the position they hold in the organization. The types of questions you ask will depend on the specific reason you are developing the strategy.

Early in my consulting career, a senior executive told me to stick to 45-second messages because executives are busy people and cannot spend an hour listening to you explain what you want. The same applies here. Keep your interviews with senior executives short and to the point.

Staff in the organization may take this opportunity to offer the comments they have always wanted to share and will be prepared to spend more time in interviews.

If you want to collect simple yes or no answers from a large number of people, an automated survey tool is useful.

Who Are You Gathering Information From?

One of the most important aspects of data collection is identifying the people you deal with on a regular basis. There are probably key people whose input is essential. It is important to understand what people do in their jobs and how they interact with the program day to day. You also need to understand how the area you are examining for planning purposes affects them.

For example, you may be defining a plan to select and implement a software solution. To do that, it is essential to know how information is created, shared, managed and stored across the organization. Users and IT staff are key participants whose input is important.

You probably know what the issues are and could sit down with them and put items forward. But to get support and buy-in for the plan, other people need to confirm what you already know. They may also have valuable ideas about improvements to make. By talking with people in the organization, you make sure that you understand their requirements and that their input feeds into your planning. Developing the plan is an opportunity to showcase the program.

People at different levels will tell you about their “wish list” for your planning exercise. Depending on the area your planning exercise covers, you may contact the following people:

  • members and partners of your department;
  • senior management;
  • users of your services: internal business users or external clients;
  • key stakeholders with a direct interest in the program. These may include legal counsel, a privacy officer, IT staff or other business partners.

In one organization, we met with all members of the functional groups. In another, we met with representatives of different business functions in several locations. One-on-one interviews may be needed depending on the person and their responsibilities. The information you want will help you determine who you need to contact and how the information can be collected.

Remember to think outside the box. You may already have tried various things to move forward but run into obstacles. People who do not support your project, or who oppose it, may have had experiences that shaped their view of your planning project. So see this process as an opportunity to reopen discussions with them, let them voice their dissatisfaction and address the issues they raise. Everyone likes to give their opinion, and they can become excellent allies. If you do not understand what drives different opinions, you will not be able to deal with them properly when the time comes.

Strengths, Weaknesses, Opportunities, Threats Analysis (SWOT Analysis)

You will often hear about a SWOT analysis:

  • Strengths
  • Weaknesses
  • Opportunities
  • Threats

The SWOT analysis can be part of one-on-one interviews or carried out in a focus group session as part of your assessment of the program’s current state. The group may be drawn from one department or from various business functions and levels in the organization. And sometimes you may not like what you hear. The main goal is to think about the following questions:

  • Where are things going well (strengths)?
  • Where could you make improvements (weaknesses)?
  • What opportunities would allow you to move forward, make changes, etc.?
  • Are you facing obstacles that could turn into negatives for you?

During any discussion, someone should take notes on the comments and follow up. Some of the themes may overlap because of the nature of the ideas expressed.

I have found that, although they are a conventional tool, flip charts are a simple way to document the information. If you use a laptop, you will want to share the screen so that all participants can see how the ideas are flowing.

At the end of the session, you can prioritize and capture all the comments to define a set of key points to build on in your planning phase.

Many resources show how to conduct a SWOT analysis, and some references are provided at the end of the document.

Benchmarking

Benchmarking is another useful tool for comparing your program or situation with that of organizations similar to yours. That said, it is important to be ready for the feedback and to know what might happen. We had to go through an organizational review a few years ago and, as part of it, we were asked to contact other organizations similar to ours. It turned out that ours was the only one with a records management program. I will let you think about the outcome. Interestingly, shortly after we did our benchmarking and the RIM program was disbanded, the government passed legislation that required all those same organizations (including ours) to create records management programs. And life goes on!

In a benchmarking exercise, you collect information from organizations similar to yours about various aspects of their program activities, including what they do and how they do it, the number of staff, the space allocated to the program, software solutions and so on. If a program includes storage of inactive records, you can ask how much space those organizations have and what services they offer.

You may want to conduct a survey and talk to your counterparts in person or by video conference. If you use this approach, it may be wise to send the questions in advance so they can prepare. Otherwise, a tool like Survey Monkey lets you create an online survey that can be sent directly to respondents. Whichever approach you take, it is important to give the people you contact some background and an overview of the process.

The simpler the survey, the easier it is for respondents to provide feedback and for you to compile the responses. If it looks too long, no one will want to complete it. One way to encourage people to respond to a survey is to offer to send them the results. If you decide to do so, you will need permission from each contributor to share the data.

After receiving the results, you will need to compile the responses in a way that makes the feedback easy to work with. It is often easier to provide a table of the key areas you want to highlight so that the reader does not have to go through a long document setting out the responses.

Capturing Your Findings and Making Recommendations

At this point, you have completed your interviews, carried out the SWOT analysis and collected the responses to the benchmarking survey. The next step is to consolidate all the information and compile the findings so that you can identify the gaps and make recommendations accordingly. For example, the results might show that:

  • Staff in the organization do not understand what records and information management or information governance is.
  • Other organizations have assigned more staff than you have to a program similar to yours.
  • Your organization has no up-to-date classification scheme, retention schedule or metadata schema.
  • Office 365 is installed across the organization, but no information management strategy is in place. Information therefore exists in silos and employees create their own personal libraries.
  • Inactive paper records are not stored on site and do not follow retention schedules.
  • Policies and procedures have not been updated to reflect the need to manage information in all media.

Obviously, many other findings are possible. After reviewing the results and drawing your conclusions, you will need to make a series of recommendations on the actions needed to move forward.

Measuring Against Accepted Standards

After summarizing the results, you should have a good idea of the current state of the program and its gaps.

It is always useful to be able to refer to external standards and guidelines that apply to RIM and IG programs to see where you stand against best practices. Resources to use include:

  • ISO 15489-1, second edition: 15-04-2016;
  • ARMA’s Principles and other standards;
  • the Canadian General Standards Board (CGSB) standard on electronic records;
  • the laws and regulations your organization must comply with;
  • software standards, such as DoD5015.2 and the Universal Electronic Records Management Requirements of the National Archives and Records Administration (NARA).

ISO 15489-1, second edition: 15-04-2016, Information and documentation, Records management, Part 1: Concepts and principles, is an excellent starting point for looking at best practices. It describes what should be in place. It sets out the key elements of a program and therefore provides a starting point for determining what you are and are not doing. The standard covers:

  • records and records systems;
  • policies and responsibilities;
  • appraisal;
  • records controls;
  • the process of creating, retaining and managing records.

Each section has a subsection describing the activities to be undertaken.

To review your program, you can determine which elements are currently in place and how well you meet them. Where there are gaps, you have the opportunity to define a set of activities to make sure your plan closes them. That will then help you define your plan, including resources and timelines.

ARMA’s Principles are another excellent tool to consult when determining your program activities.

A few years ago, Pacific Gas and Electric suffered a major gas pipeline rupture and fire, and the consultants who assessed the RIM program used the ARMA recordkeeping principles information maturity model. They identified the key components of an effective records management program and assessed how Pacific Gas and Electric’s recordkeeping practices compared with ARMA International’s information maturity model. This spreadsheet shows the gaps very concisely:

In this case, the assessment was to be used in a lawsuit against Pacific Gas and Electric Company. The findings, along with other reports, were submitted to the court. Needless to say, the findings were taken seriously and the problems identified in recordkeeping practices were addressed.

After completing the current-state assessment, you need to look at where you want to be in three to five years and identify the gaps and the activities needed to get from point “A” to point “B”.

Standards that define software requirements provide a basis for software selection and, in some cases, state which vendors have been certified against the particular standard. These tools are useful and a good starting point for developing your own requirements.

Defining the Proposed Activities

After completing the information gathering and making some comparisons against the standards, you have probably identified five or six key areas that warrant further development. These may include:

  • policies, procedures, standards;
  • developing guidelines for managing information in Office 365;
  • selecting and implementing a software solution;
  • space considerations;
  • continuity and preservation of digital records;
  • training and program monitoring.

Each of these main categories needs to be broken down into a series of activities with timelines and resource requirements.

Take software selection and implementation as an example. One of the biggest challenges we face in RIM and IG is that software vendors change product names as quickly as the market creates a new buzzword and the technology evolves. In the past, document management and records management software solutions were separate. Over the years, the functionality merged and we got electronic document and records management system (EDRMS) solutions. Then content management came along, until electronic information management systems replaced them. Now we have content servers. The key message? Know what you need, research the market and ignore whatever name the software goes by today.

Several of the resources mentioned earlier can provide an introduction to specific software requirements. Why use them? Even though they may be more complex than your own, these requirements were defined by experts to address the different aspects of managing electronic information and are an excellent starting point for your research. You can also consult research firms such as Gartner and Forrester to find out what they have to say about the current state of information management software.

When you develop the activities, you could take these into account when selecting software. At the same time, you need to document who will carry out the tasks and how much time will be needed.

| Number | Activity | Resource | Time required |
|---|---|---|---|
| 1 | Review all the standards that could help you and define the requirements. | RIM/IG person(s) | 1 week |
| 2 | Research vendors and the functionality their products offer. | RIM/IG person(s) | 1 week |
| 3 | If it is possible to go beyond Office 365, which is not always the case, define what you want the software to do and the environment in which it must operate. | RIM/IG person(s) | 1 week |
| 4 | Write a request for proposals and choose the vendors you want to send it to. In the request for proposals, you may want to describe in detail the functionality you want, giving an idea of what is a “must have” versus what is “nice to have”. | RIM/IG person(s) | 2 weeks |
| 5 | Review the responses to the request for proposals and determine which companies you want to ask for a demonstration. Evaluate the products. | RIM/IG project team | 3 weeks |
| 6 | Select the software and finalize the contract with the vendor. | RIM/IG person(s) | 1 week |

This is an example of how to define the activities for the first phase of the software implementation process. After selecting software, you need to plan a set of activities for implementing it in the organization. The example shows how to identify the need for a software solution and develop a set of activities to get from point A to point B.

Each key gap and priority will need a series of recommendations and supporting activities, as the example shows.

The activities cannot all be carried out at the same time. The best approach is therefore to determine whether there are risks, priorities or items that must be addressed right away to get good results. Some activities will depend on others and cannot be started without them. For example, if part of your plan is to manage your records through a software solution, you need to have a classification scheme and a retention schedule in place, as well as an approved metadata model. Contrary to popular belief, no software comes with all the functionality you need. Do you have policies and procedures in place? If not, it will be difficult to create a training program for staff.

Another aspect of the plan is determining the time needed to undertake each activity. A timeline is essential for setting realistic expectations for everyone involved in the project. Just because senior executives decide digital transformation is a great idea after reading the latest issue of CEO magazine and call you in does not mean the transformation will happen overnight. You need to understand and define:

  • where the transformation should be implemented to gain the greatest benefit and reduce risk;
  • which processes will change;
  • what equipment and software to choose;
  • what new processes to create;
  • the areas in which employees will need training.

Developing the Report and Setting Out the Implementation Steps

Writing a report, like writing an article, takes practice and some thought. Writing down a stream of ideas that seem perfectly logical to you will not necessarily get your message across. You need to think about your target audience and the message you are trying to convey. The point is not to show that you have done a lot of research, but to get someone to buy in to the project you want to carry out. Not everyone needs to know all the background details. I have often been told to present the key points in a summary because that is the part senior executives will look at. If the summary contains information that interests them, they will turn to the relevant sections. The report describes:

  • how you collected the data;
  • what the results and findings are;
  • what gaps need to be filled;
  • recommendations on next steps;
  • an implementation plan that looks at each recommendation and defines:
      • the people who will have roles and responsibilities for oversight and implementation;
      • the implementation schedule;
      • start and end dates;
      • dependency on the completion of other activities before it can start;
      • the number of people who will be involved in implementing each recommendation;
      • the cost, based on salaries, equipment, etc.;
      • proposed timelines and milestones.

Because you are developing a strategic plan, the activities will be prioritized and will span a period of time. Looking at the recommendations, it will be clear that some things can be done fairly quickly and can have an immediate impact that shows the benefit the project brings. If you are implementing a software solution, a pilot project can give you insight into user acceptance, the time needed to analyze the data and clean up shared files, what is needed to create a metadata model, and so on.

The report generally includes a series of appendices that provide details on the results of the interviews and the benchmarking.

There are as many approaches as there are plans. In 2010, the Calgary Board of Education began a process to reinvent its records program. Its records management timeline, supported by a detailed document describing the steps to follow, provides a high-level illustration of the planned activities. The 2017 timeline in turn shows which activities have been completed, or milestones reached, and the timelines for the remaining activities.

In 2015, the City of Guelph contracted Ergo Information Management Consulting to develop a strategic plan for its records management program. The final report and proposed strategy are an excellent example. While preparing this article, I contacted Sheila Taylor of Ergo and the City’s information management group for permission to refer to the plan. Jennifer Slater, Manager of Information, Privacy and Elections/Deputy City Clerk, replied as follows:

This plan has certainly been of invaluable help to us over the years in moving our program forward.

Your plan will set out your findings and your approach to moving forward, the resources needed and the expected results. It will serve as an ongoing reference for tracking your progress and will therefore need to be updated regularly.

Conclusion

Planning is an important part of developing any program. Developing a strategic plan takes time and requires resources. It gives you a road map that can be used to document the actions needed to move forward in areas identified through a structured process.

A great many aspects of any RIM/IG program require planning. During my consulting career, I have worked on developing strategies for implementing an EDRMS solution, creating and implementing an enterprise-wide RIM program, and defining future space and staffing needs for RIM/IG programs. Each of these requires a vision for the organization and a review of the current state through a needs assessment that identifies the gaps between the current situation and the desired outcome.

It is difficult to describe a strategy for each of these in detail in one article, so I have tried to provide some general steps. I have included public-domain resources and plans in the notes to give you an overview of the planning process.

The next step is to start developing your plan.

Author

Christine Ardern, CRM (retired), FAI, is a past president and member of ARMA International and an Emmett Leahy Award winner. She has been involved in planning, developing and implementing information management in private- and public-sector organizations, both in Canada and abroad. Christine has taught at the University of Toronto’s iSchool and has presented at ARMA seminars and workshops. She is currently a member of the editorial board of ARMA Canada’s publication Sagesse.

References

1 “Business driver” is a generic term that can be used in any organization to look at what it considers important. The plan can then be targeted to support that “driver”.

2 https://www.nationalarchives.gov.uk/archives-sector/finding-funding/how-to-fundraise/3-building-networks-and-cultivating-support/building-a-business-case/ and https://www.guelphpl.ca/en/about-us/resources/Documents/Accessible-Documents/Reports-and-Publications/Final-Report-Jan-24-vFNL-FINAL-ua.pdf

3 Developing a Mission for Data Governance. Anne-Marie Smith, Ph.D., EWSolutions.com https://www.ewsolutions.com/data-management-university/

4 www.Businessdictionary.com/definition/strategic-planning.html

5 https://planning.curtin.edu.au/local/docs/Guide_to_Benchmarking_Oct2007.pdf

6 https://www.archives.gov/records-mgmt/policy/universalermrequirements

7 https://www.arma.org/page/principles

8 Paul Duller, Ph.D. and Alison North, Records Management within the Gas Transmission of Pacific Gas and Electric Company, Prior to the Natural Gas Transmission Rupture and Fire, San Bruno, California, September 9, 2010, 172 pages.

9 https://cbe.ab.ca/about-us/board-of-trustees/trusteepublicdocuments/corporate-records-management-program-high-level-timeline.pdf#search=records%20management

Do You Know Where You are Going? A Look at Strategic Planning

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Christine Ardern, CRM (retired), FAI

 


Abstract

Strategic planning may seem to be a daunting process and just one more thing to do. The benefits of planning outweigh the time involved and help create a road map for program activities. This paper will look at the elements which go into strategic planning. By providing the steps involved and presenting resources that can be used as reference tools, it will help you should you decide to start planning your program’s future.

Introduction

As a consultant, I often see requests for proposal asking for a needs analysis for a RIM or an archives program. The organization wants to know how its program measures up against current best practice and how to identify gaps for future planning. The business driver might be a space concern, as in they’ve run out, or the senior manager to whom they report wants to prepare a division-wide long-term plan and wants input about the RIM/IG program. But is a needs analysis enough? It certainly identifies the current state of the program but, on its own, it is not sufficient to address the issues that come up. If you have defined a desired state, the needs analysis will identify the gaps. However, without identifying solutions to fill those gaps and the related resources, budget and timelines, it’s pretty difficult to reach your desired state.

There are many projects that might drive the need for a strategic plan in order to move forward with the appropriate support, budget and resources. Examples include:

  • The development and implementation of an information governance program
  • Software selection and implementation 
  • A major office move which drives a move to an electronic workplace and digital transformation
  • The need to manage electronic information which has a long-term retention in a trusted digital repository as part of a digital preservation program.

Regardless of what the objective is, the strategic plan is a roadmap of how to get there.  This paper will look at how to develop a strategic plan and the supporting activities, timelines and resources. 

Getting Started

The plan does not stand on its own.  One of the best ways to get support for any project is to identify a Business Driver which the project will support.  In the case of implementing a records and information management program, an example where a problem created an opening for an improved records management program was Pacific Gas and Electric in San Bruno, California.  In this case, a gas line rupture and subsequent fire led to serious damage within the community and a lawsuit.  While it was after the fact, the organization was forced to assess its records management practices and move towards improvements, as a result of the gaps in the program.  

Your own organization’s defined direction provides an opportunity to support the business through improved records and information management. Enhanced customer service is one area in which the program can be shown to improve access to information in order to respond to customer enquiries in a timely fashion. If systems are clogged with old, outdated information that results in slow response times, creating a disposition process to get rid of ROT will improve response times to customer requests.

Positioning the program to support the business direction will facilitate the planning process.

The Business Case

It’s impossible, in today’s workplace, to undertake activities and get resources without senior management commitment and support.  In order to get that support, you may need to have a business case that shows the costs and benefits of undertaking your project, in this case creating the strategic plan.

The main reason for creating the business case is to sell your project (in this case, the strategic plan) to senior management to get their commitment, together with the budget and resources necessary. The business case documents the reason and justification for the project and will outline the proposed costs, the financial and economic impacts and the benefits, risks and value the project brings to the organization’s operations.

Building a business case is an activity unto itself so while it is not part of this paper there are links to examples of business cases that you can refer to should you need to.   You may be fortunate to have funds in the budget that will cover the cost of the strategic plan and therefore not need to do a business case.  A lot depends on your organization and the availability of resources and funds.

Defining Your Future Vision 

Having a vision statement may seem somewhat unnecessary but if you are sharing information with stakeholders and staff, it’s helpful to have a high level, short and sweet definition of where you want to be in the future.  The vision statement sets a framework for moving forward.  

The University of Toronto’s iSchool vision is documented as:

  • International excellence in research and education in Information.

Enterprising Warehouse Solutions provides consultancies on data management and planning.  The VP of Education and Chief Methodologist, Anne Marie Smith, provides an example of a Data management vision:

  • To ensure world-class integrity and understanding of this organization’s information policies, practices, processes, and standards to support the organization, its customers, and its partners in the achievement of their business objectives.

A simple RIM program vision might state:

  • ABC’s records and information on all media will be available, captured, managed and disposed to meet organizational needs.  

In each case, the vision is a simple, clear articulation of a future state. They do not state how this will be done.

Creating a Strategic Plan

To start with, what is a strategic plan?

  • It is a systematic process of envisioning a desired future, creating a vision, and translating it into broadly defined goals and objectives and a sequence of steps to achieve them.

Let’s imagine you are part of a large organization, which has offices in each province across Canada.  Your RIM program has been in place for 10 years and each time a change takes place in the company, you react and do the best you can to address the myriad of RIM issues that come up.  That’s the way it’s always been.  

Recently the organization has decided it is time to implement an Information Governance (IG) program and you have been asked to head the planning team.   Where do you start?

One approach is to create a strategic plan to present to senior management which outlines what is required to move from a RIM program to an organization-wide IG program.  The strategy helps you:

  • Identify where you are currently and any gaps that require action
  • Define activities, resources, and timelines to get from your current state to the desired state
  • Create a document which can be used to sell the idea, get buy in and measure your progress.

In reality, this planning process should be ongoing, and the plan should be regularly updated to show what progress you are making and redefine what is still to be done.  It is not just a one-time effort.  

Managing the Strategic Plan Project

Typically developing a strategy from the bottom up, as in, I think it’s a good idea so I’ll go out and start it, is not the best way to go.  First, you will need assistance from people across the organization.  Do you have the authority to get them to co-operate?  Senior management has to understand the project and its goals and objectives so that you get a budget and resources.  Project oversight is also important, so a first step is to create a steering committee, made up of key senior business stakeholders across the organization who will open doors for you and provide final sign off on documentation as required.  Ideally, the steering committee will be chaired by someone who will act as a champion for you in moving things forward at the top. This group oversees the high-level decisions and signs off on decisions/reports, etc.

Depending on how big the organization is, resources you have in your own department and the number of departments you will be working with, you might also want to create a second committee.  This committee is more of a hands-on, working committee of individuals who represent the business units and who know the processes and procedures in those areas so that as you are doing interviews, gathering information or doing follow ups, you have a go-to person to work with to make sure you reach the right people.

These committees are active throughout the various steps of creating the plan. The frequency of meetings will depend on the scope and length of the process.

Defining the High Level Steps

As you go through the planning process there is a series of steps to follow, which proceed in a logical order:

  • Gathering Information about the current situation within the organization
  • Analyzing the information so that you can identify gaps that need to be filled and create recommendations about what needs to be done to attain your vision
  • Preparing a report which outlines the findings, recommendations, resources required to implement the activities, proposed costs and timelines to complete the activities

Data Collection and Documenting the Current State

Assessing the Current State

The first step is to understand where you are right now.  And the information you review and gather depends a lot on the plan you are developing.  If you are doing a plan for your overall program it might include gathering information about:

  • What policies and procedures are in place?  Are they up to date?  
  • When was the last time your retention schedule was updated?  
  • Are all staff aware of and implementing the program? 
  • What background documentation exists about the organization, its mandate and its direction/future plan?    
  • What is the current mandate of the program?  Does it cover all information, regardless of the media?  
  • Are you providing training on the program?  How far along are you with a RIM software solution?  Are your electronic records under control?  
  • Do you have enough space for administration and storage? 

The types of question you ask will depend on the information you need in order to develop your plan.

Tools to Gather Information 

Once you have reviewed the various documents about the organization, including policies and procedures, etc. it’s time to talk to people within the organization, and outside if you have public-facing activities.  The information can be captured through:

  • individual interviews
  • focus groups
  • online questionnaires such as Survey Monkey

The “who” and what you want to learn often determines the best approach. As we know from our time in the pandemic, meeting in person is not necessary now that we have access to such tools as Zoom and Teams.  

One note of caution in this phase of the information gathering – one size does not fit all!  Depending on the individual and their position within the company, the information you want to obtain will vary. The types of questions you pose will depend on the particular reason for developing the strategy.   

Early on in my consulting career I was told by a senior executive that you need a 45 second elevator speech to get across your message because executives are busy people and cannot spend an hour listening to you while you explain what you want.  The same is true in this type of situation.  Keep the interview short, sweet and to the point if you are dealing with senior management.  

Staff within the organization might use this as a great opportunity to provide that input they’ve wanted to share and will be prepared to give more time to the interviews.

If you have a large number of people from whom you want to gather simple yes or no answers, an automated survey tool is useful.

Who Do You Gather Information From?

One of the most important aspects of the data gathering is to identify those people with whom you have regular contact. There are likely some key people from whom it is critical to get input. It is important to understand what people do in their day-to-day jobs, how they interact with the program on a regular basis, and how the area you are looking at for planning purposes affects them.

For example, you may be defining a plan for selecting and implementing a software solution. Knowing how information is created, shared, managed and stored across the organization is a primary consideration. Users and IT staff would be key participants from whom to get input.

You probably know what the issues are and could sit down and provide a list off the top of your head. But in order to get support and buy-in, other people have to confirm what you already know. They might also have some valuable insights into where improvements could be made. Talking to people across the organization ensures that you understand their requirements and ensures their input has contributed to your planning. The development of the plan is an opportunity to market the program.

There will be different levels of people to whom you speak about their “wish list” for the future for which you are planning.  Depending on the area you are planning for, you might want to speak to:

  • Your own departmental staff and partners
  • Senior management
  • Users of your services: internal business users or external clients
  • Key stakeholders who have a vested interest in the program.  It might include Legal Counsel, Privacy officers, IT and other business partners

In one organization we met with all staff members in functional groups.  In another we met with representatives of different business functions in several locations. Individual interviews may be required, depending on the person and his/her responsibilities.  The information you want will help determine who should be contacted and how the information can be gathered. 

One thing to keep in mind is that this is an exercise in thinking outside the box. You may have tried a variety of things in the past to move forward and run into roadblocks. Those people who were not supportive or were the naysayers may have past experiences that colour their view of what you are planning for. So, look at this process as an opportunity to renew discussions, allow them to get their beefs out on the table and address them. People like to have their opinions heard and sometimes those same people can turn out to be your biggest allies. If you don’t understand why they have the opinions they do, you can’t address them, so it’s a no-win when you have to deal with them.

The SWOT Analysis

You’ll often hear people talk about a SWOT analysis:

  • Strengths
  • Weaknesses
  • Opportunities
  • Threats

The SWOT analysis can be part of individual interviews or undertaken in a focus group session as part of your assessment of the current state of the program.  It might involve a group of people from one department or from a variety of business functions and staff levels across the organization.  And sometimes you may not like what you hear.  The main objective is to brainstorm about:

  • Where you do things well (strengths)
  • Where you could do things better (weaknesses)
  • What opportunities are out there for you to move forward, make changes, etc., and
  • Are you facing obstacles in the program that might turn into negatives for you?

As the discussion takes place, someone should be taking notes about the comments and tracking the discussion, which may, despite your best intentions, cross some of the themes, just by the nature of thoughts jumping around. 

I’ve found that despite the fact it’s old technology, flip charts, which capture the thoughts around each of the themes, are a simple way of documenting feedback.  If you are using a laptop you’d want to be able to share the screen so that everyone can see how the ideas are flowing.  

At the end of the session you can prioritize and capture all the feedback so that you can define a series of key points to help you build on in your planning phase. 

There are many resources that show how to carry out a SWOT analysis and some references are provided at the end of the paper.

Benchmarking

Benchmarking is another useful tool to compare your program/situation with other similar organizations.  Having said that, it’s important to be prepared for the feedback and know what might happen.  We had to do an organizational review some years ago and were asked, as part of it, to contact other similar organizations.  It turned out that we were the only ones to have a records management program!  I will let you think about the outcome.  Interestingly, not long after we did our benchmarking and the RIM program was disbanded, the government enacted legislation that resulted in all those same organizations (including ours) having to establish their RM programs.  And life goes on!!

In a benchmarking exercise, you are gathering information from similar organizations about different aspects of their program activities including what they do and how they do it; number of staff; space allocated to their program; software solutions, etc. If their program involves inactive records storage you might ask how much space they have and what services they offer.  

You may want to have a survey form and actually talk to your counterparts in person, or on a video call. If you use that approach it is wise to send the questions out ahead of time, so that they are prepared. Alternatively, using a tool such as Survey Monkey allows you to create an online survey, which can be sent to them directly. Regardless of the approach, it is important to provide the context for the benchmarking and provide them with an introduction to the process.

The simpler the survey form, the easier it is for the respondents to provide feedback and for you to compile the answers.  If it appears too long, it may just go unanswered.  One way to encourage participants to answer is by offering to send the completed results out to them.  If you do decide to do that, you will have to get permission from each of the contributors to share their data.

Once you receive the results back, you have to compile the responses in a way that makes comparing your organization with the feedback easy to understand.  Providing a table of the key areas you want to emphasize is often easiest so that the reader is not wading through pages and pages of survey questions and answers.  

Capturing Your Findings and Creating Recommendations

At this point you have completed your interviews, done the SWOT analysis, and gathered the benchmarking surveys. The next step is to consolidate all the information and compile the findings so that you can identify the gaps and create supporting recommendations. For example, the findings might show that:

  • People within the organization do not understand what Records and Information Management or Information Governance are
  • Other organizations have more staff than you do in a program that is similar to yours
  • There is no up to date classification scheme and retention schedule and no metadata scheme exists
  • Office 365 exists across the organization but there are no information management strategies in place, so information exists in silos and people are creating their own personal libraries.
  • Inactive paper records are stored off-site and retention schedules have not been applied to them
  • Policies and procedures have not been updated to reflect the need to manage information on all media

These are obviously not all the possible findings.  Once you have reviewed the findings and drawn your conclusions about what is required, you will create a series of recommendations on steps to be taken to move forward.

Measuring Against Accepted Standards

Having summarized all the findings, you have a good sense of the current state and where there are gaps in the program.

It’s always useful to be able to reference external standards and guidelines about RIM and IG programs to look at where you are compared to best practice.  Some of the resources which can be used include:

  • ISO 15489-1, second edition: 2016-04-15 
  • ARMA Principles and other standards
  • CGSB electronic records standard
  • Legislation and Regulations with which your organization must comply
  • Software standards such as DoD5015.2 and NARA’s Universal Electronic Records Management Requirements

ISO 15489-1, second edition: 2016-04-15, Information and documentation, Records management; Part 1, Concepts and principles, is an excellent starting place to look at best practice programs. It outlines what should be in place and the key elements of a program, so it provides a starting point to identify what you are doing and not doing. The standard addresses:

  • Records and record systems
  • Policies and responsibilities
  • Appraisal
  • Records Controls and
  • Processes for creating, capturing and managing records

Each section is supported by a subsection outlining the activities to be undertaken.

As a basis for reviewing your program, you can determine which elements are currently in place and how well you are complying with them.  Where there are gaps, you have an opportunity to define a set of activities to ensure that your plan addresses those gaps.  That then helps you define your plan, with resources and timelines.

The ARMA Principles are another excellent tool to reference in order to identify your program activities. 

A number of years ago, Pacific Gas and Electric had a major gas pipeline rupture and fire, and the consultants who undertook the assessment of the RIM program used the ARMA Record Keeping Principles Information Maturity Model to do so. They identified key components of a successful records management program and assessed Pacific Gas and Electric’s recordkeeping practices against ARMA International’s Information Maturity Model. In a very concise way, the spreadsheet shows where the gaps existed.

In this case, the assessment was to support a legal trial against PG and E.  The findings, along with other reports were submitted to court.  Needless to say, the findings were taken seriously and the record-keeping practices addressed.

Once you have completed the current assessment, it’s time to look at where you want to be in three to five years, identify the gaps between where you are and that desired state, and determine what activities are required to get from point “A” to point “B”.  

Standards that define software requirements provide a basis for software selection and in some cases, show which vendors have been certified against the particular standard.  These are useful tools as starting points for your own requirements.

Defining the Proposed Activities

Having completed the information gathering and done some comparisons with the standards, you have likely identified five or six key areas that represent the major areas for further development. These might include:

  • Policies, procedures, standards 
  • Creating guidance on managing information in Office 365
  • Selecting and implementing a software solution
  • Space considerations
  • Digital continuity and preservation
  • Training and program monitoring

Each of these major categories needs to be broken down into a series of activities with timelines and resource requirements.  

As an example, let’s look at selecting and implementing software. One of the biggest challenges we face in RIM and IG is that the software vendors change the names of what they are selling as fast as the market creates a new buzz word and as technology evolves.  Once upon a time records management and document management software solutions were two separate solutions.  Over time the functionality merged and we got EDRMS solutions.  Then content management came onto the scene, until Electronic Information Management systems replaced them and we now have content servers.  What is the key message?  Understand what you need the software to do, do your research into what’s out there and ignore what it’s called today.

There are several resources mentioned earlier that can provide an introduction to specific software requirements. Why use them? While they may be more complex than your requirements, they have been defined by experts to address the various aspects of managing electronic information and are an excellent starting point for your research, rather than you having to start from scratch. You can also look at research companies such as Gartner and Forrester to learn what they have to say about the current state of EIM software solutions.

In developing the set of activities, these are the key areas you might think about in selecting the software.  At the same time, you must document who will do all this and how long it might take.

| No | Activity | Responsible | Time Required |
|---|---|---|---|
| 1 | Review any existing standards that might assist in defining your requirements and define requirements | RIM/IG Designate(s) | 1 week |
| 2 | Research the vendors and what their products have to offer | RIM/IG Designate(s) | 1 week |
| 3 | If you have an opportunity to go beyond Office 365, which many of us don’t these days, define what you want the software to do and the environment in which it has to operate | RIM/IG Designate(s) | 1 week |
| 4 | Create an RFP and select the vendors you want to send it to. As part of the RFP you might want to detail the functionality you want, giving an idea of what is a “must have” versus a “nice to have”. | RIM/IG Designate(s) | 2 weeks |
| 5 | Review the responses to the RFP and determine which companies you would like to have demonstrate their products; review products | RIM/IG Project Team | 3 weeks |
| 6 | Select the software and finalize the contract with the vendor | RIM/IG Designate(s) | 1 week |

This is an example of how to define the activities in the first phase of the software implementation process.  Once you have selected the software, you have a separate set of activities to plan around the implementation across the organization. The example shows how you have identified the need for a software solution and created a series of activities to get from point A to point B. 

Each key area that you have identified as a gap and priority will require a series of supporting recommendations and activities, as outlined in the software example above.

All the activities cannot be undertaken at once, so the best way to approach the planning is to determine if there are any areas of risk, priorities and quick hits where activities can be undertaken immediately to get big results.  There will be activities which are dependent upon other activities, without which they cannot be started.  For example, if part of your plan is to manage your records through a software solution, you need to have your classification scheme and retention schedule in place, together with an approved metadata model.  The software does not, contrary to popular belief, come with everything done for you!  Are your policies and procedures in place?  If not, then it will be difficult to create a staff training program.

Another aspect of the plan is to consider how long it might take to undertake each activity. A timeline is critical to create realistic expectations from all involved in the project. Just because senior management thinks digital transformation is a great idea, has read all about it in the latest CEO magazine and calls you in to get started on it, it’s not happening overnight. There is a need to understand and define:

  • where it should be implemented to get the biggest benefit and minimize risk 
  • what processes will change 
  • what equipment and software to select, 
  • what new processes to create and 
  • what areas to train people on.

Creating the Report and Defining Implementation Steps

Writing a report, like preparing an article, takes practice and some thought. Writing out a stream of ideas that make perfect sense to you is not necessarily going to get your message across. You have to think of your audience and the message you are trying to get across. It’s not about showing how much research you’ve done; it’s about getting someone to buy in to what you want to achieve. Not everyone needs all the background details. Many times I’ve been told to make the key points in an Executive Summary because that is the part that senior management will look at. If that summary contains anything they are interested in, they will drill down into the relevant parts. The report itself outlines:

  • How you gathered the data
  • What the findings and conclusions are
  • What gaps exist that need to be addressed
  • Recommendations about next steps
  • An implementation plan which looks at each recommendation and defines:
      • Who plays what role and has responsibility for oversight and implementation
      • What is the timing for implementation – how long might it take?
      • When does it start and finish?
      • Is it dependent on anything else being completed before it can be started?
      • How many people will be involved in implementing each recommendation?
      • What will the cost be, based on salaries, equipment, etc.?
      • What are the proposed timelines and milestones?

Given that you are creating a strategic plan, the activities will be prioritized and cover a period of time.  In looking at the recommendations, it’s obvious that some things can be done fairly quickly and may have an immediate impact which will show the benefit of the project.   If you are implementing a software solution, doing a pilot project might provide insights into user acceptance, how long it takes to do your data analysis and clean up shared files, what is required to create a metadata model, etc.  

The report typically includes a series of appendices which provide details about the findings from such things as interviews and benchmarking.  

There are as many approaches to presenting the plan as there are plans themselves.  The Calgary Board of Education (CBE) began a process to reinvent its records management program in 2010. Its Records Management Timeline, which was supported by a detailed document outlining the steps, provided a high-level image of planned activities and its 2017 timeline shows which activities have been completed (milestones) and the timelines for other activities. 

The City of Guelph contracted with Ergo Information Management Consulting to develop a strategic plan for its records management program in 2015.  It is an excellent example of a final report and strategy.  In preparing this article I contacted both Sheila Taylor at Ergo and the city’s Corporate Information Management group to get permission to reference the plan.  Jennifer Slater, Manager, Information, Privacy and Elections/Deputy City Clerk wrote back saying:

It has certainly been invaluable to us over the years as we move our program forward.

Your plan is going to present your findings and identify your approach to moving forward over time, the resources required and the expected outcomes. It serves as an ongoing reference point to monitor your progress and should be updated on a regular basis.

Conclusion

Planning is an important part of any program development.  Developing a strategic plan takes time and resources.  It provides you with a roadmap that can be used to document what is required to move forward in areas that have been identified through a structured process.

There are so many aspects of a RIM/IG program that require planning.  During my consulting career I have worked on developing strategies for implementing an EDRMS solution; creating and implementing an organization-wide RIM program; defining future space and staffing requirements for RIM and IG programs.  Each requires a vision of where the organization wants to be, a review of the current state through a needs assessment which identifies the gaps between where the organization is and wants to be and the plan of how to get there.  

Detailing a strategy for each of them in one article is difficult so I have attempted to provide some steps at a general level.  I have included, in the endnotes, some resources and actual plans which are in the public domain to give you some insights into the planning process.  

The next step is for you to get started.  

About the Author

Christine Ardern, CRM (retired), FAI, is a Past President and Fellow of ARMA International and an Emmett Leahy award winner. She has been involved in information management planning, development and implementation in private and public sector organizations both in Canada and Internationally.  Christine taught at U of T’s i-School Institute and presented at ARMA seminars and workshops. She is currently a member of ARMA Canada’s Sagesse editorial board.

References

1  Business driver is a generic term that can be used in any organization to look at what it sees as its core focuses. The plan can then be focused to support that “driver”.  

2 https://www.nationalarchives.gov.uk/archives-sector/finding-funding/how-to-fundraise/3-building-networks-and-cultivating-support/building-a-business-case/ and https://www.guelphpl.ca/en/about-us/resources/Documents/Accessible-Documents/Reports-and-Publications/Final-Report-Jan-24-vFNL-FINAL-ua.pdf

3 Developing a Mission for Data Governance. Anne-Marie Smith, PhD, EWSolutions.com https://www.ewsolutions.com/data-management-university/

4  www.Businessdictionary.com/definition/strategic-planning.html

5 https://planning.curtin.edu.au/local/docs/Guide_to_Benchmarking_Oct2007.pdf

6 https://www.archives.gov/records-mgmt/policy/universalermrequirements

7 https://www.arma.org/page/principles and https://www.arma.org/page/PrinciplesMaturityModel

8 Dr. Paul Duller and Alison North wrote their 172 page report entitled Records Management within the Gas Transmission of Pacific Gas and Electric Company, Prior to the Natural Gas Transmission Rupture and Fire, San Bruno, California, September 9, 2010

9 https://cbe.ab.ca/about-us/board-of-trustees/trusteepublicdocuments/corporate-records-management-program-high-level-timeline.pdf#search=records%20management

Records and Information Management Is Essential to the Development and Implementation of Systems

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Tod Chernikoff, CRM, IGP, CIP

Abstract

People who purchase or design information management systems do not always have compliance with records and information management requirements in mind. To close this gap, an organization’s records and information management staff must be involved from the outset in the software development life cycle process to ensure that these systems properly manage records and information throughout their life cycle.

Introduction

Your records and information management (RIM) team is a critical partner and must be involved in the software development lifecycle (SDLC) process from the earliest stages to ensure that systems properly manage information throughout its lifecycle. By understanding the importance of ensuring that the systems used to process and manage assets are created and configured to properly retain and dispose of records and information, you will improve your organization’s records and information management capabilities. The RIM team’s involvement is critical to the proper development and implementation of systems, also called products, for several reasons. First, it ensures that an organization’s records stored in a system are retained and disposed of in accordance with the retention schedule. Next, it ensures that the system can prevent the destruction or deletion of records that must be retained for legal, administrative, or investigative purposes. It can also help support the characteristics of authoritative records, in accordance with ISO 15489.

There are a few key points to keep in mind, especially since, whatever type of organization you work for or with, the SDLC process will differ from one to the next. SDLC refers to a process or framework within an organization that produces software through a structured flow of phases with defined tasks.

Systems are usually developed and implemented through a project-based process. An organization’s RIM program, on the other hand, is ongoing. This is something that employees in other parts of the organization may not understand, and it also affects how RIM professionals approach their work.

Within the SDLC process, your RIM program must establish, maintain, and update as needed a framework for providing current information on requirements and for managing your part of the review process. This process must be developed so that it is communicated and applied in the same way by every member of the RIM team.

It must also make it possible to review cases of systems that cannot properly manage and dispose of records and information, to grant exceptions, or to suggest alternatives.

Not all organizations have the same capabilities. What works for one organization may not work for another. Be prepared to develop a process that fits your situation.

That said, the messages I want to leave you with in this article are the following:

  1. The staff of your RIM program are an essential part of the SDLC process and must be involved from the earliest stages, in every project, if only to confirm that no information is at stake and that the project can proceed without further review.
  2. Compromises must be made during the process.
  3. Systems are usually developed and implemented through a project-based process. An organization’s RIM program, on the other hand, is ongoing.
  4. You must take other factors into account if you are moving from a paper or physical process to a digital environment. In some cases, this can be simpler than updating certain digital processes.
  5. Within the SDLC process, your RIM program must establish, maintain, and update as needed a framework for providing current information on requirements and for managing your part of the review process. This process must be developed so that it is communicated and applied in the same way by every member of the RIM team.
  6. It must also make it possible to review cases of systems that cannot properly manage and dispose of records and information, to grant exceptions, or to suggest alternatives.
  7. Not all organizations have the same capabilities. What works for one organization may not work for another. Be prepared to develop a process that fits your situation.

Software Development Methods

Systems are not all created or developed the same way. The two main system development methods are waterfall and agile.

Waterfall is a linear, sequential method with set deliverables. Under this method, stakeholders provide requirements up front and the project must meet those requirements. Even within waterfall, there are different ways to tailor the process. The first two columns of Figure 1 show two similar but slightly different paths and how I compare them.

Agile development centers on an iterative process in which requirements and solutions evolve over time in a collaborative manner through cross-functional teams. This discussion focuses more on waterfall, but it is important to remember that in some organizations agile is the most widely used method. I work in an organization where we use both methods, and the volume of projects using agile is growing.

Figure 1 illustrates three possible development methods and how they compare with one another. The first column presents the method discussed later in this article. I encountered it in the private sector. The second column represents the Enterprise Performance Life Cycle (EPLC) framework. I used this method when I worked as a consultant to a government agency in the United States. EPLC and SDLC are both forms of waterfall. The third column describes an agile development framework. In some cases, there are similar phase names, aspects, and activities from one method to another. They are aligned to show their similarities as clearly as possible.

| SDLC | EPLC | Agile Framework |
|---|---|---|
| Inception | Initiation | Launch |
| Inception | Concept | Launch |
| Planning | Planning | Planning |
| Systems Analysis | Requirements Analysis | Planning |
| Systems Design | Design | Planning |
| Systems Development | Development | Development |
| Systems Testing | Test | Development |
| User Acceptance | Test | Development |
| Deployment | Implementation | Deployment |
| Project Closure | Operations and Maintenance | Closure |
| | Disposition | |

Figure 1 Comparison of system development methods

Experience and Recognizing a Disconnect

Before working full time in RIM and taking an interest in the SDLC, my experience covered aspects of information technology (IT), such as data quality and cleansing, as well as user experience, requirements analysis, and attending meetings, as an observer, in which senior executives conducted reviews and made decisions about IT projects. These experiences, which date back about twenty years, prepared me for the future. I recommend that you stay alert to opportunities to take part in your organization’s processes in order to broaden your knowledge, skills, and abilities. These could be opportunities to participate in projects to bring in new tools and technologies. You could, for example, volunteer to test new tools before or during their rollout, or take training on new tools or tools that may be used.

Around the same time, about twenty years ago, I began to notice that there was often a lack of communication between the people who bought and built information management systems and those responsible for compliance with RIM requirements. Now I spend a good part of my time at work establishing that communication. Not a workday goes by without my attending a meeting or communicating with a project manager, a requirements analyst, or a member of a business group involved in one of the roughly one thousand systems in my employer’s global enterprise. I also spend time providing training on this subject to various stakeholders, both inside and outside the information department.

Roles

In the SDLC process, you may encounter many people who play different roles.

Your team will be led by your organization’s RIM or information governance (IG) manager, director, or other executive, and will include RIM or IG staff, depending on the functions the team performs. You will likely interact, at one time or another, with groups or departments in your organization, including:

  • legal counsel or the general counsel;
  • the compliance department;
  • the contract management, procurement, or vendor management department;
  • the business or functional groups that, in many cases, will own the systems being developed, including their leadership teams;
  • the information technology groups and departments responsible for systems and infrastructure;
  • various review teams, committees, and working groups;
  • various contractors and vendors;
  • end users;
  • project or system development teams, including:
    • project managers;
    • solution architects;
    • enterprise architects;
    • requirements analysts;
    • testers and trainers;
    • communications specialists;
    • change management specialists;
  • finally, the senior executives who, in all likelihood, hold considerable control and funding authority within the organization.

The RACI Method (Responsible, Accountable, Consulted, and Informed)

To document the level of involvement of the various groups in the SDLC process or in other processes within organizations, many use a RACI chart. The acronym “RACI” stands for Responsible, Accountable, Consulted, Informed. The responsible party is the one that initiates and carries out the task. It is also responsible for obtaining the necessary approvals. The accountable party is ultimately answerable for completion of the task. There is only one accountable party per task. Consulted parties are those you call on while carrying out the task. Much of the time allotted to a project is spent on two-way communication with consulted parties. Informed parties are those kept up to date on the project’s progress through one-way communication. In Figure 2, the items in the first row represent various components of a company or public body. On the left are the tasks associated with each phase of developing a fictitious project. In this representation of the waterfall method, the RIM program appears on the far right. The RIM team is informed of project business cases at the inception stage and consulted on business requirements, and so on. In Figure 2, the letter “R” indicates the parties responsible for a task, the letter “A” indicates the accountable party for a task, the letter “C” indicates the parties that are consulted, and the letter “I” indicates the parties that are informed of a task’s progress.

If your organization uses both waterfall and agile, separate RACI charts will be produced for the different methods.

Application Management | Information Architecture | Business | Communications | RIM

Inception
Business Case: C / I | A / C | I
Business Requirements: C | C / I | A / C | C

Planning
Requirements Approach: C | C | I

Systems Analysis
System Requirements: C / I | C | C

Systems Design
Preliminary Design: C / I | R / C / I | C | I | I

Systems Development
Test Plan: I | I | I | C

Systems Testing
Test Results: I | C / I | C / I | I | I

User Acceptance
Implementation Plan: C / I | C | C / I | C / I | I

Deployment
Handover: I | I | I | I | I

Project Closure
Lessons Learned: C | C | C | C | C

Figure 2 Sample RACI chart for the SDLC method

High-Level RIM Requirements

It is important for members of the RIM program to make known to the organization’s development and business areas what the various RIM requirements are and the details of each. Systems should make it possible, for example:

  • to preserve and release the records and information needed for use in litigation, investigations, or other matters (and to enable their record preservation function through an application programming interface (API));
  • to associate records with retention periods and retain them for those periods;
  • to ensure that records maintain their integrity, authenticity, reliability, and usability, as set out in ISO 15489;
  • to dispose of records and information in a manner that is properly documented and that renders them unrecoverable;
  • to search for and retrieve records, and to provide the necessary parameters and reporting capabilities;
  • to support the transition of records from old repositories to new ones to ensure proper maintenance and disposition.

The RIM program must also provide additional information that will enable businesses, project teams, and other stakeholders to clearly communicate how they will comply with these requirements.

Items That May Be Out of Scope

As I mentioned earlier, there are situations in which the RIM team will not take part in projects or products being developed or deployed. The following are examples of types of systems that are often out of scope because data or records are generally not stored in them for a long period.

  1. Inter-network communication systems receive data and then immediately pass it to another appropriate system for processing or for storage in a data warehouse. An organization’s firewall is an example of an inter-network communication system.
  2. Infrastructure systems are designed for an IT network that automates business processes across the organization. Microsoft Office productivity applications such as Word or Excel are an example of an infrastructure system.
  3. Interface control systems are designed to facilitate communication between different data systems so that they can simply “talk” to each other. A temporary data storage interface is an example of an interface control system.
  4. Search systems are designed to provide regular or ad hoc search capabilities across data in other systems or other data warehouses. Splunk is a good example.
  5. Interactive systems receive data for review and then transfer it to another interactive system for further review or to a data warehouse if no review is needed. Data may remain stored in the interactive system indefinitely as long as it is under review. An example of an interactive system could be the one used by tellers or customer service representatives at a financial institution.

Process Alignment – Waterfall

As Figure 1 above shows, the SDLC process presented in this article is divided into nine distinct phases arranged in a linear, sequential approach. Below is a description of the sections and of the core responsibilities within a RIM team.

Inception

At the inception stage, the main goal is to establish a flow of information and ensure understanding among team members. Take the example of a team working on migrating an on-premises email application to a newer cloud-based system, such as Outlook in Microsoft 365. It must understand the requirements as well as the related RIM processes likely to be used. Meanwhile, the RIM team, made up of a RIM manager, RIM analysts, and technical resources, must understand the purpose of the business process and the proposed system as well as any related business needs. This is an ideal time to send the many questions and requests for information raised by the teams.

Planning

At the planning stage, the project team ensures that the RIM team is fully engaged in the project as a stakeholder for the duration of the project. If there is some inconsistency between the business requirements and the RIM requirements, such as a records retention schedule that does not reflect a valid business requirement to retain records beyond what laws and regulations require, an update to the schedule may be necessary, and the business member or members of the project team must work with their department to begin the update request process as soon as possible. During this stage, the RIM team takes part in the project kickoff and continues to make sure it understands the project and the upcoming activities.

Systems Analysis

At the systems analysis stage, the project team fully documents the records, information, and data in the system or systems that will process and store the data. It also incorporates the RIM requirements into the overall requirements for the system or systems and the related documentation.

This process can be simplified if, for example, the RIM team has created supplements to the business requirements documentation package that provide guidelines or directives giving a detailed overview of the requirements mentioned above under the high-level RIM requirements. If you are familiar with United States government software standards, such as DoD 5015 or NARA’s Universal Electronic Records Management Requirements, those are examples of what this could look like.

Meanwhile, the RIM team goes into greater detail on the business processes and requirements, gains an understanding of the records, information, and data handled by the system, and begins advising the project team on any RIM question or compliance issue.

Systems Design

At the systems design stage, the project team creates the technical architecture, which includes the tools and methods needed to meet the RIM requirements. The project team also consults the RIM team as needed to answer any outstanding questions and creates test plans that take the RIM requirements into account.

At this point in the development process, the RIM team continues to review project information as the situation evolves and adjusts its advice accordingly. It also contributes to the review of the test and communication plans.

Systems Development

At the systems development stage, the project team ensures that the system or systems being built include the RIM functionality and requirements specified in the system requirements and design documentation. Beyond design, the system is properly configured and integrated with the other systems it was designed to work with.

Meanwhile, the RIM team continues to answer questions and resolve issues as they arise and prepares the information or data needed for the system testing stage.

Systems Testing

At the systems testing stage, the project team tests the system or systems developed, including the RIM-related components and integration points, using the information, data, and requirements provided by the RIM team. It then passes the results to the RIM team, which reviews them and provides appropriate feedback. At this stage, the RIM team also reviews the training material and support documentation and comments on them as appropriate.

User Acceptance

At the user acceptance stage, the project team ensures that all RIM issues identified during testing have been resolved, carries out user testing of the RIM components and integration points, and resolves these issues to the RIM team’s satisfaction before deployment.

The RIM team determines whether the RIM components and integration points are ready to be deployed, based on the results of user testing and any follow-up actions deemed necessary. It reviews the RIM-related training material and support documentation and provides the necessary updates.

Deployment

When the system or systems are deployed, the project team puts them into production for end users and begins providing ongoing support and maintenance.

At this stage, the RIM team takes on the responsibilities related to the RIM program, where applicable, and provides the necessary RIM updates over time, as needed.

Closure

At the project closure stage, the project team transfers all relevant RIM-related responsibilities and retains and disposes of the documentation on the system or systems in accordance with the retention schedule. Finally, the RIM team provides any assistance needed to resolve RIM-related issues and offers comments on the lessons-learned documentation.

Process Alignment – Agile

Although this article deals mainly with process alignment under the waterfall method, I am taking this opportunity to look at the five stages and responsibilities of projects under the agile development method.

Because it is an iterative method, it does not follow a strictly linear path. Agile is more than a method: it is a mindset defined by values, guided by principles, and manifested through emergent practices. What many people see most clearly in this method is the way software is built in sprints, short fixed periods or cyclical iterations during which a set amount of work must be completed. In a broad sense, the concept of agility also refers to embracing change and communicating regularly to deliver value. This method depends on the full collaboration of all team members, learning through discovery, and continuous improvement.

The names of the stages reflect their purpose. Based on the deliverable-focused responsibilities presented in this article, you can get a good idea of what happens at each stage. (See Figure 1.)

The launch and closure stages occur only once per project, while the planning, development, and deployment stages are cyclical, beginning with the development and deployment of a minimum viable product, followed by sprints, until a final product is deployed. Below is a brief description of the project team’s main responsibilities toward the RIM team at each stage of the agile development method, bearing in mind that the planning, development, and deployment stages repeat cyclically over the life of a given project.

Launch

At the launch stage, the project team ensures that the RIM team is kept up to date on the various items and informed of the project’s point of contact or statement of work, vendor assessments and scoring tools, and the product roadmap and product backlog, a prioritized list of the (new) features to be implemented in the project. The product roadmap is an action plan for how the product (system or solution) moves through the project lifecycle. The roadmap provides context for the project team’s day-to-day tasks, but it also makes it possible to respond to changes in priorities and resources.

Planning

At each planning stage, the project team ensures that the RIM team is kept up to date on the various items and informed of non-functional requirements, the sprint backlog (a prioritized list of the deliverables or features to be implemented in the project, system, or product), the requirements approach, the application architecture, the logical data model, data profiling and data mapping, and the business requirements for the service-oriented architecture. “Service-oriented architecture defines a way to make software components reusable and interoperable through service interfaces. Services use common interface standards and an architectural pattern so that they can be rapidly incorporated into new applications.” An example of service-oriented architecture could be integrating systems so that they can “talk” to one another to increase their efficiency.

Development

At each development stage, the project team ensures that the RIM team is kept up to date on the various items and informed of the preliminary design, the service-oriented architecture project specifications, the test plans, cases, and checklists, and implementation planning and operational readiness. The RIM team should also be consulted for its comments on the lessons learned or end-of-sprint retrospectives.

Deployment

During each deployment stage, the project team must ensure that the RIM team is kept up to date on the production implementation plans.

Closure

As the project draws to a close, the project manager and others responsible for gathering feedback must ensure that the RIM team is consulted on the lessons learned and end-of-project retrospectives.

Unfortunately, this brief description does not do the process justice, and I strongly encourage you to learn more about this method. The Manifesto for Agile Software Development is a good starting point. I hope this quick explanation will prompt you to explore the subject further.

Conclusion – Commentary on the SDLC

There are simple ways to approach many processes such as the SDLC. Although modern information management systems contain complex hardware and software components, if you break down the development process and the communication and relationship components associated with it, you will see their characteristics:

  1. The SDLC is not a complicated process. I learned a bit about this from my late father, who worked as an engineer at NASA for decades.
  2. There is no one-size-fits-all solution. This rule applies to organizations as well as to systems.
  3. System development is not exclusively about IT. It is also about, among other things, RIM, your organization’s business, and the customer.
  4. You should use standards and other resources, such as bodies of knowledge, indexes, best practices, technical reports, and principles, where appropriate. There is no need to reinvent the wheel.
  5. Frequent communication may be necessary at certain stages of a given project, or even during routine operations. Retention requirements can change, so it is important to account for this when developing systems.
  6. You need to get to know the players within the organization. You will meet the same people on many occasions, on an ongoing basis.
  7. Customized documentation of your organization’s process can be useful and an asset to your RIM team (when the documentation is well managed).
  8. Project tracking is necessary, especially in large or complex organizations. The members of your RIM team put in a great deal of effort at all times, and if you have the right information at hand, it will be easier for you to produce reports for your management chain.
  9. Role-based training, tailored to the trainee’s responsibilities, helps a great deal. If your development team and your business partners understand your process and your requirements, they will be much more likely to be receptive to your involvement. If you get the attention of people at the appropriate level, you will be better able to make the most of your role.

Ending Where We Began

If you take nothing else away from this article, let us end with the sentiment I expressed at the beginning… Your RIM team is a critical partner and must be involved in the SDLC process from the earliest stages to ensure that systems properly manage information throughout its lifecycle.

Biography

Tod Chernikoff is a Certified Records Manager, Information Governance Professional, and Certified Information Professional. He has more than twenty-five years of experience providing records and information management and information governance services to organizations and other clients. He has held various positions at the local, regional, and international levels within ARMA International, including member of the board of directors. Tod received the 2014 Alan Andolsen award presented by the ICRM in recognition of outstanding mentoring as a Certified Records Manager. He is a member of the records and information management team at Navy Federal Credit Union, where he contributes to carrying out RIM activities worldwide. The opinions and views expressed in this article are those of the author.

Records and Information Management is Vital to System Development and Implementation

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Tod Chernikoff, CRM, IGP, CIP

 


 

Abstract

There is frequently a gap between those who buy or develop information management systems and compliance with records and information management requirements. To bridge that gap, an organization’s records and information management staff must be involved in the Software Development Lifecycle process from the beginning to ensure those systems properly manage records and information across their lifecycle.

Introduction

Your records and information management (RIM) team is a critical partner and must be involved in the software development lifecycle (SDLC) process from the earliest stages to ensure that systems properly manage information assets across the information lifecycle. By making sure the systems used to process and manage information assets are created and configured to properly retain and disposition records and information, you will further your organization’s capabilities around records and information management. RIM involvement is critical to the proper development and implementation of systems, or products as some organizations call them, for a variety of reasons. First, it ensures that an organization’s records that are stored in a system are retained and dispositioned in accordance with the organization’s records retention schedule. Next, it ensures that the system can prevent the destruction or deletion of records that are required to be retained to satisfy legal, administrative, or investigative holds that are placed upon those records, or other information in the system. It can also help to support the characteristics of authoritative records per ISO 15489.

There are a few key points to consider, especially since whatever type of organization you work for, or with, there will be variations in how the SDLC process operates. SDLC refers to a process or framework within an organization that produces software through a structured flow of phases with defined tasks within each of those steps.

Systems are typically developed and implemented in a project-centric process. RIM, on the other hand, is an ongoing program within your organization. This is something staff in other parts of the organization may not understand, and it also affects how RIM staff approach their work across the organization.

As part of the SDLC process, your RIM program must build, maintain, and update, as needed, a framework to provide current requirements information and manage your part of the review process. This process should be built so no matter who on the RIM team is working with a project team, the process and messaging is the same from team member to team member.

Where systems are not able to adequately manage and disposition records and information, your process should enable examination of these situations and grant exceptions and/or suggest workarounds.

All organizations are not built with the same capabilities. What works in one may not translate well to others. Be prepared to create a process that works for your situation.

That said, what I’d like to pass on to you in this article is that: 

  1. Your RIM program staff is a critical part of the SDLC process and must be involved from the earliest stages of that process in all projects, even if it is only to say no records are involved and the project can move along without further RIM review
  2. There will be give and take in the process
  3. Systems are typically developed and implemented in a project-centric process. RIM, on the other hand, is an ongoing program within your organization
  4. You need to make additional considerations if you are moving a paper-based or physical process into a digital space. In some cases, this may be simpler than upgrading certain digital processes
  5. As part of the SDLC process, your RIM program must build, maintain, and update, as needed, a framework to provide current requirements information and manage your part of the review process. This process should be built so no matter who on the RIM team is working with a project, the process and messaging is the same from team member to team member
  6. Where systems are not able to adequately manage and disposition records and information, your process should enable examination of these situations and grant exceptions and/or suggest workarounds
  7. All organizations are not built with the same capabilities. What works in one may not translate well to others. Be prepared to create a process that works for your situation

Software Development Methodologies

Not all systems are created or developed the same way. The two main systems development methodologies are waterfall and agile.

Waterfall methodology is a linear, sequential method with set deliverables where stakeholders provide requirements up front, and the project is planned to accommodate those requirements. Even within waterfall there are different ways to accommodate the process. The first two columns of Figure 1 show two similar, yet slightly different paths and how I compare them.

Agile development is centred around an iterative process where requirements and solutions evolve over time in a collaborative manner using cross-functional teams. This discussion will centre more on the waterfall methodology, but we cannot forget that in some organizations agile is the dominant methodology used. I work in an organization where we use both, and the volume of projects using agile is growing.

Figure 1 depicts three possible development methods and how they compare to one another. The first column indicates the method that will be discussed later in this article; I have encountered this method in the private sector. The second column depicts the Enterprise Performance Lifecycle (EPLC) Framework. I have encountered this method while working as a consultant with a United States government agency. EPLC and SDLC are both forms of waterfall methodology. The third column depicts an Agile development framework. In some instances, there are similar phase names, aspects, and activities in multiple examples of the methodologies. They are aligned to depict their similarities as best as possible.

| SDLC | EPLC | Agile Framework |
| --- | --- | --- |
| Origination | Initiation | Initiate |
| Origination | Concept | Initiate |
| Planning | Planning | Planning |
| System Analysis | Requirements Analysis | Planning |
| System Design | Design | Planning |
| System Development | Development | Development |
| System Testing | Test | Development |
| User Acceptance | Test | Development |
| Deploy | Implementation | Deploy |
| Project Closeout | Operations and Maintenance | Close |
| | Disposition | |

Figure 1 Comparison of systems development methodologies

Experience and Realization of the Problem of a Disconnection

My experiences, even before becoming involved in RIM on a full-time basis, or even learning about the SDLC, touched on aspects of information technology (IT) such as data quality and cleansing, along with user experience, requirements analysis and attending meetings, as an observer, where upper-level managers conducted reviews and made determinations regarding IT projects. Looking at these experiences some 20 plus years ago I was, without knowing it, being prepared for what was to come. I would recommend keeping your eyes open for any opportunity that might allow you to become involved in processes your organization may undertake that would allow you to expand your knowledge, skills and abilities. These could include opportunities to be involved in projects to bring new tools and technologies onboard, such as volunteering to test new tools prior to, or during, their deployment, or taking training on new tools being implemented or considered for implementation.

About this time 20 years ago, I began to see that there was a frequent disconnect between those who bought and built information management systems and compliance with RIM requirements. Now I spend a great deal of my time on the job making that connection. Hardly a workday goes by that I don’t attend a meeting or speak with, email, or message a project manager, a requirements analyst, or a member of a business group involved in one of a thousand or so systems across the global enterprise of my employer. I also spend time at work providing various stakeholders both inside and outside the information services department an education on this topic.

Roles

There are many people in many roles you can encounter across your organization as part of the SDLC process.

As part of the RIM program staff, your team will be headed by your organization’s RIM or Information Governance (IG) manager, director, or similarly titled leader and will include RIM and/or IG staff based on the functions performed by the team. You will likely at one time or another interact with your organization’s groups or departments such as:

  • Legal or general counsel 
  • Compliance
  • Contracts, procurement, and/or vendor management 
  • Business or functional groups that in many cases will be the owners of the systems being developed, including their leadership teams 
  • Information technology/services groups that act in the capacity of systems and infrastructure operations teams
  • Various review teams, committees, and task forces
  • Various contractors and vendors
  • End users
  • Project or system development teams including: 
    • Project managers
    • Solutions architects
    • Enterprise architects
    • Requirements analysts
    • Testers, trainers
    • Communications specialists
    • Change management specialists
  • And finally, senior managers who in all likelihood control a great deal of the power and funding within the organization.

Those Responsible, Accountable, Consulted, and Informed (RACI)

To document the level of involvement of the various groups across the SDLC process, or other processes within organizations, many use what is known as a RACI chart. RACI stands for Responsible-Accountable-Consulted-Informed. The responsible party is the one that initiates and performs the work to achieve the task. In addition, they are responsible for obtaining the applicable approvals. The accountable party is ultimately accountable for the completion of the task. There is only one accountable party for each task. Consulted parties are those whose opinions are sought and who are asked to assist in completing the task. A great deal of project time goes into two-way communication with consulted parties. Informed parties are those who are kept abreast of project progress through one-way communication.

The abbreviated chart in Figure 2 indicates across the top the various components within a business or public agency, and the tasks within each development phase down the left side for a generic, fictitious project. In this representation involving the waterfall methodology, the RIM program is shown on the far right. In this representation the RIM team is informed about projects’ business cases in the Origination Phase and consulted on the business requirements and so on. Within Figure 2, an “R” indicates the responsible parties for a task, an “A” indicates the accountable party for a task, a “C” indicates the parties that are consulted, and an “I” indicates those parties that are informed about a task’s progress.

If your organization uses both waterfall and agile methodologies, separate RACIs would be produced for the different methods.

Application Management | Information Architecture | Business | Communications | RIM
Origination
Business CaseC / IA / CI
Business RequirementsCC / IA / CC
Planning
Requirements ApproachCCI
System Analysis
Systems RequirementsC / ICC
System Design
Design PackageC / IR / C / ICII
System Development
Test PlanIIIC
System Testing
Test ResultsIC / IC / III
User Acceptance
Implementation PlanC / ICC / IC / II
Deploy
HandoffIIIII
Project Closeout
Lessons LearnedCCCCC
Figure 2 Example of a SDLC methodology RACI chart

High Level RIM Requirements

It is important that the RIM program make known to the development and business communities within the organization the various RIM requirements and details behind each set of requirements. Systems should be able to, for example: 

  • Place holds on records and information needed for litigation, investigation or similar purposes and release those holds (and allow their legal hold function to be utilized via API)
  • Associate records with retention periods and retain records in accordance with those periods
  • Support records maintaining their integrity, authenticity, reliability, and usability as called for in ISO 15489
  • Dispose of records and information in a manner that is properly documented and renders them unrecoverable
  • Allow for searching and retrieving records
  • Provide needed metrics and reporting capabilities
  • Help transition legacy records from old repositories to new ones for proper maintenance and disposition.

The RIM program should also make available additional information that will enable businesses, project teams and others involved to properly communicate how they will comply with these requirements within the various artifacts or documents produced along the path of the SDLC.

What May be Out of Scope

As mentioned earlier, there are situations where the RIM team is not likely to be involved with projects or products being developed or deployed. Below are examples of types of systems that are frequently out of scope since data or records are typically not stored within these systems for an extended period.

  1. Gateway systems receive data, and then immediately move the data into another appropriate system for action, or for storage within a data warehouse. An example of a gateway system might be an organization’s firewall system.
  2. Infrastructure systems are designed for an IT network that automates business processes at an enterprise level. An example of an organization’s infrastructure system might be Microsoft Office productivity applications such as Word or Excel.
  3. Interface control systems are designed to facilitate communications between other varied data systems, so that they can quite simply “talk” to each other. An example of an organization’s interface control system might be a Temporary Storage Data (TSD) interface.
  4. Search systems are designed to provide regular or ad hoc search capabilities into other systems’ data, or other data warehouses’ data. An example of an organization’s search system might be a tool such as Splunk.
  5. Transactional systems receive data for review, and then move the data to another transactional system for further review, or to a data warehouse if no review is necessary. Data may remain stored indefinitely on the transactional system while the data is still under review. An example of an organization’s transactional system might be the system used by tellers, or member/customer service representatives in a financial institution.

Process Alignment – Waterfall

As depicted in Figure 1 above, the SDLC process being shown in this article is divided into nine distinct phases arranged in a linear, sequential approach. Each phase is described below, along with the basic responsibilities of an example project team and the responsibilities of the RIM team.

Origination

In the Origination Phase the main objective is to create a flow of information and understanding on the part of each team. The project team, say for example a team working to migrate an organization’s email application from an older on-premises system to a newer, cloud-based system such as Outlook within Microsoft 365 for business, needs to understand the associated RIM requirements and the processes the RIM team uses to review the project. On the other hand, the RIM team, say made up of a RIM Manager as well as RIM Analysts and technical resources, needs to understand the purpose of the business process and proposed system as well as any associated business needs. This is a time in the SDLC where an opportunity exists to air the many questions and requests for information that will surely come up from both teams.

Planning

In the planning phase the project team ensures that the RIM team becomes fully engaged as a stakeholder and remains a stakeholder for the duration of the project. If there is some form of mismatch between the business requirements and the RIM requirements, for example the records retention schedule does not reflect a valid business retention need over and above the legal or regulatory requirements, an update to the schedule may be in order, and the Business member(s) of the project team need to work within their department to begin the process of requesting that update as soon as possible. In this phase of the SDLC, the RIM team will participate in the project kick-off and continue to ensure its understanding of the project and upcoming activities.

System Analysis

In the system analysis phase, the project team will fully document the records, information, and data that the system will capture, process and store, as well as integrate the RIM requirements into the overall systems requirements and associated documentation.  

This process can be simplified if, for example, the RIM team has created supplements to the business requirements documentation package that provide guidelines or guidance indicating a detailed view of the requirements highlighted above in the discussion of the High-Level RIM Requirements. If you are familiar with US Government software standards such as DoD 5015 or NARA’s Universal Electronic Records Management Requirements, these are examples of what that might look like.

Meanwhile, the RIM team will delve more deeply into the associated business processes and the business requirements, gain an understanding of the records, information, and data the system will be dealing with, and begin to advise the project team on any issues arising that might complicate RIM or compliance issues.

System Design

In the system design phase, the project team creates the technical solution architecture that includes the tools and methods that will execute on the applicable RIM requirements. The project team also consults with the RIM team as needed to answer any outstanding questions and creates testing plans that reflect the RIM requirements.  

At this point in the development process the RIM team will be continuing to review project information as conditions evolve and make any adjustments in its advice as needed. They will also be providing input to and reviewing the testing and communications plans.

System Development

In the system development phase, the project team will ensure the system being built includes the RIM-related features and requirements as specified in the system and design requirements documentation. Beyond the build, the system will be properly configured and integrated with the other systems it has been designed to work with.

Meanwhile, the RIM team will continue to address any questions or issues that arise and will prepare any information or data needed for the System Testing phase.

System Testing

In the system testing phase, the project team conducts testing of the developed system, including the RIM-related components and integration points, using the information, data and requirements provided by the RIM team, and provides the results to the RIM team, who will review them and provide appropriate feedback. In this phase, the RIM team will also review the training materials and support documentation and provide feedback on them as needed.

User Acceptance

In the user acceptance phase the project team will ensure that any RIM related issues uncovered during the System Testing process have been resolved, conduct user testing of the RIM components and integration points, and resolve those issues to the satisfaction of the RIM team prior to deployment. 

The RIM team will determine if the RIM components and integration points are ready for deployment based on the results of the user testing and any follow up actions deemed necessary and will review and provide any necessary updates for the RIM related training materials and support documentation.

Deployment

At the point in time the system reaches deployment the project team places the system into production for the end users and begins to provide on-going support and maintenance of the system. 

During this phase of the project, the RIM team will assume any responsibilities related to the RIM program, if any exist, and over time provide applicable updates to RIM configurations, as needed.

Closeout

As the project closeout phase occurs, the project team will transfer any applicable RIM related responsibilities and retain and disposition applicable system documentation per the records schedule. Finally, the RIM team will provide any applicable assistance with existing or ongoing RIM related issues and provide any input to the lessons learned documentation.

Process Alignment – Agile

Although the focus of this article is the process alignment of the waterfall methodology, I will take a brief opportunity to look at the five phases and associated responsibilities for projects using an agile development methodology. 

As this is an iterative method – it does not follow a strictly linear path. Agile is beyond a methodology – it is a mindset that is defined by values, guided by principles, and manifested through emergent practices. What many see most plainly through this methodology is how software products are delivered iteratively through sprints, or short, time-boxed periods or cyclical iterations during which a set amount of work is to be completed, but more deeply it represents a way of thinking that embraces change, regular feedback, and delivers on value. It uses full team collaboration, learning through discovery and continuous improvement. 

The names of the phases correspond to their focus and from the responsibilities shown here focusing on deliverables you can get a good idea of what happens within each phase. (See Figure 1)

The initiate and close phases occur once in each project, while the planning, development and deploy phases are cyclical and start with developing and deploying a minimally viable product and cycling through sprints to deployment of a fully developed product. The following is a brief description of the major responsibilities of the project team to the RIM team in each phase of the agile development methodology, remembering that the planning, development, and deploy(ment) phases repeat in a cyclical manner over the span of a given project.

Initiate

In the initiate phase the project team works to ensure the RIM team is up to date and informed on the project’s contract or statement of work, vendor evaluations and scoring tool(s) as well as the product roadmap and backlog, a prioritized list of (new) features to be implemented as part of the project. The product roadmap is a plan of action for how the product (system or solution) will evolve along the path of the project’s lifecycle. The roadmap provides context for the project team’s daily work but should also enable the ability to respond to shifts in priorities and resources.

Planning

During each planning phase the project team works to ensure the RIM team is up to date and informed on the non-functional requirements, sprint backlog (a prioritized list of deliverables or features to be implemented in the project, system, or product), requirements approach, application architecture, logical data model, data profiling and mapping as well as the service-oriented architecture (SOA) service requirements. “SOA defines a way to make software components reusable and interoperable via service interfaces. Services use common interface standards and an architectural pattern so they can be rapidly incorporated into new applications.” An example of an SOA might be to integrate systems so they may “talk” to one another to increase efficiencies.

Development

During each development phase the project team ensures the RIM team is up to date and informed on the design package, SOA design specifications, test plans, cases, and checklists as well as implementation planning and operational readiness. The RIM team should also be consulted for their input on end-of-sprint lessons learned or retrospectives.

Deploy

During each deploy phase the project team must ensure the RIM team is kept up to date on the production implementation plans. 

Close

As the project comes to the close phase, the project manager and others responsible for collecting feedback must ensure that the RIM team is consulted for their input on the end-of-project lessons learned and/or retrospectives.

Unfortunately, this brief description does not do the process justice and I highly encourage you to investigate this methodology more deeply. The Agile Manifesto is a good place to start. I hope this quick explanation encourages further investigation.

Conclusion – Or a Simple Commentary on SDLC

There are simple ways to approach many processes such as the SDLC. Although modern information management systems contain complex hardware and software components, if you break down the development process as well as the associated communications and relationship parts, you will see their down-to-earth traits before you:

  1. SDLC should not be equated with rocket science. I’ve learned a bit about that topic courtesy of my late father who spent decades as a NASA engineer
  2. One size does not fit all. This goes for organizations and systems
  3. Systems development is not exclusively about IT. It’s also about RIM, your organization’s business, the customer – you name it
  4. Use standards and other resources such as bodies of knowledge, indexes, best practices, technical reports, and principles, as appropriate. Don’t reinvent the wheel
  5. Frequent communications may be required during certain phases of any given project and even into ongoing operations. Retention requirements can change so it is important to keep this in mind as systems are developed
  6. Get to know the components involved across the organization. You will almost certainly do repeat business and see many of the same people and roles on an ongoing basis
  7. Customized documentation for your organization’s process can be helpful and an asset to your RIM team (when documentation is well managed)
  8. Project tracking is required, especially in large or complex organizations. Your RIM team members may be working on a good number of efforts at any time, and it will make reporting to your chain of management easier if you have the information close at hand
  9. Role-based training, where training is tailored to the responsibilities of the trainee, helps greatly. If your development team, and business partners understand your process and requirements, they are much more likely to be receptive to your presence in the process, and if you can get the attention of those at the proper level you may be able to better leverage your position in the process

The End is Where we Began

If you retain nothing else from this article, let us end with the sentiment I began with… Your RIM team is a critical partner and must be involved in the SDLC process from the earliest stages to ensure that systems properly manage information assets across the information lifecycle.

About the Author

Tod Chernikoff is a Certified Records Manager, an Information Governance Professional and a Certified Information Professional. He has over twenty-five years of experience providing records and information management and information governance services to organizations and clients. He has served ARMA International in positions at the local, regional, and international levels including as a member of the ARMA International Board of Directors. He received the ICRM’s 2014 Alan Andolsen Award in recognition of outstanding CRM Mentorship. He is a member of the Records and Information Management Team at Navy Federal Credit Union where he is helping to enable RIM operations across the global enterprise. The opinions and views expressed in this article reflect only those of the author.

Information Governance vs Data Governance: What’s the Difference and Why Does it Matter?

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Jennifer Bodnarchuk, MSc, PhD

 


 

Abstract

In this increasingly digital age, the line between data and information is blurred, and for those working to govern and manage data and information, this can add complexity to an already complex task. The thesis of this article is that the distinct differences between data and information do not need to be understood in order to govern data and information. Definitions of data, information, data governance, and information governance were explored and analysed. Similarities were identified and options for combined data and information governance structures are presented for consideration. Data and information governance are essential to provide the guiderails of process and structure to protect, preserve, organize, and give appropriate access to the data and information that lead to knowledge and wisdom for organizations.

Introduction

The disciplines of records and information management, information governance, data management, and data governance appreciate orderliness, organization, categorization, classification, clean lines, and clear distinctions. Professionals in these disciplines understand that these are not easy to achieve, but see the value that they bring. So it seems that these disciplines should have a clear grasp of the distinctions among each other. This may have been clearer historically, but as discussed in the last issue of Sagesse, ongoing digital transformations, increased electronic record keeping, and advances in data and technology are blurring the lines among these disciplines.

This article briefly explores this blurred line between data and information and quickly reaches the conclusion that a clear distinction is difficult to determine. Thus, rather than spend further time and energy on finding the line between the two, the article concludes with suggestions of how to focus on the similarities so that we, as a combined group of data and information professionals, can help our respective organizations achieve clarity to find the knowledge and wisdom to achieve organizational strategies and goals.

What is Data? What is Information?

The simple definitions of data and information should be just that: simple. They are words that should have meanings easily defined in a handy dictionary, or, in a handy web browser. A brief search can quickly bring up a short list of similar, but not clearly distinct definitions.

Merriam-Webster alone provides three definitions of data (1):

  1. factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation
  2. information in digital form that can be transmitted or processed
  3. information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

These definitions provide much food for thought and may stimulate more questions than answers regarding what, exactly, is data? For example, these definitions seem to imply that data is information. Data and information are linked inextricably to each other, so the reference is understandable, and yet, one would expect a clear way to distinguish the unique features of each. Merriam-Webster’s definitions for information do not seem to provide that clear distinction either (2):

  1. knowledge obtained from investigation, study, or instruction
  2. the attribute inherent in and communicated by one of two or more alternative sequences or arrangements of something (such as nucleotides in DNA or binary digits in a computer program) that produce specific effects
  3. a signal or character (as in a communication system or computer) representing data; something (such as a message, experimental data, or a picture) which justifies change in a construct (such as a plan or theory) that represents physical or mental experience or another construct
  4. a quantitative measure of the content of information; specifically: a numerical quantity that measures the uncertainty in the outcome of an experiment to be performed

Whether referring to Merriam-Webster or another reference, it does not take long to determine that there is not a common definition of the terms data and information for the lay person. What if we defer to the experts within ARMA (3) and DAMA (4)?

This is certainly an issue ARMA has considered, as they suggest that the “easiest way to understand the differences between these terms is visually”: (5)

Fig. A. ARMA’s visual representation of the distinction among information and data, as well as other terms.

ARMA’s definition of information and data seems to indicate that data is structured, and content is unstructured. However, DAMA professionals and other data experts likely take issue with the simple statement that “Data is structured.” (7) Data experts describe data, and not just information, on a continuum from structured to unstructured (8), and so ARMA’s definition is not yet the final answer.

The second edition of DAMA’s Data Management Book of Knowledge (DMBOK) does not draw distinctions between data and information, but rather suggests that both can be managed together. The thesis of this article agrees with the DMBOK’s view and suggests further that the distinct differences between data and information do not need to be understood in order to govern data and information. In other words, rather than trying to find agreement through clarifying and defining exactly what data and information are, the data and information communities can unify around the goals of data governance and information governance.

What is Data Governance? What is Information Governance?

While there may be an expectation that the definitions of the words data and information would be simple, there is likely no such expectation for the definitions of the concepts of data governance and information governance. 

A selected list of definitions of data governance, from both official organizations and less formal contributors, includes:

  1. The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets. (9)
  2. A system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods. (10)
  3. A framework for accountability for the management of data and related resources, including data ownership, quality, architecture, tooling, access, and security. (11)
  4. The overall administration of the availability, integrity, security, and usability of the data available to an organization. (12)
  5. A mix of processes that collectively seek for the integrity, security, and availability of data. (13)

Likewise, a selected list of definitions of information governance, from both official organizations and less formal contributors, includes:

  1. The overarching and coordinating strategy for all organizational information. It establishes the authorities, supports, processes, capabilities, structures, and infrastructure to enable information to be a useful asset and reduced liability to an organization, based on that organization’s specific business requirements and risk tolerance. (14)
  2. The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs. (15)
  3. A framework for accountability to ensure appropriate behaviour and regulatory compliance in the creation, storage, use, sharing, protection, archiving, and deletion of information. (16)
  4. The policies, procedures, and multi-disciplinary arrangements to manage an organization’s information for its immediate and future needs. These include regulatory, legal, risk, environmental, and operational requirements. Information Governance attempts to minimize the risks and costs of storing and using information, while maximizing its value. (17)
  5. A strategic process that mitigates any business risk, storage costs, and makes sure that all the needed compliances are being adhered to. (18)

A single reading of these definitions does not yield a clear distinction, and finding themes within these paragraphs is a lot to process. However, a simple data visualization technique can provide an analysis. Figures B, C, and D were created by focusing on the individual words in the sentences; removing meaningless words like "the", "over", and "of", as well as the words "data", "information", "governance", and "organization" (assuming that these are a necessary part of the definition of data or information governance for an organization); and adjusting suffixes so that similar concepts matched.

The word clouds in these figures create a different form of information: different sized words, instead of different ordered words in a sentence. In a single image, Fig. B represents the content of the five definitions of data governance. These words can give a sense of the concept of data governance, at a very high level. While the words would differ slightly based on different definitions, there are some themes worth considering: ensuring security and availability of an organization’s data, and that there is integrity and accountability in processes and decisions, guided by management.

Fig. B. Word cloud based on five definitions of data governance. This image is available at https://worditout.com/word-cloud/4947457.

The same process for the five definitions of information governance resulted in the image in Fig. C. The definitions of information governance mentioned risk most often, followed closely by costs and storage. Also key to the definition are processes, compliance, regulatory issues, value, strategy, and requirements.

Fig. C. Word cloud based on five definitions of information governance. This image is available at https://worditout.com/word-cloud/4947477.

Finally, all ten definitions were combined to a single list, resulting in Fig. D, which may be interpreted as representing the definition of combined data and information governance. While information governance’s emphasis on risk remains significant, processes appear as the top linking factor among the definitions. Costs and storage from information governance, as well as availability, security, management, and accountability from data governance remain prominent. Some words have become more prominent in the combined version that didn’t draw attention before, such as framework, authority, asset, and shared.

Fig. D. Word cloud based on five definitions of data governance and five definitions of information governance. This image is available at https://worditout.com/word-cloud/4947480.

While this is neither a perfect nor a thorough analysis, it still provides food for thought. Perhaps instead of trying to continue to clarify how data governance and information governance are different, collective efforts could move forward seeking similarities. Data governance proponents and information governance proponents could work together to ensure that data and information are secure, available, compliant, and managed as assets. Organizations like ARMA and DAMA can acknowledge and embrace the common themes and be willing to leverage the strengths of each organization and set of professionals. In other words, rather than trying to find agreement through clarifying and defining exactly what data governance and information governance are, the data and information communities can unify around the goals of data and information governance.

What is Data and Information Governance?

The above sections have shown that definitions are difficult for multiple groups to agree on, and the definition of data and information governance is no different. What follows is not a definitive description but rather one example of what an organization’s combined data and information governance committee structure might look like.

Based on materials in a Johns Hopkins University’s GovEx Academy course (19) and knowledge of a municipal government organizational structure, six roles were identified for a theoretical Data and Information Governance Committee.

  1. Executive or Policy Leader. This role is for foundational decision-makers who argue for, support, and/or amend information and data governance policies. There is flexibility in who exactly fills this role, but the key is to have at least one committee member at the uppermost levels of the organization who will support the information and data governance committee. It is crucial that a person filling this role is passionate about the development and ongoing sustainability of a data and information governance structure because he or she will set the tone for culture and change around this topic. The role can be filled by a data expert or an information expert.
  2. Information & Data Leaders. This role can be filled by multiple members so that the knowledge and understanding of data professionals and information professionals are represented. These leaders should have deep understanding of the respective data and information concerns and priorities across the organization. As well, these information and data leaders need to be strong managers and clear communicators with the ability to translate data and information concepts into action.
  3. Stewards & Owners. Stewards and owners can exist at many levels of the organization, including the executive level, the business level, or the technical level, and particular membership will depend on the data and information held by the organization. If there are numerous potential candidates, a rotating membership could be considered. Owners have authority over the data and information. Stewards manage data and information assets on behalf of others and in the best interests of the organization. 
  4. Information Technology (IT) Liaison. The IT department is integral to the information and data governance process. Thus, the liaison is a key role to bridge any gap between the needs of the information and data governance committee and IT through a very close working relationship, especially on issues such as information and data security. Key skills for this role include thorough understanding of data analysis, data cleaning, data mining, as well as the business and technical requirements for solutions such as enterprise content management systems. The person needs the ability to translate information and governance policies to IT implementation and vice versa.
  5. Communicator. Communicating with the larger organization or the public about information and data governance is crucial in an increasingly digital world. As we continue to think critically and ethically about use of data and information, communication on these topics is essential and this role is a key member of the governance committee. Any person filling this role needs to maintain a level of comfort speaking about current procedures, and be open to dialogue with clients, consumers, and residents.
  6. Legal & Privacy. An information and data governance program should actively build into its structure partnerships with the legal department and the privacy office. People in legal and privacy roles have access to regulations about data and information privacy and protection, and the legal team can also ensure that data and information acquired under contracts are managed in compliance with such contracts. 

These six roles are one example of a committee structure that considers both information governance and data governance concepts, representing overlaps between data and information needs. Each organization will need to build the combined structure that makes most sense for their situation. For example, the Canadian Institute for Health Information publicly shares their Data and Information Governance Committee Terms of Reference, including a list of members, where the purpose of the committee is:

“to drive the data and information governance agenda … and ensure that effective data and information governance mechanisms (policies, processes, systems and practices) are in place within the organization across the data-information life cycle.” (20)

And Finally, Why Does it Matter?

Exploring definitions and comparisons of data, information, data governance, and information governance provides no end of thought-provoking materials. While some argue that there is a difference between data governance and information governance, this article argues that what differences there may be should not prevent us from identifying similarities and seeking common ground.

Both data governance and information governance aim to guide processes, establish frameworks, determine authority, protect assets, and share data and information. This guidance may be envisioned at a high level like the funnel in Fig. E, which represents a version of the conceptual relationship between data, information, knowledge, and wisdom.

Fig. E. The DIKW chain/pyramid/hierarchy by Sketchplanations (21)

The answer to the question “Why does it matter?” may be represented by the gold nugget of wisdom shown in the figure. Determining the content of that gold nugget is the responsibility of organizational leaders. They have to sift and decide, based on purpose and goals, regulations, and strategy: what is important? What knowledge and wisdom are they seeking? All along the way, data and information governance, with all of the associated data and information management practices, are essential to facilitate the processes that distil the data and information down to those pieces that are important: those that lead to knowledge and wisdom.

So, if a level of uncertainty can be accepted regarding the line between data and information, and if common themes between data governance and information governance can be prioritized, then data and information professionals can help their organizations focus on this bigger picture.

Bibliography

“ARMA.” ARMA. Accessed September 30, 2021. https://www.arma.org/.

Bhatt, Vivek. “Data Governance or Information Governance?” Infotechtion. August 10, 2020. https://www.infotechtion.com/post/data-governance-or-information-governance.

“Body of Knowledge.” DAMA. Accessed September 30, 2021. https://www.dama.org/cpages/body-of-knowledge.

“Data and Information Governance Committee Terms of Reference.” Canadian Institute for Health Information. Accessed September 30, 2021. https://www.cihi.ca/en/data-and-information-governance-committee-terms-of-reference.

“Content or Data or Document or Information or Knowledge or Record?” ARMA. Accessed September 30, 2021. https://www.arma.org/page/Information.

Curtis, Brian. “Data Governance vs. Information Governance: Understanding the Two.” YourTechDiet. Accessed September 30, 2021. https://www.yourtechdiet.com/blogs/data-governance-vs-information-governance/.

“DAMA.” DAMA. Accessed September 30, 2021. https://www.dama.org/cpages/home.

“Data.” Merriam-Webster. Accessed September 30, 2021. https://www.merriam-webster.com/dictionary/data.

“Data Governance.” CIO Wiki. Accessed September 30, 2021. https://cio-wiki.org/wiki/Data_Governance.

“Definition of IG.” Information Governance Initiative. Accessed September 30, 2021. https://iginitiative.com/.

“Definitions of Data Governance.” The Data Governance Institute. Accessed September 30, 2021. https://datagovernance.com/the-data-governance-basics/definitions-of-data-governance/.

Foote, Keith D. “Data Governance and Information Governance: Contemporary Solutions.” Dataversity. September 13, 2016. https://www.dataversity.net/data-governance-information-governance-contemporary-solutions/.

“Information.” Merriam-Webster. Accessed September 30, 2021. https://www.merriam-webster.com/dictionary/information.

“Information Governance.” ARMA. Accessed September 30, 2021. https://www.arma.org/page/Information_Governance.

“Structured vs. Unstructured Data: A Complete Guide.” Talend. Accessed September 30, 2021. https://www.talend.com/resources/structured-vs-unstructured-data/.

About the Author

Jennifer Bodnarchuk is the Senior Data Scientist for the City of Winnipeg. She holds a PhD in Psychology and an MSc in Data Science. She has over 20 years’ experience using data to inform decisions and is a founding member and current president of an aspiring DAMA Chapter in Winnipeg.

Endnotes

1  “Data,” Merriam-Webster, accessed September 30, 2021, https://www.merriam-webster.com/dictionary/data.

2  “Information,” Merriam-Webster, accessed September 30, 2021, https://www.merriam-webster.com/dictionary/information.

3  “ARMA,” ARMA, accessed September 30, 2021, https://www.arma.org/.

4  “DAMA,” DAMA, accessed September 30, 2021, https://www.dama.org/cpages/home.

5  “Content or Data or Document or Information or Knowledge or Record?,” ARMA, accessed September 30, 2021, https://www.arma.org/page/Information.

6  “Content or Data or Document or Information or Knowledge or Record?,” ARMA, accessed September 30, 2021, https://www.arma.org/page/Information.

7  “Structured vs. Unstructured Data: A Complete Guide,” Talend, accessed September 30, 2021, https://www.talend.com/resources/structured-vs-unstructured-data/.

8  “Body of Knowledge,” DAMA, accessed September 30, 2021, https://www.dama.org/cpages/body-of-knowledge.

9  “Data Governance,” CIO Wiki, accessed September 30, 2021, https://cio-wiki.org/wiki/Data_Governance.

10  “Definitions of Data Governance,” The Data Governance Institute, accessed September 30, 2021, https://datagovernance.com/the-data-governance-basics/definitions-of-data-governance/.

11  Vivek Bhatt, “Data Governance or Information Governance?,” Infotechtion, August 10, 2020, https://www.infotechtion.com/post/data-governance-or-information-governance.

12  Keith D. Foote, “Data Governance and Information Governance: Contemporary Solutions,” Dataversity, September 13, 2016, https://www.dataversity.net/data-governance-information-governance-contemporary-solutions/.

13  Brian Curtis, “Data Governance vs. Information Governance: Understanding the Two,” YourTechDiet, accessed September 30, 2021, https://www.yourtechdiet.com/blogs/data-governance-vs-information-governance/.

14  “Information Governance,” ARMA, accessed September 30, 2021, https://www.arma.org/page/Information_Governance.

15  “Definition of IG,” Information Governance Initiative, accessed September 30, 2021, https://iginitiative.com/.

16  Vivek Bhatt, “Data Governance or Information Governance?,” Infotechtion, August 10, 2020, https://www.infotechtion.com/post/data-governance-or-information-governance.

17  Keith D. Foote, “Data Governance and Information Governance: Contemporary Solutions,” Dataversity, September 13, 2016, https://www.dataversity.net/data-governance-information-governance-contemporary-solutions/.

18  Brian Curtis, “Data Governance vs. Information Governance: Understanding the Two,” YourTechDiet, accessed September 30, 2021, https://www.yourtechdiet.com/blogs/data-governance-vs-information-governance/.

19 https://govexacademy.jhu.edu/courses/

20  “Data and Information Governance Committee Terms of Reference,” Canadian Institute for Health Information, accessed September 30, 2021, https://www.cihi.ca/en/data-and-information-governance-committee-terms-of-reference.

21 https://twitter.com/sketchplanator/status/1353363750989029378

Respecting First Nations Data Sovereignty in Records and Information Management

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by the First Nations Information Governance Centre

Abstract

The article begins by introducing the First Nations Information Governance Centre (FNIGC) and its work. It then defines the concepts of First Nations data sovereignty and First Nations data before briefly describing the First Nations principles of ownership, control, access, and possession (OCAP). It concludes with a discussion of the ways in which records and information management professionals can take part in First Nations data sovereignty and respect the OCAP principles in their work.

Introduction

Records and information management (RIM) is a key element of any organization’s information governance system. For the Canadian professionals who manage these records, implementing best practices ensures the vitality of information; but what about cases where the records and information belong to First Nations and not to the institutions that hold them? This paper first introduces the First Nations Information Governance Centre (FNIGC) and describes the inherent rights of First Nations to data sovereignty. It then addresses the implications of the First Nations principles of OCAP for the work of RIM managers. It concludes with a call to action for RIM professionals to respect the OCAP principles and adopt practices that uphold First Nations data sovereignty.

What Is the FNIGC?

The First Nations Information Governance Centre (FNIGC) is an incorporated non-profit organization whose mandate is to produce evidence-based research and information that will contribute to data sovereignty for First Nations in Canada. The FNIGC’s vision is that every First Nation will achieve data sovereignty in alignment with its distinct worldview. The FNIGC is a corporation mandated by the Assembly of First Nations (AFN) Chiefs-in-Assembly (AFN Resolution No. 48, December 2009), which asserts data sovereignty and supports the development of information governance and management at the community level through regional and national partnerships. It advocates free, prior, and informed consent, respects nation-to-nation relationships, and recognizes the distinct customs of First Nations. Its work includes research on and analysis of the technical elements of First Nations data sovereignty, such as information management and data governance.

First Nations Data Sovereignty

Defining First Nations Data and Information

What First Nations consider to be information belonging to them has historically differed from the view of the Canadian government and of RIM professionals, including academic institutions, archives, libraries, museums, and repositories. First Nations assert that their data and information are not merely statistical data or historical records. The statistics, drawn from surveys and other research, and the historical records contain the stories, traditional knowledge, and intellectual property of First Nations. They are valuable resources for First Nations.

First Nations data and information can be defined as anything that meets the following three criteria:

  • information about First Nations members, such as health, employment, and housing;
  • information from First Nations, such as languages, patterns, songs, dances;
  • information about First Nations reserve and traditional lands, waters, resources, and environment (FNIGC, 2020).

Defining First Nations Data Sovereignty

Data sovereignty is an element of self-determination and self-government (Kukutai, 2016). Access to information (1) about a nation’s citizens, lands, waters, economies, and natural resources is essential to good governance and sustainable development (United Nations, n.d.; Office of the Privacy Commissioner, 2016). Without this information, governments would not be able to implement effective policies and programs or evaluate their success.

As sovereign nations, First Nations have the right to govern and protect their people, lands, territories, and resources. Accordingly, First Nations have inherent, constitutional, and treaty rights with respect to their information. Data sovereignty requires that the right of First Nations to manage their data and information be respected:

[TRANSLATION] [T]he data governance rights of Indigenous nations apply regardless of where the data are held or who holds them. This includes the right to the generation of the data that Indigenous peoples need to support nation rebuilding and governance. […] IDS (Indigenous data sovereignty) also includes the right to determine how First Nations data are governed and managed (Raine et al., 2019).

First Nations exercise their data sovereignty by applying their own laws, policies, and processes (FNIGC, 2020). How they choose to do so is up to them. The traditional laws and protocols of First Nations, the modern application of those laws, and the need to develop new laws, codes, protocols, policies, and programs will shape individual First Nations data governance regimes. That said, First Nations have adopted a common approach to what constitutes data sovereignty. First Nations have adopted the OCAP principles to pave the way toward achieving First Nations data sovereignty.

“OCAP” stands for ownership, control, access, and possession. These principles are, individually and collectively, the pillars of First Nations data sovereignty. The First Nations principles of OCAP are not new. In fact, they represent themes and concepts that have been defended and promoted by First Nations people for years. Over the past twenty years, the OCAP principles have been applied successfully by First Nations in Canada to protect their data and information. Although there is good consensus about the OCAP principles, it is important to remember that they are not a set of standards. Each First Nation may have its own interpretation of the OCAP principles. The OCAP principles are not a doctrine or a prescription: they respect the right of First Nations to make their own decisions regarding their data and information (FNIGC, 2020).

Ownership

The principle of ownership addresses the property rights and human rights of First Nations with respect to their data and information. The principle of ownership applies to information collected, used, and stored by the First Nation, as well as to information collected, used, stored, or taken by non-Indigenous entities, such as government representatives, archaeologists, business people, or academic researchers. Ownership rights in data and information are also tied to the right of Indigenous peoples to self-determination and self-government. These rights are affirmed in the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP), adopted by the federal government and the Government of British Columbia. The declaration also recognizes the rights of First Nations to their intellectual property, traditional knowledge, and traditional cultural expressions, which apply to any type of information and wherever that information is located. Yet many Canadian institutions are unaware of these rights or do not understand how to respect them. Finally, the principle of ownership supports the application of the other principles.

Control

First Nations assert the right to manage their data and information under the principle of control. First Nations have not only adopted laws and protocols; they also hold the right to make decisions about information held by others. First Nations retain control of their information except where they give free, prior, and informed consent to the sharing, publication, destruction, or any other use of that information. Unilateral decision-making by any non-Indigenous institution about First Nations records and information in its custody is contrary to the principle of control.

Access

The principle of access is exercised in two different ways. First, First Nations have the right to access their information, wherever it is located. Second, First Nations assert the right to decide who has access to information that belongs to them. They develop access policies within their nation to govern access to information under their direct control. RIM professionals can respect this principle in the context of access to information that belongs to First Nations and is held by third parties. In such cases, they must work with First Nations to develop governance protocols. Again, unilateral decision-making by third parties to allow the use, sale, sharing, or publication of information belonging to First Nations without their consent is contrary to this principle.

Possession

First Nations assert the right to possess their data and information. The principle of possession was therefore added to ensure that they can exercise their rights of ownership, control, and access. It includes the possession of tangible property, such as masks, books, recordings, etc. It also includes the possession of intangible property, such as data stored on computer servers. First Nations possess such property when it is stored on a server that belongs to them. Others may hold information belonging to First Nations, but only in a data steward role, with the consent of the First Nations.

Principes de PCAP et GDI

Comme nous l’avons mentionné précédemment, une grande partie de l’information des Premières Nations est conservée par des institutions canadiennes plutôt que par les Premières Nations elles-mêmes. D’ailleurs, il se peut qu’elles ignorent l’existence de documents et d’information leur appartenant qui sont détenus par diverses institutions. Dans de nombreux cas, elles n’ont pas consenti librement à la création, à la reproduction ou à l’utilisation de ces documents ou de cette information. Cela pourrait avoir de graves répercussions sur les entreprises qui détiennent et gèrent l’information qui appartient aux Premières Nations. 

Les Premières Nations font valoir leur droit à la souveraineté des données et à l’application des principes de PCAP. Les professionnels de la GDI doivent respecter les principes de PCAP et s’employer activement à faire respecter les droits des Premières Nations. Des suggestions sont présentées dans ce document afin d’aider les professionnels de la GDI à comprendre les répercussions que ces droits ont sur leur travail.

Respecting Ownership

RIM professionals have many opportunities to respect First Nations ownership of information in their work. First, they determine which of the records and information they manage could rightfully be considered the property of one or more First Nations, according to the definition given by First Nations in the First Nations Data Sovereignty section of this paper. Determining which information belongs to First Nations and notifying them of its location is a necessary step for any RIM professional or RIM institution committed to respecting First Nations data sovereignty.

RIM professionals can also respect First Nations data sovereignty by advocating for organizational procedures and technology that make First Nations records and information easy to identify. This may include adopting metadata to categorize information by territory and by First Nation. First Nations data sovereignty can also be supported by adopting policies and practices that promote knowledge sharing and relationship building with First Nations.

First Nations are the rightful owners of their records and information. Consequently, institutions that hold First Nations information and RIM professionals who manage it without their consent must work to return this information to those to whom it belongs. Complete repatriation of records and information to their rightful owners is not only a further step toward true reconciliation, but also toward respecting First Nations' inherent, Constitutional, and Treaty rights to data sovereignty. Furthermore, RIM professionals and RIM institutions must obtain the consent of First Nations to continue holding their records.

Respecting Control

The assertion of de jure control over First Nations data and information extends to situations where they are held by a third party, such as an archive, library, or repository. To adequately respect First Nations rights and the assertion of the principle of control, these institutions must implement policies or agreements that support the governance of First Nations records and information. This may include creating new decision-making processes in which First Nations rights holders take part, or agreements with First Nations to manage the records in accordance with their direction.

Respecting Access

RIM professionals can respect the principle of access by facilitating First Nations access to their data and by limiting third-party access where First Nations have not given their free, prior, and informed consent. This principle must be respected whenever a First Nation actively asserts its right of access to information that belongs to it. Preventive measures can also be taken, such as adopting policies, practices, and technologies that allow First Nations to retain access to their information. Creating a portal that allows First Nations rights holders to access their information is a good example of a preventive measure. Access to the portal could be through a secure online connection. Where information is not or cannot be digitized, First Nations and the institution must negotiate the joint development of policies and procedures describing access protocols.

First Nations also retain the right to restrict access to their data and information. This may involve granting partial access to the data holder and to third parties, as well as revoking previous access authorizations at any time. RIM professionals must obtain the consent of First Nations to determine who from the First Nations, the RIM institution and, potentially, external parties may access this information and for what purposes. These requirements can be formalized in access policies, procedures, and agreements between First Nations and institutions.

Respecting Possession

First Nations assert the right to possess their information, which includes the possession of objects and paper records as well as the possession of information in digitized form. Institutions and individuals who want to respect First Nations rights to data sovereignty are encouraged to defend these rights and to implement policies that take the principle of possession into account. Ideally, the right of First Nations to remove their information from any institution holding it should be respected by putting in place procedures to be followed at the request of First Nations.

In some cases, First Nations choose to assert their right by asking an institution to continue holding their information. The institution then acts as a data steward with a duty to act on behalf of the First Nations. It is responsible only for the organization, storage, and maintenance of the information. Access, publication, and any other use of the information are the responsibility of the First Nations. In such situations, legal contracts can formalize the roles and responsibilities of each party, as well as the access and approval processes.

A Call to Action

First Nations are on the path to self-determination and self-government as they rebuild after the colonial era. Locating First Nations records and information that have been integrated into colonial information systems is an essential component of First Nations governance and cultural reclamation. Records and information management professionals can help remove institutional barriers to First Nations data sovereignty.

Practices and steps that RIM professionals and RIM institutions can take to respect First Nations data sovereignty and the OCAP principles include:

  • locating First Nations records and information in their systems;
  • adopting organizational practices and technologies that make it easy to identify and catalogue First Nations records and information;
  • building relationships with First Nations whose information is held in non-Indigenous institutions;
  • recognizing First Nations authority by jointly developing governance policies and protocols;
  • advocating for funding for the development of First Nations-led RIM practices and standards;
  • respecting First Nations ownership and the right of First Nations to repatriate their records and information;
  • developing, jointly with First Nations, policies and procedures that respect the OCAP principles.

Much of First Nations records and information has been removed from Indigenous communities and is held by non-Indigenous governments and institutions. These records and this information are not only essential to good governance and self-determination, but also carry the stories and traditional knowledge of First Nations. As custodians, and not owners, of First Nations information, RIM institutions and RIM professionals have a duty to protect the interests of First Nations and to honour their rights to these records and this information. This paper describes several steps to take to properly respect First Nations data sovereignty and the OCAP principles, including abolishing practices that were developed without the knowledge, consent, or oversight of First Nations. We ask you to reflect on what you, as a RIM professional, will do to help.

Bibliography

FNIGC. (2020). The First Nations Principles of OCAP®. Retrieved from: https://fnigc.ca/ocap

Kukutai, Tahu and John Taylor (Eds.). 2016. Indigenous Data Sovereignty Toward an Agenda, ANU Press. Retrieved from: https://press-files.anu.edu.au/downloads/press/n2140/pdf/book.pdf

Rainie, S., T. Kukutai, M. Walter, O. Figueroa-Rodriguez, J. Walker and P. Axelsson. (2019). "Issues in Open Data – Indigenous Data Sovereignty" in T. Davies, S. Walker, M. Rubinstein and F. Perini (Eds.), The State of Open Data: Histories and Horizons. Cape Town and Ottawa: African Minds and International Development Research Centre.

UN General Assembly. (2007). United Nations Declaration on the Rights of Indigenous Peoples. A/RES/61/295. Retrieved from: https://www.un.org/development/desa/indigenouspeoples/wp-content/uploads/sites/19/2018/11/UNDRIP_F_web.pdf [accessed September 23, 2021]

United Nations. (n.d.). Big Data for Sustainable Development. Available at https://www.un.org/fr/sections/issues-depth/big-data-sustainable-development/index.html

Endnotes

1 We use the term "information" in this article to refer to First Nations data and information, including, but not limited to, artifacts, files, historical documents, objects, and statistical data.

Respecting First Nations Data Sovereignty in Records and Information Management

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by The First Nations Information Governance Centre

 


 

Abstract

The article begins with an introduction to the First Nations Information Governance Centre (FNIGC) and their work.  It then defines the concepts of First Nations Data Sovereignty and First Nations data before briefly outlining the First Nations Principles of OCAP®. The paper ends with a discussion of various ways Records and Information Management professionals are implicated in First Nations Data Sovereignty and how they may respect the principles of OCAP® in their work.  

Introduction

Records and information management (RIM) is a key component of any organization’s information governance system. For Canadian professionals managing these records, implementing best practices ensures the vitality of the information; but what about instances where these records and information belong to First Nations and not the institutions where they are currently housed? This paper will begin with an introduction of the First Nations Information Governance Centre (FNIGC) as well as outline First Nations’ inherent rights to data sovereignty. It will then discuss the implications of the First Nations Principles of OCAP® in the work of records and information managers (RIM professionals). It will end with a call to action for RIM professionals to respect the principles of OCAP® and adopt practices that uphold First Nations data sovereignty.

Who is FNIGC?

The First Nations Information Governance Centre (FNIGC) is an incorporated, non-profit organization committed to producing evidence-based research and information that will contribute to First Nations in Canada achieving data sovereignty. FNIGC envisions that every First Nation will achieve data sovereignty in alignment with its distinct worldview.  Mandated by the Assembly of First Nations’ Chiefs-in-Assembly (AFN Resolution #48, December 2009), we assert data sovereignty and support the development of information governance and management at the community level through regional and national partnerships. We adhere to free, prior, and informed consent, respect Nation-to-Nation relationships, and recognize the distinct customs of First Nations. Our work includes research and analysis of the technical elements of First Nations data sovereignty, like information management and data governance. 

First Nations Data Sovereignty 

Defining First Nations Data & Information

What First Nations consider to be their information has historically differed from the perspectives of the Canadian government and RIM professionals, including academic institutions, archives, libraries, museums, and repositories. First Nations assert that their data and information is more than just statistical numbers or historical records. Statistics, derived from surveys and other research, and historical records contain our stories, traditional knowledge, and intellectual property. They are precious resources to First Nations. 

First Nations data and information can be defined as anything relating to the following three criteria: 

  • Information about First Nations people, like health, jobs, and housing,  
  • Information from First Nations, like languages, patterns, songs, dances, and 
  • Information on First Nations reserve and traditional lands, waters, resources, and the environment (FNIGC, 2020). 

Defining First Nations Data Sovereignty 

Data sovereignty is an element of self-determination and self-government (Kukutai, 2016). Access to information (1) about a Nation’s citizens, lands, waters, economies, and natural resources is critical to good governance and sustainable development (United Nations, n.d.; Office of the Privacy Commissioner, 2016). Without this information, governments are unable to implement effective policies and programs, or measure their success.

First Nations, as sovereign nations, have rights to govern and protect their people, lands, territories, and resources. As such, First Nations have inherent, Constitutional, and Treaty rights over their information.  Data sovereignty requires that the First Nations right to govern their data and information is upheld:

[T]he data governance rights of Indigenous nations apply regardless of where the data is held or by whom. This includes the right to the generation of the data that Indigenous peoples require to support nation rebuilding and governance… IDS (Indigenous data sovereignty) also comprises the entitlement to determine how Indigenous data is governed and stewarded (Rainie et al., 2019).

First Nations exercise data sovereignty through the application of their own laws, policies, and processes (FNIGC, 2020). How First Nations choose to exercise their data sovereignty is up to them. First Nations traditional laws and protocols, the modern application of these laws, and the need to develop new laws, codes, protocols, policies, and programs will influence First Nations individual data governance regimes. That said, First Nations have adopted a common approach to what constitutes data sovereignty. The First Nations Principles of OCAP® were adopted by First Nations to forge the path toward the realization of First Nations data sovereignty. 

The acronym OCAP® stands for the principles of Ownership, Control, Access, and Possession. These principles are individually and collectively the pillars of First Nations data sovereignty. The First Nations Principles of OCAP® are not new. In fact, they represent themes and concepts that have been advocated for and promoted by First Nations people for years. Over the past two decades the First Nations Principles of OCAP® have been successfully asserted by First Nations across Canada to protect their data and information. While there is a good degree of consensus surrounding OCAP®, it is important to remember that the principles are not a set of standards.  Each First Nation may have a unique interpretation of the OCAP® principles. OCAP® is not a doctrine or a prescription: it respects the right of First Nations to make their own choices about their data and information (FNIGC, 2020). 

Ownership 

The principle of ownership speaks to proprietary and human rights of First Nations in their data and information.  The ownership principle applies to information that is collected, utilized, and stored by the First Nation as well as information that is collected, utilized, stored, or taken by non-First Nations entities, such as government officials, archeologists, business professionals, or academic researchers. Rights to ownership in data and information are also connected to the human rights of Indigenous peoples to exercise self-determination and self-government. These rights are confirmed in the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP) which has been adopted federally and provincially in BC.  This Declaration also recognizes First Nations rights to their intellectual property, traditional knowledge, and traditional cultural expressions. These rights apply regardless of the form of the information or where it is held. Many Canadian institutions are unaware of these rights or lack understanding of how to respect them. The assertion of ownership supports the application of the remaining principles.

Control 

First Nations assert rights to govern their data and information, expressed in the principle of control.  First Nations not only have information governance laws and protocols to govern information that must be respected, but also hold rights to make decisions about their information held by others. First Nations retain control of their information unless they have offered their free, prior, and informed consent to share, or allow others to use, publish, destroy, etc., their records and information.  Unilateral decision-making by any non-First Nation institution about First Nations records and information in their custody is contrary to the principle of control. 

Access 

The principle of access is asserted in two different ways.  The first is that First Nations hold a right to access their information regardless of where it is held.  The second is that First Nations assert the right to determine who has access to their information.  First Nations are developing access policies within their Nation to govern access to information under their direct control. RIM professionals can respect this principle as it applies to accessing First Nations information held by third parties. This would involve working with First Nations to develop governance protocols. Again, unilateral decision-making by others that allows the use, sale, sharing, or publication of First Nations information without First Nations consent is contrary to this principle. 

Possession 

First Nations assert the right to possession of their data and information. The principle of possession was added to ensure First Nations assertion of ownership, control, and access can be realized.  This includes the physical possession of tangible items like masks, books, recordings, etc. It also includes possession of intangible items like data stored on computer servers which can be achieved where First Nations themselves are in the physical possession of the server.  Others may hold First Nations information, but only in a position of data steward and with the consent of the First Nation.  

OCAP® and RIM

As discussed above, much of First Nations information exists within Canadian institutions rather than the Nations themselves. First Nations may not even be aware of records and information held by the various institutions. In many cases, First Nations did not freely consent to the creation, duplication, or use of those records or information. This may have serious implications for the organizations that hold and manage information that rightfully belongs to First Nations.

First Nations assert their right to data sovereignty and the principles of OCAP®.  RIM professionals must respect a First Nation’s assertion of OCAP®, and actively work to uphold their rights. Suggestions are offered here to assist RIM professionals in understanding the implications of these rights on their work.

Respecting Ownership  

RIM professionals have many opportunities to respect First Nations ownership of their information in their work. It begins with identifying any records or information they manage that might rightfully be defined as owned by a First Nation or First Nations collectively, as defined by First Nations in the First Nations Data Sovereignty section of this paper. Identifying First Nations information and informing the respective Nation of its location is a necessary step for any RIM professional or institution committed to respecting First Nations data sovereignty. 

RIM professionals can also respect First Nations data sovereignty by advocating for organizational procedures and technology that allow First Nations records and information to be easily identified. This may include the adoption of metadata that categorize information by the territory it relates to or the Nation from which it was extracted. It could also include the adoption of policies and practices that support knowledge sharing with First Nations whose information is implicated and encourage building relationships with said Nations.

First Nations are the rightful owners of their records and information. As such, institutions holding and RIM professionals managing First Nations information without their consent must work to return said information to their respective Nation.  Complete repatriation of records and information to the rightful owners of said information is not only a positive step towards true reconciliation, but also abides by First Nations inherent, Constitutional, and Treaty rights to data sovereignty. Alternatively, First Nations consent to continue holding their materials is required. 

Respecting Control 

The assertion of de jure control of First Nations data and information extends to situations where it is being held by a third party, like an archive, library, or repository. To appropriately respect First Nations rights and assertion of the principle of control, these institutions must implement policies or agreements that support First Nations governance of their records and information. This might include the creation of new decision-making processes that include First Nations rights holders or agreements to steward the materials as dictated by the First Nations.  

Respecting Access 

RIM professionals can respect the principle of access by facilitating First Nations access to their data and limiting access by others where the First Nations have not otherwise expressed their free, prior, and informed consent.  This must be respected whenever a First Nation actively asserts their rights to access their information, but can also be preemptively respected by adopting policies, practices, and technologies that allow for First Nations to maintain access to their information.  An example of this might be creating a portal for First Nations rightsholders to access their information.  This could be done through a secure online connection.  In cases where the information is not or cannot be digitized, co-developed policies and procedures outlining access protocols should be negotiated between First Nations and the institution. 

First Nations also maintain the right to restrict access to their data and information. This may include only authorizing partial access to the data holder and third parties as well as rescinding previous authorizations for access at any time. RIM professionals must seek consent from the First Nation to determine who from the Nation, the RIM institution, and, potentially, external parties can access said information and for what purposes. These requirements can be formalized in policies, procedures, and access agreements between a First Nation and the institution holding their information. 

Respecting Possession

First Nations assert a right to possess their information, which includes the physical possession of tangible artefacts and records, as well as the jurisdictional possession of intangible information like digitized records. Institutions and individuals wanting to respect First Nations rights to data sovereignty are encouraged to advocate for and implement policies that honor any First Nations assertion of possession. Ideally, First Nations’ rights to remove their information from the institution holding it should be respected by implementing procedures that a First Nation could trigger at any time.

There may be situations where a First Nation is interested in asserting their right of possession by having the institution continue to hold their information.  In this situation, the institution would be acting as a data steward and would owe a duty to the First Nation to act under their direction. The institution would only be responsible for the organization, storage, and maintenance of the information.  Any use, access, analysis, publication, etc., of the information would be under the direction of the First Nation.  Legal contracts can formalize the roles and responsibility of each party in such situations as well as inform the processes for access and approvals.  

A Call to Action 

First Nations are each on a path towards self-determination and self-governance as we rebuild our nations following the colonial era. Locating First Nations records and information that have been integrated into colonial information systems is a vital component to First Nations governance and cultural reclamation. Records and information management professionals can help remove institutional barriers that stifle First Nations data sovereignty. 

Practices and steps that RIM professionals and institutions can take to respect First Nations data sovereignty and the principles of OCAP® include: 

  • Identifying First Nations records and information within their systems 
  • Adopting organization practices and technology that easily identify and catalogue First Nations records and information 
  • Building relationships with local First Nations whose information is being held in non-First Nations institutions
  • Recognizing First Nations authority by co-developing governance policies and protocols 
  • Advocating for funding of the development of First Nations-led RIM practices and standards
  • Respecting First Nations ownership and rights to repatriate their records and information 
  • Co-creating policies and procedures with First Nations that respect the principles of OCAP®

So much of First Nations records and information has been removed from First Nations communities and is held by non-First Nations governments and institutions. These records and information are not only vital to good governance and self-determination but also carry our stories, traditional knowledge, and history. As custodians, and not owners, of First Nations information, RIM institutions and professionals owe First Nations a duty to protect our interests and honor our rights in these records and information. This paper has outlined several steps that need to be taken to properly respect First Nations data sovereignty and the principles of OCAP®, including dismantling practices that have been developed without First Nations knowledge, consent, or oversight. We ask you to reflect on what you as a RIM professional will do to help.

Bibliography 

FNIGC. (2020). The First Nations Principles of OCAP® Retrieved from: https://fnigc.ca/ocap 

Kukutai, Tahu & Taylor, John (Eds.). (2016). Indigenous Data Sovereignty Toward an Agenda, ANU Press. Retrieved from: https://press-files.anu.edu.au/downloads/press/n2140/pdf/book.pdf 

Rainie, S., Kukutai, T., Walter, M., Figueroa-Rodriguez, O., Walker, J., & Axelsson, P. (2019). Issues in Open Data – Indigenous Data Sovereignty. In T. Davies, S. Walker, M. Rubinstein, & F. Perini (Eds.), The State of Open Data: Histories and Horizons. Cape Town and Ottawa: African Minds and International Development Research Centre.

UN General Assembly. (2007). The United Nations Declaration on the Rights of Indigenous Peoples. A/RES/61/295. Retrieved from: https://www.un.org/development/desa/indigenouspeoples/wp-content/uploads/sites/19/2018/11/UNDRIP_E_web.pdf [Accessed September 23, 2021]

United Nations. (n.d.). Big Data for Sustainable Development. Retrieved from: https://www.un.org/en/sections/issues-depth/big-data-sustainable-development/index.html

Endnotes

1 We use the term Information here to refer to any First Nations data and information including, but not limited to, artifacts, records, historical documents, physical items, and statistical data.  

Enhance Communications to Improve Privacy Practices

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Anne-Marie Hayden, Communications & Privacy Consultant, Hayden Public Relations & nNovation LLP

 


 

Abstract

Good communications are vital to organizations proactively meeting their privacy obligations. Certain techniques can also help manage privacy challenges when they inevitably arise. In this article, discover concrete techniques to better comply with consent and openness requirements and improve online privacy policies and notices. You’ll also acquire practical crisis communications tips to plan for – and react to – a privacy breach. 

Introduction

Guidance on consent, a hallmark principle in many privacy laws, often emphasizes that privacy notices and policies need to be offered in plain, easy-to-understand language for consent to be truly meaningful. The thing is, the regulators’ guidance doesn’t often tell you exactly how to do that. I’ve spent 25 years in communications and 18 of those in privacy. Now, I enjoy being a privacy and communications consultant and, in this role, I help organizations improve their privacy communications to enhance their compliance. This article flows from a presentation I made at the ARMA Canada Information Conference earlier this year (2021). Below, I share ideas on what I see as the links between privacy and communications. I also offer some concrete communications tips that can help, both in terms of avoiding some privacy challenges and in addressing privacy problems, like breaches, when they arise. 

The Connection Between Communications and Privacy

Organizations are required to designate someone responsible for managing privacy. Some ARMA members are directly responsible for information privacy, access and, of course, records and information management. Even if you do not wear the chief privacy officer – or CPO – hat, good records management practices are fundamental to meeting privacy obligations and reducing privacy risks. Consider the important roles you play, along with others, in limiting access and in having safeguards, disposition schedules and methods for proper information disposal.

In addition to records and information management, communications is another important skill and function that can enhance your privacy practices. Whether in the public or private sector, when managing privacy, the 10 privacy principles, tucked into schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), often come into play, either to comply with the legislation or to do a comprehensive privacy impact assessment (PIA). If you examine each of the principles closely, many of them (such as Accountability, Identifying Purposes, Challenging Compliance) have an interplay with communications. Here, I want to focus on the two most concretely related privacy principles: Consent and Openness. 

Consent and Openness

There are, of course, differences between the public and private sectors insofar as how or when consent is involved. At the core, however, both of these principles are about ensuring that individuals are aware of, understand and have access to how their personal information is collected and used so that they can actively decide whether to hand it over.

Privacy notices and policies play a role in obtaining meaningful consent. Privacy notices, like the one shown in Figure 1, highlight what personal information is collected, with whom it’s being shared and for what purpose.

Figure 1 (Vayle, 2021)

Privacy notices need to be offered just-in-time, within the right context, and sensitive personal information requires express, opt-in consent. Privacy policies, meanwhile, are used to educate and train employees on an organization’s privacy management practices. By making privacy policies public on a website, they support efforts to obtain consent and they demonstrate transparency, openness and accountability. Privacy policies tend to contain more detailed information about privacy practices including safeguards for protecting information, as well as contact information and procedures for accessing or correcting personal information, asking questions, or even making a complaint.

The Problem With Privacy Policies

This isn’t breaking news, but there are a few challenges when it comes to privacy policies. For one thing, many businesses say they don’t have a privacy policy. Policies that do exist are not offered in context and they’re often somewhat hidden. Another issue is that most people don’t read these policies anyway, often because of how long and complex they typically are.

 Typical privacy policies are often filled with legalese. They continue to take, on average, ten minutes each to read and some say it would take three months each year to read all of the privacy policies connected to the services you use. This is a barrier to obtaining meaningful consent.

It’s no wonder then that very few Canadians say they understand what organizations are doing with their personal information. And they’re not alone. Employees also don’t understand the privacy policies, so they are less capable of respecting them, not to mention answering questions about issues or practices. 

It’s not the easiest thing to do perfectly. There are real tensions between transparency and simplicity, and the challenge is finding just the right balance between the two.

Top Ten Tips For Better Privacy Communications

Here, since many records and information management professionals play a role in protecting privacy, I share a few tips to help improve privacy communications, particularly in online privacy notices and policies.

  1. APPLY BEST PRACTICES IN WRITING FOR WEB

Communicating online requires us to adapt the way we write things, so let’s start by recognizing we are almost always writing for online. Given this, we need to consider how people obtain and digest that online content.

  2. KEEP IT SHORT

Make sure your sentences are short and concise, with one key idea each. Keep trimming, re-reading and finding efficiencies in your text.

  3. USE ACTION WORDS

Avoid the passive voice – action words resonate a lot better with audiences. An easy way to remember the difference: the active voice tells what a person or thing does. The passive voice tells what is done to someone or something. For example, “The privacy officer will describe the process” as opposed to “The process will be described to you by the privacy officer.”

  4. MAKE IT CLEAR

Most of us are guilty of using jargon, acronyms and abbreviations all too often in our day-to-day work with colleagues, but it’s really important to eliminate them, especially when communicating with the public, to ensure our content is understood. We often end up writing for ourselves, forgetting that we’re not the audience!

  5. USE SUB-HEADINGS

Use sub-headings to make your text scannable to the eye. Think of media headlines you may scan if you don’t have time to read the whole thing. We read this way all day long, online, often without realizing it.

  6. MAKE LISTS

Well-organized lists are also helpful for getting information across – on or offline. Use bullets and numbered lists instead of complete paragraphs.

  7. FOCUS ON TOP TASKS

Lead with what web experts call the “top tasks.” These are the main reason people go to a particular web page. Think about why people go to that page or site, what they likely want to accomplish, and give it to them right off the top. In media they say “don’t bury the lead,” so, similarly, don’t put the key information at the end of the text you’re writing for the web.

  8. LAYER INFORMATION

Using layers to point to more in-depth information can be helpful when you need to go into more detail on something, as shown in Figure 1 above. Think of how you could point to the more comprehensive privacy policy from the notice, for example.

  9. HAVE TEXT REVIEWED

Ask someone who is less familiar with your subject matter to review your text and encourage them to give you honest feedback. You can even show it to your kid or your mom.

  10. RUN CONTENT THROUGH READABILITY TESTS

Make sure a range of people can understand your content. Many writers don’t realize that most word processing software has built-in readability and accessibility tests. Recognize these tools have their limitations, but it’s still useful to run your content through them, as you work to simplify and streamline your text. You may be surprised by the results and it may encourage you to further refine what you’ve written.

Crisis Communications For Breaches

It’s often not a question of if but rather when a breach will occur. 

These tips can help avoid certain privacy problems, but they are not a silver bullet. They can’t help if, for example, you’re collecting or using personal information when you shouldn’t be. And they’re not going to prevent a privacy breach.

Alexander Graham Bell wisely said that “Before anything else, preparation is the key to success.” It’s a good idea – and an example of how to help address the Accountability and Safeguards principles – to be prepared with a breach readiness plan, before one occurs. A breach readiness plan is usually prepared by the Chief Privacy Officer, but often involves many parties across an organization, including records and information management. 

It’s also a good idea to involve the communications folks to ensure a crisis communications section is included in this plan. It’s not necessarily fun to think of the things that can possibly go wrong, but for the purposes of that plan you will want to envisage and test various scenarios. 

Identify and media train your potential spokespersons, so they’re ready, willing and most of all, able. And prepare some foundational key messages, as well as questions and answers, in advance, that you can refine further once something hits. The key is not to waste time, when a breach occurs, doing certain things you could have been ready with. 

When a breach occurs, you need to quickly review and implement your organization’s breach plan. I encourage you to involve your communications colleagues in this process at all key stages. I’ve seen them too often be brought in at the last minute, too close to when it’s time to go live with an announcement. That’s not a way to ensure the organization is putting its best foot forward publicly.

You do need to get the facts related to the incident and find out about the impact and the legal issues. When it comes to notifying regulators or the public, you’ll need to assess the requirements to do so, the scope and the impact of the incident and what information is available. From a communications point of view, you need to ensure you have very clear, concise and consistent messaging. You want to exhibit that you’re responsive, transparent and empathetic. I also urge you not to forget internal audiences, because consistency in messaging is key. This is a frequent issue for organizations.

Any organization that has experienced a breach knows that breaches are a little different from other types of crises, so it’s important to recognize this. They can often be like peeling an onion, as the situation evolves. Given this, you should assume there will be a series of communications and be ready to adapt as the situation evolves.

When You’re The Spokesperson

At times, there can be a role for information management (IM) and privacy experts to play in public communications and media strategies. Greater access to subject-matter experts can often enhance trust and increase that sense of an organization’s accountability.

When should the privacy person be the spokesperson? It may depend on your organization’s size, its internal policies and whether it is open to a decentralized approach. It may also depend on whether your privacy management program is at a certain level of maturity and generally in good shape. If, however, your organization’s breach response plan identifies you as a possible spokesperson, you’ll want to develop your media skills before a problem arises.

This means working with communications colleagues on key messages, as well as learning and practicing strategies to handle tough questions and to apply bridging techniques, which are ways you can move away from more difficult or controversial questions to ones you are more comfortable responding to. Remember, when speaking to the media, never speculate or repeat negatives, unless you want to see those words quoted in a news story.

It’s a good idea to always over-prepare. Keep in mind that honing these skills can help, even if you are not playing a front-facing role with the media, but you just want to be more confident and comfortable – when, for example, you’re dealing with media for other reasons, such as managing access to information requests.

Communicating To Build Trust

Privacy can sometimes be seen as standing in the way of communications activities. I believe we need to work on evolving this narrative and put privacy forward as a value proposition instead. Doing privacy well can directly improve credibility and trust. What’s exciting to see is that organizations are starting to get this, and some are reaping the rewards, as individuals say they prefer to work and do business with organizations that protect their privacy. 

Privacy officers have made great strides over the years in making connections with Legal, Information Technology, Security, IM – and these professions have become part of the broader privacy community. It’s less common to see communications practitioners in the space; more headway could be made to tighten links between communicators and privacy officers. I would encourage you to start collaborating by learning and applying some communications best practices such as those highlighted earlier in this article.

Hopefully this article gives you some helpful ideas on why this is important, how good communications are vital to privacy compliance, what you can do in practical terms, and how communications can help manage privacy challenges when they do arise.

 It’s not a perfect science. Meanwhile, the channels we communicate through are changing all the time – and as my teenagers remind me every day, there are so many channels. Anyone who sends an email, drafts or explains a policy, makes a presentation, deals with clients or participates on social media has become a communicator of sorts, even if we’d prefer not to be. Luckily, these are very transferable skills. 

This is also an opportunity for records and information management professionals to increase their communications expertise and, in tandem, bolster their organizations’ privacy compliance. The best efforts at applying some best practices, even if imperfect, show real effort toward transparency, openness and accountability. And that’s what garners trust and is a big win, from a privacy perspective.

About The Author

Anne-Marie led communications for the federal privacy regulator for close to two decades. She combines her passion for privacy, knowledge of data protection and 28 years of communications expertise. She helps clients comply through, for example, privacy impact assessments and clear privacy policies, and offers guidance on security breaches.

References

1 ARMA Canada Information Conference 2021, Integrating Communications for Improved Privacy Practices Tuesday, June 1, 2021, https://armacanada.org/home/information-conference/2021-on-demand/#

2  For more information on the Privacy Act go to https://laws-lois.justice.gc.ca/ENG/ACTS/P-21/index.html and for more information on PIPEDA go to https://laws-lois.justice.gc.ca/ENG/ACTS/P-8.6/index.html

3 https://www.vayle.io/

4 According to this survey, 65% of companies have a privacy policy, https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2020/por_2019-20_bus/

5  Just 9% of adults say they always read a company’s privacy policy before agreeing to the terms and conditions, while an additional 13% say they do this often. And additionally, 38% of Americans say they sometimes read these policies. There is also a segment of the population who forgo reading these policies altogether: More than a third of adults (36%) say they never read a privacy policy before agreeing to it, https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/

6 https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work

7  For example, only 3/10 Canadians say they have an understanding of what the federal government is doing with their personal information, https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2019/por_2019_ca/

8 Interview with Bell published in How They Succeeded (1901) by Orison Swett Marden

9 https://www.forbes.com/sites/shamahyder/2021/06/22/how-to-use-data-while-maintaining-consumer-trust-what-the-latest-research-reveals/?sh=3d6ca7b42ddd

Say Goodbye to May Long Weekend

SAGESSE VOLUME VII WINTER 2022 – AN ARMA CANADA PUBLICATION

by Mark Grysiuk, C|CISO, CRM, CIP

 


 

SAY GOODBYE TO MAY LONG WEEKEND is a fictional case study about a Canadian organization attacked by hackers right before May long weekend. All their core systems go down. The Records Manager plays a critical role in guiding management decisions and providing insights into incident response planning. What happens next after the first two hours? Readers can draw their own conclusions.


What bad timing. It is 3:30 on a Friday before the May long weekend when your phone rings. Just let it go to voicemail. Thinking about this weekend’s wine tour in Niagara region, four o’clock pm cannot come fast enough, you mutter quietly. The COVID-19 pandemic officially ended last month. This is your first vacation in two years. 

It rings again, and then again. You fight the urge to pick up the phone.

Against the advice of your intuition, you check your voice messages.

It is your IT manager, Jamie. She thinks there has been a breach. All systems are down. You have been asked to attend a meeting in one hour to provide an update and discuss next steps. You have been asked because senior management believes you are the most qualified to advise and protect the integrity of your organization’s efforts to document and contain the breach. 

Wow, as your mind drifts away, absorbing what had just happened, that presentation you gave to the Board six months ago about ARMA International’s Generally Accepted Record-keeping Principles must have resonated with management, specifically The Principle of Availability and Integrity.

Drifting off in thought. Wondering what you will say to your close friends who have been looking forward to this short weekend getaway.

You can hear it now,

“Rob, what do you mean you are cancelling on us? You have been with this company for three years and haven’t taken a break.” 

And you respond with,

“I don’t want to lose my job.”

Cutting you off in mid-sentence, your friend Joey responds with,

“You won’t lose your job. You are like, one of the best at what you do, and are always getting job offers. Get over it!!”

Reality sets in.

You and your IT services team have known for some time now about the vulnerabilities impacting your web application systems.

In fact, a recent external audit discovered one of your organization’s web applications exposes sensitive information in error messages that is easily missed but quite visible if you are looking for it. This, you recently learned, is a common issue with applications that are not properly configured. You look through the window of the meeting room across from your desk where the meeting will be taking place, and can see a poster on the wall displaying OWASP top ten web vulnerabilities. OWASP (Open Web Application Security Project ®) refers to this as the Security Misconfiguration Risk.

And an older app containing personal health information, which should have been decommissioned three years ago, is vulnerable to what OWASP refers to as the Broken Access Control security risk. 

The auditor pointed out that an attacker could exploit these flaws and gain access to personal information in user accounts and/or conduct reconnaissance to execute a ransomware attack. 

Observing the time, forty-five minutes until the meeting starts. Your mind wanders to past conferences and webinars, and all the meetings talking about what must happen to mitigate the risk of a security incident that impacts availability and integrity of your systems. 

Looking out the window, a white Ford van has been parked in the school parking lot for several hours. 

Outside, many of your colleagues are leaving the office. At the high school across the street, teenagers are rushing outside. Spring is in the air. The sun shines. The April showers have brought beautiful May flowers, blooming in the gentle breeze, lightly brushing against the trees tucked in the valley that overlooks your office building. The partially clouded sky signals the beginning of a beautiful long weekend.

But not for you… 

Expect a long weekend, pounding back coffee and eating pizza. 

Thirty minutes until everyone arrives.

Earlier this year you and your IT Manager convinced management that it would be a good idea to follow a security standard. Given your organization’s size and home base in Canada, you have chosen the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls for Small and Medium Organizations. Management agrees with the idea but has yet to commit to annual funding of the program.

But now, none of the past narrative matters. 

As the clock ticks towards 5:00 pm, your mind branches like a spider spinning its web in several directions.

What are your next steps? Do you call the Privacy Commissioner? Do you call a lawyer? 

With a plan, you would know exactly who to call first. You would know whether you should be preparing a website to address questions from the public or whether you can utilize a different response strategy. More importantly, you would feel confident that your response aligns with generally accepted security response best practices.

Not like Equifax’s response in 2017:

Equifax’s Management created a site called ‘equifaxsecurity2017.com’ directing consumers to enter the last six digits of their social security number to determine if they have “potentially been impacted.” How could an organization with so much personal information even consider that type of response? Thinking about it, one that was not prepared. A security researcher created an almost identical site called “securityequifax2017.com,” demonstrating how easy it would be to fool consumers.

Flipping through your notes, a phone number appears. Next to that phone number is the name of a lawyer who specializes in privacy breaches and technology law, and a note stating, “highly recommended.” Without thinking, you dial the number. The lawyer picks up after two rings. The lawyer agrees to meet with management tonight at 6 PM.

Retrieving your notes from last week’s presentation by Cybersecure Canada Certification Body is the next step to prepare for the meeting at 5:00.

Looking at the first page, Cybersecure Canada’s Information Sheet, at the top of the page,

To achieve certification, “…your organization must review and implement the 13 security controls established by the Canadian Centre for Cyber Security.”

And the first step is to have a plan.

That plan, according to last week’s presenter, Victor Beitner, “should address incidents ranging from trivial to extremely severe, including incidents that cannot be handled directly by the organization.”

You are also aware that, even before incident response can be effective, your organization will need to undergo a comprehensive compilation of its system assets. In cybersecurity, identifying all critical information systems is essential. Not ninety percent of systems, one hundred percent, because ninety percent means ten percent of your Crown Jewels are vulnerable to an attack.

Often referred to as a system inventory/data map, it must identify all applications and systems, servers, software, and their respective versions, and system value (i.e., extremely sensitive equals high impact). Your IT department purchased a configuration management database, but it lacks a dedicated resource. Patch management, which is a core requirement to mitigate IT system risks, can be effectively managed using a well-resourced configuration management system. This system will help your organization identify risks, assign owners to those risks, and develop risk mitigation strategies. 

Continuing, you review the section of your notes based on the preparation, identification, containment, eradication, recovery and lessons learned incident response framework.

Preparation

It should not be any surprise that training staff on how to respond, and on whether they are directly involved in incident response, is a key requirement for preparation. It would be expected that, on an ongoing basis, you will be preparing your staff on how to identify and respond to different incidents. In addition to mandatory training, offering workshops, writing newsletters, and sending reminder emails to key staff will help in the preparation stage.

With leadership support, following Baseline Cyber Security Controls for Small and Medium Organizations will guide your organization’s implementation. Identify and designate all staff required to manage cybersecurity incidents, including responding to external parties and defining their roles and responsibilities. For example, if the organization does not have a legal department, the records manager can be the designated staff member to initiate all contact with outside counsel and regulators (i.e., your province’s privacy commissioner if you have one). Consider designating as a second contact your IT manager, who may be better positioned to adequately describe the details to outside counsel when required on short notice. The contact list should include each employee’s name, job title and contact information.

If internal resources cannot commit to what could be calls early in the morning or late at night, engage a third-party service provider to support your organization outside regular business hours. That third-party service must have the authority to initiate incident response procedures.

User stories are more engaging to non-technical users and will help them understand the impact of low, medium, and high-risk incidents. User stories provide valuable insights on how to handle, for example, a ransomware attack, a phishing email, or a document sent to an incorrect email address (for some examples see appendix). Scenario-based learning should be part of all training and awareness activities.

Ideally, however, there should be a small number of staff that can step up if required. Not meeting this minimum requirement means the organization will not receive credit for Baseline Control BC 1.1. Flag this as a high risk and assign an owner to it. It must be a senior leader, preferably the most senior person.

Purchasing cybersecurity insurance is Baseline Control 1.3 (BC 1.3). Check with your current insurance provider. The organization may already have some coverage. If required, consider expanding that coverage. Insurance companies can also recommend preferred third-party forensic service providers, as well as privacy breach coaches. Add all this information to the written plan.

How far do you need to go with training? How specific do the examples need to be in the training and what are the learning objectives? See the next section.

Identification

Every employee within your organization should be able to identify when or if an incident is taking place. And they should not be afraid to report an incident. They do not need technical knowledge but there should be a plan in place to proactively educate on how to spot and report red flags, including:

  • Unauthorized use or access (e.g., a lagging computer when there are no planned software updates could indicate that a cryptojacking attack is underway.)
  • Service interruption or what is sometimes referred to as denial of service. (e.g., your email account is bombarded with thousands of email messages, or your website crashes due to the volume of unanticipated activity)
  • Malicious code (e.g., ransomware software that encrypts all your information, and your organization’s information is then controlled by a bad actor)
  • Network system failures (e.g., The denial of service mentioned above is likely to lead to an enterprise-wide system failure if not contained quickly)
  • Application system failures (e.g., new software functionality that has not been properly tested and contains vulnerabilities that lead to application system failures.)
  • Unauthorized disclosure or loss of information 
  • And, yes, whether a breach is underway.

Some of this can be done with technology depending on your budget. Simulated phishing campaigns executed monthly are very effective in helping employees spot bad emails. They help remind staff that just because a URL uses the HTTPS protocol, does not mean that it is safe, and that very subtle spelling errors can easily be missed (e.g., a missing letter in a domain name). Of course, there is more to it than just sending out a monthly phishing test. Establish a baseline metric after the first test. Over the next twelve months, assign training as required, and keep track of who requires customized support. Expect the click rate to trend downward, assuming training is well-received by staff.
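The two lookalike patterns this case study mentions, a missing letter in a domain name and the rearranged Equifax response domain, can both be caught mechanically when URLs that staff report are compared against the domains the organization actually owns. The following Python is an added example, not part of the original article; the allow-list, the distance thresholds, the function names and the sample URLs are constructed assumptions.

```python
"""Triage reported URLs against the domains an organization actually owns."""
from urllib.parse import urlsplit

# Constructed allow-list: the first entry is the response site named in the
# article; the second is a placeholder for an organization's own domain.
KNOWN_DOMAINS = ("equifaxsecurity2017.com", "example.org")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(url, known=KNOWN_DOMAINS):
    """Return (verdict, matched_domain) for one URL.

    Verdicts: "known", "near-miss" (a typo or two away from a known domain),
    "reordered" (same characters in a different order), "unrelated", "invalid".
    The scheme is ignored on purpose: HTTPS says nothing about who owns a name.
    """
    if "//" not in url:                      # bare host such as "example.org/x"
        url = "//" + url
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ("invalid", None)
    if not host:
        return ("invalid", None)

    for dom in known:
        if host == dom or host.endswith("." + dom):
            return ("known", dom)

    for dom in known:
        # Compare the same number of trailing labels as the known domain has,
        # so a "www." prefix on the lookalike does not hide it.
        cand = ".".join(host.split(".")[-(dom.count(".") + 1):])
        limit = 1 if len(dom) < 10 else 2    # assumed thresholds
        if osa_distance(cand, dom) <= limit:
            return ("near-miss", dom)
        if sorted(cand) == sorted(dom):
            return ("reordered", dom)
    return ("unrelated", None)


def triage(urls, known=KNOWN_DOMAINS):
    """Return only the URLs that imitate a known domain, with the reason."""
    flagged = []
    for url in urls:
        verdict, dom = classify(url, known)
        if verdict in ("near-miss", "reordered"):
            flagged.append((url, verdict, dom))
    return flagged


# Constructed sample of URLs as staff might report them to the helpdesk.
SAMPLE_REPORTS = [
    "https://www.equifaxsecurity2017.com/",    # genuine
    "https://securityequifax2017.com/",        # words swapped (from the article)
    "https://equifaxsecurty2017.com/enroll",   # missing letter (constructed)
    "http://www.exmaple.org/reset",            # adjacent letters swapped (constructed)
    "https://www.priv.gc.ca/en/",              # unrelated
]

if __name__ == "__main__":
    for url, verdict, dom in triage(SAMPLE_REPORTS):
        print(f"{verdict:10} {url}  (imitates {dom})")
```

A domain flagged here is a prompt for the helpdesk to look closer, not proof of phishing; short known domains produce more false near-misses, which is why the threshold tightens for them.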

While employees do not require technical skills, they should have the skills to quickly capture error messages in a screenshot. This helps IT be more effective in diagnosing and resolving issues, especially those related to application system failures. (Don’t assume all your staff know how to take screenshots.)

Containment

The National Institute of Standards and Technology advises that “an essential part of containment is decision-making.” When is it appropriate to, for example, shut down a system, disconnect it from the internet, or disable certain functions?

When an incident takes place, report it to your helpdesk and/or incident response team; the appropriate designated employees will take immediate action to contain the incident. Their activities include but are not limited to isolating the incident, determining the source and where it came from and what vulnerability the unauthorized intruder exploited, resolving any identified vulnerabilities, and continuously assessing the damage and impact. What is most important is acquiring, preserving, securing, and documenting evidence and preserving chain of custody.

Also, remember to treat IT and security resources with respect. Providing breakfast, lunch, and dinner at no cost to the team is highly recommended. Stress levels will be high and any moral support that can be provided will be greatly appreciated. 

Eradication

Depending on the severity of the incident, and the resources that have been deployed, some time may go by before you begin the eradication step. This is when all traces of the infection have been removed from systems. Vulnerabilities will be identified and, ideally the forensic experts will have determined the root cause of the incident, removing malware, viruses and any other dysfunctional code that contributed to the system breakdown. This step will also include identifying all impacted devices and removing them from the environment.

Recovery

At this stage, hopefully within the first twenty-four hours of the incident taking place, although it could be longer depending on the severity of the incident, your incident response team will be taking the required steps to recover. Assuming your organization has a disaster recovery plan, which prioritizes your systems according to value, your incident response team will return those systems to an operational state in order of priority, utilizing the most recent backups.

While this is going on the incident response team will be monitoring the systems as they are brought online and assessing in real time as to whether the incident may reoccur. They will also be making sure that the systems are restored from a clean source. And they will be confirming that all impacted systems are functioning as they are intended to function. Additional monitoring may continue to look for related activity if it is deemed necessary.

Lessons learned

While this may be obvious, it is crucial that an organization examine its existing processes and develop an ongoing mitigation plan to reduce the likelihood of a similar incident reoccurring in the future. Do not wait too long after an incident has been resolved to conduct this final step. Crucial perspectives from the varying stakeholders involved will be lost.

——————————————————————————————————————-

Sitting at your desk, looking out your window while pondering everything in your notes, that white van still idles, alone in the parking lot, now covered in shade from the valley above.

At 4:57, a text message from IT reporting that the entire team is in the containment stage, disconnecting systems from the network but not disconnecting power. 

The management team arrives together at 5:00. The meeting begins. The CEO looks at you and asks,

“Robert, what happened?”

To which you succinctly reply,

“We are under what looks to be a malware attack. Our core systems are down. We are not able to provide an exact cause at this time and whether any sensitive information has been exposed.

“IT will be working through the weekend and will have an update at 8:00 pm tonight. I have also engaged outside counsel. Their team will meet with us at 6:00 pm. I highly recommend we follow their advice before making any formal announcements.”

“Robert, what are we not doing that we should have been doing?”

“I am not here to cast blame, but it has taken far too long to address the vulnerabilities flagged during the last audit. Rather than focusing on the past, let us learn from our mistakes. We can talk about approving our funding request next week. Right now, we, and by we, I mean the entire information management team, would ask that the room where IT is currently working be sectioned off. We need to remove all people not involved in this incident. If there’s anyone left on the floor please ask them to leave immediately. We cannot risk unauthorized staff tampering with any evidence.

“We do not need your entire team here all weekend, but you should be available for updates and decisions. My recommendation is to follow the advice of counsel. I have cancelled my weekend plans and will be staying late.”

Final Thoughts

If you are currently under attack, do not overreact. Stay calm.

Engage legal counsel and follow their advice. 

If you do not have legal counsel, conduct an online search. Finding a reputable firm quickly should be relatively easy. 

If you are not under attack and do not have legal counsel, you are one step behind everyone else. Step up and engage, before it is too late.

And that van in the parking lot that no one is thinking seriously about…. I will let the reader draw their own conclusions.

Appendix

[Three diagrams, one of them a timeline; images not reproduced]

ABOUT THE AUTHOR

Mark Grysiuk has been working as an information management practitioner for 18 years. He is a Certified Chief Information Security Officer, Certified Records Manager and Certified Information Professional. Mark won ARMA’s 2015 Brit Literary Award for an article entitled The Cookie trail: Why [Information Governance] Pros Must Follow the Crumbs.