Sheila Taylor is a well-known consultant, educator, speaker and writer with more than 20 years of experience in the information management (IM) field.
Cohasset Associates, ARMA International, and AIIM recently published the results of the 2013/2014 Information Governance Benchmarking Survey (download a copy here). The survey was underwritten in part by Iron Mountain.
The findings are based on responses from 1,300+ invitees including ARMA International members, AIIM members, recent attendees of Cohasset’s Managing Electronic Records (MER) Conference, selected Iron Mountain customers, and members of the Records Management LISTSERV.
Respondents work in many industries such as government, financial services/banking, professional services, and manufacturing. The majority (58%) work for ‘small’ organizations (up to 4,999 employees) followed by ‘medium’ organizations (5,000 – 24,999 employees), and ‘large’ organizations (25,000+ employees). Most respondents’ survey answers represented operations in the U.S. (58%) followed by global operations – excluding U.S. (27%), and Canada (12%). When asked to select (select all that apply) their job responsibilities related to information lifecycle management, the most frequently cited responsibilities were: implementing RIM technologies and tools (51%), enterprise RIM program including international, if organization is global (48%), RIM strategy definition (47%), and managing RIM file room or electronic repository (45%).
The survey questions address topics such as business commitment to RIM, retention schedules, records deletion/destruction, legal holds, information lifecycle management, and RIM Program maturity.
For some questions, the 2013 responses are compared to responses in past studies (the 2003, 2005, 2007, 2009, and 2011 surveys or a sub-set thereof) to illustrate trends over time. More than 12,000 individuals have responded to the survey since its inception.
According to the authors, this 8th biennial survey provides “authoritative, up-to-date benchmarking metrics on information lifecycle practices with an emphasis on electronically stored information (ESI)”. The following Survey Highlights table from the report summarizes the results and recommends implementation actions to modernize information governance (IG). The authors encourage organizations to use the table to “formulate internal action plans and to develop communications highlighting . . . [their] program’s strengths and opportunities.”
|SURVEY HIGHLIGHTS||RECOMMENDED ACTIONS|
|1. Overall, IG programs are more prevalent, better-designed, and inclusive of ESI. However, many essential implementation elements are not being addressed.||
|2. Effective IG is increasingly recognized as an imperative for corporate compliance and risk mitigation. Coordination and integration is on the rise.||
|3. While improvements are reported in the management of some ESI, information governance must modernize or forever be losing in a game of catch-up.||
|4. Legal Hold processes are more commonplace, but over-preservation is an immense challenge to the implementation of effective information lifecycle controls, thereby contributing to future risk and complexity.||
Due to the broad data/information collection, review, and retention provisions of the USA Patriot Act, RIM professionals have expressed concern about the risks to privacy rights and confidentiality when Canadian organizations store e-mails (and other cloud-based data) on servers in the United States. Recent developments suggest the Government of Canada (GoC) shares their concern when it comes to the government’s e-mails.
As reported by Michael Geist in the Toronto Star (article available for purchase here), the GoC’s Email Transformation Initiative will consolidate “more than 100 different email systems used by more than 300,000 employees into a single, outsourced email system”. When defining the system requirements, the government invoked a national security exception to require secure storage of the e-mails on servers in Canada.
A Request for Proposal (RFP) was issued to four pre-qualified vendors: Bell Canada, Dell Canada, HP Canada, and IBM Canada. In June 2013, the $350+M contract was awarded to Bell Canada, in partnership with CGI Information Systems And Management Consultants Inc.
Documents recently obtained by the B.C. Freedom of Information and Privacy Association reveal that US companies who were shut out of this procurement urged US government officials to launch a trade complaint. As Mr. Geist reports, “While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the government insisted on Canadian-based storage” and “pointed to privacy concerns stemming from the USA Patriot Act” regarding that requirement.
This situation is interesting on a number of levels.
First, it reinforces the concerns RIM professionals have expressed for many years about the potential privacy risks that may arise from the provision in the USA Patriot Act to gather and disclose data/information to law enforcement without appropriate oversight or disclosure and to retain that data/information indefinitely.
Second, it illustrates the GoC’s commitment to protect its e-mails by ensuring their storage on Canadian servers despite the risk of upsetting its largest trade partner.
Third, and perhaps of most interest, it demonstrates that the GoC has secured a protection not available to the average consumer or to most organizations operating in Canada. As Mr. Geist reports, “. . . the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.”
The Sedona Conference® recently released a public comment version of its Commentary on Information Governance, a project of The Sedona Conference Working Group One on Electronic Document Retention & Production (WG1).
A new definition of Information Governance
The Commentary adds another definition of ‘information governance’ to our lexicon. According to The Sedona Conference®, information governance is “an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”
Breaking down the silos
The Commentary emphasizes the need to break down silos and achieve coordination among an organization’s information-focused disciplines such as RIM, data privacy, information security, and e-discovery to ensure “a top-down, overarching framework, informed by the information requirements of all information stakeholders . . . [to] enable an organization to make decisions about information for the good of the overall organization and consistent with senior management’s strategic directions.”
The 11 principles at a glance
To assist organizations in developing and implementing that framework, the Commentary provides “a comprehensive set of basic principles to guide the development and operation of a robust Information Governance program in any organization.” The eleven principles are:
Each principle is discussed in detail in the body of the document.
Appendices address the synergies – and conflicts – in the intersections of IG stakeholders (i.e. RIM, privacy, security, and e-discovery), a maturity continuum as it relates to an information function’s level of independence maturity, the risks associated with digital assets, and the quantitative/ROI business case for IG in terms of optimizing corporate value, risk reduction, hard cost avoidance, and soft cost avoidance.
Opportunity to comment
Because the document is a public comment version, comments and suggestions for improvement are welcome. You can join the dialogue online (paid and free accounts are available) or submit comments by email to email@example.com
You may have noticed that we haven’t published any new articles recently (blogging is hard!). It’s been a hectic fall, continuing into an equally hectic winter. If you’ve missed our articles, we apologize and hope to be back soon.
If you do enjoy our articles and newsletters, please contact us or leave a comment here. In the meantime, if you would like to suggest a topic or even offer to write a guest post, please let us know!
Chucking Daisies: Ten Rules for Taking Control of Your Organization’s Digital Debris (published by ARMA International in hard copy and PDF download) is a useful, inexpensive resource for educating IT, legal, risk and other professionals and line of business managers about fundamental R/IM principles and the imperative for any organization to effectively manage its ever-increasing volume of digital information.
In just over 50 pages, the authors Randolph A. Kahn, Esq. (President of Kahn Consulting and the author of books such as Information Nation Warrior) and Galina Datskovsky, Ph.D., CRM (formerly Senior VP of Information Governance at Autonomy and ARMA International Board Chair/Immediate Past President 2012-2013) cover ten key rules:
#1 – Stop keeping everything forever
#2 – Clean up the past to gain business efficiency
#3 – Keep only what you can access and be sure you can access what you keep
#4 – Create an enterprise-wide information governance team
#5 – Strive for reasonableness, not perfection
#6 – Policy must come before technology
#7 – Don’t expect to totally control your cloud provider
#8 – Manage information from creation to disposal using big bucket rules
#9 – Automate information management and take the responsibility away from employees
#10 – Don’t live in fear of discovery – be prepared with a discovery response plan
Their writing style is crisp, concise, and engaging. And they use R/IM terms sparingly, presenting key terms (e.g. authenticity, vital record, etc.) in sidebar boxes.
If you’re looking for a detailed examination of how to implement the rules, you’ll need to look further (and the authors’ list of additional resources will help you in that regard). But I encourage you to consider this book if you’re looking for a quick read to help stakeholders understand the issues and begin planning to better manage digital information or, to quote from the last line in the book, “Start chucking those daisies!”
In case you’re curious, here’s the authors’ analogy between ‘chucking daisies’ and taking control of digital debris. Think about a bunch of fresh cut daisies in a vase as you read the following (I added the bolded text for emphasis).
“. . . as the days pass and no matter how much fresh water is added, their beauty will begin to decline. After a couple of weeks, their stems will start to bend, their once bright white and yellow colors will turn brown and their petals will wilt and fall off. They begin to stink and you throw them out. That is the lifecycle of most things; they come into existence and, at some point, they decline and die and need to be disposed of. Information is no different. Think of the information in your organization as the daisies. It has a lifecycle – it comes into existence and at some point, when it no longer has business or legal value, it begins to ‘stink’ as it clogs up your systems and should be disposed of. Old, outdated information needs to be ‘chucked’ (or thrown away) just like dying daisies – maybe not in just a few weeks, but at some point it needs to go.” (page vi, Chucking Daisies: Ten Rules for Taking Control of Your Organization’s Digital Debris).
Disclaimer: Sheila Taylor is a member of ARMA International’s Content Editorial Board (CEB) which is responsible for aiding ARMA International in unifying and streamlining content development processes across all formats. She was not a CEB member while Chucking Daisies was under development.
The Fall 2013 supplement to Carswell’s Records and Information Management is a comprehensive guide to RIM professional development in Canada, authored by Sheila Taylor. For those who don’t subscribe to this publication, the chapter has been republished as a white paper and posted on the Ergo website in our new “Published Articles” section.
The white paper is intended for existing and future RIM practitioners and employers, and discusses RIM competencies and positions, RIM education and training, and RIM certifications and accreditations. To our knowledge it is a unique resource, and we are making it available free of charge with the hope it will be useful to the Canadian RIM community.
The information presented is current as of July 2013, but if you would be interested in seeing this resource kept up to date in the future please let us know in the comment section below or by sending us an email.
Along with issuing this white paper, we are pleased to announce that a selection of previously published articles, book reviews and other resources authored by Ergo will now be available on our site at www.eimc.ca/resources/articles. Visitors may download and distribute these materials freely with attribution to Ergo and provided they are not altered, sold or used for any other commercial purpose.
I passed! I’m an IGP for the next 3 years. A list of the 56 inaugural IGPs is available here.
Not sure yet what the recertification requirements will be since ARMA International is still finalizing them but see that the ‘My Certification’ tab in my online ARMA profile now shows a requirement for 25 hours with a CE cycle end date of December 31, 2013. Since that date is fast approaching, I hope ARMA will announce the recertification details soon.
The passing score was 650 (maximum score = 900). I’m not sure what my score was because ARMA doesn’t report individual scores – you’re only told if you ‘pass’ or ‘fail’, just like with the Certified Records Manager (CRM) exams.
I’m also not sure what the exam success rate was since ARMA didn’t announce the number of individuals in the pilot test group. It would be interesting to know the success rate. Perhaps ARMA will publish it in the future?
As a consultant and educator, I’m often asked about information management certifications so I’ve been watching the development of the Information Governance Professional (IGP) certification by ARMA International (ARMA) with interest.
According to ARMA, a certified Information Governance Professional “creates and oversees programs to govern the information assets of the enterprise. The IGP partners with the business to facilitate innovation and competitive advantage, while ensuring strategic and operational alignment of business, legal, compliance, and technology goals and objectives. The IGP oversees a program that supports organizational profitability, productivity, efficiency and protection.”
When ARMA advertised the pilot test group at a significantly reduced fee ($250 USD vs. the regular fee of $599 USD), I decided to apply. Read on if you’d like to hear about my experience in applying to write, preparing to write, and actually writing the exam.
Did I pass the exam? I don’t know. ARMA will use the pilot group results to determine a passing score for the exam. That means I have to wait until Phase 2 testing has been completed and the test results analyzed. Stay tuned . . .
You can demonstrate eligibility to write the exam in one of two ways. I applied under the option of a 4-year degree (bachelor’s degree or global equivalent) plus a minimum of 3 years of management or leadership experience in one of the specified fields (RIM). More information on the eligibility criteria is available here.
I applied for the pilot test group in early July (July 10th was the application deadline) by submitting payment and a completed application including my written agreement to uphold and abide by the IGP Code of Ethics. Unlike the Certified Records Manager (CRM) application process, you don’t have to submit your documentation (e.g. transcripts and job descriptions) unless your application is selected for audit.
ARMA approved my application within 24 hours (way to go ARMA!) and I visited the test centre’s online scheduler to book the exam for my preferred date and test site. Like the Institute of Certified Records Managers (ICRM), ARMA International uses Pearson VUE test centres.
ARMA’s FAQ addresses exam preparation as follows: “There is no formal coursework required for the exam. Candidates should have a strong command of the Generally Accepted Recordkeeping Principles®, current industry issues, e-discovery, technology, and case law – all of the key components of information governance.”
To be honest, I did very little to prepare. I figured after 20+ years of records/information management experience, I’d take my chances. I did, however, read the Candidate Handbook, look at the Exam Blueprint, and quickly review the Information Governance DACUM Chart which lists the duties, tasks, and steps required as well as the knowledge, skills, and attributes making up each of the exam components. I also took the sample exam.
I booked my exam for July 19th (the last day for pilot group testing) and almost missed my appointment, having forgotten about it until less than ½ hour before I was to report to the test site! Fortunately, the test site was relatively close to my office and – due to relatively light summer traffic – the eastbound 401 wasn’t the usual parking lot. I got to the test site with 8 minutes to spare in the 30 minute grace period!
Signing in was efficient – I produced my “Authorization to Test (ATT)” e-mail containing my unique 20-character Candidate Identification Number, showed 2 pieces of id (one with my photo and signature), had my photo taken, read and signed the testing centre’s agreement, and signed the register. Because it’s a closed book exam, I wasn’t allowed to take any materials (not even a watch!) into the testing room. I was, however, given a small whiteboard and marker for note-taking.
Then I went into the testing room (a relatively small room equipped with 7 PCs) where I completed the online non-disclosure agreement, watched a brief tutorial about the testing software, and wrote the exam. Fortunately, the individual who was mumbling to himself as he wrote a different exam left ½ way through my exam, leaving me alone in the room without distractions.
You’re allowed 165 minutes (or 2 hours, 45 minutes) to complete 140 multiple choice questions. That works out to 1.12 minutes/question which is far more generous than the paltry 45 seconds the ICRM gives you to complete the 100 multiple choices in each of their Parts I to V exams (each of those exams is only 80 minutes!).
You’re presented with 4 possible answers for each question and have to select the 1 best answer. As you complete the exam, you can mark a question as ‘incomplete’ or flag it for ‘review’. You can also comment on individual questions (but any time doing that counts against your 165 minutes), or you can provide comments after submitting your exam (in which case commenting time is not deducted from exam time). It is optional to provide comments.
The exam questions address the following competency domains: managing information risk and compliance (15% of the exam questions), developing information governance (IG) strategic plan (15%), developing IG framework (17%), establishing the IG program (17%), establishing IG business integration and oversight (18%), and aligning technology with the IG framework (18%).
After completing the exam, I reviewed the questions I had flagged for review (about 25) and changed a few answers. I finished the exam with about 1 hour, 40 minutes remaining.
Then, after returning the whiteboard and marker, and signing the register once again, I was free to go back into the sweltering heat after possibly having attained the IGP certification.
Information management practitioners are familiar with metadata (or data about data) in the context of records. It is one of many tools that can be used to identify and categorize information, thus making it easier and faster to find in the future. Records metadata is a useful tool which doesn’t get a lot of attention.
But metadata of another sort has been getting worldwide attention ever since Edward Snowden blew the whistle about the US National Security Administration collecting cell phone metadata and requiring companies like Google, Microsoft, Yahoo, Apple and Facebook to turn over information about email and Internet activities through the PRISM program. Snowden’s revelations illustrate how metadata can be used to provide a detailed digital profile of an individual. For more information, visit The NSA Files portal from the UK’s Guardian newspaper.
While some may not find that prospect alarming, many such as Ann Cavoukian (Ontario’s Information and Privacy Commissioner) do. In a recent op-ed article in the Toronto Star (July 17, 2013), she spoke out against what she sees as the flawed defense of justifying the NSA’s extensive surveillance operations by saying the information collected is “only metadata” and its collection “is neither sensitive nor privacy invasive since it does not access any of the content contained in associated phone calls or emails.”
Cavoukian argues the “truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” You can read more about her thoughts on this topic in the recently released document, A Primer on Metadata: Separating Fact from Fiction available here.