Conducting an information review
An information review is a process for identifying and evaluating the ability of your agency's core information assets to meet your business needs. An information asset is information in any format which supports a business process.
An information review, sometimes referred to as an 'information audit', provides a strong foundation for establishing effective information governance within your agency. It identifies the value of information as a business asset so it can be managed properly and support business outcomes. an information review can help your agency meet its Digital Continuity 2020 targets for Principle 1 – Information is valued and Principle 2 – Information is managed digitally
Outcomes of an information review
The main outcomes of an information review are:
- improving understanding of your agency's business information needs – including identification of what information is captured, created, used, who uses it, whether it meets user and business needs, and who is responsible for the information asset;
- identifying both strategic and operational opportunities and risks – including new opportunities, potential business benefits and efficiencies, information that is being underused or areas where insufficient or untrustworthy information is a barrier to efficient business practices or public trust; and
- creating a shared understanding of information assets within the business that can support your Information Governance Framework.
Secondary benefits of an information review include:
- identifying 'silos' of information – information closely held by one part of an organisation, but which has wider uses within an agency. By breaking down those silos and encouraging information to be freely shared within your organisation, business benefits will be optimised;
- assisting in the development of an information architecture which will aid understanding of the information structure, and forward planning use of information, in your agency;
- meeting obligations for an Information Publication Scheme, required by the Freedom of Information Act 1982, and the Personal Information Digest, required by the Privacy Act 1988;
- identifying additional information that can be made available to the public;
- developing other information-based resources such as controlled document registers required by ISO 9001-based systems; and
- potentiallyuseful in developing a records authority, although an information review does not necessarily include comprehensive or rigorous analysis.
Conducting the review
The information outlined in this advice is one way of conducting an information review, there is no agree 'best practice' method. The option you select should be scalable and adapted to meet your agency's needs.
The scope and steps in an information review will vary with the size and complexity of your organisation and your information assets. It is important that an information review should:
- focus on the most important business activities and related information assets
- not restrict the scope to a particular format for information (for example, paper or digital).
It may be useful to take a staged approach to conducting the information review by establishing priorities or a sequence of business areas or business processes.
Obtain management support
You will need a senior management sponsor or champion who understands the benefits of an information review and supports the project. This could be secured through your Information Governance Committee or Chief Information Governance Officer.
Ensure that the scope of the review is appropriate to your agency. Consider focusing initially on core business functions or identified areas of risk.
Gathering data to assist your information review can be achieved through various means including focus groups, interviewing key stakeholders or surveying staff. You could also consider using information gathered in previous reviews or from your agency's Check-up Digital assessments. By using the older information as a baseline you can tailor your questions to suit.
Draft the questions carefully as responding to questions can be burdensome and meaningful analysis of the responses can be challenging if questions are not framed with a clear purpose in mind.
Key questions to consider are:
- What are the core information assets created or used in each business area?
- What is the business purpose served by the information asset?
- Who creates and uses the information asset?
- Who is responsible for maintaining the information asset?
- What problems or issues, such as timeliness, accuracy or completeness of the information asset, impact on business effectiveness?
- What is the value, business criticality and importance of the information asset?
Depending on the purpose of your information review, you may wish to collect additional data about some of the following areas:
- legislation, standards, policies, procedures and commitments which dictate how things are done
- security or privacy issues relating to the information asset
- systems and technology used to create, manage and access the information asset
- location of the information and how secure it is
- possibilities for information reuse
- changes to business practices
- detail on the actual information such as the format, volume
- rules or restrictions about alteration of the information
- how long the information remains useful for agency business
- duplication of the information
- consequences of the information asset being unavailable, are there adequate backups?
- intentions for digital transition if the information asset is maintained as paper or another physical format
- suggestions for improvement
- opportunities for and impediments to making the information available to the public.
Analyse data gathered from the review
When analysing the data from the review, the strengths and weaknesses of that information to support your business. Issues need to be prioritised against organisational performance and risk, as well as the likely cost and time to address the issues.
You should be able to identify information assets that are suitable for inclusion in an information asset register. This register can be used:
- as part of ongoing governance of information assets by identifying them, their purpose and who is responsible for them
- to identify important and valuable information assets required for business continuity.
The Archives' has prepared an example of what an information asset register might contain, which includes suggested data you might collect.
Report your findings
When documenting the findings of the review, you should highlight the strengths and weaknesses of each information asset and which business processes the information supports.
Potential weaknesses of information assets include those that:
- have been identified as inadequate for the business purpose;
- are a source of frustration for people using or managing them;
- are unavailable to those with a legitimate need;
- do not appear to serve a purpose, are underused; or
- are duplicated.
Your report should outline the key issues identified and provide an overview of the significance and status of each. Recommendations for further projects or action can be of value for your Information Governance Committee in making decisions.
Business processes are always changing. You should regularly review the status of your core information assets and update your information asset register as required. This will ensure that the data gathered is current and allow you to amend or update your recommendations to reflect any changes or developments in your agency's core business.