Information governance framework

An information governance framework is the legal, regulatory and business context within which information assets are created, used and managed. Documenting this for your agency sets out an approach and commitment to implementing an effective information governance framework and the controls that are required to maintain it.

Documenting the framework:

  • outlines the broad environment within which information is created and managed;
  • describes the factors and business drivers which determine or influence the creation, management and use of information, including legislation, regulations, compliance, risk, and business needs;
  • documents the principles which guide the creation, management and use of information;
  • provides an overarching description of how information is governed with particular emphasis on whole-of-agency coordination, planning and leadership; and
  • documents your organisation’s commitment to information governance and provides senior management endorsement.

The following information provides a useful guide for the key aspects and components to include when documenting an information governance framework. See example – National Archives information governance framework.

Other documents that support information governance include:

Documenting an information governance framework

Components

Title

Date and version number

Scope

Establish the coverage of the framework. Does it cover information in all formats and in all agency locations nationally and internationally? Does it cover all staff including those in outsourced and contract arrangements? Are there exclusions which need to be noted?

Purpose

Explain, within the context of your agency, why an information governance framework is needed. This should be tied to agency governance. This may include stating:

  • The framework guides the creation, use and management of [the agency’s] information assets.
  • The agency is committed to the principles set out in this document.
  • The framework supports robust decision-making, risk management and compliance with external requirements.
  • The framework is an integral part of overall agency governance and is an integral part of our business.
  • Failure to properly create, describe, capture, manage and store information exposes the organisation to increased risks.

You may also outline some of the benefits of an information governance framework, including:

  • avoiding the need to continually re-create corporate knowledge
  • improved service delivery
  • reducing staff time and effort required to locate and access relevant, complete information
  • quicker and more accurate response to government demands and requests for information
  • lower costs of compliance with freedom of information requests and other legal discovery
  • protection of citizen rights
  • mitigation of risks to reputation that might arise from media or audit criticism of poor information governance practices or non-compliance with legislative and regulatory obligations.

Organisational information principles

Your organisational information principles provide a foundation against which information governance can be tested. These should reflect your agency’s particular circumstances and approach to managing its information assets. Examples of principles might include the following statements:

  1. All information we create is ready for re-use, is interoperable across the Commonwealth and is available and usable for as long as needed.
  2. All information is discoverable across our organisation by those with legitimate need.
  3. Our information is accurate, up-to-date and complete.
  4. Our governance mechanisms ensure that information management practices support good decision making, with integrity, accountability and transparency to deliver good business outcomes.
  5. Our systems protect information from unauthorised alteration, deletion or misuse.
  6. Our people understand and appreciate the value of information as an asset for the organisation and the Commonwealth, as the intellectual property of the nation and cultural heritage of our people.

The broader environment

Describe the broader environmental factors that influence your business, and how they impact on, or have accountability requirements for, your agency.

Whole-of-government requirements

Set out whole-of-government policies and best practice initiatives to which the agency has committed. Outline the whole-of-government policies and directives that are relevant to the management of agency information including, but not limited to:

  • Digital Continuity 2020 Policy (National Archives of Australia)
  • Digital Transformation Plans, Digital Service Standard and Digital Design Guide (Digital Transformation Office) and
  • Relevant ICT policies (Department of Finance)

Legislation

Describe relevant legislation, both general legislation applicable to most Australian Government agencies, such as the Archives Act 1983, as well as agency-specific legislation that impacts on information governance, such as your enabling legislation or any legislation that you administer. This may include:

  • Freedom of Information Act 1982,
  • Privacy Act 1988,
  • Electronic Transactions Act 1999,
  • Crimes Act 1914 and
  • Evidence Act 1995.

Business context

Describe how information governance supports business performance and outcomes. This may include a statement outlining how information governance helps the agency to meet strategic priorities, increase business performance and reduce risk.

Clients and stakeholders

Provide a brief statement outlining how information will be managed to support client and stakeholder requirements and expectations. This may include outlining how client information will be managed to support accountability, and designing solutions that help clients maximise the value of the information. 

The organisational environment

Describe the importance of embedding information governance into all aspects of your agency's business and how this will be achieved.

Organisational culture

Provide a statement on the importance of a culture that supports information governance and how this will be achieved. This might include ensuring management support for the value of information and the importance of sharing information. It may also include:

  • leveraging the role and profile of the agency’s information governance committee (or equivalent) to highlight the value and importance of information;
  • valuing and supporting information management and ICT professionals;
  • providing ongoing capability development for information management and ICT professionals; and
  • providing the relevant training and guidance to all staff.

Accountability

Outline how accountability is at the core of an information governance framework. Describe and identify who has overall responsibility for how information is managed and used, and who is responsible for each significant information asset. This links with the need to identify roles and responsibilities in the operational environment.

Strategy and planning

Describe how information governance will be built into agency strategies and planning requirements. This should involve linking to other corporate governance frameworks such as business continuity, risk management, workforce planning and other agency corporate planning documents. It is also important to link to initiatives which improve the use of information for business needs, for example your agency's information management strategy.

Reporting and compliance

Detail the agency’s approach to information governance compliance and reporting requirements. This may include, but is not limited to, meeting information security requirements, Freedom of Information Act and Privacy Act requirements, and annual reporting requirements to the National Archives. This may also include compliance with or reporting on requirements set out internally by the information governance committee.

Infrastructure

Outline key infrastructure to support information assets and the mechanisms in place for their ongoing management. Infrastructure may include:

  • software, hardware, connectivity and ICT support
  • onsite and offsite digital and physical storage
  • security classified storage.

Risk, audit and security

Outline what controls your agency has in place to ensure adequate protection of information assets. Proper management of information helps to reduce risk, while at the same time a robust risk management framework will help to protect your information. It is also important to acknowledge the link between risk and information and the importance of governing these two.

Mention the scrutiny of information governance practices to which your agency may be subject, such as from the media, internal audits or Australian National Audit Office reports.

Also describe the information security requirements to which your agency is subject, such as the Australian Government Information Security Manual (ISM) or the Australian Government Protective Security Policy Framework (PSPF). There may also be additional internal security requirements that need to be documented here.

The operational environment

Describe the operational aspects that contribute to your overall information governance framework. 

Roles and responsibilities

Outline the specific information governance roles and responsibilities of key staff in your agency.

  • Agency heads
  • Senior management
  • Information governance committee [or equivalent]
  • Information asset owners
  • Information management and ICT professionals
  • Managers
  • All staff

Standards

Provide a brief statement outlining relevant standards that influence the way information is managed in your agency. Consider including reference to other standards to which your agency has committed that may have implications for information governance, for example, metadata, information, records and document management standards as well as risk management and quality assurance standards.

Policies and procedures

Outline all relevant policies and procedures that are part of your governance framework. This will include policies on:

  • records management
  • information management
  • data management
  • information security
  • risk management.

This should also include any policies and procedures which intersect or need to be considered as part of your information governance framework. Such policies may include those on the usage of:

  • Social media
  • Cloud computing
  • Teleworking and remote access
  • Mobile devices. 

Business processes

Describe how information governance is generally maintained during the conduct of business. This should also address how business processes interact with systems and technology. This may involve specifying key requirements for information in business processes, such as:

  • good metadata
  • interoperability
  • accessibility
  • data quality.

Also describe business processes which present a challenge to meeting key requirements and how the agency chooses to manage these as part of its information governance framework.

Systems and technology

Outline how information is governed within business systems across your agency. This would describe the process for identifying, assessing and documenting a management plan for information in business systems. This may involve conducting an information review to identify systems that use or contain business information, and documenting them in your information architecture or information asset register. This may also include the process for seeking endorsement from your agency information governance committee.

This should not be limited to business systems owned and maintained by your agency or located on your agency's premises. This may extend to systems and technology hosted in the cloud, via social media and mobile devices.

Promotion of the framework document

Set out who needs to be aware of the framework and how they will be informed of its existence or subsequent changes and updates.

Review intervals for your framework

Review the framework periodically to ensure that it remains current. In addition, the framework should be reviewed after events that might affect information governance arrangements, such as major administrative change.

Senior management endorsement

Provide evidence that the CEO or the information governance committee chair has endorsed the framework. This may be done in a brief paragraph, signed by the CEO or the information governance committee chair, recognising the important place of information governance in the agency and directing staff to comply with the requirements of the framework.

Copyright National Archives of Australia 2017