What is an information governance framework?
An information governance framework is the structure that provides a holistic overview of the influences that inform how an organisation creates and manages its enterprise-wide information assets (records, information and data).
Understanding, assessing and documenting your agency's legal, regulatory and business requirements are essential steps in formalising and maintaining your information governance framework.
Your agency’s information governance framework describes:
- the broad environment in which information assets are created and managed
- business drivers and other factors that affect the creation, management and use of information assets. These include legislation, regulation, compliance, risk, and business needs
- principles that guide the creation, management and use of information assets
- its overarching approach to the governance of information assets, with an emphasis on enterprise-wide coordination, planning, roles and responsibilities and leadership
- its commitment to information governance, including endorsement from senior management.
The Building trust in the public record policy recommends that agencies review and update their information governance framework to incorporate enterprise-wide information management for records, information and data. This includes developing an information governance framework if one does not exist (action 2).
The National Archives’ own Information and data governance framework is available as a guide for developing or reviewing your agency’s information governance framework.
An information governance framework template is also available, that agencies can customise to develop or update their own framework document.
Parts of an information governance framework
Provide a clear overview explaining your information governance framework’s:
The purpose explains why your agency needs an information governance framework and how it supports its overall governance.
Examples of purpose statements include:
- The framework guides the creation, use and management of [the agency’s] information assets.
- The framework supports robust decision-making, risk management and compliance with external requirements.
- The framework establishes [the agency’s] enterprise-wide approach to governance of our information assets, and is integral to supporting our broader governance processes
- Failure to properly create, describe, capture, manage and store information assets exposes [the agency] to increased risks.
Outline the benefits of an information governance framework. Examples include:
- avoiding the need to continually re-create corporate knowledge
- improved service delivery
- less time and effort spent on locating and accessing relevant and complete records, information and data
- quicker and more accurate responses to government needs and requests for records, information and data
- lower costs of compliance with freedom of information requests and other legal discovery
- stronger protection of citizens' rights
- mitigating reputational risks that may arise from media exposure, adverse audit findings, or non-compliance with legislative and regulatory requirements.
Broadly outline your agency’s information assets. This information may include:
- the locations of key national and international offices that create, manage and store information assets. Make sure you include any relevant contractor arrangements
- confirmation the framework covers all physical and digital information formats that may be managed through different processes
- staff that are subject to the framework. This includes all employees, contractors and consultants
- any specific people, places or information assets that are not covered by the framework.
The primary aims of the framework should be succinctly communicated as core objectives. These must align with your agency’s corporate plan and business function to ensure the framework supports your agency’s business requirements.
Examples of objectives include:
- to clearly define the standards, expectations and responsibilities for managing information assets for all [the agency’s] staff
- to ensure [the agency’s] information management practices meet our legal obligations, accountability requirements, business needs and stakeholders’ expectations.
Your agency's information principles reflect its fundamental approach to managing information assets.
Information principles can be used to test your information governance. If all of the principles are met, your information governance is working.
Examples of information principles are:
- All information assets we create are ready for use and re-use. They are usable for as long as needed and are interoperable within our agency and externally as required.
- All information assets are discoverable across our agency by those with legitimate need.
- Our records, information and data are accurate, up-to-date and complete.
- Our governance mechanisms ensure that information management practices support good decision-making. Integrity, accountability and transparency are essential to delivering good business outcomes and building public trust.
- Our systems protect information assets from unauthorised alteration, deletion or misuse.
- Our people understand and appreciate the value of information as an asset for the organisation and the Australian Government, as Australia's intellectual property, and cultural heritage that has ongoing value.
Explain how information governance will be built into your agency’s planning requirements. This includes linking to other corporate governance frameworks, such as:
- business continuity
- risk management
- workforce planning
- corporate planning
Key drivers and strategy
Summarise the key drivers for your framework.
This section may include:
- a broad explanation of your agency’s role and responsibilities
- core projects and activities your agency is delivering that demonstrate your role and responsibilities
- principles that have been developed and endorsed by the international communities and professional sector for your agency
- reference to the Building trust in the public record: managing information and data for government and community policy, which applies to the management of all Australian Government information assets.
Other supporting whole-of-government initiatives that are relevant to your agency’s operating environment for information asset management can also be key drivers. These may include:
- AI Ethics Framework – Department of Industry, Science, Energy and Resources
- Data Interoperability Maturity Model – National Archives of Australia
- FOI Essentials for Australian Government agencies and ministers – Office of the Australian Information Commissioner
- Foundational Four – Office of the National Data Commissioner
- Guidelines for Ethical Research in Australian Indigenous Studies – Australian Institute of Aboriginal and Torres Strait Islander Studies
Roles and responsibilities
Outline the information management roles and responsibilities of all staff in your agency.
Make sure you clearly identify the roles that are accountable for information creation and capture, information governance, high-value information assets and for promoting the framework.
Roles you might like to include in this section are:
- all staff
- managers and supervisors
- data trustees
- information and communications technology staff
- information governance staff
- chief information governance officer (CIGO)
- enterprise data management
- information governance committee
- agency head
Outline how information assets are governed within business systems across your agency. Be sure to include the general process for identifying, assessing and documenting a management plan for information assets in business systems.
Your information review and considering your information asset register or documented information architecture will help you identify systems that use or contain information assets. Talk to your agency’s information governance committee for guidance on these processes.
Include systems and technology hosted in the cloud as well as those that your agency owns, maintains or hosts on its premises.
Examples of business systems are:
- onsite and offsite digital and physical storage
- security classified storage
- storage that is part of cloud services such as infrastructure, platform or software as a service (IaaS, PaaS, SaaS).
- systems accessed via social media and mobile devices.
Talk to your agency’s information governance committee for help conducting an information review. The committee’s formal endorsement of your review can help build support across the agency.
Risk audit and security
Managing your information assets properly will reduce risk while a robust risk management framework helps protect your information.
Use this section to outline:
- risks to your information assets
- information security requirements your agency needs to meet
- how your agency ensures its information assets are protected.
Risks to information assets
Risks to information assets may include:
- unauthorised destruction of records, information or data either deliberately or inadvertently
- legacy systems that prevent access, management, sentencing and disposal of information assets in line with legislative or other requirements
- an inability to implement long-term storage and digital preservation strategies causing lost information assets of national significance, data silos and increasing volumes of unidentified data.
Information security requirements
Information security requirements your agency may need to meet include:
- Australian Government Information Security Manual (ISM)
- Australian Government Protective Security Policy Framework (PSPF)
- any extra internal security requirements
Controls to protect information assets
Controls your agency has in place to ensure information assets are adequately protected include:
- Information governance committee: This committee is responsible for strategic coordination and monitoring of enterprise-wide governance of information assets
- Chief information governance officer (CIGO): The CIGO supports your information governance committee and is accountable for enterprise-wide governance of information assets
- Information or data management plans: These plans outline the value of information assets and identify strategies to manage them accountably and transparently over time.
Outline the cultural practices and relevant standards that support information governance in your agency.
Explain how your agency will encourage an organisational culture that embeds information governance into all aspects of its business.
This may include:
- commitment from the agency head to promote the value of information assets and the importance of high quality records, information and data
- the information governance committee’s role in highlighting the importance of good information management practices
- senior management recognising the achievements of information management and ICT professionals
- HR promoting the value of ongoing capability development for information management and ICT professionals
- providing information management training and guidance for all staff.
Briefly outline the standards that influence or directly map how information assets are managed in your agency.
These standards include:
- ISO 16175: Processes and functional requirements for managing records, International Organization for Standardization
- ISO 15489: Records management, International Organization for Standardization
- AGLS metadata standard, National Archives of Australia
- Australian Government Recordkeeping Metadata Standard, National Archives of Australia
- Information Management Standard for Australian Government, National Archives of Australia
- Minimum metadata set, National Archives of Australia
Policies and strategies
Outline all relevant strategies and policies that are part of or directly impact your information governance framework. This should reference your enterprise-wide information management strategy and information management policy.
Include internal strategies that work together to provide accountability and guidance for information asset governance across your agency. These could cover:
- cloud services
- data management
- digital preservation
- information security
- mobile devices
- normal administrative practice (NAP)
- remote working arrangements
- risk management
- social media
Make sure you include whole-of-government policies and strategies that impact on how you manage your information assets. These may include:
- Australia’s Cyber Security Strategy 2020, Department of Home Affairs
- Australian Privacy Principles, Office of the Australian Information Commissioner
- Commonwealth Procurement Rules, Department of Finance
- Digital Service Platforms Strategy, Digital Transformation Agency
- Digital Transformation Strategy, Digital Transformation Agency
- Open Government National Action Plan 2018-20 – Department of the Prime Minister and Cabinet
Describe the legislation relevant to your agency. This includes:
- general legislation applicable to most Australian Government agencies
- agency-specific legislation that impacts on information governance, such as your enabling legislation or any legislation that you administer.
Examples of legislation with information management requirements are:
- Archives Act 1983
- Crimes Act 1914
- Electronic Transactions Act 1999
- Evidence Act 1995
- Freedom of Information Act 1982
- Privacy Act 1988
- Public Governance, Performance and Accountability Act 2013
Promoting the framework
Outline who needs to be aware of the framework, its key objectives and any subsequent updates.
To support the uptake of the framework, promote it as tool that will enable better business and accountability outcomes for your agency.
Reviewing your framework
Review your information governance framework regularly to ensure it remains current.
You should also review it after events that might affect information governance arrangements, such as major administrative change.
Senior management endorsement
Provide evidence that your senior management has endorsed the framework.
This can be a brief paragraph signed by the agency head or the chief information governance officer (CIGO). It should recognise the importance of information governance in the agency and direct staff to comply with the framework's requirements.