Information Governance vs. Data Governance – Who Cares?
I just discovered this post Information Governance is more than just Data Governance by E.G. Nadhan. In general, the terms “Data” and “Information” have been used by many to mean the same thing. Nadhan raises some valid points which I will reinforce in this post – specifically, that as data management practices mature there is value in differentiating between data and information. I first wrote about this a few months ago in To Engage Business, Focus on Information Management rather than Data Management. This blog takes the next step to discuss the difference between Information Governance and Data Governance.
As a reminder, “Information = Data + Context.” The context we are talking about is the business process context. If we have policies that are relevant regardless of process context, it is Data Governance. If the policies are relevant in the context of a specific process context, then it is Information Governance. Examples of data governance policies are “never store the credit card security code”, “always validate a new address against a common validation service”, and “the first letter of the product serial number is a code that refers to the plant that manufactured the product.”
An example of an Information policy is to “mask the customer account number except for the last four digits on all customer interactions except for on tax statements and paper-based account notifications and only unmask the full account for employees based on their role and function being performed”. Another example of an information policy is a customer-facing document regarding privacy policies and compliance with anti-spam legislation, “Do Not Call” registries, and customer marketing contact management best practices.
To get back to the title of this article, who cares about Information Governance versus Data Governance? Well if a business process context is relevant, the business owner cares. If the business process context is not relevant, then the IT data owner cares.
The kinds of policies that Information Governance cares about include:
- Appropriate use. How should, or shouldn’t, certain types of information be used by employees, customers, and partners.
- Business value. Are we effectively taking advantage of and deriving value from intelligence derived from data.
- Information meaning. What are the agreed-upon definitions of things like “active customer”, “customer relationship”, or “risk weighted assets”.
- Information Life–cycle. What are the rules about acquiring new information, how long should information be retained, and when should it be purged.
- Information Ownership. Who is the process owner for creating and maintaining the various types of information.
The kinds of policies that Data Governance cares about include:
- Data transparency. What data do we have in the enterprise, where is it, and how is it secured.
- Data lineage. What is the system of record for various types of data, how does it move between systems, and what transformations were applied in the process.
- Data Quality. What rules can be applied systematically in the capture, monitoring, and measurement of data assets.
- Service Levels. What are the required service levels for the timeliness of data delivery or synchronization between copies of the data
- Data Security. How can data be kept secure regardless whether it is controlled by an application system, copied to a test or training database, or stored in the cloud.
- Change Impact. What is the impact to existing and historical data and data processes if a given system change is implemented.
- Data Ownership. Who is accountable for maintaining and operating the data stores, whether they are stand-alone copies or linked to a production application.
Part of the problem to-date in many organizations is that the business has abdicated responsibility for data management to IT. And maybe that’s partly because we call it Data Management. If we really want the business to be engaged and take accountability, it’s about time we differentiate between Information Governance and Data Governance. We need both types of governance and we need everyone aligned around a common understanding of roles and responsibilities. The language we use to describe it can go a long way to getting there.