1 Access and Privacy Conference Edmonton, June 13, 2012 Rick Klumpenhouwer, MA, MAS, CIAPP-M Partner, Cenera INFORMATION GOVERNANCE FOR PRIVACY COMPLIANCE
2 Course Objectives Understand the principles of information governance and how it can be used to implement health information privacy compliance; Analyze and apply this knowledge and methodology within the context of your own jurisdictional setting
3 What is a good privacy program? operates on some clear principles and values about information; requires intense involvement in how information systems and practices operate on the ground; more proactive than reactive; a program with ongoing functions, maintenance, goals, assessment and improvement; runs as an information management/governance program
4 Information Management Organization of and control over the structure, processing and delivery of information. Answers the questions: What kind of information do I need to create/receive? How and what do I retain and why? How do I find and use information that I've stored?
5 Elements of Information Management 1. INFORMATION POLICY 2. RM FRAMEWORK 3. TRAINING/CHANGE MGMT 4. SYSTEM DESIGN 5. RECORD CAPTURE 6. TRACKING/RETRIEVAL 7. STORAGE/PRESERVATION 8. ACCESS/SECURITY 9. DESTRUCTION 10. ASSESSMENT/IMPROVEMENT Support Business Functions; Preserve Evidence for Accountability
6 What do you need to understand a record? Content: The intellectual substance of a document, including text, data, symbols, numerals, images, and sound. Structure: The manner in which elements are organized, interrelated, and displayed. Context: The organizational, functional and operational circumstances surrounding records' creation or use.
7 Information Governance Concept used by UK NHS to integrate patient privacy into the new EHRs they were developing; Manage solutions overlap: reduce redundancy of effort; Quality measurement: need to track progress; Participation: compliance on issues integrated with, not opposed to, health care objectives; A need to bring together privacy and functional requirements operationally, manage development, and measure progress
8 Why IG? Two main drivers: electronic information systems (Use/reuse; Structured/unstructured data; Integrity/accuracy; Transaction/Data analysis; Digital continuity) and information regulation (Access to information; Privacy/Security; ediscovery; SOX/C-SOX)
9 Information Governance Transactional Applications Enterprise Repository Systems Policy Application (Winston Chen, A Brief History of Data Governance (2010))
10 Why IG? Digital IM requires more planning, accountability, application of value. Governance Elements Surveillance and assessment Decision-making Accountability Counter-intuitive: governing information, not information for governing.
11 IG Defined Collaboration of interests: Information Governance is the enterprise wide framework that includes the people, processes, and procedures necessary to ensure the preservation, availability, security, confidentiality, and usability of an enterprise's information. (David Hill, EMC2) Government by IT: Digital Governance is often referred to as Egovernance, E-governance or Electronic Governance. In simple terms, it refers to governance processes in which Information and Communications Technology (ICT) play an active and significant role.
12 IG Defined Governance Framework The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Gartner)
14 How? Wonderful sentiments, but the real problem is how to implement. Still working with existing IM implementation systems: IT development/maintenance; Records management; Access to Information; Privacy/Security; Enterprise risk management; Archives. Just work together harder?
15 How? Managing Assets Model Fixed assets that need to be inventoried, controlled, and made available as need arises IT and records management lifecycle or supply chain Automated workflow, transaction, logistics solutions Compliance to standards regime/audit and enforcement key
16 IBM Supply Chain Management IBM is leading the way by approaching information governance from a supply chain perspective: think of information as goods and services in a physical supply chain.
17 Managing Assets Model Problems Is information really a fixed asset? How do you measure success? Forcing a system through compliance rather than contributing to quality outcomes Access and Privacy just one of many competing interests in governance decision-making and assessment
18 Managing Assets Model Problems Is compliance to standards deployment effective? Information management happens at each workstation: how do you control that? IG seen as a barrier or even a brake to operations. What are the benefits? How do you measure? How do you engage executive sponsors?
19 Information Governance Functional Records Management/Archives Records retention/destruction/integrity control Capture schedules/destruction processes storage and retrieval preservation/continuity Information about information (metadata) Based on records description (classification) Functional context is a key component of records description and control Policy on collection, use, disclosure, access and security based on function
20 Function-Based Information Governance Functional purpose and context of information the key to organizing, assessing, retrieving, and maintaining information to meet IG needs.
21 Function as Information Policy Interface
IM Function | Activities | Policy Determinant
IT | IT systems development, maintenance | Functional needs
Records management | Information capture, availability, and retention | Functional needs
Access to information | Locating, retrieving, and making available information relevant/important to citizen right of access need | Functional context as part of relevancy and status decision-making
Privacy | Appropriate personal information collection, use, disclosure | Function (purpose)
Security | Protecting sensitive information from unauthorized access, loss | Functional context
Enterprise risk management | Identify and mitigate risk to organization and others | Functional context
Archives | Preserve/make available information of long-term value | Functional context
22 Function-Based Information Governance Segregate information (schedules, registries) about policy, business functions and information/information systems; Apply policy to functions; relate functions to Information; Many to many relationships [Diagram: three columns, Information Policy, Functions (Taxonomy), and Information, each listing items A, B, C, D]
23 Organization Infrastructure Support Functions: HR, Finance, Facilities, Supplies/Services, Information Management PLANNING/DESIGN Function, Activity or Transaction ENGAGING/SERVICING OBJECTS Topics, Clients
24 Functional Language FRUIT LEVEL SHOWS DESCRIPTION RANGE SOURCES EXAMPLE FUNCTION Why Area Scope, SUB-FUNCTION (optional) Why Subject of Activity Role/ Program within Function Open-ended Open-ended Legislation, Mandates Organization charts, administrative history, job descriptions Human Resources Compensation ACTIVITY How Action, triggered by Transaction with topic or client Closed Standards, job descriptions interviews, organization charts Review TASK (optional) How Specific Task within Activity Closed Benchmarking TRANSACTION with TOPIC OR CLIENT What Object of Activity Static, open-ended Interviews, records inventory, annual reports Pay Scales, Managers, Joe Smith
25 Functional Language Accountability/ Documentation Significance HUMAN RESOURCES Compensation COMMUNITY CARE Long Term Care MATERIAL MANAGEMENT Equipment Maintenance Planning/Design Engaging Servicing Function, Activity or Transaction by which the methods, policies, and eligibility, status, and design of the function are chosen, developed, evaluated and improved Function, Activity or Transaction by which terms of client or object engagement are set or ended. FUNCTIONAL EXAMPLES Developing and evaluating compensation plan; Planning, developing program and evaluating program; Planning, designing and reviewing equipment maintenance system Establishing level/terminating Referrals, placement, scheduling, care planning Referrals, site or shop scheduling Function, Activity or Transaction by which services are actually delivered to clients or objects, based on terms of engagement Delivery/ Maintenance of compensation Resident Care Diagnosing problem, repairing, updating
28 Functional IG Perspective/Approach Continuum vs. lifecycle Design in function-based policy to systems Support of function vs. compliance Access and privacy participates in system design to support functional documentation and compliance analysis
29 IG Happy Land From fixed asset to changing product and tool attached to functional context. Success=How well does information support functional needs? From compliance to participation in a function-based policy. Access and Privacy as isolated problem to essential expertise in the solution.