What is the Difference Between Information Governance and Data Governance?

What is the Difference Between Information Governance and Data Governance?

As a result of the need to protect data from breaches and comply with complex and evolving global data privacy regulations, we talk about “governance” more than ever, and I’m often asked about the difference between information governance and data governance.

In “Information Governance for Healthcare Professionals: A Practical Approach,” which is a terrific information governance resource even if you’re not a healthcare professional, Robert F. Smallwood refers to information governance as “a complex amalgamated discipline, made up of multiple sub-disciplines.” So true! In fact, data governance is one of these sub-disciplines, as is e-discovery, records and information management (RIM), compliance, risk management, privacy, information security, and data storage and archiving. This means that information governance stakeholders—the leaders who must participate in an information governance program if it is to be successful—must come from Legal, RIM, Compliance, Privacy & Security, IT and the lines of business (including, potentially, representatives from HR, sales and marketing and even site security).

What is data governance?

For Smallwood, data governance is about data quality and security, focusing only on structured data in databases. It encompasses data modeling, de-duplication to eliminate redundant data, and data cleansing to remove corrupted, inaccurate, or extraneous data.

Another definition of data governance, from the Data Governance Institute, is that data governance “is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” This definition would apply to both structured and unstructured data.

What is the purpose of information governance?

From the CGOC perspective, data governance encompasses both these definitions, and Smallwood makes an interesting and equally applicable observation that while information governance “must be driven from the top down by a strong executive sponsor,” data governance’s focus is “from the ground up at the lowest or root level.” I love this distinction because it goes to the heart of what is required for organizations to make information governance and data governance work. In fact, if you look at the sub-disciplines of information governance listed above, each, like data governance, requires a “from the ground up” effort to ensure the processes are accurate, complete and meet the specific requirements of the sub-discipline. Meanwhile, information governance is that top-down effort of coordination among stakeholders of all the sub-disciplines to make sure their efforts are coordinated, additive and based on the best possible information from across the organization. Information governance is impossible without data governance and the effort of all the other sub-disciplines. And without information governance, all the effort of data governance and the other sub-disciplines can still leave an organization with governance gaps that make it vulnerable to security breaches, compliance violations, increased costs, increased e-discovery risk and lower productivity.

What is information governance process maturity?

It is also the role of information governance to track the maturity of the processes of each sub-discipline, and in the winter issue of “Information Governance World,” Smallwood dives into our CGOC IG Process Maturity Model (IGPMM). The IGPMM is a guide to maturing information governance processes, improving information economics and enabling the defensible disposal of data debris. It enables information governance practitioners to benchmark their information governance programs against best practices, understand next steps for maturing them, and build a step-by-step roadmap for reducing cost and risk. The Maturity Model measures information governance maturity based on 22 processes across the information governance sub-disciplines, and the data governance processes tracked by the IGPMM include data source catalog and stewardship, system provisioning, active data management, disposal and decommissioning, legacy data management and storage alignment. The other process areas covered by the comprehensive IGPMM include Legal, RIM, Privacy & Security, IT and the business.

Because of the requirement to coordinate efforts across these disciplines, which often undergo their own transformations, information governance is necessarily a “complex amalgamation” that requires constant updating how we approach the underlying processes. I continue to look forward to working with the CGOC membership to improve our understanding of the challenges and opportunities and to refine and communicate evolving best practices.