An information governance framework is the legal, regulatory and business context within which information assets are created, used and managed. Documenting this for your agency sets out an approach and commitment to implementing an effective information governance framework and the controls that are required to maintain it.
Documenting the framework:
The following information provides a useful guide for the key aspects and components to include when documenting an information governance framework.
Other documents that support information governance include:
Establish the coverage of the framework. Does it cover information in all formats and in all agency locations nationally and internationally? Does it cover all staff including those in outsourced and contract arrangements? Are there exclusions which need to be noted?
Explain, within the context of your agency, why an information governance framework is needed. This should be tied to agency governance. This may include stating:
You may also outline some of the benefits of an information governance framework, including:
Your organisational information principles provide a foundation against which information governance can be tested. These should reflect your agency’s particular circumstances and approach to managing its information assets. Examples of principles might include the following statements:
Describe the broader environmental factors that influence your business, and how they impact on, or have accountability requirements for, your agency.
Set out whole-of-government policies and best practice initiatives to which the agency has committed. Outline the whole-of-government policies and directives that are relevant to the management of agency information including, but not limited to:
Describe relevant legislation, both general legislation applicable to most Australian Government agencies, such as the Archives Act 1983, as well as agency-specific legislation that impacts on information governance, such as your enabling legislation or any legislation that you administer. This may include:
Describe how information governance supports business performance and outcomes. This may include a statement outlining how the role of information governance helps the agency to meet strategic priorities, increases business performance and reduce risk.
Clients and stakeholders
Provide a brief statement outlining how information will be managed to support client and stakeholder requirements and expectations. This may include outlining how client information will be managed to support accountability, and designing solutions that help clients maximise the value of the information.
Describe the importance of embedding information governance into all aspects of your agency's business and how this will be achieved.
Provide a statement on the importance of a culture that supports information governance and how this will be achieved. This might include ensuring management support for the value of information and the importance of sharing information. It may also include:
Outline how accountability is at the core of an information and governance framework. Describe and identify who has overall responsibility for how information is managed and used, and who is responsible for each significant information asset. This links with the need to identify roles and responsibilities in the operational environment.
Strategy and planningDescribe how information governance will be built into agency strategies and planning requirements. This should involve linking to other corporate governance frameworks such as business continuity, risk management, workforce planning and other agency corporate planning documents. It is also important to link to initiatives which improve the use of information for business needs, for example your agency's information management strategy.
Reporting and compliance
Detail the agency’s approach to information governance compliance and reporting requirements. This may include, but is not limited to, meeting information security requirements, Freedom of Information Act and the Privacy Act requirements and annual reporting requirement to the National Archives. This may also include compliance with or reporting on requirements set out internally by the information governance committee.
Outline key infrastructure to support information assets and the mechanisms in place for their ongoing management. Infrastructure may include:
Risk, audit and security
Outline what controls your agency has in place to ensure adequate protection of information assets. Proper management of information helps to reduce risk while at the same time, a robust risk management framework will help to protect your information. It is also important to acknowledge the link between risk and information and the importance of governing these two.
Mention scrutiny of information governance practices to which your agency may be subject such as the media, internal audits or Australian National Audit Office reports.
Also describe the information security requirements to which your agency is subject, such as the Australian Government Information Security Manual (ISM) or the Australian Government Protective Security Policy Framework (PSPF). There may also be additional internal security requirements that need to be documented here.
Describe the operational aspects that contribute to your overall information governance framework.
Roles and responsibilities
Outline the specific information governance roles and responsibilities of key staff in your agency.
Provide a brief statement outlining relevant standards that influence the way information is managed in your agency. Consider including reference to other standards to which your agency has committed that may have implications for information governance, for example, metadata, information, records and document management standards as well as risk management and quality assurance standards.
Policies and procedures
Outline all relevant policies and procedures that are part of your governance framework. This will include policies on:
This should also include any policies and procedures which intersect or need to be considered as part of your information governance framework. Such policies may include those on the usage of:
Describe how information governance is generally maintained during the conduct of business. This should also address how business processes interact with systems and technology. This may involve specifying key requirements for information in business process such as:
Also describe business processes which present a challenge to meeting key requirements and how the agency chooses to manage these as part of its information governance framework.
Systems and technology
Outline how information is governed within business systems across your agency. This would describe the process for identifying, assessing and documenting a management plan for information in business systems. This may involve conducting an information review to identify systems that use or contain business information, and documenting them in your information architecture or information asset register. This may also include the process for seeking endorsement from your agency information governance committee.
This should not be limited to business systems owned and maintained by your agency or located on your agency's premises. This may extend to systems and technology hosted in the cloud, via social media and mobile devices.
Set out who needs to be aware of the framework and how they will be informed of its existence or subsequent changes and updates.
Review the framework periodically to ensure that it remains current. In addition, the framework should be reviewed after events that might affect information governance arrangements, such as major administrative change.
Provide evidence that the CEO, or the information governance committee chair has endorsed the framework. This may be done in a brief paragraph, signed by the CEO or the information governance committee chair, recognising the important place of information governance in the agency and directing staff to comply with the requirements of the framework.