Even when no one disagrees with the need for a business-wide data management strategy, implementing the protocols and policies can be an uphill battle. The key, it seems, is getting the right team in place. Just ask Merri Beth Lavagnino, the chief privacy officer at Indiana University. She's been at it for more than two and one-half years.
When Lavagnino was tapped in 2007 to help establish a governance program for information security and privacy, there was not much debate about the urgency of the task. The year before, the state of Indiana's newly enacted data breach notification law had gone into effect. It made employers accountable for mishandling data that could jeopardize the privacy of an individual. In addition, the university's information security and privacy policies were out of step with recent regulatory activity to restrict access to and protect student and employee data.
"Our philosophy of taking advantage of distributed technology, to provide as much access to data as possible for the good of the business, was being turned on its head," said Lavagnino, a speaker on privacy issues at the recent Burton Group Catalyst Conference in San Diego.
Making matters worse, employees were confused. The university's lack of a consistent set of security and data management standards made it difficult to know whether they were doing the right thing, Lavagnino said. The call for an updated information security and privacy governance program came from the university president. The effort was sponsored by the IT department, where she was then the chief information policy officer. IT drafted a set of information-handling standards for every employee to follow with the university's standing council of data stewards. But that didn't solve anything.
"We tried for two years to get the data stewards to govern all information, rather than just the data in their business areas," Lavagnino said. "It was really difficult."
The stewards were leaders of the school's various business functions, such as HR, student records, legal counsel and so on, Lavagnino explained. Meetings were held to bring the council up to date on the new regulatory environment. Subcommittees were formed to work on information governance policy, awareness and training. Roles and responsibilities were assigned to executive management, business management, technology management and users. The goal was to "make privacy principles actionable and real to employees," she said.
On Nov. 13, 2009 -- "a day that will live in infamy," Lavagnino quipped -- the data stewards council refused to go forward with the information governance policy. The policy had undergone two formal reviews. It was endorsed by the vice presidents, chancellors and faculty councils of all seven campuses in the Indiana University system. "This was the last version of the policy, ready to go forward for approval! They said, 'no,'" she said.
The business heads felt comfortable setting policy for their own areas of expertise, but they could not "tell other people what to do" about information governance, even about generally accepted privacy principles, such as maintaining data accuracy and collection limitation.
Requirements for implementing a data management strategy
According to Gwen Thomas, president of the Data Governance Institute, there has to be a driving reason for implementing a data management strategy, as well as a high-level sponsor -- as Indiana University's information security and privacy program had. Other more subtle but no less important characteristics are also required, however. Because data governance programs raise hackles, organizers have to have the political power to overturn dissenters, she explained during a recent seminar at the Massachusetts Institute of Technology. Such a project also needs a firm time commitment from the participants, trusted project managers who can document and communicate with ease, and data and information analysts who know the ins and outs of the business's data systems, she said.
The effort to build a governance program for information privacy continues at Indiana University. After the "initial frustration wore off," Lavagnino said, the IT experts regrouped. For the next six months, the team read up on governance, interviewed experts and talked to people at the university.
"What we determined was that we needed to separate the governance strategy that is common to all the information at the university, from the data management, which we realized is the tactical implementation of the strategy," Lavagnino said. The next step was defining who was best suited to handle the respective domains. In IT circles, the accepted wisdom is that the business should drive the policy. In this case, however, it became apparent that the compliance experts should formulate the information handling standards to implement the university's privacy principles. The business function experts would then handle the data management standards.
"We knew the compliance people could oversee development of a list of requirements for handling all information. And we learned that the business function people just could not do it right now -- the learning curve was too high," Lavagnino said.
Another lesson in hindsight: "You do need to allow people to bow out. There are people who are not going to expand their scope beyond their subject area. They don't want to get it or maybe they cannot," Lavagnino said.
Giving people a way to bow out is a subtle but important piece of advice for getting any kind of governance program off the ground, said Ian Glazer, senior analyst on the identity and privacy strategies team at Burton Group. "In [the Indiana University] case, people culturally didn't want to do it. They didn't feel compelled to do it, and at the same time they did not have a way to gracefully exit. So, they went along for the ride until the day they said, 'Nope, we're not doing any of this,'" he said.
Separating the strategic from the operational allows people who are reluctant to dictate strategic change to "organizationally save face," Glazer added.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.