Larry Medina

For the Record

Information Privacy, Retention and Other Necessary Evils

A recent article here in Computerworld Blogs discussed Information Privacy and asked what event will become the "Enron of information privacy". I find this interesting in that MOST organizations haven't chosen to wait for an event that hasn't happened yet, or that just happened recently, such as the VA incident cited in the blog post.

Most organizations have proactively sought out methods to protect their information from unwarranted access by both physical methods and through use of software, many applying a one-two punch, using a combination of both. This is an issue that goes far beyond the legal concerns of having your employees' information exposed, as it can compromise an organization's competitive position as well. When most people think of privacy, it seems they limit their thinking to the PHI (personal health information) and PII (personal identity information) of individuals, which are covered under HIPAA and various State laws, such as California's SB1386. But there is much more to be concerned with that requires protection, so the concept of "Information Privacy" needs to be top-down and cover all organizational information assets. Hopefully, if this law passes, we may ALL have fewer concerns.

Where I think the post went awry, though, was when it started discussing records retention and made the statement "... the IT world may get a breather from the record retention mayhem that plagues their budgets ...". As a RIM Professional, I have to ask WHAT MAYHEM? Retention is a requirement that has existed for information as long as it's existed ... unfortunately IT is just becoming aware of it. In part, this is because they have failed to seek out the requirements when deploying technology to the management of information in electronic formats, and also failed to address the existing laws, statutes, and regulations for retention, all of which are applicable irrespective of the media, form, or format the information resides in.

The post goes on to bemoan the impact on IT by saying "... the downside for IT was that they became an integral part of financial audits, electronic discoveries, and business process projects..." This struck me as rather ironic. I guess IT seemed to think they were just brought into the loop to supply the tools and then walk away; they never bothered to understand that the ENTIRE REASON FOR using technology was to be an integral component of the very "business process projects" they're now complaining are a "downside" of their activity. If technology is deployed without an understanding of what it's designed to achieve and how it impacts the business processes, and the thought is an organization makes this major investment simply because it's cool to have new tools, IT must think business is a real-world version of "Tool Time" featuring Tim the Tool Man, out seeking more power for fun and adventure.

Finally, we hear the old saw about encryption again: "... more than likely, every piece of sensitive data -- from social security numbers to employee's addresses -- will be encrypted ..." which is not only a knee-jerk reaction, but a bad business decision. Information needs to be adequately protected by one means or another, but as mentioned in a previous blog entry, encryption is not a panacea. There are a number of concerns related to encryption, one being the time required to accomplish it, another being the costs (both those associated with time and space), or the need to use more costly means, such as encryption in real-time ... and lastly, there is the problem of managing the encryption keys to ensure YOU can access your encrypted information.
 
Face it IT, retention is here to stay ... properly protecting the information assets in the repositories you are responsible for is here to stay. It's a cost of business to properly do both, and they need to be built into YOUR business processes, and it's time to stop complaining about the level of effort required and the cost, and start providing the levels of service your clients both need and deserve.