Implementing the Sedona Conference Information Governance Principles: Principles 4 to 6 – Privacy Protection


The Sedona Conference is a widely known institute that studies law and policy in many areas, including Information Governance (IG). The Sedona Conference Commentary on Information Governance sets out 11 IG principles that help organizations make decisions about how they handle their information.

This article is the second in a series focusing on the 11 IG principles. Here we describe the next three principles (Principles 4-6), the corresponding questions an organization can ask to assess its IG posture, and the privacy management activities an organization can implement to align with these principles. Our first article in the series, focusing on Principles 1-3, can be found here.

What are Principles 4-6 of the Sedona Conference Information Governance Principles?

Principle 4

The strategic objectives of an organization’s IG program should be based on a comprehensive assessment of information practices, requirements, risks and opportunities. An organization must:

  • Identify the different types of information it controls and whether the information is held by the organization, third parties on behalf of the organization, or both.

  • Identify its information lifecycle practices, including, but not limited to, creation and/or receipt of information, identification of location (active and inactive) for information storage, retention of information in these locations and disposal/destruction of information.

  • Assess identified information types and practices for information opportunities, risks, and compliance requirements.

Principle 5

An IG program should be established with the necessary structure, direction, resources, and accountability to provide reasonable assurance that program objectives will be achieved. An organization must:

  • Create a uniform framework to categorize its different types of information based on business needs, information-related compliance requirements, and risk controls.

  • Communicate IG requirements to all information consumers.

  • Dedicate the necessary human, technology and implementation resources to support its IG program and achieve its strategic objectives.

  • Establish the importance of strategic objectives, expected standards of conduct and accountability.

Principle 6

Efficient, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a central part of any IG program. An organization must:

  • Dispose of information that no longer provides value and is not needed for compliance, regulatory, or legal retention purposes.

  • Assess whether private or confidential information should be disposed of within a reasonable time after it ceases to be useful to the business to reduce the risk of disclosure.

Assessing an organization’s information governance program based on Principles 4-6

Organizations might consider the following questions to assess their current privacy position against Principles 4-6 of the Sedona Conference:

  • Has a comprehensive assessment of key stakeholders been carried out?

  • Have program objectives been established?

  • Has a compliance mapping (crosswalk of requirements to controls) been established?

  • Does the organization conduct an annual review of policies, procedures, retention schedules, data cards, and contractual agreements?

  • Does the organization offer IG training?

  • Does the organization maintain a records or information retention schedule?

  • Does the organization have an information architecture?

  • Has global compliance metadata been defined?

  • Does the organization maintain a data map/inventory?

  • Does the IT department keep an inventory of applications?

  • Does standard contractual language reflect IG requirements?

  • Does the organization maintain a disaster recovery/business continuity program?

  • Are security controls in place for sensitive data?

  • How does the organization handle deletion of data when that data is retained beyond its legal and operational lifespan?

  • Does the organization maintain IG procedures, and have these procedures been implemented?

  • Does the organization maintain a process for legal holds?

  • Have IG roles and responsibilities been defined?

  • Are there business-unit IG resources? If so, are they part-time or full-time?

  • Are there IT IG resources? If so, are they part-time or full-time?

  • Are there IG program resources? If so, are they part-time or full-time?

  • What is the level of senior management support for IG?

  • What is the level of management support for IG?

  • How widely are shared drives used in the enterprise?

  • Are IG audits performed (periodically or at random)?

Privacy management activities to align with Principles 4-6

After assessing its governance maturity against these principles, an organization can consider implementing privacy management activities such as those described below to align with the principles and close the gaps on the way to privacy maturity.

  • Create a data inventory or data map of personal information. Review all personal data items collected to confirm that they are necessary for the relevant processing activities and stop collecting and processing data that is not necessary.

  • Update records or information retention schedules so that they cover personal information holdings broadly rather than "records" alone, keeping in mind the principles of data minimization and limitation.

  • Update privacy notices to reflect retention schedules based on applicable regulations.

  • Implement privacy impact assessments in the life cycles of systems, processes and products.

  • Develop an incident response plan.

  • Develop a defensible disposition process and procedure.

  • Implement a data backup and disaster recovery program.

  • Perform routine vulnerability scans and penetration tests on network and cloud environments.

  • Perform routine testing of resilience and incident response processes.

  • Work internally to identify employee access roles based on their department and function.

  • Document privacy governance roles and responsibilities, including organizational charts, job descriptions, etc.

  • Implement role-based data privacy training, especially for those responsible for handling or processing personal information.

The privacy management activities under these three principles are essential for organizations to manage information with enough granularity to identify and mitigate privacy risks. An organization should consider evaluating and implementing these principles as it progresses to a higher level of IG maturity.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

Helen D. Jessen