What is the Director's responsibility to meet legislative obligations? Are your compliance efforts supported by good information management?
Shirley Cowcher July 2014
What do you know about business and Information Management?
To start I would like you to consider the following questions:
- Do you know what the duties of a Director are?
- Do you truly know what the organisation does?
- Do you know the legislative framework under which the organisation operates?
- Does your organisation manage its information as an asset much like its financial, property and human resource assets?
- Does it have access to appropriately qualified personnel to manage its information assets?
When I talk about information management I’m not talking about the technology, although that does come into it. I’m talking about an organisation that has the means by which [it] plans, identifies, creates, receives, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains, preserves and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.
So information management, in brief, is the framework of rules, systems and processes that ensures that organisations’ information is protected and exploited to its fullest extent. It is an umbrella term that encompasses document management and control, records management, library management, web content management to name just a few. It is not just about the “paper record” but includes the management of all information assets regardless of format or system (IT) dependency.
I would expect an organisation that is mature in the management of its information to have:
- An Information Management Strategy & Framework.
- An Information Security Policy, Framework & Classification.
- A Records Management Policy, processes and procedures.
- Metadata Standards, including business classification and/or taxonomies.
- Data Interoperability & Quality Standards.
- A Retention & Disposal Policy.
Don’t worry if you haven’t got all these things. There aren’t many organisations that do. The unfortunate thing is that there are many organisations that don’t have any of these things and as a result the organisation’s officers and directors are at risk of not being able to demonstrate/prove that they are upholding their duties and therefore are compliant with the legislative requirements that they operate under.
I’m not going to talk about the framework, policies, processes and procedures that support information management in an organisation at this point. What I am going to do is use an example of a compliance requirement that would be better supported with information management.
Corporate Governance and Legislative Framework
Earlier, I asked if you knew the legislative framework under which your organisation operates. I asked this question as it is an important aspect of corporate governance.
Corporate governance being defined as:
‘the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled in corporations’. It encompasses the mechanisms by which companies, and those in control, are held to account.
Ethics, risk management, compliance and administration are all elements of governance.
I assume that you assign the responsibility of defining the legislative framework to the organisation’s legal people. However, as a director or executive manager, or as the person held responsible for the management of information received and held by the organisation, it may be in your best interests to have some idea of the organisation’s legal framework; if not all of it, at least the legislation that directly impacts your area of work. So here is a brief list of some of the legislation you might want to know something about, as they all have some compliance requirements for business.
- Corporations Act & Regulations 2001
- Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (commonly known as CLERP 9)
- Income Tax Assessment Act, 1936 & 1997
- Fringe Benefits Tax Assessment Act 1986
- Fair Work Act & Regulations 2009
- Superannuation Guarantee (Administration) Act 1992
- Occupational Health and Safety laws, which have in the past few years undergone a harmonisation process to try to bring about consistency across all state jurisdictions.
- Workers Compensation and accident compensation laws.
- Trade Practices and Fair Trading laws.
- Laws of Evidence.
- Electronic Transaction laws.
The number and complexity of legal and regulatory requirements with which businesses must comply is ever increasing. Many of these laws, including the Trade Practices Act and laws relating to occupational health and safety, anti-discrimination, environmental [and privacy] have imposed added responsibilities on executive management [and Directors] that can no longer be ignored except at the risk of substantial penalties.
So if there are substantial penalties applied to non-compliance, then it is essential that executive management and directors ensure that the organisation has instituted policies, internal procedures and monitoring systems that maintain adequate ongoing compliance with the legislation, and that its controls and reporting systems adequately reflect that compliance. These measures are fundamental to demonstrating to the court or the wider community that the organisation is capable of meeting its compliance commitments, and that information/documents exist and are retrievable to prove that compliance has been met in the normal course of business.
Information Management can support Legislative Compliance
Let’s now look at one piece of legislation as an example of how corporate governance and information management are connected. I will use the Privacy Act for this discussion as it is currently a topic of discussion with the recent amendments.
Corporate governance is the framework of rules and the systems and mechanisms that hold the organisation to account. Information management is likewise about the framework of rules and processes that ensure that the organisation’s information is protected and exploited. Let me highlight to you that the foundation principle of the Privacy Act is also about implementing practices, procedures and systems to ensure compliance.
I see the relationship between the Privacy Act (and any other legislative compliance), information management and corporate governance like Russian dolls, with corporate governance being the largest of them and the Privacy Act being only one of many smaller dolls encased within the middle-sized doll of information management. By definition, information management pervades all functions and activities of any business that creates, stores and accesses information of any type and in any format to meet operational or legislative requirements.
Corporate governance falls into the realm of responsibility of the directors of organisations. As a director you are not responsible for the detail but for the overall view. Are the systems in place? Has the risk been assessed? Are we protecting information adequately? Will the organisation be able to prove compliance? Information management and compliance with specific legislation is the detail that, as a director, you don’t need to delve into, but you do need to know something about it, as you have to provide that overview to ensure that the organisation is compliant and accountable. It is the responsibility of executive management to put the detail in place.
In the case of the Privacy Act, or any other legislative compliance requirement, as a Director I would expect to receive a report from a compliance committee, or officer, that would determine the need for compliance and the actions taken to ensure that compliance has been met. This may not be a detailed report, but it should contain sufficient detail to allow the directors to be adequately informed that the organisation is meeting its legislative responsibilities. The report itself, and the directors’ scrutiny and acceptance of it, are a record of the directors adhering to their responsibilities. An organisation that has implemented IM would have a system in place for capturing and managing such information.
So briefly, how will information management support the implementation of the Privacy Act and therefore the compliance obligations of the organisation? Quite simply, it will capture, manage and provide the information the organisation needs to meet its compliance requirements.
Implementing the Privacy Legislation
In implementing the Privacy Act the organisation needs to:
Step 1. Know what personal information it collects, how, why, when.
Step 2. Review existing processes and amend them as required.
Step 4. Communicate and train personnel in the new Privacy processes.
Step 6. Monitor and improve privacy processes and procedures.
An organisation that has good information management processes in place, and suitably qualified personnel, would leverage this in the implementation process.
For example, to achieve step 1 an information audit needs to be undertaken. The audit will identify what information is collected about people, how it is collected, why it is collected, where it is stored, how it is used, who has access to it, how current it is and when it is to be destroyed. The currency of the information is particularly relevant with regard to consent for collection, use and disclosure. The capture of the information would be mapped as a workflow, and the IT systems the information is associated with would be identified. Much of this would already be accessible through the existing IM systems.
Steps 2 and 3 would be supported by the provision and capture of existing and amended documented processes and procedures. In steps 4 and 5 the means and method of training and communication with personnel and customers would be captured in the information management system as proof of implementation of processes and procedures. In the case of step 5, this would also capture the actions of the customers in terms of providing informed consent and opting in or out of disclosure statements.
Information management is also very relevant for the ongoing success of step 6, where the organisation will capture the monitoring activities to improve processes and procedures and to ensure and prove compliance. Step 6 will include a reporting mechanism to the directors, as well as documented procedures that should include an approach whereby privacy compliance is designed into projects dealing with personal information right from the start, rather than being bolted on afterwards.
So now that you know how information management can support governance and compliance requirements, how does your organisation stack up? Is information management seen as part of the solution, or is it still seen as “just the filing”?
References
- Queensland Government Chief Information Office (2009), Information Management Policy Framework, http://www.qgcio.qld.gov.au/products/qgea-documents/548-information/2349-information-management-policy-framework
- ASX Corporate Governance Council (2014), Corporate Governance Principles and Recommendations, 3rd edition, p. 3.
- Governance Institute of Australia.
- Information Enterprises Australia Pty Ltd (2013), The Australian Records Retention Manual, 14th edition, p. 167.
- Office of the Australian Information Commissioner (February 2014), APP guidelines, Chapter 1: APP 1 Open and transparent management of personal information, Version 1.0, p. 3.
- Office of the Australian Information Commissioner (May 2014), Guide to undertaking privacy impact assessments, p. 1.