Future Proof – Protecting our digital future

http://www.flickr.com/photos/thinkpublic/2366197687/

Yesterday I spoke at the NSW Right to Information/Privacy Practitioners Network at the lovely Parliament House Theatrette. The Practitioners Network is a really fantastic network of professionals who meet to share information about GIPA (Government Information Public Access) and privacy matters that affect those working in the NSW public sector.

Also speaking this morning was William Murphy from the Department of Finance and Services about the NSW government’s new ICT Strategy. My presentation followed William’s and focussed on what information professionals can do to help implement the ICT Strategy across government, and what we can do to minimise the information risks that are threatening government business information.

We are all in this together

I started by identifying that the title of my presentation was inspired by the beautiful and uplifting Ben Lee song, We’re all in this together. I noted that (as is not uncommon with my presentations) what I was going to say could verge into the doom and gloom territory, but in spite of this, I wanted Ben Lee’s positive spirit to prevail. We are all in this together, and together we have the experience and the skills set to do something positive about current information risks.

I then identified that whatever part of the information spectrum we work in – whether as brokers or advocates for public rights to government information, or as practitioners ensuring information is available to support business processes, or accessible for long term accountability and useability purposes, we are all information professionals as our work centres on the effective use and management of information. But, as information professionals, we need to be aware that the information we work with across government is at risk.

Risks threatening digital business information

Increasingly, the transition to digital ways to doing business has meant that information is often:

• not being maintained
• incomplete
• meaningless
• not trustworthy
• inaccessible, and
• not surviving.

Why are these risks occurring?

I then discussed the business scenarios occurring across government and other sectors that are causing these information risks.  

Many business systems cannot make fixed business information

Experience across government and other business sectors shows that information is not being maintained because digital business systems are often designed in ways that do not enable stable business information to be maintained. Business systems are often build on standard database principles of agility, flexibility and non-redundancy. This is because these systems do need to provide timely, up to the minute and accurate reflections of the current business environment. This means they are constantly updated which also means that they often don’t have the capacity to keep a fixed record when this is required.

This creates problems if decisions are challenged, transactions are questioned, or actions based on this dynamic business information are ever taken to court because there is no stable, fixed set of information to back up your decisions. Some claim that in these situations the system can be rolled back and the transaction simply run again to regenerate the data as it would have appeared, but experience is showing that this is not a good back up plan. Often, if one element in the database structure is changed, transactions and reports cannot actually be run again and access to this business information can be effectively lost for good. There needs to better awareness, therefore, at business system design of what information needs to be created to support ongoing business needs, and plans made to generate and export this from dynamic business systems.

Many systems cannot keep business information for as long as it might need to be kept

Next we discussed that, in contrast, many systems are great at making information, they are just not very good at keeping it for periods of time. Social media systems which are now widely used across government are good examples of this. Large amounts of government information are being created in the cloud on third party owned social media systems but in these environments, there are no guarantees that this information will be accessible and useable for as long as the business needs to access it. Research in the United States by Hany SalahEldeen shows that one year after the Egyptian Revolution, 11% of the social media content documenting this momentous event has disappeared. Information in the social media space is inherently fragile, but increasingly, key business processes such as community engagement, collaboration and project management are moving to the social media environment.

Social media is fantastic and it offers so many possibilities for future ways of doing business, but the instability of information in this environment needs to be acknowledged and addressed as part of any social media strategy so that the business will have ongoing access to its key business information and that this data is not inadvertently lost in the cloud.

Many systems are not designed to manage meaningful, accessible and trustworthy information over the medium to long term

Business systems are often not designed with the medium to long term in mind. Databases are often populated with codes and data values that do not have meaning for anyone other than the project staff directly involved with them. Often too these project staff are temporary or contract-based and do not stay long in an organisation. Once they leave, understandings of how information was managed, what it means, how it can be understood and used can all be under threat. For information professionals whose job it is to sustain information, integrate it with business process and provide ongoing access to it, this lack of meaning can render information completely unusable and inaccessible.

Business systems are also sometimes designed without the context and integrity controls neccessary to ensure the information within them can be trusted and reused. It is important to proactively identify what types of controls, business rules, metadata, titling rules and other information governance requirements are necessary to create and sustain accountable and trustworthy business information. Without this, we may be creating environments where the infromation generated cannot be trusted or used or relied upon for reporting or other data re-use purposes.

Digital information is actually hard to sustain

A key challenge is that digital information is inherently hard to sustain. There are significant costs and complexities in maintaining digital information and in a recent State Records survey, 80% of responding NSW public sector organisations reported some lack of confidence in maintaining key, high risk business information for a period of 10 years, let alone the 50 – 100 years that some key, high risk data actually needs to be kept for.

Sustaining information is becoming even more challenging because system migration windows, the timeframes within which business systems need to be changed or upgraded, are shrinking rapidly. Many business systems are now being migrated every 18 months. This is costly, complex and can often result in the loss of business information.

An additional risk comes from organisations trying to avoid the costs and complexities of migration. Increasingly we are hearing about scenarios where systems are actually too complex to migrate. They are identified as too hard to carry forward and so organisations are making the choice to orphan both the systems and the information contained in them. New systems are deployed instead, and the old systems together with the information inside them are sidelined and access to this corporate data is inevitably lost.

Software formats are vulnerable

In the current business environment, quite a lot of information is being created in complex software formats and maintaining accurate and accessible information in these formats through time is proving another significant challenge. Migrations and different rendering environments can all trigger slight but significant changes to the original information. For complex documentation like engineering and construction plans, over a fairly short time frame this can result in genuine alteration to the original information. If the information needs to be retained for long periods of time to support long term assets like roads, buildings, houses and other infrastructure, then it needs to be protected and managed through time so that its meaning and accuracy is not compromised.

Information is moving to the cloud

While the cloud offers fantastic opportunities, when moving information to the cloud it is really important to consider information access, management, security and control issues prior to the move to cloud-based systems. It is important that information governance frameworks are applied as rigorously in this environment as in any other business system environment. Critically, it is also really important to assess how information in the cloud will be integrated into all appropriate business processes, and how information of long term business use and value will be exported back into corporate systems at the conclusion of cloud arrangements.

So how does all of this relate to the ICT Strategy?

The ICT Strategy is all about building better and more effective government through:

• building new systems
• sharing information
• establishing new ways of operating, and
• encouraging social media use.

With this level of significant operational changes planned, it is vital for us as information professionals to get involved, and to get involved now.

As allied professionals we must all collaborate to collectively represent our views and contribute to the significant changes that are taking place. We must work together to to combat the information risks that are already impacting our workplaces and ensure that adequate information management frameworks are developed for the future that mitigate these risks.

Information professionals need to acknowledge all the capacities they bring to ICT discussions

A potential barrier to this involvement is that many information professionals do not feel that they have sufficient technical expertise to be involved in ICT innovation. But it is really important for information professionals to be aware that they have critical business knowledge that needs to be fed into any corporate ICT strategies and programs. Information professionals have extensive operational knowledge of how their organisations function – how business is performed, corporate responsibilities and who does what in the workplace. They have awareness of what the community requires of government information access frameworks and they understand what the community expects of government and the types of information government must make publicly avaiiable. They have awareness of how information flows across the business, of the different management requirements it is subject to and the different systems it resides in. And they have deep legislative awareness of the specific legal frameworks that apply to business information in their organisations and across government.

So information professionals need to stop selling themselves short! They have powerful and relevant knowledge and therefore must contribute their ideas on system design and information management requirements into all relevant business re-invention processes that arise. Information professionals also need to be advocates for information – how it should be made accessible, protected, preserved and sustained for as long as it is required. And information professionals also need to be aware that if they do not contribute to the ICT discussions in their workplaces, others will do it for them. These other contributors, however, are not likely to have the same depth of knowledge and same awareness of information management requirements, and therefore the systems they develop are unlikely to meet all necessary information management needs. Therefore it is critical that we get involved and collaborate with all ICT nad business colleagues to collectively develop systems that meet all business requirements now and into the future.

We need to do things ‘by design’

By helping to design new ways of operating that meet information management needs, information professionals can help to enable:

• access by design
• privacy by design
• recordkeeping by design
• good information by design.

We can hard wire, or bake good information management principles into business systems, to ensure risks are mitigated, information is available and sustainable business information will be maintained for as long as it is required.

And we need to do it now

And all organisation, whether they are impacted by the NSW ICT Strategy or not, actually need to be doing this. Gartner has predicted that by 2016, 20% of Chief Information Officers in regulated industries will lose their jobs for failing to implement information governance effectively. The information risks identified above are genuinely starting to impact. They are threatening business information and, according to Gartner, will continue to do so. So we need to contribute our expertise and ensure information is respected and protected in the business environments we work in and we need to do it now.

I closed by saying that State Records has a project underway to develop more effective guidance on managing the business information generated through social media. I said we would welcome stories, advice, feedback from all information professionals on their social media experiences. I said it would be useful for us to work together to:

• define new ways of managing social media information
• acknowledge that many organisations use between 3 and 9 social media channels and therefore we may need to develop different strategies and approaches for these different applications
• break down information silos so that all social media initiatives in an organisation can work together, integrate their information and feed it back into the business
• integrate social media into business processes and allow it to inform and improve business operations
• deploy our lessons learned and apply the extensive experience that a number of sectors have already had with social media (Universities in particular have much they can contribute here from their diverse experience)
• sustain information, by specifically identifying which social media information needs to be kept and managed.

At the conclusion there were a variety of questions about social media, the cloud, orphaned systems and also about how to get management to take corporate information risk seriously. There was also great discussion about these and other issues at morning tea. In all I had a great time at the Network and I really look forward to collaborating more with GIPA and Privacy colleagues on these important issues into the future.