Information Governance Analysis and Strategy


Information Governance

Current situation analysis and implementation strategy

2014

1. Introduction

Starting from 2012, the development of Estonian public sector services and electronic records
management is coordinated by the Ministry of Economic Affairs and Communications (hereinafter MEAC).
The first important document developed was the "Green Paper on the Organisation of Public Services"
(hereinafter GPOPS)1 that was approved by the Government of the Republic on 16 May 2013.

The need to direct the course from records management to information governance was articulated in
GPOPS because the administration procedures have hitherto not been sufficiently effective nor supported
the development of services. There is a lot of duplication of activities, copying of the logic of the paper
world, and manual work; at the same time it is difficult to find and use the necessary information fast.

Records management is primarily associated with records in the form of paper or computer file and their
management in the so-called records management system. At the same time, nowadays, records are
created, processed and managed also in other information systems and environments, whereas such
records differ significantly from traditional records.

It was emphasised in GPOPS that in the information governance, all information systems and
environments (including social media) where information is created and where records2 are processed or
made available are taken into account.

In June 2013, the records management, ICT and archiving specialists analysed the needs the records
management has not been able to meet, and why it is so. The base concept of information governance
was compiled and it was delivered to the Records Management Board3. At the extended meeting of the
Board on 14 June 2013, the base concept (see Appendix 1) was discussed and approved.

In November 2013, the Government of the Republic approved the "Digital Agenda 2020 for Estonia"4.
Based on GPOPS, measure 5.3.1 of the agenda "Development of better public services by using ICT" was
planned. One of the priority actions is to implement information governance in the public sector, which
would help to cope with the various information channels and flows.

In 2014, MEAC started preparations for the introduction of information governance in the public sector. An
analysis of the current situation and international experience, and the strategy for transition to
information governance were compiled.

This document contains a summary of the analysis and the strategy. It is based on the MEAC documents
"Analysis of the current situation of records management and information governance and international
experience. Final Report" and "From records management to information governance. Strategy plan."
(2014, PricewaterhouseCoopers Advisors Estonia (PwC Estonia)). The analysis and strategy were
conducted and this summary was translated into English within the programme “Provision of Prerequisites
for Improving the Quality of Public Services”, financed from the European Social Fund.

1 MEAC. Green Paper on the Organisation of Public Services https://www.mkm.ee/sites/default/files/green_paper_on_organisation_of_services_updated.pdf
2 This is based on the definition of record within the context of Archives Act (see § 2 (1)), where a record is "information recorded on any medium, which is created or received in the course of the activities of an agency or a person, and the content, form and structure of which is sufficient to provide evidence of facts or activities" https://www.riigiteataja.ee/en/eli/508042015003/consolide
3 MEAC. Co-ordination of the development of the area https://www.mkm.ee/en/objectives-activities/information-society/records-management-information-governance
4 MEAC. Digital Agenda 2020 for Estonia https://www.mkm.ee/en/objectives-activities/development-plans

2. Analysis of the current situation of records management and information governance and
international experience

At the request of MEAC, PwC Estonia analysed the records management and information governance
practices in Estonia and elsewhere. For making the comparison, the Estonian base concept was taken into
account. A desktop study, group and expert interviews and seminars, and project management group
discussions were conducted. In addition to the team of PwC Estonia, 43 individuals representing 14 state
and local government institutions, 5 other state institutions, and 7 private companies participated in the
analysis. The work was completed in June 2014.

2.1 Information governance analysis – concepts and terminology

As a result of the analysis it was found that the problems begin with different understanding of the
concepts related to information governance. For example, there are two different terms in English:
document and record, which are translated into Estonian with the same word "dokument"5. Due to the
specific field of information governance, the two English terms have important differences, and it was
found that the terms would require more accurate matches in Estonian.

The generally used concept is Information Governance. The descriptions of the concept vary in practice,
but in all treatments, the information governance is understood as the set of processes, roles, policies,
standards and measures, which together ensure the efficient and effective use of information, and thus
the achievement of an organisation's goals. Several related concepts are also used. The figure below
shows the interrelationships between various sub-concepts of information governance. Information
governance and information management are so-called umbrella concepts.

5 The translation problems relating to records management concepts and terminology have been described in the Estonian "chapter zero" of MoReq2, section 2.4 https://www.mkm.ee/sites/default/files/estonian_et_-_chapter_0_english.pdf

Figure 1. Concepts used in information governance and the relationship between them.

Information governance is a complex, multi-component discipline:

• The collection of information in various forms from different sources (data, paper and electronic
documents, audio, video, etc.), its secure storage and timely destruction.
• The processing and analysis of collected information.
• The sharing of information with its consumers in a limited or unlimited form via a channel suitable
for them (information systems, internal and external web, electronic mailbox, etc.).

Figure 2. The components of information governance6

6 PwC. Information Governance Framework

The EDRM information governance reference model (IGRM) discusses the information governance from
the perspective of business processes and the division of responsibilities:

Figure 3. Information governance – business processes and sharing of responsibilities7

Well-functioning information governance provides a simple, structured and automated organisation of
work, the availability of information at the time it is needed, opportunities for information processing and
analyses, preservation of information, and an access only for the persons entitled thereto.

Well-functioning information governance can be achieved by:

• identifying what information is valuable enough to be managed;
• simplifying and automating information capture and storing as much as possible;
• ensuring that information is retained as long as it is needed;
• ensuring that contextual information – metadata, descriptions, etc. – is also retained and linked;
• reducing the amount of unstructured information in favour of structured information;
• reducing the number of traditional (paper, doc, pdf, etc.) documents and records;
• using data of IT systems to mitigate risks connected with providing evidence;
• also finding a way to capture/retain/reuse information stored in people’s minds and obtained
through learning and experience.8

2.2. Information governance analysis – problems

The main problem in information governance is that the organisation lacks an
overview of its information assets. It is unknown where, how, why and when the
information necessary for operations is created. Also, its effects on business processes
are not understood.

7 EDRM. Information Governance Reference Model http://www.edrm.net/resources/guides/igrm
8 Records Management Board, 2013. Estonian base concept of information governance. See Appendix 1.

Information governance is related both to the organisation's activities and technology. Also, information
governance is not only a public sector concern, but it is also topical for the private sector, where rules for
the storage of information also apply and information is used in daily activities to achieve business
objectives. Information governance has inherited a big part of its problems from its sub-disciplines:
records management, data governance. However, there are problems specific only to information
governance.

The main problem derives from the fact that organisations are not mature enough for information governance.

There is no coherence necessary for the operation of processes between the different parts of the
organisation. Business processes are where information is created and given a value, but often this
knowledge does not reach the parts of the organisation dealing with data collection and governance. IT
department controls the technical tools that govern information, but it does not know the value of
information. Records management and legal departments are aware of the legal conditions, but they also
do not know the value of information. Thus, the most common situation is where the value of information
is understood in the company's units dealing with business, but its collection is not organised in the units
dealing with information management. There is no overview of which information is created, why and
where, and how it is related internally and externally. It is not understood that the limitation of resources
prevents having an overview and that investments have to be made in order to ensure working order.

Other important groups of issues are:

• There are problems with data governance – the quality of data is low, the data is out of date or
unreliable, or not compatible with different systems.

• The paradigm of the paper world persists in electronic records management – records management
systems are not user friendly, processes are cumbersome, there is no certainty regarding the
preservation of digital records.

• Information does not have an owner – related documents and records are stored in different systems
and they are difficult to find, the owner and people responsible for the preservation of information
located in the central information system are unspecified. The problem is particularly characteristic
of systems created for local governments.

• Systems do not communicate with each other – the systems that manage, govern and preserve
information are not able to communicate with each other.

• The opportunities of social media are not exploited – social media channels are used only to post
messages or to share information, not for two-way exchange of information with the users of
services. On the other hand, the amount of social media information is very large and it is very
difficult to find and extract important information later.

• Processes do not form a whole – the whole is not seen, solutions are being developed for a small
number of processes, the needs of users and other systems are not taken into account, the flow of
information is not mapped and it is not considered which data can be collected where.

• Lack of cooperation – organisations that could and should cooperate, do not, because they see
themselves as completely independent functional units.

• Shortage of smart customers – in the procurement of information systems, there is a lack of ability
to precisely describe one's own or others' needs; developers and analysts are not able to get to know
the organisation enough in order to adjust the solution to achieve maximum results.

• The need for information governance is not perceived – the managers of organisations (rural
municipality mayors in local governments) do not necessarily perceive the need for information
governance, as there is no daily contact with administrative matters. The existence of a problem is
perceived when there is not enough information to make a decision.

2.3 Information governance analysis – maturity model

Several information governance models were analysed. One of them was the information governance
maturity model created by the software developer Oracle. The Oracle model describes the bottom-up
development of information governance in an organisation, i.e. the process by which information
governance begins with divisional cooperation, and is later adopted across the organisation. In some
organisations, the model offered by Oracle may be appropriate, but the interviews revealed that this
approach has not brought success in Estonia. This may be due to the Estonian cultural aspects; it may
also be that the creation of the model was based on large international companies, where the branches
have a lot of autonomy.

As a result of the analysis, it was found that in the Estonian context, it is best to adopt the ARMA
International information governance maturity model, according to which the development of information
governance is managed from top to bottom:

Level 1 - Sub-standard
Information governance concerns are not addressed at all or are addressed
minimally, in an ad hoc manner. Organizations that identify primarily with Level 1
descriptions should be concerned whether the information they use daily effectively
serves the business needs of the organization.

Level 2 - In development
There is a developing recognition that information and data have an impact on the
organization and that the organization may benefit from more defined information
governance. In Level 2, organizations are still vulnerable to scrutiny of their legal or
regulatory and business requirements because their practices are ill-defined, incomplete,
nascent, or only marginally effective.

Level 3 - Essential
This level is characterized by defined policies and procedures that have to be followed in order
to ensure the functioning of the organization. Processes specifically intended to improve
information governance are implemented. In Level 3, the organizations still miss significant
opportunities for streamlining business and controlling costs, but they have the key processes
functioning, and are likely to be at least minimally compliant with legal, operational, and other
responsibilities.

Level 4 - Proactive
This level describes organizations that deal with information governance issues proactively and on
a daily basis. Information governance activities are routinely integrated into business processes.
These organizations are substantially more than minimally compliant with good practice and easily
meet legal and regulatory requirements. They understand that additional business and productivity
benefits can be achieved through more advanced information governance, analysing thoroughly the
existing information and using more complex amount of information.

Level 5 - Transformational
This level describes an organization that has integrated information governance into its overall
infrastructure and business processes. Compliance with requirements and legal, regulatory,
and other responsibilities is routine. This organization has recognized that effective
information governance plays a critical role in cost containment, competitive advantage, and
client service, and enables successful implementation of policies and strategies to achieve
these gains on a plenary basis.

Figure 3. Information governance – the maturity levels of ARMA model9

2.4 Information governance analysis – social aspects

Information governance mainly means the collection, publication, selection, deletion, and storage of
information. This may give the erroneous impression that the field is only pertinent to the organisation's
management and technology. However, it must be taken into account that the information being collected
has been created by people, and often the information collected concerns them very strongly. It is
especially highlighted in the fields that deal with sensitive personal data. Social values are particularly
important in the area of healthcare, but it should also be taken into account elsewhere. For example, at
first glance it may seem obvious that the content of the employee's work mailbox belongs to the company.
However, practices vary from country to country – in the United States it is indeed the case that the
employer has control over the content of the mailbox and the storage of information. In France, by
contrast, the situation is reversed – the work mailbox is the person's private property, and the employer's
intervention is a violation of privacy.10

9 ARMA. Information Governance Maturity Model http://www.arma.org/docs/bookstore/theprinciplesmaturitymodel.pdf, adopted

Thus, additional factors need to be taken into account when creating an information governance solution:
consent, privacy, autonomy, ownership, confidentiality and mutual benefits.

2.5 Information governance analysis – technical solutions

It is common practice among private companies offering ready-made solutions worldwide that information
governance systems consist of functional components that are sold separately. Thus, it is possible to buy
software for collecting information and separate software for searching it, processing it, etc. The available
technical solutions have a modular design, which means that by purchasing several solutions from the
same company, it is possible to create a solution that meets the organisation's information governance
needs. Examples of such products can be found in the product portfolios of IBM, HP and Symantec. An
advantage of such a solution is that it enables the customer to put together a system that meets their exact
needs and make upgrades module by module. It also means that the company providing the solution has a
fairly steady customer, who is related to their products, and there is a possibility for multiple sales.

The solutions offered by different manufacturers are compatible on the technical side, integration tools
are standardised and mature. The main reasons for compatibility problems are the differences in data
composition, quality and semantics.

Standardised solutions are offered, in addition to the companies mentioned above, by ASG, HP, Iron
Mountain, Nuix, Recall, RSD, and SAP. Software specialization is different by field: for example, ASG is
more focused on the healthcare sector and Recall more on financial institutions. Some companies such as
HP and SAP are not sector-specific, and their products are intended for a wider clientèle.

The situation in practice is that, since information governance is largely dependent on the structure of the
organisation itself, it is not possible to find a so-called out-of-the-box solution. This principle is especially
true for larger organisations where the structure is long-established and stable. It should also be taken
into account that the solutions available have been developed for very large enterprises, and so they can
be more burdensome than helpful for small and midsize companies (in the context of Estonia even for
large businesses).

2.6 Information governance analysis – the situation outside Estonia

To describe the situation of information governance in the private sector, the AIIM (Association for
Information and Image Management) study was referenced in the analysis11. In 2013, AIIM conducted a
survey on information governance among companies, where 76% of respondents were from North
America, 15% from Europe and 9% from the rest of the world.

10 AIIM. Information Governance – records, risks and retention in the litigation age http://www.project-consult.de/files/AIIM_IW-InformationGovernance-2013.pdf
11 AIIM. Information Governance – records, risks and retention in the litigation age http://www.project-consult.de/files/AIIM_IW-InformationGovernance-2013.pdf

The representatives of the participating companies revealed that a large quantity of records is still stored
in printed form, and their number is increasing steadily, although there is a trend towards transition to
digital records. The biggest numbers of electronic documents that are being stored are:

• text documents, spreadsheets and PDF-files;
• e-mail;
• invoices and delivery notes generated by automated software solutions;
• data in information systems, e.g. ERP12, CRM13 and data in project management software.

The motivation to engage in information governance comes from the
risks that organisations hope to avoid, the advantages they expect to
achieve, and the problems they seek to solve.

The most important risk lies in lawsuits, which can be lost due to poor data retention and thus the lack of
evidence, followed by the loss of customer trust and intellectual property. The advantages that can be
achieved are significant savings of costs, which are currently being spent on the maintenance of
infrastructure, the use of existing information in the company's business processes and faster response to
crisis situations. The problems that businesses' information managers want to solve are coping with the
amount of electronic documents and e-mail, the implementation of information governance guidelines,
and the aggregation and unified management of information found in a number of systems.

44% of the companies surveyed had a company-wide information governance policy in place; 21% of the
companies had information governance only in specific departments or areas of activity, and it was not
aggregated into a comprehensive whole. Information governance is very often left for the IT department to
manage, but it varies by channel. Thus, the responsibility for customer information, for example, could
quite equally be divided between IT, administration department, legal and marketing departments.
Meanwhile, the IT department is responsible for e-mail, instant messaging, mobile, and cloud data. The
marketing department is responsible for a company's social media and web content. A large number of
companies have no one responsible whatsoever for certain channels. Variable areas of responsibility or
the lack of a responsible entity suggests that it is difficult to introduce a single company-wide information
governance.

12 Enterprise Resource Planning software
13 Customer Relationship Management software

The strategies of businesses to cope with the increasing amount of information vary. 41% have introduced
records and information management software, 28% have automated the categorisation and deletion of
the unnecessary information. 28% of companies have simply chosen to increase the capacity of storage
media for storing data. In companies with an information governance system in place, the automatic
classification of data works only in 14% of businesses. The lack of automation points to the fact that
solutions are not yet mature in this area. The accessibility of information that is retained and used is also
complicated. Currently over 50% of companies perform data retrieval queries from each channel
separately, i.e. physical records are searched from one place, e-mails from another and press releases
from a third place. 25% make queries in different information management systems, and only 9% of
companies have set up a central system for accessing data, regardless of the type of data or the
information management system.

Two of the most complicated information governance channels were e-mail and social media.

Expenditures to get the information governance under control have continuously increased in businesses.
In 2013, 45% of survey respondents planned to increase the expenditures on information governance
within the next two years. The plans to increase the expenditure were not focused mainly on one medium,
but on a wide spectrum of information governance channels. The most important plans were directed
towards information classification and search tools, followed by the further development of information
management software, and the creation of new applications. Investing in social media governance was
marked.

The general trend is to recognise the importance of information governance and to deal with it, but the
area is still in its developmental stage, and there are problems.

Public sector information governance was analysed using the case studies of two distinctive countries –
Denmark and the UK. Denmark is characterised by the fact that information governance problems have
been perceived there and the problems are being solved in a fairly rigid way – with legislation. England is
the birthplace of information governance – it was the first place where the problems with information
governance were acknowledged and solving them started in an especially sensitive area of healthcare.
Therefore, their information governance is dominated to a great extent by the aspect of confidentiality
guarantees. In both cases, the analysis dealt with information governance across institutions.

In Denmark, the goal is to transform the communication with state institutions into fully electronic
interaction and e-services as it allows saving costs. The term of information governance is not used in
Denmark, but the principles are the same.

The data available about a person is used in the citizen portal borger.dk in order to provide the person the
kind of information that is likely to be the most important to them at the given time. The purpose is that
information is simple to understand, the use of technical or legislative text is avoided. In order to insert
data, citizens are directed to a self-service environment. It is compulsory by law to have a mailbox in the
citizen portal and to use some services electronically. The forms have been harmonised across the portal.

Businesses have their own portal virk.dk that is not related to the citizen portal. The various forms there
have not been harmonised, i.e. data fields with the same content may have different names. In 2005, an
XML repository was created where the basic elements of records were kept. Its aim was to harmonise
forms, but unfortunately it is not used in practice.

In the Danish Public Information Act (Lov om offentlighed i forvaltningen) there is a general rule that public
sector records must be registered. The compliance with the requirement in state institutions is inspected
by the Danish National Archives. Moreover, the records are allowed to be registered in information
systems other than records management system, if those systems support work processes better and
enable more streamlined workflows.

Also, the data of databases has to be transferred to the Danish National Archives, but at the moment the
problem lies in the fact that metadata is not associated with it. Data pairing is considered a security risk. A
solution is being sought to this problem, because the addition of metadata retrospectively is difficult.

Thus, there is a landscape of information systems in Denmark, the data in which covers the different
aspects of a single person, but is not currently integrated into a whole.

In the United Kingdom, the information governance started at the Ministry of Health. The first principles,
known after Caldicott, the chairman of the commission that developed them, were created in 1997. They
regulated access to patient information. The principles were developed as the leaders of healthcare
institutions wanted to load patient information into systems that were not directly under the control of the
institutions, as the solution was outsourced. For the purposes of monitoring so-called Caldicott guards
were employed who checked that the institutions follow these principles. The Caldicott principles slowly
began to spread and reached social welfare institutions. Over time, the need to harmonise the principles of
healthcare and social welfare institutions arose, and an information governance discipline emerged. The
principles were criticised because they and information governance were considered too complex, and
there was a lack of motivation to engage in it. Another major criticism was that the original principles were
used as grounds for not exchanging necessary information; there are a lot of requirements, which
make the situation of patients, doctors and medical staff insecure. Therefore, it was decided to review the
initial Caldicott principles and correct them. In 2012, the Health and Social Care Act 2012 was enacted,
which provides, inter alia, for the creation of a transnational healthcare information system.

In 2013, the development had reached the point where the cooperation with other state institutions to
share information began. However, it is still in a developmental phase.14 Thus, at the state institution level,
the information governance is currently used more in healthcare and social welfare institutions, but as a
discipline, it has been adopted more by the private sector, where the aim is to cope with the large amount
of information. The field was quickly taken over by ARMA, who made further developments to it, taking
also into account the needs of private sector and the general view. The United Kingdom has also started to
analyse the possibilities of implementing the Estonian X-Road solution.

14 Williams, L. 2013 The Information Governance Review Department of Health pp 24–28

2.7 Information governance analysis – the situation in Estonia

A significant problem in Estonia is the fuzziness and inconsistent usage of concepts. The term
“infohaldus” (information management/governance) has been in use for some time, but in practice it is
used as a synonym for records management. This is probably due to the dual meaning of the term
"dokument". Therefore, for example, records management systems that have long been known in Estonia
are introduced as information management software.

The fact that information governance refers mainly to records management was evident from materials
published on the Web, where the benefits and advantages of information governance were mainly referred
to through the concept of records management. The same conclusion could be drawn from the interviews.
The interviews revealed, for example, that about 80% of local government representatives equate records
management to information governance.

On the other hand, information governance has been understood as the management of data created in
other systems. The related concept of “infoteadus” (information science) is used within the meaning of
librarianship. There has not been a comprehensive approach to information governance so far and there is
no clear consistency between the concepts and the content.

A single description of the role of the information manager has not been used. Since information
governance involves many components, in smaller organisations the various roles and related tasks may
be performed by a single person. In larger organisations, on the other hand, tasks may be fragmented
between several people. The personnel executing information governance activities may often be found a)
in the marketing and communications departments that manage the content of web pages and organise
communication with other institutions and the press, b) in administrative departments, that are interested
in document circulation and workflow management and archiving, or even c) in information technology
departments, where information system managers, personnel responsible for data governance and
information system developers operate.

There is no professional standard for information governance professionals in Estonia, and therefore there
is no good curriculum that would meet the objectives of information governance. ARMA has developed an
Information Governance Professional15 certification program, which could be used as one of the basic
materials for creating the Estonian information governance professional standard. The ARMA certificate and
the curriculum required to obtain it include the following areas: information governance risk assessment,
strategy creation, framework creation, the integration of information governance into business and linking
with technology.

15 ARMA. Information Governance Professional http://www.arma.org/r2/igp-certification

The motivation of Estonian public and private sector with respect to information governance is different.
In the public sector, information systems are developed mainly in order to meet the requirements of the
law, rather than the actual needs of the institution. If the main objective in the public sector is not to fail to
perform the required operations in the required manner, then the objective in the private sector is to reuse
the information that is created on a daily basis in business activities as efficiently as possible. In the
private sector the main question is how to store and make information easier to use in order to improve
business activities.

In recent years, a change in the paradigm has also started to take place in the public sector. According to
the developers, the customer is becoming smarter and more oriented towards solving problems and
standardising and simplifying processes, rather than ordering perfect special solutions. Better
pre-analysis and optimisation of processes enable the customers to explain their wishes better and to benefit
more from the developments. The share of consultations is increasing both for public and private sector
customers.

The importance of information governance has been recognised in the private sector and organisations
have been looking for solutions consciously for several years already. Information governance is
associated with the concept of knowledge management in particular and the following questions are being
focused on: how does the information move, which information is true, who holds the information, and
how is the information retained? Meanwhile, not only documents are at the centre of attention, but all the
information flows in the business. For a company it is very important that the right information is available
at the right moment. The lack of such information can lead to a substantial and direct financial loss. This
is particularly specific to manufacturing companies.

The private sector has realised that the communication of rules alone is not enough. It is also necessary to
delegate personal responsibility to all employees. In addition to delegating responsibility, this behaviour
helps the employees create a personal relationship with information governance rules. Delegation
alone is certainly not enough; compliance also needs to be checked. People must feel that they
have the responsibility of the owner for the information they use. Real-time data processing helps to
achieve this as it provides the opportunity to respond immediately, not a week later. It gives a perception
that the information actually affects the company's operations. The use of data in real-time also helps to
reduce the risk of manipulating data.

In the public sector, data is collected "just in case". Officials collect information partly to protect
themselves since it is better to collect more information at a time than to break a rule. Another aspect of
collecting too much data is the uncertainty about future perspectives. It is apparent that the information
systems are developing, but it is not known what will be needed in the future.

The ignorance about the availability of information in the public sector is expressed through the
administrative burden of citizens and businesses – the citizen/business is forced to continuously provide
the same data to different authorities when communicating with the state. The main issue is not whether
the authorities manage to exchange information with each other or not, but rather how can one institution
know that the other institution already has the necessary information available? The existence of the
Administration System of the State Information System RIHA should help to solve the problem, but at the
moment it does not. The main reason is that RIHA is an environment that is described in the language of
the developers. Those officials who are not IT professionals need a so-called 'human readable' RIHA.

An information governance system as a specific software solution does not exist. Each organisation puts
together a suitable set of solutions that support their processes which, as a whole, form the information
governance system. Therefore, for example, e-mail, internal portal, records management system, but also
financial software can be considered to be in the information governance system, when these systems are
working in parallel, but not separately.

During the process of contracting for an information management solution, information distortion may
occur, so that the request does not reach the developer in the correct form. This is especially the case
when the order is submitted by the IT department, who may not know much about the processes that need
to be improved, but are familiar with the user interfaces and technical aspects. Thus, the business side
project manager and the owner of services should be involved in the procurement process to ensure that
the solution is actually directed at solving the problems related to the process.

When implementing any change, the most important initiators are top executives, whose leadership
fundamentally changes the organisation's culture, people's way of thinking, and people's courage to
initiate change. Bottom-up initiatives in Estonia have ended in failure.

The creation of information governance depends on the structure and size of the organisation. Small and
non-hierarchical organisations manage to govern information and knowledge without the use of strict
rule-sets. In large and hierarchical organisations, information governance becomes more complicated and
requires much more effort.

For automation, it is important that all data that can be machine-collected is actually
machine-collected, and that this is done in a standardised form.

2.7 Information governance analysis – successes and failures

Failures vary and their severity and causes depend on the organisation's area of operation. Generally, the
stories that concern the public reach the public. Of such stories, the greatest failures are caused by the
communication of information, or lack thereof: for example, personal information has been published, or
employees have not been informed of records that need to be retained.

For example, in 2007, the Financial Services Authority of the UK reported that the company Norwich Union
Life was fined, as it had failed to protect the confidential information of its customers. People's personal
information leaked out, which led to a number of fraud attempts against them. Namely, Norwich Union Life
customers' names and dates of birth were publicly available and this was taken advantage of by
scammers who contacted the company's call centre and obtained confidential information. There were
two essential errors here – first, the storage of sensitive data16 publicly, and second, the lack of adequate
security measures in the call centres, which could have prevented the release of even more sensitive
information.17

16 As there is no personal identification code used in the UK, the date of birth is more important for
identifying a person than in Estonia.
17 The National Archives (UK). Managing Information Risk
http://www.nationalarchives.gov.uk/services/publications/information-risk.pdf

There are several cases in the United States where companies have been fined for not archiving certain
documents well enough. In 2004, the Bank of America was fined 10 million US dollars because it was not
able to submit e-mails and other documents to SEC during an investigation. In 2002, five banks were fined
8.25 million US dollars due to the violation of data storage principles. In 2006, Morgan Stanley & Co paid a
15 million US dollar fine because it could not submit e-mails, and backups had been overwritten.18 These
failures concerned the proper storage of information, or rather the lack thereof.

Media can amplify the need for information that could, in case of a failure, damage reputation. For
example, in 2007, students in England were offered cheaper subway cards, but the demand was so great
that the web portal collapsed under the pressure and thousands of people were left without tickets. A
similar situation happened in England in 2008, when an electronic tax return system crashed on the last
day of the declaration submission. In 2007, the BBC reported that the Northern Rock bank was in difficulties
and was seeking support from the Bank of England. This was followed by a bank run on the company's online
banking system and, as the latter collapsed, the bank run continued the next day at the bank's offices.19 In
this case, the negative example is the communication of information to the public or to the correct
audience, and the fact that the increased need to use the system was not predicted in advance.

There is less data available about information governance success stories than about problems. This is
not caused by the lack of success stories, but by the fact that if a system is working well, then it is
considered normal and not significant. Good examples can still be found.

An example of other countries' experiences is the Commonwealth Bank. The bank is one of Australia's
leading financial services providers. The bank had a number of customer databases based on the specific
products or business units, so it was a decentralised system that was also quite chaotic. A project was
carried out, during which customer data was consolidated and a unified overview of a client and their
deposits was received. In addition, the data was mapped and profiled according to its quality. The company's
internal rules and requirements for data processing and data quality improvement were introduced and
data flow solutions were developed. As a result, the bank has been able to use the data available to them
to improve the planning of their business activities.20

18 Ibid.
19 Ibid.
20 Ibid.

Union Bank of California is the fourth largest commercial bank in the State of California, and one of the 25
largest banks in the United States. The company wanted to improve the management of its data quality,
and as part of this project, it was decided to create a data warehouse and implement data quality
improvement strategies in the company's internal culture. Activities to achieve these objectives were
divided into two groups: 1) data quality assessment and 2) a step-by-step plan to improve the situation.
The concept of system architecture was created, which aimed at the company's long-term business
interests and a business case was prepared, which was used to assess the long-term return on
investment. As a result of the analysis, the current situation of data and the degree of difference between
it and the maturity level to be achieved were determined, and a plan was set in place to get there. Opportunities
for quick success were identified to improve the situation.21

An example of an information governance success story in Estonia is the behaviour of the travel agency
Estravel during the so-called ash crisis caused by the volcanic eruption in Iceland, in which information
was delivered quickly and governed efficiently and people were helped to get back home. Both the loyalty
of the company's existing customers as well as the number of new clients increased.

Also, the Estonian income tax declaration22 can be considered a success story as it works very well, unlike,
for example, in England where the system crashed under the load in 2008.

Positive examples of the Estonian information governance and records management (cross-organisation
solutions):

• Document Exchange Centre23 which is used to exchange electronic records managed in records
management systems (computer files with metadata) in a secure X-Road environment24 both within
the public sector as well as between public and private sectors.
• The solution for notaries25 for making inquiries from different registers, which has made the
preparation of notarial contracts significantly easier and faster. For example, by finding data in
different registers it is identified whether a plot of land to be purchased is subject to restrictions
that the buyer is not aware of.
• E-Prescription26, with which the Ministry of Social Affairs has been able to get the medicine market
under control.

The most successful cross-organisation solutions rely on the Estonian distributed information system and
the data exchange capabilities of X-Road.

Positive examples of Estonian information governance and records management (organisation-wide
solutions):

• The records management system of the State Chancellery, which reduced the number of routine
activities of employees and the amount of time spent on them; costs were also reduced as the
administration was made paperless.
• The hobby groups management solution of Harku municipality that automatically checks the
children's right to grants. As a result of the implementation of the solution the municipality budget
was 15-20% in surplus, which was used to increase the amount of the grant (greater grant for each
child).
• The communication of Värska municipality and Great-Värska Society in social media. The Society's
Facebook page is a grass roots initiative, which Värska local government is actively involved in by
sharing information and answering questions.
• Tallinn Department Store intranet, which has allowed the company to improve the organisation of
its information and to make everything necessary more readily available to the employees. Employees
can also communicate within the intranet and are more involved in the activities of the company.
• International intranet of Aeroc International, which has given Aeroc faster and more convenient
access to corporate inside information, including real-time sales, production and financial reports,
staff contact information and necessary documents.

21 The National Archives (UK). Managing Information Risk
http://www.nationalarchives.gov.uk/services/publications/information-risk.pdf
22 e-Estonia website The Digital Society: e-Tax https://e-estonia.com/component/e-tax/
23 Information System Authority. Document Exchange Centre DEC https://www.ria.ee/dec/
24 Information System Authority. Data Exchange Layer X-Road https://www.ria.ee/x-road/
25 Centre of Registers and Information Systems. e-Notary http://www.rik.ee/en/other-services/e-notary/
26 e-Estonia website The Digital Society. e-Prescription https://e-estonia.com/component/e-prescription/

2.7 Analysis of information governance – creating strategies

In order to begin to understand the strategy, a paradigm shift has to take place within an organisation with
regard to information governance. The following table illustrates the need for change in an organisation:

Table 1. The paradigm shift27

| The old paradigm | The new paradigm |
|---|---|
| The old attitude that "if the system allows me to do it, then it's all right." | Prevent the users from creating poor quality information and start the transition to a culture that values high quality information. |
| The employee knows the organisation's rules by heart and applies them when appropriate. | Define the rules, changes and reference system principles and ensure their use. |
| Information is stored locally on the computer or it is in a format that is not apparently part of the company's business process. | Collect information at the source of its origin and increase the speed of information flow in the organisation. |
| Everyone is obliged to scrupulously follow the organisation's information governance rules. | Automate the compliance with organisation's rules with regard to information governance both in databases and work processes as well as in the user interface. |
| In the course of business, the necessary procedures for governing information have to be started manually. | Integrate the work process into one comprehensive whole, and eliminate the need to perform each step manually. |

A general guide for creating information governance strategy has been developed through the practice of
PricewaterhouseCoopers (PwC) (see Table 3).

27 PwC. Information Governance Framework

Table 2. Activities for the creation of information governance strategy

| | Mapping of current situation | Development of information governance model | Creation of business case | Information governance implementation plan |
|---|---|---|---|---|
| Key activities | Analysis of scope, approach and objectives. Identification of the focus. Analysis of currently effective information governance through interviews and workshops to identify the earliest opportunities to rapidly improve the situation. | Analysis and assessment of main practices to identify opportunities and risks. Assessment of alternatives and creation of a vision for the future of information governance. Creation of information governance framework and strategy. | Analysis of information governance costs now and on the implementation of the strategy. Detection of quantitative benefits. Preparation of business case. | Prioritisation of objectives. Tactical plan for the use of opportunities for rapid improvement of the situation and setting long-term goals. Setting indicators for the project. |
| Results | Current situation analysis. | Information governance framework and strategy. | Business case. | Information governance implementation plan. |
| Achieving results rapidly | Collection and evaluation of opportunities for rapid improvement of the situation. | Identifying the barriers that hinder the implementation of the opportunities for rapid improvement of the situation. | Evaluation of rapid corrective measures. | Priorities for achieving fast victories, achieved with self-financing. Achievement plan for long-term victories. |

3. Strategy for the transition of the Estonian public sector from records management to information governance

After the completion of records management and information governance analysis, MEAC commissioned a
strategy that would describe the necessary measures and actions for the introduction of information
governance in the public sector. The objects of the contract were the development process of the strategy,
the draft strategy, and the communication plan. The work was carried out by PwC Estonia. Five working
groups were formed. The groups consisted of representatives from several areas (IT, service development,
records and archives management, legislative drafting, PR) both from the public and the private sector as
well as civil society representatives. Each working group met twice and discussed the strategy versions
and the proposals made by other working groups. A total of 63 people participated in the working groups
and 262 proposals were made for the strategy. The information governance project steering group continued
in the same composition that had also contributed to the completion of the analysis. The steering group
made decisions on the proposals of the working groups, and reviewed and approved the final draft
strategy. The draft strategy was completed in November 2014.

3.1 Information governance strategy – concepts

The concepts explaining information and its structure were discussed in the analysis that the strategy is
based on (see Chapter 2), and therefore, these were not duplicated in the strategy document. The key
concepts used in the strategy are:

• Information governance – the set of processes, roles, policies, standards and indicators, which
together ensure the efficient and effective use of information, and thus the achievement of an
organisation's goals.
• Public sector organisation (PSO, organisation) – constitutional institutions (such as the
Chancellor of Justice, the National Audit Office and the courts), ministries and the state
authorities within their area of government, other state institutions, local governments, legal
persons governed by public law (for example, Estonian Public Broadcasting, the National Library,
Bar Association, the Chamber of Notaries), and public law foundations (such as the Cultural
Endowment and the Environmental Fund).
• Public service – service that the state, local government, or a person in private law performing
public duties provides at the will (including presumed will) of a person for the performance of
their legal obligations or the exercise of their rights.28
Public service may be provided in relation to receiving and processing a person's application (for
example, when applying for a license, compensation, etc.), by creating opportunities for the
person to meet the notification, reporting or other obligation (e.g. reporting of economic activity,
submitting a tax return, etc.), or for other purposes (e.g. information service). During service
provision, interaction between the person and the PSO takes place. The public services initiated
by the PSO at the presumed will of the person are automatic or so-called proactive services. For
such services, communication between the person and PSO is minimal – for example, the PSO
informs the person of the available grant or other benefit (e.g. childbirth allowance), or of a new
obligation (for example, notice of the arrival of a vehicle inspection deadline). At the time of
preparing the strategy, the number of proactive services is small; one example is the
automatic designation of a child's health insurance at birth.
• Service owner – decisive role with regard to a service that is performed by the person managing
the service’s basic process. The task of the service owner is to simplify the service processes and
to search for possibilities of making the services easier, more efficient or more effective. Another
task of the service owner is to provide the owner of the service provision channel (service desk,
self-service environment, e-mail or other channel through which the service is provided) with the
correct input information. The service owner is responsible for ensuring that the content and
functionality of their services are correct, relevant and up-to-date. Their task is the further
management of the service. The service owner is also responsible for the accuracy of the results
of the business analysis and the correct operation of the completed service and the accuracy of
the testing results. In the context of information governance, the owner of the service is the
person under whose guidance the required information (including documents) is identified,
collected, processed, distributed, archived and disposed of.
• Service catalogue – a dataset or database that contains a list of operational services and their
descriptions in a standardised structure.
• Management of service catalogue – the process of preparing the catalogue and updating the data
it contains. Often it is simply referred to as mapping of services.
• Service portfolio – a view of the service catalogue at a point in time with regard to the present as
well as the desired future state.29 Unlike the service catalogue, which contains only the active,
operational services, the portfolio contains all services across their life cycle, including services
that are in the planning stage and those that have already been removed.
• Service portfolio management – the process the purpose of which is to optimise the portfolio and
increase the total gain of services. In the course of portfolio management the readiness and level
of individual services is assessed, which also includes their comparison, and suggestions are
made for further development. Portfolio management enables the creation of a comprehensive
view of public services and the analysis of the benefits derived from the whole optimisation.
• Portfolio manager – person who manages the service portfolio in an organisation.
• Information asset – information that is necessary for the operation of the organisation (data,
documents, records, web content, social media messages, etc.).
• Disposal – deletion or destruction of data or documents/records in the course of a regulated
procedure in a manner that does not enable them to be restored.
• ISKE – the Estonian three-level IT baseline security system. The goal of the implementation of
ISKE is to ensure the security of the data processed in information systems30.

28 MEAC. Green Paper on the Organisation of Public Services
https://www.mkm.ee/sites/default/files/green_paper_on_organisation_of_services_updated.pdf

29 http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
30 Information System Authority. Three-level IT baseline security system ISKE https://www.ria.ee/iske-en

3.2 Information governance strategy – main objectives

The overall objective of the Estonian Information Governance Strategy is to support the development of
public services in order to ensure a better quality of services and user satisfaction.

Given the aging population and other needs, the aim of the information governance strategy is to ensure:

1. 20% more efficient performance of the public sector. In 2020, the state must cope with a budget
reduced by a fifth, and offer at least the same volume of public services of at least the same quality.

2. Improvement of retrieval and sharing of data. The creation of the central portfolio of public
services31 and adding content to it, so that all target groups could easily find the data used by public
services. In order to improve data retrieval, proper semantics needs to be set up for describing data.

3. Determination of roles and responsibilities. At national and PSO level, the roles and responsibilities
needed for the implementation of measures and actions have been assigned.

The strategic objectives support the "Smarter governance" objective of the Digital Agenda 2020 for
Estonia in three ways:

1. The development of public services in order to ensure a better quality of services and the continuous
growth of users' awareness and satisfaction.

2. The estimation of the cost of providing public services over the extent of their life cycle and across
different operations, taking into account the impact of services on PSO workload and customer
administrative burden.

3. The development of public services and administration to ensure the paperless official
communication target level of 95% by 2020.

Services' development is an important goal in the Regulation (EU) No 1304/2013 of the European
Parliament and of the Council of 17 December 2013, which established investments in institutional
capacity and in national, regional and local public administration and public services efficiency as a
priority, with a view to reforms, better legal regulation and good governance.

3.3 Information governance strategy – related initiatives

The strategy "From records management to information governance" is not a standalone initiative, but
compatible with earlier activities and analyses carried out by MEAC. The strategy is a key component that
shows how to apply the created tools in a way that contributes to the achievement of "Digital Agenda
2020" objectives. (See Figure 4)

Figure 4. Information governance strategy – context and links to other initiatives

The studies, analyses, guidelines and tools are available on the MEAC website, some of them also in
English.32 Below is a brief description of each document in the context of information governance:

• The Green Paper on the Organisation of Public Services (GPOPS) gives the definition of public
services, provides a concentrated overview of the problems of citizens and enterprises,
encountered upon the use of public services, and the problems encountered by the state and local
governments in providing such services, suggests possible solutions for the problems defined, and
lists the measures for the achievement of the solutions. The Green Paper has been translated into
English.
• E-services design handbook aims to assist civil servants in updating the services and shaping
these to give them more focus on clients’ needs in both physical and e-environment. The use of the
described model should help to enhance the value and user-friendliness of the services, while
optimising the administrative burden and expenditures that accompany public services. The
suggested model was tested during a re-design process of three e-services provided by the
Estonian Road Administration.
• Process analysis handbook suggests the methodology for process management and mapping,
based on the world’s best possible practices that would also match the requirements of Estonian
public sector. The handbook gives PSOs the guidance on implementing a process-based
management model that will contribute to the transparency of organisations, help develop a system
for measuring the performance and improve the monitoring of expenditures and utilisation of
resources.
• Administrative burden calculator helps to assess the burden that the planned service will put on
consumers, and the administrative expenditures borne by providers of services. The results are
converted into money to give a better overview of the influence of administrative burden.
• Integrated Portfolio Management of Public Services framework will help adopt decisions about the
development of public services and use of channels and their value for society in general, including
the greatest benefits for customers and providers of public services. Public service portfolio
management will help to channel the available resources properly, take the objectives of
governmental and other authorities into consideration and consider the needs of the customers.
During framework development, the models for public service description and measurement were
elaborated, the distribution of an organisation's roles and responsibilities was described, and the
central architecture for the public service portfolio was offered. The summary of the framework has
been translated into English.
• Indicators for measuring usability helps with ordering and developing software. It provides
guidelines for defining usability and measuring the results later.
• Framework for self-service environments. During the framework preparation, the existing public
sector self-service environments were analysed and as a result the principles for the creation of
customer-focused and convenient self-service environments were developed. The framework has
been translated into English.
• Records management and information governance analysis. The basis for the strategy document
was the analysis of the current situation of records management and information governance and
international experience. English summary of the analysis is available in Chapter 2 of the present
document.
• The goal of the e-State Charter is to bring together best practices for administration and form a
basis for better application of good administration principles. The charter is evolving in time and
developed together under the leadership of the National Audit Office. The charter gives people
information about their rights, state organisations their development goals and the National Audit
Office the basis for future audits. The charter is also available in English.
• A detailed analysis and the elaboration of the concept of 20 public sector e-services. As part of the
pilot project, a concept was developed for 20 public e-services. Its goal was to increase the quality
of business processes of the existing public services and help with planning new customer-friendly
services. Through training, business process mapping and services design, the service owners were
taught how to evaluate, improve and create more efficient e-services. Also, the
participants of the project were given an overview of modern and freeware tools and methodologies
for designing services. During the project, a lot of different benefits were revealed, confirming the
necessity for service-based management.

32 MEAC. Information society services
https://www.mkm.ee/en/objectives-activities/information-society/information-society-services

3.4 Information governance strategy – development methodology

The strategy was prepared on the basis of the "Analysis of the current situation of records management
and information governance and international experience", the contents of which are summarised in
Chapter 2.

It was taken into account that in order to achieve the objectives, the problems of information governance
described in Section 2.2 must be solved. The most important is to make the search and use of necessary
information as easy as possible, allowing users in any role – citizens, businesses, customer service
representatives, heads of institutions, other officials – to make the right decisions quickly and thus ensure
the effective achievement of the objectives of the PSO and the state. The purpose is not to aggregate all
the information generated in an institution or institutions in the future into a central information
governance system, but to find solutions that make it possible to manage and use this information
conveniently.

The strategy is based on the ARMA maturity model (see also Figure 3). As the Estonian state information
system architecture and X-Road allow the collected data to be used repeatedly and exchanged securely,
the ARMA model was adjusted according to the context of Estonia (see Appendix 2). The model consists
of eight categories, for each of which a level of maturity can be determined. The model categories are:
accountability, transparency, integrity, protection, compliance, availability, retention and disposition. The
five maturity levels are: sub-standard, in development, essential, proactive and transformational.

The maturity level of the organisation depends on the lowest category criteria it meets. In certain
categories the maturity level may be high, but the overall maturity is limited by the maturity level of the
least developed category. The national maturity level can be evaluated on the basis of PSO weighted scores.
For example, if a PSO has reached the fourth or even fifth level, but the maturity of the majority is at the
first level, then the state's information governance maturity level is 1+.

The elaboration of the Estonian strategy was based on the assumption that the information governance
objectives can be achieved in a situation where the state's comprehensive maturity has reached the
essential or third level. To achieve the overall maturity, development has to take place in all PSOs. The
measures identified in the strategy are built on the principle that they will help PSOs to move from a lower
to a higher level. National measures create preconditions for the PSO measures to be implemented.

Figure 4 presents the measures that support the information governance of the state as a whole to reach
the 3rd maturity level.

Figure 4. Information governance strategy – state and PSO measures

State measures and activities were assigned priorities based on the scale of the expected impact. The
basis for setting priorities was the table of the severity of IT processes (see Table 3).

Table 3. Table of priorities

Importance of the measure    Explanation
Crucial                      Measures and actions, without which it is impossible to achieve the objectives of the strategy.
Critical                     The success of the measure and action will affect the achievement of the objectives of the strategy to a significant extent.
Important                    Measure and activity can be compensated in another way.
Irrelevant                   The practical need for the measure or action is low.

3.5 Information governance strategy – state measures

The measures, recommendations and indicators proposed in the strategy are based on the studies and
analyses made in the area, on discussions that took place in the working groups and on further analysis of
the source material.

In order to achieve the goals set, actions need to be taken at the state and organisation level. The state
deals with legislation, funding, responsibility, cross-PSO coordination and public sector recruitment policy.
The actions targeted at PSOs focus on the internal organisation of work and processes. State actions are
supportive and structure-creating in nature, but in order to achieve a higher maturity level, each
organisation must make an effort.

In areas related to information governance (including the provision and development of public services,
ICT, records and archive management, internal and external communication, legislation, portfolio
architecture and responsibility) a number of cross-organisation or organisation-wide measures need to be
implemented, which is not possible for each PSO without the support of the state (see Figure 5).

Figure 5. Information governance strategy – state measures

The main state measures are the modernisation of the legislative environment, changing over to
service-based responsibilities, the implementation of new recruitment and training policies, and
establishing additional requirements for the funding of ICT developments.

3.5.1 Legislation must support the development of services

The implementation of information governance in the public sector requires a supportive legal
environment.

The modernisation of regulations needs to be considered, so that legal instruments would support the
opportunities of electronic procedure more clearly. As an important aspect, it is worth providing the option
for making administrative procedures fully electronic in certain cases, so that the checks of register data
as well as operations necessary for routine administrative decisions are performed automatically. This
makes it possible to establish a clearer understanding of the current law and to reduce the number of
different interpretations by various institutions of the collection and use of data.

In order to ensure fast and effective proceedings for the person through effective information governance
and records management, PSOs and persons should be directed to use electronic means for
administration; above all, user-friendly systems need to be developed that make it possible to collect and
store the necessary information in relevant databases (automatically).

Legislation must not establish document format requirements. In order to simplify the work of PSOs,
sample forms may be used, but these should not be included in the legal instruments. It must be possible
to collect or present the required data through the state portal eesti.ee or the X-Road data exchange layer.
Legislation must, at minimum, provide the general data composition, which will be specified at the
executive level, if necessary. Asking for data that has already been collected must be avoided.

The restrictions in legal instruments on exchanging information electronically must be reviewed (including
the obligation to forward certain types of documents only by mail). In a situation where it is possible to
send documents to a person securely (e.g. in Estonia through the information gateway eesti.ee), it should
not be limited by legislation; however, the wishes and opportunities of citizens must be taken into
account. The state cannot force people against their will to communicate through a channel that requires
a certain investment (e.g. requires a person to purchase a home computer and guarantee Internet
connection).

If necessary, guidelines for the use of the digital stamp and digital signature have to be developed for
institutions. Institutions assess the records prepared by them in the course of proceedings, distinguishing
administrative acts that need a digital signature from other records produced in the course of the
proceedings (announcements, invitations, correspondence, etc.) for which the institution's digital stamp is
usually sufficient. At the same time, the issue of digital signatures on administrative acts that have been
prepared without an official's discretion but are based on the state information system data needs to be
resolved.

When preparing an amendment proposal for the legislation, the effects of the amendments must be
analysed. The analysis must take into account changes in information systems, work processes and data
usage. The analysis must not be limited to the assessment of impact on the state level, but new
obligations and additional pressure on the budgets of LGs must also be taken into account.

Currently, the problem is legislative fragmentation in information governance and records management. In
Estonia, the area is currently regulated by at least 25 different legal instruments, and 44 additional
instruments that regulate databases. The expectation of the effectiveness of administrative activity has
been set out in the General Principles of the Administrative Procedure Act – administrative proceeding
shall be purposeful, efficient and straightforward and conducted without undue delay, avoiding
superfluous costs and inconveniences to persons. However, legal instruments are still often focused on
records management and deal with the principles of information governance minimally. The common
principles of information governance may be established by issuing a new regulation, or alternatively, by
substantially supplementing the regulation of the Government on the Common Principles of
Administrative and Records Management Procedures.

While carrying out the above-mentioned possible legislative amendments, the European Union Directive
2013/37/EU on the re-use of public sector information must be taken into account among other things,
and the legal and administrative provisions provided in it must be transposed into national law by July
2015.

3.5.2 Responsibility must become service-based

There are a number of measures recommended in the strategy that support a new basis of responsibility,
such as:

• Change the law so that the current function-based ("silo tower") responsibility is replaced
with service-based responsibility. This is of particularly critical importance if the service is provided
in several PSOs.

• Make the development and measurement of public services compulsory. Almost every service can
be measured and optimised.

• Appoint a central public services portfolio manager. The institution/unit that is appointed as a
portfolio manager will be engaged in portfolio management, leadership, training, standardisation
and promotion.

• Create a portfolio management information system, based on the public service reference model.

• Create the position of business architect in each ministry to coordinate the public services in the
area of government. Services in the area of government of one ministry may concern several
PSOs, which is why it is necessary that all related PSOs develop the services equally and that it
would be included in work plans and budgets as a priority. Otherwise, one organisation develops a
part of its services, but the benefit expected from it will not be reaped, because it is not a priority
for the other party. The business architect will deal with the services inside of a ministry's area of
government.

• Create a governing body between the areas of government. Some services may concern the areas
of government of various ministries. In such cases, problems that cannot be solved by one
ministry's business architect arise when setting priorities. The coordinating body will help to solve
the issues of prioritisation across ministries. A body consisting of business architects of
ministries would be fit for this purpose as they can, if necessary, take the issues that need to be
solved to the government for resolution.

• Designate an organisation responsible for the development of the official national communication
channel. Responsibility also includes the necessary legislation.

3.5.3 Recruitment and training policies need to support the development of services

A new approach to recruiting and training of officials is considered important in order to achieve service-
based management.

▪ Changing the state recruitment policy. Top managers are expected to have service-based
management experience and relevant knowledge. Service-based management requires knowledge
of the mapping of services, analysis, optimisation, pricing; the person must also understand and
support collaboration across the public sector organisations.

▪ The creation of a training program. Awareness of the links between information governance and
service-based management and its effects is low. In order to enable leadership and
implementation, a training program needs to be set up that would teach the understanding and
use of principles of information governance and service-based management. The program is
targeted at senior and middle managers. The training program is created in a reusable form, for
example, in the form of a series of video lectures.

▪ The compiling of a service-based management handbook. The activity is aimed at supporting the
implementation of the training program and service-based management. From the tools already
created (see Section 3.3 "Strategy and related initiatives"), a comprehensive handbook that
evolves over time must be created, containing, inter alia, information governance components.

3.5.4 Additional requirements for the financing of ICT solutions

One of the strategy measures is to set the following additional requirements for the financing of ICT
solutions:

▪ Indicators must be added to services. Only through service-based management will we
understand where the money is spent. For this purpose, during the redevelopment of a service,
indicators must be added to it. The initial set of indicators must include: the service capacity (how
much is consumed), the duration of a single service incident, satisfaction, and cost over time. As
a result of the PSO and service maturity growth, the end goal must be the implementation of
activity-based costing. In the context of information governance, it is important to understand the
impact the existence, quality and availability of the information necessary for the service delivery
has on the indicators.
▪ A so-called business analysis must precede the development of services. The aim is to help a
PSO identify their own needs and the needs of the service consumers and third parties, so that
prior to the redevelopment of services and the development of information systems it is
clear what the effects of the planned change are and what the best way to carry it out is. The
preliminary analysis of the service also includes the analysis of the information required for the
service – its existence, quality and availability.
▪ Better regulation of the financing measures. Financing applications must be accompanied by a
business case that must contain an analysis of effects on the economy, target groups, the state
and the PSO budget. The financing application must clearly demonstrate how the PSO service
currently works and how it will improve.

Other important state measures recommended in the strategy are the following:

• maintenance of the data in the Administration system for the state information system
RIHA33 so that, in addition to IT professionals, other officials can also easily find information
about which data can be requested from another institution (increasing the reuse of data);

33 Information System Authority. Administration System for the State Information System RIHA.
https://www.ria.ee/administration-system-of-the-state-information-system/

• aggregation of all the descriptions of the state public services in the information gateway
eesti.ee, along with the provision of access to the e-services;
• greater involvement of LGs in the development of information systems, and the creation of
central components for performing the uniform tasks of LGs and submitting data to the state;
• sample projects of services across areas in order to support a thorough preliminary analysis,
create better so-called life cycle services and provide recommendations for the management
of services across PSOs.

It is recommended to consider launching a centrally funded program, which is based on the UK success
story and which is to be carried out either with purpose-specific fixed-term internal resources or partner
agreements. The program would consist of creating a team of three to four members, each of whom would
operate in a focused way in a different PSO for a certain period of time (e.g. two weeks). During this, the
team will map the services, redesign one or two services, and proceed to the next PSO. This approach
allows for a quick launch of service management and sharing of knowledge in many PSOs, and each PSO
does not need to seek help independently or organise service design procurements separately. Team
competencies should include business technology, prototyping, information governance and service design.

3.6 Information governance strategy – public sector organisation measures and indicators

In order to create an information governance strategy within a PSO, the current situation has to be mapped,
an information governance model has to be developed, a business case has to be created and the information
governance implementation has to be planned (this also includes the planning of quantitative and
qualitative indicators for data quality). Also, activities that help to achieve well-organised information
governance must be provided for (see the list in Section 2.1).

In order to assist PSOs, the information governance strategy included descriptions of specific measures
based on the maturity model categories, and indicators to evaluate the success of the measure. One
principle that has been followed is the interlinking of activities of the organisation of public services and
the transition to information governance.

The transition to information governance must take place sparingly, using the existing
organisation of work, rule set and information as much as possible.

Figure 6 shows the measures necessary for a PSO at maturity level 1 or 2 to proceed to the next level.

Figure 6. Information governance strategy – PSO measures

In order for a PSO to advance from the first maturity level of information governance to the second, the
following measures need to be taken: launching of service-based management, regulation of
responsibilities, notification of employees, amendment of rules. The measures leading from the second
level to the third include the development of the principles of public services' portfolio management and
information governance. Both the advancement from the first level to the second and from the second to the
third are supported by the measure of eliminating legal obstacles.

3.6.1 Service-based management

The measure is taken to launch service management in a PSO in order to map public services,
responsibilities and information assets. Given the large volume of public services, it is necessary for the
PSO to have the independent capability to map and analyse services. The goal of service-based
management is the optimisation of services. Activities of the measure are:

▪ Preparation of a list of services provided. Preparation of a list of services makes it possible to form a
comprehensive view of the services offered. (The tool34 to be used: Integrated Portfolio Management
of Public Services).

▪ A comparison between the services provided and the functions. From the organisation's point of view,
it is important to compare whether the functions assigned by law and the services provided are
compatible with each other. Functions and services may have become disconnected, and
consequently a service that should not belong to the specific PSO is provided.

34 The tools created for service developers are introduced in Section 3.3

▪ Defining responsibilities. It is checked whether each service has an owner. In case of absence of a
service owner the PSO determines the owner. The service owner is responsible for the service
description. (The tool to be used: Integrated Portfolio Management of Public Services).

▪ Mapping of services. Mapping of services provides an overview of the organisation's principles of
operation, the division of responsibilities and the use of resources. Service mapping provides the
prerequisites for the development of a functioning system of measures, and increasing organisational
efficiency. The activity will provide insight into what triggers the service, when the accuracy of the
data is checked, who decides on its delivery, who confirms it, how the service recipient is informed, and
what kind of actions are taken to perform it. (The tool to be used: Public sector processes).

▪ Mapping of the governed information. The activity is carried out during the mapping of services. The
information assets in the organisation are mapped – data, documents/records, metadata, and data
sets. It is specified which data and documents are original and which are derived. (The tool to be used:
Public sector processes).

▪ Analysis of the necessity of the information assets. PSOs collect a lot of data, but they do not use all
of it in the decision-making or proceeding process. As a result of the analysis, collecting unnecessary
data will be stopped.

▪ Optimisation of services. As a result of getting the overview it is possible to find activities that are
redundant for the provision of a service or that are performed in different ways in the case of similar
services. Optimisation may point to situations where the data are checked by several persons,
although the checks could be automated and performed as a single step. In this phase, the possibility
to standardise and consolidate services may also arise. Making the service proactive depends
primarily on the nature of the service. (The tool to be used: E-services design handbook).

Indicators of the maturity model:

• Service-based management has been launched.

• Information assets and service provision processes have been optimised.

Indicators of the measure impact:

• Shortening the service provision time, cost savings. Service optimisation results in reduced
service time, because it is possible to omit unnecessary steps, or automate them. It could
also mean a reduction in the service provision costs, because less work must be done to
provide the service.

• The number of invisible and proactive services and the change in their number. A PSO will
presumably find a few services that can be standardised and/or made proactive or invisible.
The indicator is the change in the technological maturity of the service.

3.6.2 Regulating responsibility and informing

The measure will ensure that the PSO assigns a person generally responsible for the development of
services, and persons responsible for the management of various information assets. An understanding of
the importance of the development of information governance and services will be conveyed to all employees.
Activities of the measure are:

▪ Management's responsibility for the development of services. At least one member of the
management takes responsibility for the general management of public services. This helps to bring
the responsibility and initiative to the level of the necessary authorisations and thus, a leader with
enough power to keep the activity in focus is created. To initiate the activity, a government regulation
is used which provides that the development of public services is a natural part of the activities of a
public sector organisation.

▪ The appointment of persons responsible for the management of information assets. Persons
responsible for information assets need to be assigned. The organisation has to decide who is
responsible for managing a specific type of information asset (data set, records management system,
website, etc.). These can be service owners as well as records management professionals. The
measure is specifically directed towards the management of the life cycle of information assets. The
existence of responsibility contributes to the quality of information.

▪ The introduction of the launching of service-based management. The aim of the activity is to support
the launch of service-based management and demonstrate the benefits that result from it. The
management and staff need to understand the advantages of information governance and why
services and information assets need to be mapped and developed.

Indicators of the maturity model:

• Responsibility for the development of services is shared at the management level.

• The persons responsible for the management of information assets have been determined.

• Service-based management has been introduced to the organisation.

Indicators of the measure impact:

• PSO strategy has specified the activities intended for the development of services.
Leadership within the organisation's management has evolved and employees understand the
importance of service-based management. Thus, the activities related to the development of
services are reflected in the PSO strategy documents.

3.6.3 Amendment of rules

The measure aims to amend the PSO internal procedures and rules and remove weaknesses from them in
accordance with information governance needs. The measure focuses on taking the principles of integrity,
protection, compliance, availability, retention and disposition from the first maturity level to the second.

The implementation of rules must be supported by technical means to make breaking the rules as difficult
as possible. Activities of the measure are:

▪ Creating or amending the information governance procedure and rules. At the first level of maturity,
the information governance procedures and rules may be insufficiently provided. For example, the
rules on information retention and disposal may be unregulated with regard to some data sets, there
may be no disposal procedures, and it may not be possible to prove that the disposal procedure has
taken place.

The existing information management rules and regulations are complemented and, if necessary, new
ones are created. This includes creating or specifying the principles of cooperation between PSOs and
between the departments of a PSO, information governance, staff coaching, supervision and auditing.

It must be based on PSO objectives, legislation, services, procedures, existing documentation, the
logic of PSO work and services, information governance performance, efficiency, etc. It is necessary
to avoid the situation where only the common principles of one legal instrument, for example the
records management procedures, are transferred to the PSO rules, whereas the legal instrument does
not cover information governance as a whole. If necessary, the rules and regulations of various areas
of information governance may be distinguished, for example knowledge management, data
management, document management, records management. To make it possible to comply with the
rules, activities and responsibilities should also be accompanied by the transfer of resources.

Compliance with the rules established in the course of the measure will be checked by designated
persons responsible.

▪ Creation of the policy paper of information availability. The rules for information storage,
management, protection, archiving and disclosure need to be provided. It must be possible to easily
identify the location of original versions and latest versions of publications (work documents).
Computer systems and the infrastructure have to ensure the availability of information.

It is advisable to establish a policy paper of availability, which includes organisational activities,
development projects of systems or interfaces and other components, including in relation to services
across areas.

Indicators of maturity model and measure impact:

• Indicators for different areas of the maturity model, such as: integrity – the number of
decision errors; protection – information security audit results; compliance – legislation
audit results; availability – no access obstacles to the provision of services, including cross-
PSO services.

3.6.4 The removal of legal barriers

The measure aims to remove obstacles from the PSO legislation to enable more efficient and effective
delivery of services. Activities of the measures are general in nature:

▪ Change in legislative thinking. Some legislation may contain provisions that prevent efficient work.
A PSO may be aware of it, but continue to work in the old way, without attempting to change the
obstructing legislation. The activity must create a working culture where PSOs are willing and able to
make proposals for legislative amendments, as well as contribute to the initiation and conduct of
legislative amendments at the PSO level, as required.

▪ Electronic exchange of information. It is recommended that the legislation permits and, in some
cases, even obliges that the exchange of information and documents take place by electronic means.
Electronic information and document/record exchange could be targeted at PSOs and parties outside
governance. It is important to observe whether legislation facilitates the reuse of data.

▪ Digital signatures and digital stamps. It is the task of PSOs to decide when to use a digital signature
and when to use digital stamps. During the service development process it is possible to identify
which activities need an official's discretion (digital signature), and under which circumstances it is
possible to create an automatic decision (digital stamp when a decision needs to be sent outside of
the system).

▪ An analysis of the comprehensive impact of the amendments. Also, as in the case of legislative
amendment proposals at the state level, an analysis of the complete impact of the amendments
proposed by PSO needs to be carried out, taking into account the changes in information systems,
work processes and data usage.

Indicators of the maturity model:

• The number of legal obstacles. The number of obstacles found during the analysis of the
legal area that it would be reasonable to remove through the initiation and completion of
legislative amendment. The analysis should be repeated periodically; the target level of the
indicator is 0.

• The share of realised proposals. The proportion of the number of legislative amendment
proposals in the number of obstacles above. The indicator should be re-evaluated
periodically; the target level is 100%.

Indicators of impact:

• A comprehensive assessment of the impact of the amendments as a whole. A
comprehensive assessment can be based on the analysis of the impact of the amendments
made as a result of the PSO proposals.

3.6.5 Development of public service portfolio management

The measure is an extension to the mapping of services. Creating a portfolio of services involves
describing the services in a standardised format. This makes it possible to develop them in a more balanced way and
to assess the effects of the development. It is also easier to find duplicated services and easier to link the
public services provided by various organisations. Activities of the measure are:

▪ The integration of the governance of the information necessary for the provision of services with
strategic planning. PSO strategy will include service management as one of the priority directions.
The goal is the standardisation and integration of services, reduction of duplicated services and the
development of services. (The tool to be used: Integrated Portfolio Management of Public Services).

▪ Preparation of the services portfolio. The services portfolio allows managing the life cycle of services
and optimising them effectively. For each service, it must be decided whether it needs to be
maintained, updated, modified or withdrawn. During the creation of the portfolio, each service is
assigned an indicator of technological maturity. (The tool to be used: Integrated Portfolio
Management of Public Services).

 The organisation develops service-based information flow diagrams and principles. This is an
information flow diagram that describes the movement of data, adding of metadata, the use,
processing, generation of new data and eventually the deletion of data. The result of the activity
makes it possible to prove the authenticity and origin of the information. In case of errors, the place
where the error occurred can be easily detected.

 The PSOs use a single public services description language for describing the services. With regard
to portfolio management, it is important for connecting services that they are described in a similar
way so that they can be compared with each other. (The tool to be used: Integrated Portfolio
Management of Public Services).

 The optimisation of services portfolio. The PSOs are able to identify the services in their portfolios,
and the activities within the services, that are duplicated or that overlap to such an extent that they
can be combined or standardised, where possible.

Indicators of the maturity model:

 The institution's strategy includes the management of public services.

 The existence of the services portfolio.

Indicators of impact:

 Manifestation of the real benefits of the business case. As a result of the management of
services as a portfolio, the planned benefits will actually start to unfold. Benefits are
measured continuously, and the measurement is used as a basis of prudent development
decisions.

 The number of services described in the portfolio out of all services of the PSO. In the course
of the development of the service-based management, a list of services was compiled. On the
completion of this measure, these services will be added to the portfolio.

3.6.6 Further development of information governance principles

When taking the PSO information governance from the second level to the third, the courses of action,
plans and projects initiated at the previous level should be used as a basis. Activities of the measure are:

 The assessment of the comprehensive impact of services. It is assessed how the functioning of the
PSO has been influenced by the activities taken in Level 1, including the organisation of processes and
the amendment of the rules of the PSO. It helps to understand the effects of service management.
Since the PSO is usually not yet mature enough for the accurate measurement of impact at this level,
it can rather be considered an assessment. Based on this assessment, corrective actions are planned,
if necessary. The potential economic impact of the further development of services (including
organisational activities, development projects of systems or interfaces, etc.) is assessed. These
assessments are used for the prioritisation of projects and activities. It is highly recommended to
create a continuously working system for assessing the impact of measures and activities, the output
of which (impact assessments) acts as an input for the restructuring of processes and services.

 The realisation of the availability policy paper. The comprehensive progressive realisation of the
availability policy paper created at the maturity level 1 will take place on the second level. The goal is
to ensure the timely, efficient and accurate availability of the necessary information both within the
PSO and across organisations. The full realisation of the availability policy paper at the second
maturity level may be inexpedient, difficult or unrealistic. It is necessary to choose and realise the
priority actions proposed during the impact assessment.

 The evaluation and amendment of rules and regulations. At the first maturity level, the
supplementation of the internal rules and regulations was provided for. At the second level, the
compliance, monitoring, evaluation, and supplementation of the rules and regulations will continue, if
needed.

 The conduct of the inspection and notification procedures. It should be checked regularly that the
retention, quality and disposal procedures of information are followed; where necessary, employees
need to be informed of the problems, and these problems have to be solved. In addition to informing
the employees within the organisation, the external users should also be informed of the services and
their use.

 Supplementation and implementation of the system of indicators. The purpose of the activity is to
improve the services as well as ensure the supervision by the public of the development of the
services by the PSO. The indicators planned at the first maturity level will be supplemented and
implemented. The indicators must be publicly available and calculated, preferably automatically
updated. Indicator values must be updated at least once a year. The Service Level Agreements (SLAs)
of public services should also be considered as indicators that can be used to measure the speed of
the service, or other parameters. An SLA can differ from what is provided in legislation and helps to
measure to what extent the service exceeds expectations. Introduction of the SLA may be one of the
quality management indicators of the PSO.

Indicators of the maturity model:

 The percentage of realised activities of the availability policy paper. The activities of the
availability policy paper can be costly, but an attempt should be made to implement most of
them.

 The results of rules audit. In the course of an internal audit, it is reasonable to check the
content of the rules regularly, and to see whether they correspond to reality.

Indicators of impact:

 The number of services exceeding the rules and the expectations. The maximum service
provision time is usually determined in PSOs, e.g. 30 days. However, many offer the service
within a shorter time, for example a passport is received within a maximum of one week.
Setting the service levels makes it possible to set realistic goals for services; keeping or
exceeding them shows that the organisation is continuously engaged in the development of
services and meets the satisfaction goals of citizens and businesses.

 The proportion of invisible and proactive services. Many services can be automated, so that
the recipients do not have to perform unnecessary activities.

3.7 Information governance strategy – indicators and monitoring

General indicators, with which it is possible to assess the impact of national measures and the strategy as
a whole.

 Paperless official communication. The strategy and the Digital Agenda 2020 have defined the
paperless official communication level as one of the indicators (target level of 95% by 2020).

 Maturity model achievement level. Many PSOs have been able to move to a higher level in the
information governance maturity model. The indicator is based on the maturity level indicators in the
PSO measures. The methodology and indicator of the state's information governance maturity level
must be developed. One of the possible solutions is the weighted average maturity of all the PSOs.

 The proportion of invisible and proactive services. Services which can be made invisible have to be
made invisible in order to minimise the burden on the citizens and officials. The base level can be set
if there is an understanding of the volume of the state public services portfolio.

 The share of e-services available through the information gateway. The PSOs have an obligation to
include the service descriptions in the information gateway. It is important that the e-services can
also be used from there. Thus, a suitable indicator would be the share of e-services that can be used
through the information gateway.

 The satisfaction of citizens, businesses and officials with the services. Indicators are needed to
evaluate the quality of services, user awareness and satisfaction. So, the indicators used have
included the service operability during a time period as a percentage, the response time of the service
provider in case of an error, etc. The starting point here is the study of Integrated Portfolio
Management of Public Services and the evaluation model of public services and channels developed
within its context, recommendations derived from the recommendation indicator project, and others.

Appendix 1. The base concept of information governance

FROM RECORDS MANAGEMENT TO INFORMATION GOVERNANCE35

Approved by the Records Management Board36 on June 14, 2013

Postulates developed and agreed at the interdisciplinary (records management, archiving, ICT) meeting on
June 13, 2013.

Background:

In May 2013, the Government of Estonia approved the Green Paper on the Development of Public Services,
issued by the Ministry of Economic Affairs and Communications. One of the challenges described in the
document is the necessity of adopting holistic information management, as records management and
administrative procedures have not been effective enough and do not support the development of
services. There is still much duplicated and manual work done, and paper-based logic is still being
copied to the electronic environment. At the same time, the necessary information is difficult to find and use.

DLM Forum37, a pan-European community acting under the observance of the European Commission, has
also taken a direction towards Information Governance across Europe and beyond. For achieving the
objective, cooperation between various disciplines is seen as of key importance.

The term information management has been in use for some time already, but often as a synonym for
records management. EDRMSs long known in Estonia (e.g. Amphora, Postipoiss, DocLogix, and others)
have been advertised as information management software. On the other hand, information management
has been interpreted solely as data management in information systems. A related term, information
science, has been used in the meaning of library science. A holistic approach has been missing. No
breakthrough has been seen.

Replacing one term with another without changing principles is not a solution!

Information governance IS NOT a synonym for records management! Nor is it a synonym for data
management, internal communications, or any other separate field of activity!

35 In Estonian, there exists no suitable linguistic equivalence for Information Governance. To convey the meaning, terviklik
infohaldus (holistic management of information) is used.
36 The Records Management Board operates at the Ministry of Economic Affairs and Communications which is responsible for the
development of state information systems, information society services and records management in the public sector of Estonia.
The Board comprises representatives of two departments of the ministry (State Information System Department and Department
of Information Society Services Development), National Archives, Estonian Information System’s Authority and developers of
records management in local governments, and records management officers of all the ministries and the Government Office.
37 Among members of DLM Forum, there are 22 national archives, authorities regulating records and/or archival management
(incl. Ministry of Economic Affairs and Communications), universities, software vendors, etc. For further information, see DLM
Forum’s website http://www.dlmforum.eu/

Information governance is a support function/activity/process that helps to cope with information flows.

Information governance of an agency is a “roof” over content management, records management, data
processing in information systems, etc. Information governance of the state is a “roof over roofs”.

Well-functioning information governance is creative information governance where:

- information in any form, from any source, sent/received via any channel is covered;
- information is filtered/organised/stored and preserved according to its value, while its quality is
ensured;
- information is separated, gathered together, systemized and presented according to the needs of
the particular user – an official/partner (citizen/entrepreneur/another agency).

Well-functioning information governance makes finding and using information as easy as possible and
thus:

- enables an official/partner to quickly make right decisions and thus
- ensures the achievement of objectives of the agency/state.

How to achieve it?

- identifying what information is valuable enough to be managed;
- simplifying and automating information capture and storing as much as possible;
- ensuring that information is retained as long as it is needed;
- ensuring that contextual information – metadata, descriptions, etc. – is also retained and linked;
- reducing the amount of unstructured information in favour of structured information;
- reducing the number of traditional (paper, doc, pdf, etc.) documents and records;
- using data of IT systems to mitigate risks connected with providing evidence;
- also finding a way to capture/retain/reuse information stored in people’s minds and obtained
through learning and experience.

Information governance will be applied according to agreed rules – it will be regulated as little as
possible, but as much as necessary. In a common service environment, certain rules apply to the private
sector as well.

It is important to have good cooperation between various disciplines, and to promote and apply the
principles of information governance consistently.

Appendix 2. Information governance maturity model in the Estonian context

| Principle | Level 1 (Sub-Standard) | Level 2 (In Development) | Level 3 (Essential) | Level 4 (Proactive) | Level 5 (Transformational) |
|---|---|---|---|---|---|
| Accountability | Responsibility for the development of services has not been assigned and information assets are not governed. | Responsibility at the management level exists. Responsibility in the organisation has been implemented partially. | The service owners responsible for the development of services have been specified. Responsibility and authorisations are balanced. | All levels of responsibility act in accordance with the goals of the PSO. | Public service management is an important input in shaping the goals of the PSO. |
| Transparency | Business and support processes are neither described nor regulated. | Processes and activities are partly described in critical areas. | Business and support processes are described and regulated. Public services are described on a uniform basis. | Transparency is an important part of the organisation, business and support process descriptions are updated regularly. | Transparency is an important part of the business, and software that helps to ensure and manage information has been created. |
| Integrity | It is not possible to verify the authenticity of the information. | Metadata is partially used to ensure the authenticity of the information. | The authenticity of the information is ensured, metadata is used. | There are clear requirements and regulations for adding metadata and ensuring authenticity. | The processes to ensure authenticity are continually reviewed and preventive actions are carried out. |
| Protection | The distribution of access restrictions is random and data protection is of low importance. | Security rules address only the most important information, access restrictions are set by services. | Safety regulations are comprehensive and access restrictions are set on a transparent basis. Security audits are performed. | Regular security trainings and audits are carried out. | Security risks are reacted to proactively, regulations are supplemented and audits are carried out regularly. |
| Compliance | There is no clear understanding of the information to be managed in order to ensure regulatory compliance. | Regulations have been identified on the information that is needed to achieve compliance with all applicable regulations. | Compliance with regulations has been established and it is identifiable. The business code of ethics has been created. | Regulatory compliance is ensured and improvements are made on a regular basis. Compliance audit procedures are effective and efficient. | Compliance assurance procedures are constantly improved. |
| Availability | Information flow within an organisation is disrupted, including between departments. | The locations of information are partially documented. | Guidelines on the collection and retention of data have been created; information assets can easily be given an overview of and shared with external parties. | The making of information queries is automated. | It is possible to measure the information governance return on investment, and changes can be planned proactively in accordance with actual needs. |
| Retention | There are no retention guidelines or periods. | Retention periods and guidelines partly exist, but there is no comprehensive overview. | There is an established procedure for the retention of information across the institution. | Retention guidelines are regularly reviewed and updated as necessary. | Retention processes are a natural part of information governance. |
| Disposition | Disposal procedures are unregulated and undocumented. | Information disposal procedures are regulated, but there is no overview of their implementation. | Information disposal procedures are regulated and implemented. | Information disposal procedures and compliance with them have been harmonised across the whole organisation. | Disposal procedures and technology is continuously improved. |
