Author: Karl Melrose

Thinker about how to think about information governance, economics, security, risk, technology and incentives. Out to solve every optimising problem, out to make sure my thinking gets better, every day. Information Governance, Management and Records Management at informationgovernance.blog. Random thoughts at karlmelrose.blog

Reducing risk in government contractor engagements by improving information governance

The last two decades have seen a step change in the methods we use to interact with contractors. Generally speaking, the primary means of engagement is now digital. This has brought with it significant reductions in the cost of engagement, and reduced the time to commencement of work. It has also increased the volume of engagements each employee is expected to support, and the quantum of risk associated with incorrect transfers of information. In discussions with many government entities I have found a number of common areas in which expensive problems occur frequently, that I also believe can be substantially reduced by improving information governance around each engagement.

Incorrect version transmittals. In organisations that run large projects, I’ve found that transmittals are still error prone. Large transmittals (lots of documents, or large documents) generally go out as multiple emails or on physical media – paper or digital. When they do, the probability of using an incorrect document version increases substantially and has obvious consequences for the financial and completion timeline of a project.

Provision and capture of as-built documentation. As-built documentation is typically large and held in systems inaccessible outside the organisation. It almost always has changes that need to be captured in a system of record after an engagement. Content is large enough and changed exclusively digitally, so transmission needs to be via electronic medium, or post work updates become very difficult. After an engagement, capture and correct storage of updated as-built documentation is again difficult. The risks are clear, when access isn’t provided and updates aren’t captured effectively, engagements start with incorrect information that leads to variations and re-work.

Capture of compliance documentation. Compliance documentation is a fact of life for contractor engagements. Workcover, insurance, safe work method statements etc. Good contractor management dictates that this documentation should be captured and stored in an organisational system of record and preferably associated with the specific work. Breakdown in this capture process is usually only noticed when there is a project failure. It can often be explained by an over-reliance on email, and failure to follow information governance processes. Mailbox limits frequently dictate that people will archive to repositories that are typically ungoverned and which can lead to a variety of significant liability scenarios.

Proof of work. Proof of work for contractor engagements has gone electronic over the last few years, particularly where it involves small construction or physical maintenance tasks. In some scenarios, inspectors capture photos of completed work, in others, contractors provide photos to prove completion. In each scenario, the problem is the same, the photo is provided, the payment is ordered, everyone moves on to the next project, often without the proof of work being captured in a system of record. I have spoken to records managers supporting legal action who counted themselves lucky for being faced with directories of several thousand photos with descriptive names like “DSCP1101”. The reality is that photographic proof is often lost with the email archive or laptop of the employee who ordered the work.

Ultimately, each of these scenarios can lead to substantial loss, and reflects an information governance challenge that is relatively simple to address. Many of these challenges can be traced to contractors’ lack of access to information governance systems. Manual work arounds and transfers from a system of record to an ungoverned system (ie. email and paper) introduce information risk that can easily be avoided.

Good solutions to this problem start by ensuring that there is a single source of truth for engagement information, and that all staff and contractors involved have access to it. They wrap an information governance framework around the engagement processes, ensuring that when evidence of transmittal, completion, or compliance is needed, it has been captured, is available and its source is known. This is a gap I’ve often encountered within the government organisations that I deal with. Historically this gap has been caused by tool cost and the security status of cloud platforms. Recent changes to the Australian Government Protective Security Policy Framework, and Information Security Manual mean that tools like our own Objective Connect and others are now viable for use by government. If you’re having trouble controlling risks like the ones above, a tool like ours should be on your list to examine.

Advertisement

Collaboration governance and notifiable data breaches – how do you achieve certainty?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into force on the 24th of February 2018. It means that an Australian Privacy Principle (APP) entity with reasonable grounds to believe an “eligible data breach” has occurred needs to report it to both the Office of the Information Commissioner, and the affected individuals, and conduct an investigation within 30 days. Many organisations will fail to effectively service this requirement because their response will rely wholly on meta-data. Effective responses will be made possible via systems that automate the collection of both data and meta-data about content collaboration events involving external parties.

In the lead up to reporting an event, the difference between a notifiable event and the continuation of business as usual, is likely to come down to being able to answer a few specific questions –

  1. What information did we lose control of?
  2. To whom was it exposed?
  3. What is the level of certainty?

In an organisation with automated external governance capture, the answer can look like “we provided x content to y, here are the audit trails and here is the content in its original form”. This answer will likely have a high degree of stability over time.

Organisations with less mature governance frameworks will rely on machine meta-data and interview data. A response from this organisation will have a high degree of ambiguity – “we can see that x accessed y cloud service and uploaded some content that might contain z data”. Three months later, a response even at this level of certainty may be impossible as meta-data logs are routinely overwritten.

Organisations that effectively move towards maturity do it by enabling content-based processes, with tools that make process work more efficient, and capture data and meta-data as a by-product of usage. In the vast majority of cases that I have worked on, control was lost due to the lack of an approved tool rather than by accidental means or malicious attempts to circumvent controls. Once an approved tool is implemented, steps can be taken to reduce access to other tools over time – this will include putting barriers in front of physical media, internet sharing services and email.

Ultimately, good response under mandatory breach disclosure is going to come down to having both the data and the meta-data. If you’re struggling with how this will play out in your organization and you’d like to understand one approach, please reach out to me, particularly if you’re a HPE Content Manager, SharePoint or Objective ECM customer already.

If you’re looking for a good primer on notifiable data breaches, I found the link below from Clayton Utz extremely useful, you can also find lots of good information on the website for the Office of the Information Commissioner.

https://www.claytonutz.com/knowledge/2017/march/take-notice-mandatory-data-breach-notification-laws-to-take-effect-by-23-february-2018