Summary:
This article explains how organizations entrusted with sensitive personal data must act as responsible stewards by respecting privacy, protecting data, and maintaining transparency. It outlines three essential steps for effective content stewardship: understanding the content and technology in use, recognizing and mitigating associated risks, and adopting a holistic approach to content management. The benefits of good content stewardship include the following:
- It builds public trust and credibility
- It ensures legal compliance (HIPAA, FERPA)
- It enhances data security
- It improves operational efficiency
- It promotes transparency and accountability
- It supports long-term sustainability
It should no longer surprise anyone that the security of our personal data is unassured.
Headline news about privacy breaches has exposed the very real threat that our personal information can easily end up in unwanted places. As a result, public trust in government entities and private businesses that maintain our personal information is eroding. Rebuilding that trust requires committed change, but those organizations that get it right will reap measurable benefits.
So, for public service organizations that manage sensitive, personal data, the question becomes: What does it take to be a trusted, good steward of the content you manage?
What Is Good Content Stewardship and Why It Matters
First, let’s consider what good stewardship means. The private information you collect, manage, store, and dispose of for business processes is not yours. You are the steward, not the owner, and with your stewardship comes the responsibility to:
- Respect privacy
- Protect the data
- Be transparent
Maintaining control over an ever-growing volume of content, including personal information such as health, criminal and school records, is becoming a more challenging but necessary part of how organizations operate. Doing this ethically, securely, efficiently, and with complete transparency is good content stewardship. It means the difference between public trust and public outcry.
Compliance Is a Start, Not the Endgame
Protecting the public through information privacy begins with regulatory compliance. Public service organizations that manage protected health information (PHI), public safety information and any sensitive personal information are legally bound to protect the public against risk of exposure through laws like the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) and Patient Protection and Affordable Care Act (PPACA). However, compliance alone shouldn’t be the goal.
The Goal Is Long-term Trust
After meeting compliance mandates, good stewardship means understanding processes and technology that protect personal information and identifying and addressing risk as part of an ongoing, holistic strategy. When working with our clients, we recommend these three steps to establish a framework for good content stewardship.
Understand the Content You Have and the Technology You Use
The first challenge for many public entities is getting a handle on what content you have and where it is. Take inventory of sensitive content and determine where and how it’s managed, stored, and disposed of, then objectively evaluate current technologies that are used to interact with and store that information. Compare your processes, systems, and environment to industry best practices, and take time to research and become well-versed in what works and what falls short. Ask:
- Where is the private content currently stored?
- How is it used?
- Who has access to it?
- Are the files entirely paper-based or are all or some of them digital?
- Are digital records stored on an on-premises network or in a secure cloud infrastructure?
As you evaluate your systems and technology, and make improvements and investments, guide decisions by the Golden Rule. For entities entrusted with personal information, the Golden Rule means managing, storing and sharing information in expected and responsible ways. Simply put: treat other people’s personal information the way you’d want your own private information to be treated.
Understand the Risk and Safeguard Against It
Good stewardship is not a one-and-done effort. It takes an ongoing understanding and review of the risks to the content you hold. You must ensure the confidentiality, integrity and availability of the data by implementing administrative, technical, and physical safeguards to protect it and minimize the risks of unauthorized or inappropriate access, use and disclosure. A good way to ensure this involves:
- An infrastructure that provides maximum protection and security. This includes a reliable and secure infrastructure for digital data. For example, data stored in an isolated virtual private cloud is far more secure than an on-premises solution. When choosing a document management tool to help you access and manage digital content, look for a solution that provides cloud hosting and single-tenant options.
- Technology with security-rich features. Proper content stewardship requires policies that specify appropriate use and identify clear accountability. Role-based security aligned with organizational functions makes it easy and effective to control access to sensitive content and ensures important data is secure. Further controlling access based on document attributes and detailed activity logging provides added safeguards.
- Security procedures and training. Develop procedures and training for employees that include proper use of technology and guidelines for processes such as content redaction and document sharing. Make your data policies transparent to all stakeholders, including employees and the public. Remember the importance of accountability. Systems are needed to detect failures to adhere to security policies, and consequences must be enforced to maintain accountability. Technology solutions that include security features such as secure links for sharing and configurable permission settings help in this area.
- Thorough preparation in case of a breach or disaster. Have a carefully crafted, formal plan in case of a security breach or natural disaster. The plan should consider the unique needs of all business units and stakeholders in your agency. You should also review the plan regularly and make changes as needed, then communicate the updates.