Captain to Lieutenant: “Lieutenant…see this 20ft pole? Bury it in this 10ft hole!”
Lieutenant: “Sergeant…?! See this 20ft pole?”
Government agencies are currently working on developing “Data Governance Policies” to ensure effective management of their data. As someone who has served on agency and federal data policy working groups, I can attest that agencies are taking a wide-spectrum approach to data governance, covering all elements related to data within each agency. This approach is being taken because, it appears to agencies, that higher authorities have not provided clear guidance on the matter, leaving agencies to develop their own policies.
Agencies struggle to find policy verbiage that accurately and sustainably endures for all users attempting to answer questions about data warehousing and information architecture and access controls and PII/PHI management, etc.
It’s worth noting, however, that the federal government has provided some guidance on data management through Title 44 USC Chap 31, Records Management.
This statute assigns records management responsibility to agency directors, who then pass the responsibility to the agency’s Records Management Office (RMO) director. However, at most agencies, responsibility for records management continues beyond the RMO to the individual who creates a record. This “end-user” approach to records management is still in place, even though systems now exist to manage the entire lifecycle of information management, which is a key element in data governance.
This is where the RMO can play a crucial role in dictating data’s lifecycle management. By applying 44 USC 31 beyond the records management of data from all systems to configuration management of all systems for the purposes of records management, the RMO can manage the entire data lifecycle, including the generation, storage, maintenance, and disposition of data. This extends to both mission and corporate data management systems.
By extending systems configuration to the RMOs under Chap 31, agencies can develop a unified system for accountability of all data. This system allows the RMO to define a single records management standard for mission and corporate data management systems.
The RMO now has a voice in conversations concerning data’s creation, storage, or disposal. This will enable agencies to create a comprehensive data governance policy that adheres to the business process framework prescribed by the RMO. Stakeholders who insist on the management of their own offices’ government data will need to justify their request to higher authorities.
Here’s the sample Data Policy Document. Please debate via comments.
TITLE: Sample Data Governance Policy
Policy on Configuration Management Control of Agency Systems
This policy establishes the responsibilities of the agency’s records manager for configuration management control of all systems used by the agency in accordance with applicable records management laws and regulations.
This policy applies to all systems used by the agency, including but not limited to electronic recordkeeping systems, email systems, and any other systems used to create, receive, maintain, or dispose of agency records.
This policy is established in accordance with the following authorities:
- The Federal Records Act (44 U.S.C. Chapter 31)
- The Paperwork Reduction Act (44 U.S.C. Chapter 35)
- National Archives and Records Administration (NARA) regulations implementing the Federal Records Act (36 CFR Chapter XII Subchapter B – Records Management)
- The Department of Defense (DoD) Directive 5015.2 – Records Management Program
- The DoD Records Management Metadata Standard
- The Federal Data Strategy
The agency’s records manager is responsible for ensuring that all systems used by the agency are in compliance with all applicable records management laws and regulations. In order to comply with these laws and regulations, the records manager shall:
- Develop, implement, and maintain a comprehensive configuration management plan for all systems in the agency, in accordance with applicable records management laws and regulations. (36 CFR 1236.22(b))
- Establish, document, and maintain a baseline of approved system configurations that meet the requirements of applicable records management laws and regulations. (36 CFR 1236.22(d))
- Review and approve all proposed changes to the system configurations before implementation, in accordance with applicable records management laws and regulations. (36 CFR 1236.22(e))
- Ensure the integrity and reliability of the system configurations by monitoring and tracking all changes made to the systems, in accordance with applicable records management laws and regulations. (36 CFR 1236.22(e))
- Document all changes made to the system configurations, including the date, nature of the change, and the individual responsible for the change, in accordance with applicable records management laws and regulations. (36 CFR 1236.22(e))
- Retain all documentation related to system configurations for the retention period required by applicable records management laws and regulations. (36 CFR 1236.22(g))
- Ensure that all systems used by the agency include metadata that conforms to the federally required metadata as determined by NARA, and all metadata required as standard data elements as required by the Federal and DoD data strategies. (36 CFR 1236.12(b)(6))
In exercising configuration management control over the agency’s systems, the records manager shall follow all applicable records management laws and regulations that grant the records manager authority over the configuration management of agency systems.
The records manager shall work closely with the agency’s Chief Information Officer and other relevant stakeholders to ensure that the agency’s systems are configured and managed in accordance with applicable records management laws and regulations. The records manager shall also provide training and guidance to agency personnel on records management requirements related to configuration management of systems.
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment, in accordance with the agency’s personnel policies and procedures. The agency reserves the right to take appropriate action to protect the security and integrity of its systems, including legal action.
This policy is effective immediately upon publication and supersedes any prior policies or directives related to configuration management control.