Review of corporate information management

The challenges of the current and legacy information environment 

Current state

The largest repositories containing general day to day business information are:

• eRDM – the corporate documents and records management system      accessible to all core SG staff and users from a range of Agencies and NDPB’s using the SCOTS network
• G Drives – shared Windows drives allocated to business areas to manage documents
• H Drive – individual Windows drives allocated to all staff including those with no access to eRDM
• Public Folders – legacy Outlook folders designed for shared access
• Outlook – the corporate email solution

From a technical governance perspective these are all supported data stores hosted on the corporate SCOTS infrastructure. However from a business perspective, taking eRDM aside, the others are not corporate information systems. They are repositories with largely unstructured and unaudited  information which is not subject to sufficient business governance especially from a corporate perspective. This information can be difficult to access and retrieve other than for the individual users or local teams who create and manage the content. Tables A and B below highlight the scale of information that has been gathered in these electronic stores and the absence of any meaningful information governance relating to them and much of the content they contain.

It should be noted this is a quantifiable profile of data obtained from iTECS Division. It was beyond the scope and capability of the review to provide a full and meaningful qualitative assessment of this data.

Table A: the quantifiable view of the content of the ‘big five’ commonly used data stores 

Table B: a comparison of strengths and weaknesses (excluding email)

(Source: iTECS Division)

There are of course many assumptions and caveats that can be made around the data content of all these information stores. For example there is likely to be significant duplication of information across all of these repositories. Whilst that  might provide comfort that some versions of documents are correctly stored in eRDM it actually creates an issue around multiple versions of documents held in different systems leaving the business with the task of establishing what is the most up to date and accurate document or record.

Business users searching the content stored outside eRDM rely on a combination of local knowledge by individuals or teams and using basic Windows explorer search functionality. To try and meet more corporate information searching requirements, such as responding to inquiries, dedicated personnel have had to be assigned to search information at an enterprise level to provide greater surety that results would be complete and accurate. The recently implemented eDiscovery solution now provides an improved capability to more reliably search some of this unstructured content and provide greater assurance about the outputs. It is not however a solution routinely used by the general business. Section 11 also refers to eDiscovery and its benefits.

Taking email aside, in purely quantifiable terms, Table B shows that only around 28% of information items stored in the main four repositories is maintained within eRDM which is the only corporate solution which brings the full information management safeguards outlined in the same table.  

Key risks

Very limited sample eDiscovery analysis found information held in the these systems which ought to have been stored in eRDM but wasn’t. Information of a sensitive nature or containing personal data was also found. This has the risk of weakening the effectiveness of the processes and outcomes of both the IAO review of Information Asset Registers and corporate Certificates of Assurance. These data stores can create significant information risks to the organisation including: 

1. Reduced levels of legal compliance:

• Public Records (S) Act 2011 – the content is not subject to records management including retention or disposal schedules
• FOI – the content is not readily searchable and hinders efforts to meet freedom of information requests
• GDPR – the content can include sensitive personal data which is difficult to review and risk assess

2. Sub optimal capability and performance - the business does not have the degree of confidence it should around its ability to reliably search and reuse the organisation’s own information. This is a general issue which hinders routine day to day business but importantly it does not best serve the requirements of key corporate initiatives and inquiries
3. Sustaining a non-corporate culture - the availability of these alternative repositories is in itself an ‘excuse’ or blocker and can actually discourage some staff from using eRDM. This poses a risk to the credibility and integrity of eRDM but also the corporate file plan and records management plan signed off by the Keeper of the Records of Scotland.
4. Security of information – the sheer volume of unstructured information lying across a multitude of disparate repositories and sources amounts to a corporate risk in its own right which is not properly mitigated due to the lack of surety around ownership, insufficient governance and limited or no audit.
5. Inefficiency - associated with staff time wasted trawling through the various information sources which also contain multiple duplications of the same information.
6. Unnecessary costs - associated with the storage and infrastructure management overhead of the various repositories.
7. Constraining SG strategies - complexity and costs associated with the challenge of migrating huge volumes of unstructured, poorly managed data as part of a future strategic migration to the cloud. SG should be taking measures to cleanse and structure its data in readiness for any future potential migration to the cloud.

Business non-value

Some of these data stores may have some very limited administrative metadata applied to some content such as marking a file, folder or item as having restricted access or being password protected. However there is very little metadata of real business value. There is little or no descriptive information about the context, quality, condition or characteristics of the data. In general this huge collection of unstructured information offers up very limited corporate value to the SG. 

One of the priority areas of focus in a corporate IM Strategy should be measures taken to reduce the availability and use of these alternative repositories. This will also help marshal staff towards greater adoption and consistent use of the corporate eRDM system for everyday documents and records management.