Good information governance requires a framework. IBM defines an information governance framework as including the following eleven elements. We have tried to condense down the definitions for each category.
Organizational Structures and Awareness – understanding of the need for governance and the roles required to do it
Stewardship – ownership of the responsibility for governance for given information assets
Policy – the “what to do”
Value Creation – Analysis of the value of the organization’s information
Data Risk Management & Compliance – Risk assessment, analysis, and mitigation
Information Security & Privacy – Policies and practices for protecting information
Data Architecture – Tools for creating, sharing, and managing information
Data Quality Management – Methods to ensure and improve data quality
Classification & Metadata – as the name suggests.
Information Lifecycle Management – Policies and processes for collecting, using, and ultimately deleting information
Audit Information, Logging & Reporting – Processes for monitoring the overall governance effort.
Source: IBM, http://www.infogovcommunity.com/resources
So for this Tweet, where do any of these elements apply? It’s a personal account, so organizational structures and stewardship aren’t applicable and policy is difficult to enforce, especially in the age of the smart phone. Not a lot of value being created here – and therefore not a lot of concern with data risk management, compliance, information security, or privacy. It’s a hosted service, so not much to do with data architecture. Data quality management and metadata? As long as it’s on Twitter it’s Twitter’s problem; if it were stored locally it would depend on how it was captured to understand what metadata is even available. There certainly isn’t a ready mechanism for classifying it. It’s a pretty ephemeral Tweet from a data lifecycle management perspective – and again, Twitter controls that as long as it’s stored out there. And therefore there isn’t a lot of need for auditing and logging for this Tweet.
On the other hand this one pretty clearly needs some governance attention, at least in most jurisdictions, and offers more things to apply governance against including the stock ticker, the link, and the pricing. The date certainly becomes much more important here as well. And if this comes from an official account or one affiliated with the organization there is definitely a governance issue here.
~
In other words, on the one hand governance processes and practices are certainly relevant in the social media era; on the other hand, there are some unique issues based on both the nature of particular tools and on the nature of social media more broadly that warrant some additional considerations. Over the rest of this course we will identify and explore some of those issues and considerations to provide a foundation for the rest of the Social Media Governance Certificate Program.
Consider the following types of content:
~
A Facebook like;
A Twitter retweet;
Geolocational data provided through a service like Foursquare, perhaps with a comment about the quality of the food or service at a particular place;
An edit to a wiki article;
A comment to a blog post;
A video, perhaps with annotation, often with comments, likes, etc.;
And all the other “breadcrumbs of attention” that we leave behind as we create, consume, and share content on external sites as well as internal ones.
~
All of these have metadata, and many of them have quite a lot of it. But much of this metadata is either not directly visible or accessible or isn’t germane to the way users would look for this type of content in the future.
~
And many of them are quite fragmentary – the Facebook Like for example, or a conversation carried on as part of a Twitter stream or other activity stream. They tend to be even more informal and even more ephemeral compared to other types of content. Yet as we’ll see later these issues don’t eliminate the need to manage this content effectively.
~
Finally, it should go without saying that volume presents an issue here. More video is uploaded to YouTube every month than the “big 3” U.S. networks (ABC, NBC, CBS) created in their first 60 years of existence combined. Facebook stores more than 100 petabytes of data and receives more than 250 million photos a day, or more than 5 billion photos a month. There simply isn’t an analogue for all but the largest enterprises and database applications.
Another significant difference in the way content is created today is how much of it is done by third parties. For most organizations most of their content is created internally; where there is substantial interaction with outside parties it’s often in the form of fairly standardized things like invoices, checks, and the like.
~
But social media is, well, social. A wiki with one author is just Microsoft Word with a bad user interface. Social tools work when and because they provide a mechanism to interact with other content creators. In many cases this is through the same tool or page – your wiki with their edits, your Twitter stream when they include you by mention, your blog and their comments. But it’s not always so – someone could comment on your blog post with a post of their own on their own blog (and with comments at neither, one, or both).
And all of this content creation happens on a website that in all likelihood is not under your control. That is, you can set up your Facebook page, and decide whether to allow comments to your blog; but the content is stored outside the firewall in a datacenter that might not be in the same country you are.
~
This has profound information governance implications. If Facebook decides to keep everything posted to it forever, disposition policies become somewhat of a moot point. On the other hand, if Facebook decides to keep content posted for only 30 days, retention becomes a critical issue.
~
It also complicates the ability to demonstrate compliance with regulatory requirements and requests to produce information in response to litigation or audits – what is “native format” for Twitter? It’s *not* screenshots, at least in most jurisdictions. How do you authenticate the content outside of Twitter.com or a Twitter client? And so forth.
All of this also contributes to a blurring of professional and personal lives. Consider two cases. First, Rick Sanchez was a journalist working for CNN. As part of his professional life he developed contacts and created and developed a pretty impressive Twitter presence, @ricksanchezcnn, with some 140,000 followers at one point. He was subsequently fired, which raises some interesting governance questions:
Who owns the account? It says CNN in the title, but Twitter, like most social media sites, assigns ownership of the account and all content related to it to the individual who created the account.
Who owns the contacts? The individual followers can’t be forced to stop following Rick’s account (since renamed to @ricksancheznews); if this were a Facebook account could Rick be forced to stop following other people?
Who owns the content? The internet doesn’t forget….
~
Now consider another case. An individual employee gets a smart phone paid for by the organization and is expected to be available after hours. The organization is smart and allows flexible working hours. The employee uses the smart phone to check into a bar at 11 am (but through his personal Foursquare account) and then uses his personal iPad and the bar’s Wi-Fi to log into Facebook and post some unflattering remarks about the bar, the meal, and his (unspecified) job.
Some of the questions raised:
Could his remarks reflect badly on the organization, or even contradict its acceptable usage policy?
Is that policy applicable to any, some, or all of the content he created?
If the bar decides to sue, is there any liability for the organization?
And probably lots more.
~
The broader point here is that as the lines between professional and personal lives continue to blur and overlap, so do many of the elements of the governane framework so carefully crafted and implemented in many organizations. It’s not always easy to tell who has the right to speak on behalf of the organization. And many commercial social media services forbid users from creating multiple accounts (such as a personal and professional account).
~
Organizations have to be smart and balance the legitimate concerns of the organization with those of the individual employees and take into account how the tools actually work.
The first step many organizations take to manage Web 2.0 is to try to block them. This is unrealistic for a number of reasons.
Moving into mainstream
Roles and responsibilities are still required to manage social content in the context of the governance program – whether in the enterprise or using commercial services. Proliferation of SharePoint collaboration sites or uncoordinated Twitter accounts is no better for the organization than proliferation of file shares or content repositories.
~
In other words, employees still need training on governance concerns. If using enterprise solutions IT still has to deploy and maintain them. For any business use of social media records, legal, compliance, risk, etc. should be involved. HR needs to consider how employment law affects the use of social media services for hiring – and for disciplinary actions. Senior management needs to consider how to measure the effectiveness of the organization’s usage of social media, which services best support its goals, and whether to use commercial sites or enterprise solutions.
Technology changes much faster than the law or policies can keep up with. That’s why it’s better to use a comprehensive policy that can cover new technologies as they appear.
Governance exists but needs to be tweaked.
Apply what can be applied: roles & responsibilities (inc. new ones); general policy framework; training as we discuss shortly
Extrapolate from what has worked: job aids & guidelines; managing wikis instead of email for collab and the relative ease of managing wikis for compliance; use the tools appropriately (e.g. not for business if can’t manage it)
Create new stuff where required: classification, declaring as record (managing in place?), etc.
The dell model we already mentioned; demographic considerations (it will be used), SM 101, how to use the tools, how to use the tools well, how to use the tools in support of the business, how to keep the business safe
Finally, there are enterprise versions of every Web 2.0 application. These enterprise versions are often available to be hosted inside the firewall, meaning that security is much more robust. Access can be secured to them much more effectively. They can be integrated into the organization’s identity infrastructure – whether Active Directory or something else – such that any change, post, comment, edit, update, etc. can all be tracked and, more importantly, tracked to a specific named user. No anonymous postings here.
Of course, you have to pay for an enterprise version, but what you’re really paying for is a level of peace of mind. And you still get many of the same benefits – ease of use, familiarity with the type of tool, rapid and agile collaboration across geographical and time boundaries, etc. You’re just getting a more secure and robust version of it.
[twitter]Consider implementing enterprise versions. FB is FB, but internal tools might be more appropriate.[/twitter]
One final point. No single policy can cover every possible circumstance. There are simply too many tools, processes, and situations that could pop up. Different organizations will treat things differently in different contexts. So perhaps the most important thing to teach employees about social media is to be smart. The Internet doesn’t forget. Best Buy’s policy is an excellent example, and one that can be boiled down to its tagline, “Be smart. Be respectful. Be human.”
At this point I’d be pleased to entertain your questions.