Blog:
Law, Policy -- and IT?
Business intelligence is all the go these days, and increasingly confused with information management. People are wondering what these functions are exactly, whether they are the same or could be located in the same office. Short answer: no. Longer answer: Read on.
Information management is a slightly fancy term for the comprehensive set of practices and safeguards used to handle institutional information. In some sense, it is nothing new. Colleges and universities have been consciously or less than consciously "managing" their information since time immemorial, which, as a historian of higher education, I can attest because I have been in archives. On a practical day to day level, certainly since the Second World War and especially after the introduction of the Family Education Rights Privacy Act (FERPA), institutions have become increasingly purposeful about how they manage information, education records in particular. Mountains of bureaucracy, new privacy laws and technologies that route and store information have shifted the focus to a greater degree of consciousness about, well, the management of information. The multiple tasks involved in this function rise to the level of a full time employee devoted to overseeing compliance, risk management and reputation in our institutions.
An outline of that oversight might help explain what's expected. An information management official (IMO, and I just made that up) would be expected to oversee:
a. Compliance with all federal, state and local law that applies to institutional information;
b. Privacy practices and technical security safeguards, the specific responsibilities of those roles would be delegated to other offices, for example, a privacy and a security officer.
i. Privacy officers would examine the fair information practices such as notice, relevancy, technical security and disclosure of personal and other aggregated forms of institutional information.
ii. Security officers have responsibility for the administrative, technical and physical safeguards on information. For example, that person might work with an IT policy officer to craft, vet, promulgate institutional security policies, and then dedicate staff to the training and constituents to the education of these policies, as well as manage security engineers who implement and trouble shoot everything from authentication systems, firewall management, network and system scanning, intrusion detection, etc. for the purposes of maintaining the confidentiality, integrity and (appropriate) access to information.
c. Guide information stewards (those roles that have responsibility for discrete "data sets," for example, education records and student data, human resources and benefits, etc.) in the appropriate administrative, technical and physical security measures that harmonize practices and technology around campus. This role is critical in distributed environments especially in order that everyone who has a legitimate need to access and use information encounters no obstacles in their daily business, that uneven technical standards are not established for the same data elements in different departments or units, and that there are all the appropriate rules and safeguards in place to be sure that the data does not exceed authorizations. In other words, that the custodians of institutional information -- employees who use that data in the course of their employment -- know and abide by appropriate limits.
d. Work with all of the other relevant stakeholders in the larger process, from counsel to audit to archives and comptrollers as well as stewards and custodians, policy, security and quality assurance personnel to ensure the proper management of institutional information as an asset of the institution to be used efficiently and effectively to realize its missions.
Note that this is not an exhaustive list, but it is a start. More important for the purpose of this discussion, it is set out as a contrast to a business intelligence officer (BIO, and I just made that title up too!). Here is what that office would oversee … and then I will get to the punch line of why these offices should NOT be combined, or even if separate officers, not to be held in the same unit:
Business intelligence is relatively new office founded on the capabilities that information technologies offers to harvest, combine, analyze and recombine very large types and amounts of data for the purposes of institutional strategic planning and for the execution of institutional missions. Industry is so far out in the lead on this exercise that it is almost embarrassing for higher education to be acting as if it is the greatest new thing since sliced bread, but no matter: in order to maintain current and competitive in the world at large, like it or not, higher education must be engaged with these processes. Tomes are written about this work, so I will not be exhaustive here, but just to provide flavor if the picture is still unclear, this exercise requires the acquisition of all kinds of data from around the university that can be subject to analysis for … just about anything! What zip codes do the best applicants derive … or alumni gifts … just for a rather banal example. I can only imagine how detailed and complicated the analysis can be given the capabilities of technology.
And here is the rub: should someone else beside the person in that role be watching how and in what ways the institution is managing its data? We are all so very aware now of how for-profit corporations has used and abused data from search to social networking for advertising, direct marketing, profiling and categorizing individuals for credit and financial worthiness. What will higher education do with your personal information? Are there any rules safeguarding your privacy? What does your alumni affairs office know about you? What administrative, technical, and physical safeguards are they using to maintain that information? Could, would your institution sell your information to corporate entitles? That alumni information would fetch a pretty penny … and higher education is in a financial squeeze. Hmmm, there are no laws that disallow the practice, and who would be hurt in the process? Everyone does it anyway …
See what I am getting at? Information management is not business intelligence, even if "information" is the common denominator. Those roles exist for very different business purposes within an institution, and in healthy circumstances they complement each other. The first helps to maintain the integrity of the information; the second uses the information for strategic planning and business implementation from applications to human resources to alumni giving. Because market interests have so heavily influenced the law, resulting in a lacuna of clear guidance, the temptation to exceed ethical boundaries may become a genuine threat to higher education's good name. In that environment, it is good to have the complementary nature of the two positions also act as a potential check on each other.
I hope to write more about this emerging issue … but would you help? What is your institution doing about these roles, responsibilities and safeguards?