A comprehensive alphabetical glossary of Information Governance terms you may come across.
A range of measures and processes that ensure entry to a computer system, network or premises is restricted to particular and authorised users only.
A small programming procedure that solves a particular task or recurrent problem. This term is relevant to encryption.
A claim that someone has done something wrong or illegal.
Usually a combination of letters and numbers, the term is used in relation to password formation.
Information that does not directly identify an individual and cannot reasonably be used to determine identity. Anonymisation requires the removal of name, address and any other detail or combination of details that might support identification.
Process of evaluating an organisation’s activities to determine which records should be kept and for how long in order to meet the needs of the organisation, the requirements of government accountability and the expectations of users of the records.
Records that are appraised as having permanent value for evidence of ongoing rights or obligations, for historical or statistical research or as part of the corporate memory of the organisation.
Non profit professional association for records and information managers and related industry practitioners. (Formerly Association of Records Managers and Administrators).
Anything that has value to the organisation, its business operations and its ability to continue supplying a service.
A planned and documented activity to determine by investigation, examination, or evaluation of objective evidence, the adequacy and compliance with established procedures, or applicable documents, and the effectiveness of implementation.
The collection of data sets so large and complex that it becomes difficult to process using traditional data processing applications. The challenges include analysis, capture, curation, search, sharing, storage, transfer, visualisation, and privacy violations. The advantage of Big Data is the analysis of large data sets that can reveal trends and patterns to help business development and agility.
The set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes. Business Intelligence has generally focused mainly on structured data held within relational databases.
BYOD – Bring Your Own Device
Refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.
UK report on patient-identifiable information that impacts Information Governance. The Caldicott Committee reviewed the transfer of patient-identifiable information from NHS to other NHS/non-NHS organisations and recommended a common framework for this sensitive data.
A duty of confidence arises when one person discloses information to another (e.g. patient to clinician), in circumstances where it is reasonable to expect that the information will be held in confidence.
Confidentiality Code of Practice
A guide to required practice for those who work within or under contract to an organisations concerning confidentiality.
An agreement that may be explicit or implied. Acceptance without some obvious sign does not necessarily constitute consent.
Two or more actions occurring at the same time, used in the context of entering information about an event into a record at the time the event occurs, or as close as possible to that time.
Data Flow Mapping
Process of documenting the flow of information from one physical location to another and the method by which it “flows”. Data flows may be by email, fax, post/courier, text or portable electronic or removable media.
Data Protection Act UK 1998
Regulates the processing of information relating to individuals, including the holding, obtaining, recording, use or disclosure of such information.
The process of decoding data that has been encrypted into a secret format. Decryption requires a secret key or password.
The process (manual, automated or both) of identifying and permanently disposing of unneeded or valueless data.
Disaster Recovery Plan
Part of the business continuity plan that is implemented following a serious incident affecting the provision of services. It should detail how services will be brought back online within a set time frame and inform staff of alternative methods of service provision.
The divulging or provision of access to data.
Signed into US federal law in 2010. It introduced significant changes to financial regulation in the United States, affecting all federal financial regulatory agencies and the Financial Services industry.
In records management terms, refers to the act of making a new set of records when one already exists. Prevention of duplication is one of the requirements of good information quality.
Refers to discovery in civil litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI). These data are subject to local rules and agreed-upon processes, and are often reviewed for privilege and relevance before being turned over to opposing counsel.
EIR/Environmental Information Regulations
Provides public access to environmental information held by public authorities.
The use of electronic media, educational technology and information and communication technologies (ICT) in education. E-learning includes numerous types of media that deliver text, audio, images, animation, and streaming video, and includes technology applications and processes such as audio or video tape, satellite TV, CD-ROM, and computer-based learning, as well as local intranet/extranet and web-based learning.
The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a “key”.
Business management software—usually a suite of integrated applications—that a company can use to collect, store, manage and interpret data from many business activities, including:
- Product planning, cost and development
- Manufacturing or service delivery
- Inventory management
- Shipping and payment
Electronically stored information. See also eDiscovery.
Specified circumstances in legislation that relieve certain persons from complying with responsibilities e.g. under the UK Freedom of Information Act there are exemptions under which a public authority does not have to supply requested information.
Also known as express consent, it refers to a clear and voluntary indication of preference or choice, usually oral or in writing and freely given in circumstances where the available options and their consequences have been made clear.
Federal Information Security Management Act (FISMA), recognised the importance of information security to the economic and national security interests of the United States defining a comprehensive framework to protect government information, operations and assets against natural or man made threats.
Freedom of Information Act UK
This requires all public authorities to make certain information available to the public either through regular publication or on request.
Health Insurance Portability and Accountability Act, also known as the Kennedy–Kassebaum Act. HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
IG Statement of Compliance (IGSoC)
UK agreement between NHS and approved organisations that sets out the Information Governance policy and terms and conditions for the use of NHS Connecting for Health services.
Clear and voluntary indication of preference or choice, signalled by a person’s behaviour and freely given.
A single or series of events that impacts or may impact on the organisation’s service provision leading to reduced or interrupted service, or loss of reputation. Examples of Information Governance incidents are unauthorised access to a system or location, or breach of confidentiality.
A process to ensure that an incident does not affect the normal service provision of the organisation.
Information or data; the systems and locations in which it is stored; and the means by which it is accessed.
Information Asset Register
A list of the assets a company relies on in order to carry out its day-to-day business. See also information asset.
Information Commissioner (UK)
The Information Commissioner enforces and oversees the Data Protection Act 1998 and the Freedom of Information Act 2000.
The set of multi-disciplinary structures, policies, procedures, processes and controls required to manage information in support of an organisation’s regulatory, legal, risk, environmental and operational requirements. It allows organisations and individuals to ensure information is processed legally, securely,efficiently and effectively.
Information Governance Framework
A document that sets out all the roles and responsibilities within the Information Governance programme. It outlines how information should be accessed, processed, shared and protected by users both within and external to the organisations such as stakeholders, partners and suppliers.
Information Governance Policy
Incorporates standards, guidance and codes of practice which must be adhered to by the company and associated organisations, e.g. independent contractors and business partners.
Information Governance Policy Document
A high level statement of the organisation’s intended approach towards effectively implementing Information governance.
Information Governance Steering Committee
A multi-disciplinary group of executives and business users whose role is to set strategy and plans for Information Governance. The committee – often known as the Information Governance Council – is also responsible for the budget allocation, measurement and review of programme activities.
Information Life Cycle
Activities involved in managing information throughout its life e.g. when information is obtained, created, retained, stored, retrieved, communicated, used and destroyed. See also Records management.
The collection and management of information from one or more sources and the distribution of that information to one or more audiences.
Holding, obtaining, recording, using or sharing information.
The requirement that information is:
- Free from duplication
- Free from confusion, (e.g. where different information is held in different places, possibly in different formats)
Measures put in place to prevent inappropriate access, modification or manipulation of information.
The Review of Civil Litigation Costs, or Jackson Review or Jackson Proposals, is a review of civil litigation costs in England and Wales. The reforms came into practice on 1 April 2013.
A process that an organisation uses to preserve all forms of relevant information when litigation is reasonably anticipated.
A legal obligation for which a person is responsible.
Software capable of performing an unauthorised process on an information system.
Software modules obtained from remote systems and downloaded on a local system without explicit installation or execution by the recipient. Malicious mobile code is designed with the intention of compromising the performance or security of information systems and computers.
Mobile Computing Systems
Items such as laptops, PDAs, and mobile phones that are used to store personal information or enable staff members to connect to the organisation’s system from external locations.
Online transaction processing. A class of information systems that facilitate and manage transaction-oriented applications, typically for data entry and retrieval transaction processing.
A secret series of characters that enable a user to access a restricted area, e.g. computer files, a secure room. The password helps ensure that unauthorised persons are unable to gain access.
Also referred to as “personal identifiable information” and relates to information about a person which enables that person’s identity to be established by one means or another. All information that relates to an attribute of an individual should be considered as potentially capable of identifying them to a greater or lesser extent.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle card holder information for major debit, credit, ATM and POS cards. It was created to increase controls around card holder data in order to reduce credit card fraud.
Privacy Impact Assessment (PIA)
A proactive approach to ensure that privacy concerns and safeguards are addressed and built in from the beginning of a new project.
Records Information Management (RIM)
See Records Management.
The field of management that is responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposal of records. Also known as Records Information Management or RIM.
Continued storage and maintenance of records for as long as they are required by the creating or holding organisation until their eventual disposal, according to their administrative, financial and historical evaluation.
Identification and assessment of hazards, based on the type of hazard, the likelihood of it occurring and the potential effect of this on individuals, organisations or the environment.
Provision of a statute or a regulation that specifies that certain conduct will be deemed not to violate a given rule.
Secure physical location or agreed set of administrative arrangements within the organisation to ensure confidential personal information is ommunicated safely and securely. It is a safeguard for confidential information which enters or leaves the organisation whether this is by fax, post or other means. Any members of staff handling confidential information, whether paper based or electronic, must adhere to the safe haven principles.
Category of personal information that is usually held in confidence and whose loss, misdirection or loss of integrity could impact adversely on individuals, the organisation or on the wider community.
Serious Untoward Incident (SUI)
Any incident involving actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals.
Event or incident of particular interest to the organisation, requiring consideration and discussion, possibly highlighting areas where improvements can be made.
Data that resides in a fixed field within a record or file. This includes data contained in relational databases and spreadsheets.
Subject Access Request
A written, signed request from an individual to see information held on them, a right given under the UK Data Protection Act 1998 for example.
Information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, numbers, and facts as well.
Virtualisation is the creation of a virtual (rather than actual) version of something, such as an operating system, server or storage device. Storage Virtualisation is the pooling of physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console.