Collaboration applications, shared information and trust

Martin White considers the intellectual property and security implications for hosting jointly shared information and data.


As a one-line summary, the clearer the IPRs, the more valuable the information becomes. This might seem counter to common sense, but in general organisations pay very little attention to information rights. Another aspect of this is the policy towards what is referred to as protective marking. Every content item should have a marking that unambiguously defines who has access rights to the material.

Organisational information management challenges

I enjoyed reading The Black Door on a recent vacation. Written by Richard Aldrich and Rory Cormac it is the story of spies, secret intelligence and British Prime Ministers from 1908 to 2017. Many of the themes in the book mirror those in any organisation, such as defining who is an ‘expert’ in a particular area, and how to bring together and assess sources of information and knowledge from a wide range of organisations, each with their own reasons for taking a particular line on a topic because of corporate interests.

As I write this article it’s the first anniversary of the publication of the Chilcot Inquiry into the involvement of the UK Government in the Iraq war and in particular the dossier on the existence (or non-existence as it turned out) of Weapons of Mass Destruction. This of course highlights the issue of information quality, as a substantial element of the dossier was plagiarised from publicly available material.

Another theme of the book is the extent to which supposedly secret documents end up being made public, and not just by Edward Snowden. Recent ransomware attacks have highlighted the need for IT teams to ensure that corporate systems are safe from any form of external threat and also to ensure that information held by the organisation is not transmitted digitally to unauthorised people outside the organisation. There is also a need to ensure that, internally, employees cannot gain digital access to information that they do not have permission to see. An important feature of a search application is ensuring that employees cannot gain access to limited circulation information. I have added the word ‘digitally’ in the above paragraph for the reason that information can easily be circulated in a paper format once it has been downloaded.

This is where protective marking becomes so important, as it should ensure that every document or data item is visibly tagged in a way that there can be no dispute about the permitted readership of the document. Protective marking schemes should be set out in a corporate information security policy (ideally compliant with ISO 27001) but the question then is who decides on the circulation of a document. The critical issue is whether the labelling on the document defines unambiguously who has access to the information. Role-based labelling (“Heads of HR”) is of no value. Someone may be the local manager for HR and so regard themselves as Head of HR in the office, but that is almost certainly not the readership that the author envisaged.

A good starting point for understanding the scope of a protective marking scheme is the UK Government policy document, especially as many public-sector organisations in the UK base their own policies on the UK Government document. This document also sets out how ‘paper’ versions of documents should be managed from a protective marking perspective. The current policy dates from April 2014. In addition, there is a very good overview document on government information security management published in 2016 by the National Audit Office. The point I want to make is that just seeing information security as a digital asset management topic owned by IT is to totally miss the point. The damage that printed, or printed-out, information can do in the wrong hands can be embarrassing, and it is also very difficult to pin down the route by which the information broke out of its cage, a cage often no stronger than an attachment to an email that says “Keep this to yourself.”

As with so many aspects of the digital workplace, policies have to be developed, implemented and reviewed as a combined effort of IT and the business.

How quickly can you find the current version of your organisation’s protective marking policy? All that I have written above should be covered by the corporate information management policy but in my experience this is rarely the case. I have come across instances where different parts of the same organisation have different approaches to protective marking. And life gets really interesting when organisations merge or split.

There are usually clauses in merge and demerge agreements about what are often referred to as controlled documents, but about the last description you can give to a collaboration space is that it is controlled. Indeed, the argument is probably that the less controlled it is the better. Well, the two Professors would suggest that this is not the case and the Trant v Mott case suggests that your legal team need to be involved sooner rather than later.

Consider this a warning!
______________________________________________

Martin White is the Managing Director of Intranet Focus http://intranetfocus.com/ 
______________________________________________

This article is an edited version of an article first published in UKeiG's eLucidate journal. For more information on eLucidate (the e-journal of CILIP special interest group UKeiG), contact Gary Horrocks at info.ukeig@cilip.org.uk
______________________________________________

Photo by Samuel Zeller on Unsplash.
