Email poses some interesting challenges from an information governance perspective, challenges that have been carried forward since the birth of personal computing and the early misjudgements made in establishing this new computing concept.
The issue is the "personal" part, or rather the personalisation of user access and the assignment of rights in a corporate setting. This has become a challenge for organisations trying to wrestle back ownership of corporate data through the introduction of identity and access management solutions and, most importantly, role-based access control (RBAC) models.
It is a fact that a great many users perceive the allocation of a user logon ID (usually some representation of their name) and the subsequent allocation of email as something that is personal to them, and not just the means and tools provided by the corporation to help them perform their duties.
This is not helped, in some respects, by the right to privacy in the corporate setting that is automatically assigned by law, when in truth (ignoring personal use for the moment) the first claim on the corporate data contained within an email is surely with the employing organisation?
Data Protection Conundrum
This conundrum is perhaps best illustrated by the NHS's own provision of a national (cloud-type) email offering (NHSmail), founded on the principle of NHS staff being allocated an email address for life! It is a concept that creates some potentially major information governance challenges and issues.
For example, Nurse A works for a trust in the GNU clinic and routinely handles sensitive and private information, not all of it necessarily in a patient-identifiable form via email, but for the sake of argument assume that she has a function that warrants the use of email in this way.
Nurse A leaves the trust and takes up a post in another trust, in a different, less sensitive business function. According to the policy for NHSmail, she takes her mail account with her. Unless the first trust has a very robust starters and leavers admin and management process (a great many do not), any data (unless archived off by the user) goes with her to her new post. That is information governance issue one.
The second information governance issue concerns the loss of continuity that arises from the fact that her replacement (and this is largely true of any mail system) will most likely never get sight of their predecessor's communications.
Many staff, because they use email for personal purposes as well as business purposes, will typically clean their mailbox down, this being more about protecting their personal privacy than about protecting the information of those individuals they may have been privy to.
Even if a user bothers to sort and sift when deleting, so as to leave behind relevant information for the person following into the role, the second information governance issue of disconnection still occurs, because likely as not the mailbox never gets reassigned; instead, the new user gets a new mailbox.
Of course, email is just one example of a number of personalisation issues that came into existence; personal file shares and user-based permissions are other significant information governance concerns affected by the starters and leavers process.
Until identity and access management and, importantly, the evolution toward RBAC take hold, organisations will continue to experience these issues and more. They are less about breaches of privacy and more about the perhaps less tangible aspect of discontinuity, which results in the inefficient and costly working practice of "learn it all again" every time a staff role change occurs.
The commercial corporate world is moving fast with the adoption of identity assurance and RBAC solutions, because it recognises the cost and downside of not doing so. In health, of course, the sterling work of the CfH Identity Management Team and the NHS Spine implementation of RBAC for national apps provide a model. It is time now for this to be adopted at the local level.