Indicator 3

An overall increase in organisations that have identified their high value and/or high risk information

What we asked and why it is important

We asked how many public sector organisations have identified their high value and/or high risk information. (Q.20)

High value and/or high risk information includes that information needed to carry out core or unique functions, make key decisions and provide evidence of decision making. Typically, this will also encompass information that protects New Zealanders and New Zealanders’ entitlements and information relating to land, environment, infrastructure and research.

Creating and managing information requires an investment of time, money and resources. The business value of the information should be proportionate to the cost of maintaining it.

What we found

One hundred and forty-four (64%) organisations stated they have identified their high value and/or high risk information. For public offices, the percentage of organisations that identified high value and/or high risk information is even higher at 71%.

As Figure 5 shows, the number of local authorities that identified high value and/or high risk information is lower than those that have not. Only 43% of local authorities have identified their high value and/or high risk information.

Figure 5: Whether organisations have identified their high value and/or high risk information

Figure 5 shows that one hundred and forty-four (64%) organisations stated they have identified their high value and/or high risk information. For public offices, the percentage of organisations that identified high value and/or high risk information is even higher at 71%. As Figure 5 also shows, the number of local authorities that identified high value and/or high risk information is lower than those that have not. Only 43% of local authorities have identified their high value and/or high risk information

Figure 5 shows that one hundred and forty-four (64%) organisations stated they have identified their high value and/or high risk information. For public offices, the percentage of organisations that identified high value and/or high risk information is even higher at 71%. As Figure 5 also shows, the number of local authorities that identified high value and/or high risk information is lower than those that have not. Only 43% of local authorities have identified their high value and/or high risk information.

Once organisations have identified their high value and/or high risk information, they can prioritise, ensure risks are mitigated, and that the cost of managing and retaining this information and making it accessible is proportionate to the information’s value.

Survey participants agreed there are a number of risks to organisations’ information. Many of these risks are relevant to high value and/or high risk information and are set out below in Figure 6.

Figure 6: Risks identified to the organisation’s information

In Figure 6, survey participants identified a number of risks to organisations’ information. Many of these risks are relevant to high value and/or high risk information. These risks are as follows, in order with the risks identified by most of the organisations at the top of the list: Lack of contextual information to enable discovery and interpretation. Information stored on business systems that are out of support, Inadequate access and use controls for privacy and security, Information stored on obsolete or at-risk mediums (for example floppy disks), or on obsolete or at-risk file formats (for example Wordstar files), Deterioration (of physical information and/or digital information stored on physical mediums, Storage failure (for example loss and/or corruption of data, or data that is inaccessible), Lack of offsite backup.

In Figure 6, survey participants identified a number of risks to organisations’ information. Many of these risks are relevant to high value and/or high risk information. These risks are as follows, in order with the risks identified by most of the organisations at the top of the list: Lack of contextual information to enable discovery and interpretation. Information stored on business systems that are out of support, Inadequate access and use controls for privacy and security, Information stored on obsolete or at-risk mediums (for example floppy disks), or on obsolete or at-risk file formats (for example Wordstar files), Deterioration (of physical information and/or digital information stored on physical mediums, Storage failure (for example loss and/or corruption of data, or data that is inaccessible), Lack of offsite backup.

Many of these risks are specific to an organisation’s ICT environment and infrastructure. The lack of contextual information to enable discovery and interpretation is directly related to ensuring metadata is applied and is consistent across data. We are also concerned about information that may be stored on obsolete or at-risk mediums and platforms.

Recommendations

We recommend that public sector organisations:

  • make a start to managing high value and/or high risk information by identifying what they hold – an information asset register (IAR) will help;
  • ensure that systems specifications for business that is high value and/or high risk value includes information and records management requirements; and
  • ensure that systems specifications include minimum requirements for metadata needed to support information identification, usability, accessibility and context.
Back to: Survey of Public Sector Information Management