Many years ago, in one of my less favorite towns, but more favorite clients, we embarked on a project to clean up their shared drive environment in anticipation of a transformation to SharePoint. The preconceived process was that they would ask the “content owners” to decide what is valuable (a record) and what is not. At that point, they had a register of all the shares and who the registered “owners” were. The problems became immediately clear: 1. Most owners did not know who had access to the shares and therefore little idea of what content was on the share, and 2. Most owners did not know what a record was. The two most important keys were missing.
Content ownership is a critical component of Information Governance – since governance is all about authority and responsibility. We also recognize stakeholder or criteria governance which is the authority and responsibility for knowing and communicating the rules. Records Managers “own” the disposition rules but not the content. Data Privacy officers own the criteria for privacy definitions but don’t own the content. Content ownership is where the rubber meets the road and governance rules are enforced.
If this is a problem you are looking to attack in your transition to better governance, it is good to first think about what ownership details you can determine from shared drives or even more governed locations like M365. There are some obvious gaps in the way we have been able to track ownership over the years: some owners no longer work at your organization, and you can’t make them take ownership; some files were moved across servers or installed by IT logged in as “Administrators” which removes network identification. Be prepared that these two can be a substantial percentage of the volume on older shares.
With the right tooling to build queries from directory data, think about what you can determine about ownership:
File ownership – who last modified the file on the network – if it still exists
With that, and with an integration to a directory services or HR department you may also be able to tell department or work group, and perhaps their contact details
In a collection of files or folders, you might be able to identify the largest volume owner of files in a folder and infer their ownership
Sometimes contacting that file owner might lead you to the appropriate workgroup or overall content owner through a conversation
From folder level security you can sometimes tell who owns the security group that owns the content in that folder
From parent folders you can infer higher level ownership assuming an organization cascade
From folder and file names (in a word cloud for example), you might be able to infer a subject matter and therefore a logical owner
If you can analyze the content as well with an indexing tool, you go at that with much more detail (and time)
You might be able to see the “Author” or “Organization” from the file attributes on some files
Part of the danger here is that a folder hierarchy on a shared drive might be owned by one function or group at one level but by a completely different group deeper down. Any decisions made at one level may not cascade all the way down the line. It is common to try to identify who the level 1 or level 2 folder owner is, but as mentioned, there are lots of things that could go wrong.
With all of these pitfalls, it is a good thing to think about what you are trying to solve by identifying owners – and will that top level identification help. In the end you will need to have someone who understands the business, the rules around classification, and the content itself. The owner may have to:
Take responsibility to say “Yes you can tag records and here are the rules.” They may or may not have the rules, and the answer is complex, but is possible with good content analytics or clear lines of authority.
Take responsibility to say “Yes, you can delete it.” This is a hard thing for many Level 1 owners to answer or take responsibility for unless there clear and tested rules for these definitions.
Take responsibility to at least say “I own the top level, but I disavow any knowledge of what is below.” It is not that helpful, but better than nothing.
Take ownership of a nest of folders that represents a single application/database that has very different security, performance, and retention requirements.
Play a role in defining metadata and labeling requirements
Take the lead to tell you who else is the right person to talk to. Delegation of authority is a good strategy for large collections, but it requires tracking.
To tell you what some specific collection is. Often content is not named or organized in a way that is obvious to someone from the outside or at the top level. Try to make these decisions with someone low enough in the organization to know specifics but high enough to make as broad a decision as possible
As a last resort as the individual file owner about the individual file. In organizations with millions of files and thousands of employees, this is not very practical.
Hopefully, the majority of the content is identifiable and the decisions can be made easily. As you can see, the authority, responsibility, knowledge, and time availability will vary wildly between these personas. Sometimes, to solve problems like these, you have to think like a crime scene investigator and follow whatever leads you can. Now that you have gone through this discussion, it is a good time to stop and think how a well governed information platform like M365 can keep you from ever thinking about this again.
If you need help identifying the responsible parties for your data, or in establishing a strategy to build governance for records management in the cloud, please give is a call.