The information life cycle is important from a security viewpoint as it reduces risk.

Onboarding or acquisition

The first stage in the information life cycle is the onboarding or acquisition of data and information. This information could be computer generated, for example an access control or automatic numberplate recognition system; it can also be created manually. This might include someone filling out a form and sending it to the target organisation, perhaps by email, letter, telephone, data transfer or similar. Once that information reaches the organisation, it’s the responsibility of a designated person (the 'custodian') to collate the information to ensure its security and utilisation (in other words, the custodian needs to keep information secure as soon as they receive it). The custodian is often in an IT role, for example, an Information System Administrator. This would be overseen by the data controller.

Utilisation or usage

The next stage in the information life cycle is the utilisation or usage stage. As you might expect, this is when the data and information are put to use.

This data could be used in all sorts of ways, depending on its type. Perhaps the information captured is on the age of users of a specific product, and this needs to be analysed in order to educate an organisation on their target market, or to be published for others to understand and learn from.

Occasionally, information such as this is stored as a physical document, but far more likely it’ll exist electronically on servers or other storage devices and accessed through the Internet or a corporate network. It’s important to consider secure storage for the information even during its analysis, as well as during the processing, sharing and transmission of reports.

Archiving or disposal

Finally, at the end of the information life cycle we have the archiving or disposal stage. All information will have a finite lifespan after which it will have served its intended purpose and must be either deleted or archived in a way that prevents its theft, loss or corruption. This is known as its ‘retention period’.

It’s important to consider how long the data will be held, and how it will be disposed of. Therefore, consider validity dates, sensitivity of the data, legal and contractual obligations, disposal methods and auditing of the process at this stage.

Guiding principles

If the information you’re dealing with is a record that your organisation might need to retain, it’s important to know the legality behind the process.

Although not controlled through GDPR, some corporate documents, like board meeting minutes, financial records, and technical documents, are legally protected and must be retained for inspection over a pre-defined time period. This period varies depending on the relevant legislation. In the US for example, Sarbanes-Oxley regulations require corporate accounts to be protected from modification and deletion for a minimum of 7 years, with penalties of up to $5m and 20 years imprisonment for non-compliance.

ISO 15489 is a legal standard for Records Management Systems (RMS). It was designed to help businesses and other organisations to manage their records to keep them reliable and up to date. The Standard applies to records regardless of structure or form, in all types of business and technological environments. In some cases, legislation also dictates that data must be destroyed after a specified time period. In the event of a criminal investigation or legal dispute, an organisation could be asked to produce records, or show proof of their destruction. Failure to produce the required information could lead to fines and even imprisonment of the data owner.

Information life cycle