What Does Information Governance Mean?
Information governance (IG) is the framework that governs how an organisation manages its information throughout its entire lifecycle: from creation through storage, use, sharing, and eventual deletion or archiving. It covers digital files, paper records, email, and increasingly AI-generated content.
In practical terms, information governance answers questions like:
- Who is allowed to access client records?
- How long must we keep a signed contract before we can delete it?
- Can our staff paste customer information into ChatGPT?
- Where should HR documents be stored?
- What happens to personal information when an employee leaves?
Without a governance framework, each of these questions is answered by individual judgment — and individual judgment is inconsistent, unauditable, and legally indefensible.
Why Does Information Governance Matter in South Africa?
South Africa's Protection of Personal Information Act (POPIA), which came into full effect in 2021, creates a legal obligation for every organisation to govern personal information responsibly. The eight conditions of lawful processing under POPIA are effectively a minimum information governance standard:
- Accountability — the organisation is responsible for compliance
- Processing limitation — only collect what you need, for a specific purpose
- Purpose specification — be clear about why you collect information
- Further processing limitation — don't use information for unrelated purposes
- Information quality — keep records accurate and up to date
- Openness — be transparent about what you collect and why
- Security safeguards — protect information from loss, damage, or unauthorised access
- Data subject participation — allow individuals to access or correct their information
Each of these conditions requires active governance. You cannot comply with POPIA through good intentions alone.
What Does Information Governance Cover?
A complete information governance programme addresses:
- Document management: File naming standards, version control, folder structure, and access permissions
- Classification: Assigning sensitivity labels (Public, Internal, Confidential, Restricted) to documents
- Retention: How long each type of record must be kept and when it must be deleted
- Security: Encryption, access controls, and monitoring for breaches or unauthorised sharing
- AI and tool governance: Policies on what data may be processed using AI tools, and which tools are approved
- Approval workflows: Processes for authorising sensitive data actions with an audit trail
- Training: Ensuring all staff understand their obligations and the organisation's policies
Where Do Most South African Organisations Fail?
The most common information governance gaps in South African organisations are:
- No written policy on AI tool use (most organisations have none)
- Personal information stored in uncontrolled locations (desktops, WhatsApp, personal email)
- No classification system — staff cannot distinguish between what is confidential and what is not
- No retention schedule — files accumulate indefinitely
- No training — staff are unaware of their POPIA obligations
How Do You Get Started?
The most effective starting point is a structured assessment that establishes a baseline. Before you can fix your information governance, you need to know what your current state is. A baseline assessment identifies your highest-risk areas and gives you a prioritised action plan. From there, governance improves incrementally — policy by policy, control by control.