The information lifecycle model consists of 9 different phases:
The information lifecycle starts with informing the data subject about how their personal data is used.
The entity provides notice about its data protection policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
The entity describes the different choices available to the data subject with respect to the collection, use, and disclosure of personal information by the entity.
The entity secures implicit or explicit consent of the data subject regarding the collection, use and disclosure of the personal data.
Personal information is only collected by the entity for the purposes identified in the Notice phase.
The entity limits the use of personal information to the purposes identified in the Notice phase and for which the data subject has provided implicit or explicit consent.
The entity discloses personal information to third parties only for the purposes identified in the Notice phase and with the implicit or explicit consent of the data subject.
The entity stores personal information no longer than needed for the purpose defined in the Notice phase or as required by laws and regulations. Personal data may be re-used (secondary use) and flow back to the Use phase, but only if the purposes for secondary use are in line with those communicated in the Notice phase.
The entity appropriately disposes of personal information.
1.9 Monitoring and Enforcement
Management sets the course (e.g., data protection strategy, data protection policy, etc.) and controls how personally identifiable information moves through the various stages of the information lifecycle (incl. monitoring and enforcement). To ensure that business processes are accurate, complete, and timely, there are generally three prerequisites for personal data in the various phases of the information lifecycle.
✓ Data quality;
✓ Data access;
✓ Data security.
Finally, the information lifecycle model also presents the various external stakeholders with regard to the different phases in the processing of personal data.
The stakeholders concerned are:
- Data Subjects
- Data Protection Authorities
- Third parties (or data processors).
Management determines the direction (e.g., data protection strategy, data protection policy, etc.) and regulates the flow of personally identifiable information through the many phases of the information lifecycle (incl. monitoring and enforcement). In the various phases of the information lifecycle, there are often three requirements for personal data in order to ensure that business processes are accurate, complete, and timely.
This gives a clear overview of the numerous data protection control objectives across the phases of the information lifecycle model. This methodology can greatly enhance the governance of personal data within entities.