Who should own information governance in an organization, IT or legal?
The honest answer is that neither IT nor legal should “own” information governance alone. Information governance (IG) is a cross-functional discipline, and treating it as the property of a single department is one of the most common reasons programs stall. Ownership is better understood as shared accountability, anchored by senior leadership and supported by clearly defined roles.
Why It Can’t Belong to One Department
IG spans the entire lifecycle of information: how it is created, classified, secured, retained, made discoverable, and eventually destroyed. No single function sees all of those concerns:
- Legal understands litigation holds, regulatory exposure, privacy obligations, and discovery, but does not run the systems where records live.
- IT controls the platforms, security controls, storage, and disposition tooling, but is not positioned to decide what the business is legally required to keep.
- Records and information managers own retention schedules, classification, and lifecycle policy, the practical core of IG.
- The business units create most of the records and must follow the rules day to day.
When any one of these groups governs in isolation, gaps and conflicts appear: IT may delete what legal needed, or legal may demand retention the systems can’t enforce.
A Better Model: Accountability at the Top, Roles Throughout
Mature programs assign overall accountability to a senior executive or a steering body, sometimes a Chief Information Governance Officer or a cross-functional IG council. That sponsor sets direction and resolves conflicts; the supporting functions then own specific, documented responsibilities.
This mirrors recognized practice. International standards for records management emphasize that effective programs require clearly allocated responsibilities, leadership commitment, and policies that everyone is bound to follow, not ownership by a single technical or legal team.
A practical division often looks like this:
- Leadership / IG council: strategy, funding, conflict resolution, accountability.
- Records / IG team: policy, retention schedules, classification, training.
- Legal / compliance: regulatory interpretation, holds, privacy.
- IT / security: implementation, access controls, secure disposition.
The Bottom Line
Ask “who is accountable,” not “who owns it.” Put a senior sponsor in charge, give records, legal, IT, privacy, and the business defined and complementary roles, and document it in policy. For a fuller overview, see the information governance topic hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- ARMA International — ARMA International
How to cite this page
APA
RM University Editorial. (2026). Who should own information governance in an organization, IT or legal?. Records Management University. https://www.recordsmgmt.org/questions/who-should-own-information-governance-in-an-organization-it-or-legal/
MLA
RM University Editorial. "Who should own information governance in an organization, IT or legal?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-should-own-information-governance-in-an-organization-it-or-legal/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?