What is an Information Asset Register and do I need one?
18th February 2021
“Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.” www.ico.org.uk
Your Information Asset Register is part of your accountability responsibilities. It is the document that identifies all of your Information Assets.
What is an Information Asset?
An information asset is simply a repository for similar or specific types of information, and these repositories, or buckets, can be either physical or virtual. They include CRM, cloud storage or backup systems, email services or even manual filing cabinets.
Any repository where data is stored or processed is deemed to be an information asset.
Why do I need an Information Asset Register (IAR)?
In terms of information governance, your Information Asset Register reflects the risks and potential outcomes should an Asset become lost or compromised.
An IAR is a simple way to help you understand and manage your organisation’s information assets – what you have, where they are, how they are secured, and who has access to them.
Data has both value and risk, so from a commercial point of view and a governance point of view, having an Information Asset Register really is essential.
What is an Information Asset Register?
An Information Asset Register is simply a log or index of your Information Assets. It could be a spreadsheet, a database, a table in a Word document, or something within a bespoke piece of software. Any of these formats is acceptable. The important thing is that the Register is kept up-to-date and contains accurate information.
What information should my Information Asset Register contain?
It should state who is specifically responsible for each Information Asset, i.e., the Information Asset Owner. For larger organisations, the various assets could have different owners, which should be recorded on the register.
On the register, you must note whether the Asset contains personally identifiable information and whether that information includes any ‘sensitive’ or ‘Special Category’ personal data.
Headings for your Information Asset Register might include:
- Asset Number
- Name of Asset
- What does the Asset do?
- Where is the Asset? / Location
- Asset Owner
- Personal Data?
- Special Category Data
- Who has access?
- What format is it in?
- How long should it be retained for?
- Risks / Impact
- Is it a key asset?
(source: National Archives)
Who should be the Information Asset Owner?
The Information Asset Owner must be a senior/responsible individual involved in the running of the organisation.
Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access, with whom it is shared and why.
‘As a result, they are able to understand and address risks to the information and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their Asset annually to support the audit process.’
Information Asset Owners ‘must be trained on appointment’ and on an ongoing basis. This is a critical senior role, and this training should not be overlooked.
Source: Cabinet Office
It is highly likely, in any sizeable organisation, that you also have Information Asset Administrators who support the IAOs. An understanding of where one role starts and the other one ends is crucial. However, to be clear – responsibility will always lie with the IAO.
Referring directly back to the Information Commissioner’s Office, they tell us that to meet their expectations, the Information Asset Owner should:
- Have a comprehensive Information Asset Register
- Be aware of the location of all of the assets they are responsible for
- Know how long the assets should be kept for
- Know the security measures deployed
One of the roles of the IAO is also to carry out risk assessments and do physical checks periodically to ensure the Asset Register remains accurate.
If a data breach should happen – you should be able to turn to the register and know precisely what is compromised and what actions you need to take. Can you say that?
There is a lot of jargon around this particular data protection responsibility. We have put together a 3-hour workshop suitable for both Information Asset Owners and Information Asset Administrators.
Discover your responsibilities and gain peace of mind.
- Defining information assets: Your staff will understand what their assets are and their responsibilities to them
- Develop practical skills: Learn practical tips on managing your assets and how to discharge your duties
- Protect your business: Recognise what actions are required to mitigate harm in case of a breach
- Tailor-made workshop: Each IAO workshop is made to fit with your unique business policies & structure
Each workshop is designed by our trainers to be relevant to your organisation’s specific data protection policies and structure.
Now available remotely.
If you would like to book or have any questions about this or any other data protection or information governance issue, please contact us. One of our specialists will be delighted to help you.