Information Asset Registers; what are they good for, absolutely everything!

Why Do You Need An Information Asset Register?

Building an Information Asset Register (IAR) isn’t necessarily a quick and easy thing to do. However, the size will depend on how much information you choose to put into it.

Information Assets are the lifeblood of any organisation. A business simply cannot run without information. Therefore it is vital to manage the information appropriately.

The National Archives defines an information asset as “a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.” Furthermore, an asset can be an actual thing such as; a filing cabinet, a network drive, or an invoice.

Generally, singular pieces of paper are categorised into larger assets such as ‘XYX Invoices’. However, a singular paper can also be part of a bigger process, because an asset can also be a process.  For processes such as ‘Violent Patient Scheme’, the majority of this asset is phone calls, emails, and feedback forms. Without it, you may not have the ability to offer a service to a patient.

How Do You Compile An IAR?

Information Asset Registers are often maintained on an Excel spreadsheet. This allows you to itemise information within the easiest layout possible.   They can have thousands of lines if they belong to a large and complex organisation. In that case, a single member of staff would find it challenging to maintain and will need assistance. However, it’s also OK not to have many assets. People try to overcomplicate the information asset register at times for fear they’ve missed something. However,  if you set your register up correctly and you undertake the audit thoroughly, you cannot go wrong. The easiest way to keep an IAR up to date is for an IAO to hold a local copy that they constantly update. Alternatively,  you can store it in an easily accessible collaboration zone.

Information Asset Owners

Information Asset Owners (IAO) are usually responsible for maintaining the IARs.  The IAO will often report to a committee headed up by the Senior Information Risk Owner (SIRO).  Other common roles on this committee are the Departmental Security Officer (DSO), Information Technology Security Officer (ITSO) and Department Records Officer (DRO).  Usually, these are not full-time roles within an organisation.

The DRO usually has overall responsibility for the IAR and IAO’s often maintain a local copy. Good governance is helped by having senior management buy-in. These roles are typically found in the public sector, but there’s nothing to say that they won’t be effective in other sectors. It’s about role definition, ensure that each area is covered and a clear line of responsibility for the escalation of issues.

What Does An IAR Do?

They are a graceful way of controlling the information within any one organisation. IAR’s are spreadsheets covering records management, data protection, freedom of information, information security and information risk.  They covers topics such as

  • Ownership
  • Which directorate it belongs in
  • Purpose
  • Contact
  • Format
  • Location
  • How long to keep it
  • What’s the earliest record you have
  • If it contains personal data
  • Special category data
  • Processing condition(s)
  • The date of creation / implementation / first use
  • DPIAs
  • Was privacy by design addressed and what was the outcome
  • Risks
  • Publishing
  • Access
  • FOI Requests
  • Market-sensitive information
  • Legal Privilege
  • Exemptions

IARs and GDPR

Are information asset registers useful for GDPR?  Yes, because you can use it as a way to tease out your records of processing activities.  You are documenting your reasons for processing and the purpose of the records, together with the retention period and the earliest document you have.

By undertaking an IAR, you are also showing accountability for the information you hold. This will help with compliance towards Article 5.1(a), (b), (d), (e), (f) and 5.2. It will also assist compliance with Article 30.  This does not guarantee compliance. You may find that when you compile the register it then flags further issues for you to address.   For example, perhaps you need to undertake a  DPIA. An information asset register gives you a fantastic dashboard and overview of all of your information assets and their status. This means you no longer have to keep it all in your head!

The main thing I suggest is that you don’t rush filling it out. If you only add one processing condition per hour that’s fine!  Sometimes it’s not easy, but you’re improving information management just by starting.

Do you need assistance with the creation of an IAR? Contact me at emily@rmgirl.co.uk and I’d be happy to assist.

Information Asset Registers are like the dashboard to your Starship Enterprise. (Pic: Starship Enterprise Dashboard)

If you like this blog post, please see other posts here.

If you enjoyed my content, please consider buying me a virtual G&T or three here.

Information Asset Registers; what are they good for?