Template: Information Asset Register

Data protection legislation requires you to record how you manage information. This resource provides you with a template you can use to do this.

Last updated: 15 June 2022

About this resource

Data protection legislation requires you to keep a record of how you manage information. This resource explains why having an Information Asset Register is essential and provides you with a template you can use. 

Why recording how you manage information is important

To carry out your role as a local Healthwatch, you need to collect a range of information for different reasons and in different ways. Some of this information will contain personal data. Personal data is information that can be used on its own or with other information to identify a specific person, which relates to them and reveals something about them.

Data protection legislation requires you to keep a record of how you manage information, whether or not it contains standard category personal data or sensitive special category personal data.

Each local Healthwatch is responsible for ensuring that it is legally compliant. Maintaining an Information Asset Register is a robust way to manage information.

Having a register will clearly illustrate data flows within your organisation, show how data is protected and provide critical information for people who share their data with you. Managing a register will also help you comply with data protection requirements and demonstrate that you have good information governance procedures.

What is an Information Asset Register?

An information ‘asset’ is a category of data or type of data set routinely collected and stored in a data repository. This includes:

  • Public experience information
  • Employment data
  • Annual reports
  • CRM data
  • CRM data shared with Healthwatch England

As each asset type has a different set of data contained within it, you will need to evaluate how you manage data for each dataset individually. The register provides a framework for doing this.


Template

You can use our template to help you create an Information Asset Register.

What information should you record using the register?

UK data protection law requires organisations to (a) keep "records of processing activities" and (b) be able to provide those who have entrusted data to them (known as data subjects) with information. This information should include:

  • The name of the Data Controller and the name and contact details of the Data Protection Officer.
  • The purpose for recording, storing and using personal data.
  • The categories of personal data that you'll process.
  • How long you'll store the data in line with your information retention schedule.
  • The lawful basis for processing the standard category and special category personal data.

UK data protection legislation requires you to provide other information to people, which you can share through an online privacy statement.

Your Information Asset Register is for internal use only.

How to populate the register

The resource includes two worksheets: (a) a blank template and (b) an example completed register.

To help you fill in the template's columns, we explain each heading below, along with the type of information you should enter under it.

  • Business function: Explain the overall function for each asset. For example, 'finance' for staff bank details.
  • Asset description: Enter the type of information you hold under this asset title. For example: briefings, agendas, minutes, meeting notes, consultation documents, financial summaries, correspondence, advice, presentations, survey results and contacts.
  • Where you keep the information: Log where you store data. For example, is your information stored on a third-party survey system, CRM, or your organisation's servers?
  • Purpose of processing: Briefly explain why you need this data. For example, you need staff bank details for payroll.
  • Categories of individuals: Enter the types of people the data is about - for example, employees, patients, participants, practitioners, callers or stakeholders.
  • Categories of personal data: Add the type of personal data you hold under this section - for example, name and details of DBS check.
  • Lawful basis for collecting personal data: State the lawful basis for collecting personal data for each of the entries.
  • Lawful basis for collecting special category data: State the lawful basis for collecting special category data (if appropriate).
  • General description of technical and organisational security measures: Explain the steps you take to ensure your data is held securely and processed lawfully - for example, information access controls.
  • Categories of recipients: Enter the type of organisations or people that will receive the data.
  • Data processor or third-party organisation, if applicable: State here if another organisation will process the data. For example, a company providing a survey tool/online feedback centre.
  • Names of third countries or international organisations that personal data is transferred to (if applicable): State whether any of the information you collect is transferred overseas. For example, a cloud-based CRM system based in a third-party country. State which country the data is transferred to.
  • Retention: Enter how long you'll retain the data and the point from which the retention period starts.

Downloads

Template for information asset register