Information Asset Owners and Administrators

INFORMATION ASSET REGISTER
HANDBOOK
(IA Owners and IA Administrators)
(Information Asset Management)
Page 1 of 11
J:\Care Services\Governance\9. Policies\4. Information Governance Policies\SH IG 21 - Information Risk Management Policy\Information Asset Register
Handbook v2 9 2016 01 05.doc
CONTENTS
WHY DO WE NEED AN INFORMATION ASSET REGISTER? 3
LINKS TO DATA PROTECTION 3
INFORMATION ASSET OWNER 4
INFORMATION ASSET ADMINISTRATOR 6
WHAT IS AN INFORMATION ASSET 7
COMPLETING THE INFORMATION ASSET MANAGEMENT TOOL 7
THE RISK ASSESSMENT TOOL AND HOW TO USE IT 10
WHO DO I CONTACT IF I HAVE ANY QUESTIONS ABOUT COMPLETING THE SPREADSHEETS? 11
WHERE SHOULD I SEND THE COMPLETED ASSET REGISTER? 11
Why do we need an Information Asset Register?
The Information Risk Management (IRM) Policy has been created to ensure that the Trust meets the
requirements of the Department of Health Information Governance policies and standards on managing
information assets.
This states that:
• All NHS organisations need a clear Information Risk Management Policy
and that:
• Information Risk Management should be a fundamental component of the organisation's overall business risk management framework
Key aspects of the Information Risk Management Policy:
• Provides support for the organisation's business aims and objectives
• Defines how our Trust and its delivery partners will manage its Information Risk
• Identifies how risk management effectiveness is assessed and measured
• Defines IRM escalation points and mechanisms
• Identifies accountability, roles and responsibilities for staff
The compliance requirements of the National Policy ‘NHS Information Risk Management’ (NHS Connecting for Health, Digital Information Authority; January 2009 Guidance) are to have knowledge of:
• What information assets we have
• Where they are
• What they hold
• How they are used
• What risks apply to them
The way to do this is for our Trust to have a register of all information assets, together with a review and update programme. This requires ownership and regular administration, hence the creation of the Information Asset Owner and Information Asset Administrator roles.
Links to Data Protection
Information Risk Management has direct links to the requirements of the Data Protection Act 1998 (DPA 1998). Southern Health NHS Foundation Trust’s Asset Register implementation and review programme is linked to the Data Protection and Data Custodian Framework.
Therefore the Trust made a Board decision for Data Custodians (within the meaning of the DPA 1998) to become our Trust Information Asset Owners, thus merging the two roles.
INFORMATION ASSET OWNER
Role and Responsibilities
Responsible to: Senior Information Risk Owner / Line Manager
Summary
The Information Asset Owner (IAO) is a senior member of staff who is the nominated owner for one or more
identified information assets within the service/Trust. IAOs will work closely with other IAOs of the Trust to
ensure there is comprehensive asset ownership and clear understanding of responsibilities and
accountabilities, especially where information assets are shared by multiple services. IAOs will support the
SIRO in their overall information risk management function as defined in Trust policy.
The IAO will also undertake the role of Data Custodian, as required by the Data Protection Act 1998.
The IAO will document, understand and monitor:
• What information assets are held, and for what purpose
• How information is created, amended or added to over time
• Who has access to the information and why
• The risk to the asset, understanding and addressing it and providing assurance to the SIRO
Key responsibilities
1. Identify and document the scope and importance of all information assets they own. This will include identifying all information necessary in order to respond to incidents or recover from a disaster affecting the information asset.
2. Take ownership of their local asset control, risk assessment and management processes for the information assets they own. This includes the identification, review and prioritisation of perceived risks and oversight of actions agreed to mitigate those risks.
3. Provide support to the SIRO to maintain their awareness of the risks to all information assets that are owned by the Trust, and to report those risks as appropriate.
4. Ensure that staff and relevant others are aware of and comply with expected information governance and Data Protection working practices for the effective use of information assets:
• Promote Data Protection and Caldicott Principles on an ongoing basis, including distributing posters, communicating articles and giving local briefings
• Promote local induction and ensure that all new starters, before they access any information system, are given instruction on the Data Protection Act and Caldicott as part of their first day/week induction programme
• Ensure that all new staff attend the Corporate Induction session as soon as they are able
• Ensure that all staff have access to current information on Data Protection Act and Caldicott requirements
• Ensure that all staff are aware of the Data Custodian/IAO for their area and the contact details for the relevant Information Security Team
• Ensure that all staff know the procedure for reporting information and IT security incidents
5. Provide a focal point for the resolution and/or discussion of risk issues affecting their information assets.
6. Ensure that the Organisation’s requirements for information incident identification, reporting, management and response apply to the information assets they own, including ensuring completion of Data Flow Mapping exercises when required.
7. Ensure (via the IAA) that the service’s RA Sponsors and Agents list is regularly reviewed and updated, reporting to the RA Co-Ordinator as appropriate.
8. Attend information risk management training as required to ensure skills, capabilities and any new national requirements are kept up to date.
9. Supervise and delegate tasks to the Information Asset Administrator.
INFORMATION ASSET ADMINISTRATOR
Role and Responsibilities
Responsible to: Information Asset Owner
Summary
The Information Asset Administrator’s (IAA) primary role is to support the IAO in fulfilling their responsibilities. IAAs will ensure that policies and procedures are followed, recognise actual or potential security incidents, consult with their IAO on incident management and ensure that information asset registers are accurate and up to date.
Key responsibilities
Detailed responsibilities will be agreed with the IAO, but would include:
1. Maintenance of Information Asset Registers
2. Ensuring compliance with the Data Protection Act and with data sharing agreements within the local area
3. Ensuring information handling procedures are fit for purpose and are properly applied
4. Under the direction of their IAO, ensuring that personal information is not unlawfully exploited
5. Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the IAO is consulted over appropriate procedures, e.g. completing/updating information mapping flows
6. Recognising potential or actual security incidents and consulting with the IAO
7. Reporting to the IAO on the current state of local information handling
8. Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the IAO
9. Acting as first port of call for local managers/staff seeking advice on the handling of information
10. Under the direction of the IAO, ensuring that information is securely destroyed at the end of the designated retention period
What is an Information Asset
An Information Asset is Service User, Staff or Corporate information/data that is processed by us and held in an electronic or hard copy/manual format.
Examples of information you may have in your area:
• Electronic patient records, e.g. OpenRiO primary electronic record, eCAMIS record
• Paper health records, OpenRiO secondary record
• Audit records
• Paper records and reports, including service user and staff records
• Contracts and agreements
• Business continuity plans
• Images, i.e. photographs, X-rays, MRIs
• Manuals and training materials
• Research information
• Investigations, i.e. IMR, CIR
• Voicemail / answerphone messages / message pads
• CCTV recordings
• Staff files: sickness, employment details, appraisal, leave, etc.
• Business meeting minutes/notes, including Board minutes/reports
• Clinical meeting notes
• Multi Agency Risk Area Consortium (MARAC) information
• Whiteboards
• Back-up and archive data
• Building plans
• Travel claims
• Revalidation documentation
• Birth Books
• Ward Admissions and Discharges Book
• Inventories
• Tenders
Completing the Information Asset Management Tool
The Information Asset tool is an Excel spreadsheet. It combines an information asset register with a data protection compliance checklist.
You will need to record the name of the service and team to which the information assets relate, as well as who the Information Asset Owner (IAO) and the Information Asset Administrator (IAA) are.
If you are covering more than one area, use the existing register but use the additional tabs along the bottom of the spreadsheet to create a sheet for each area.
Please see the example as shown below:
If this is the first time an Information Asset Management Tool for this service/team has been completed, please record the date in the ‘Date this register is modified’ field.
If this is a review/update/amendment of your initial completed document, please complete the ‘Date this register is modified’ field. In addition to entering this date, you will need to ensure that the next review/risk assessment date field on the register is also filled in with a review date; this will reflect that a review has taken place and will provide evidence to the IGTK.
This form must be updated when a new asset is added to the tool OR when an existing information asset is amended. Once the spreadsheet has been reviewed/updated/amended, please use the ‘Save As’ function and name your sheet in the following format:
Division (CORP, AMH, LD, TQ21, ISD…, CHILDRENS) Team Name, Version & Date, e.g.:
CORPORATE - Information Assurance Team v2 20.07.15
Enter the name of the asset at the top, across question 1, and then simply work down the questions for each different information asset type. Refer to the documented example within the IA management tool.
INFORMATION ASSET MANAGEMENT TOOL
Header fields:
• Name of Service, site and team/s:
• Information Asset Owner:
• Information Asset Administrator:
• Date this register is modified:
The tool then asks the following questions (numbered 1 to 16 in the spreadsheet), one column per information asset:
• What Information/Data do you have? Enter as free text in the appropriate column. Example: Personnel Records.
• How is the information held? (Electronic; Hard Copy/Manual.) From the drop-down menu select Yes or No.
• If this information is electronic, where is it stored? (Local "C" Drive; Removable Drives, e.g. DVDs, SD Cards and Datasticks; Sharepoint; Network Drives, e.g. Departmental Drive, Home drive; Dictaphones; Database System.) From the drop-down menu select Yes or No. If you know the name of the drive/shared folder, please state it as free text in the appropriate column.
• Does the information contain Person Identifiable Data? e.g. name, address, DOB, photograph, dental impressions, x-rays/images that can identify a person. From the drop-down menu select Yes or No.
• Does the information contain Sensitive Data? e.g. ethnicity, physical or mental health details, religion, diseases, sexual orientation, financial details, sickness/disciplinary/appraisal record, trade union membership: anything that tells us something about the person. From the drop-down menu select Yes or No.
• If yes to Question 4b, please state what sort of Personal Sensitive Information. e.g. looked after/adoption, ethnicity, physical or mental health details, safeguarding (children's), religion, diseases, sexual orientation, security access (keycodes) etc. Enter as free text in the appropriate column.
• Does the information contain Corporate Sensitive Data? e.g. contract tender, budget details: commercially sensitive information. From the drop-down menu select Yes or No.
• If the information is in hardcopy/paper format, do you store your documents on-site, off-site or both? Enter as free text (On site or Off site) in the appropriate column.
• If off-site, with which archive company? e.g. PHS Records Management, Box-It. Enter as free text in the appropriate column.
• If stored on-site, where is it located? e.g. Managers' Offices, Admin Offices, Ward office, Consultation Room, personally held (like an HCP diary). Enter as free text in the appropriate column.
• How is the (on-site) information protected against inappropriate access? e.g. password protected log-on, limited access to local drives, password protection of sensitive folders, smartcards, filing cabinets locked, office access limited: alarm + pinpad access code. Enter as free text in the appropriate column.
• Please confirm whether the IAO risk assessed the asset within this register. If not, please name the person who did. Enter as free text in the appropriate column.
• What is the level of risk regarding inappropriate access to the information asset? (Refer to the risk level tool.) Enter the result as free text in the appropriate column.
• Your asset should be reviewed in accordance with the frequency determined by the level of risk, i.e. annually, 6 monthly or monthly. Please set a date for the next review. Enter as free text in the appropriate column.
• What do you consider to be your main information asset risk?
Worked example column shown in the tool (values in the order they appear): Yes; Yes; No; Yes; Yes; Corporate Services Information Governance; No; RiO; Other; Yes; Yes; Sickness, Disciplinary, N.O.K. Details, Financial Details, Employment Contract; No; Both; Box-it; Manager's Office; Locked in 4 drawer filing cabinet; A.Sessor; 10; Annually; Annually; Annually; 01/05/2014; Paper records not locked away at all times, use of offices by staff from other sites.
The Risk Assessment Tool and How to use it
Having identified our information assets, we then need to identify what information risks exist, for example:
• Inappropriate access
• Damage to the information asset
• Loss of information
• Inaccessibility of the information
and the likelihood of any of the above occurring.
The risk assessment matrix below is the preferred method to do this and must be embedded within all services, departments and teams across the Trust. The risk score is the severity multiplied by the likelihood, each scored from 1 to 10.
Severity Level:
• High (8-10)
• Medium (5-7)
• Low (1-4)
Likelihood:
• 1 – 2 Very unlikely
• 3 – 4 Unlikely
• 5 – 6 Occasionally
• 7 – 8 Likely
• 9 – 10 Always
Scenario 1
Medics record discharge summaries onto a tape dictaphone which has no protection. The medic records the service user's full name, DOB (PID) and clinical information including medication and diagnosis. This happens on a regular basis.
Severity:
You may consider this to be very high because of the PID and personal sensitive information, e.g. 10.
Likelihood:
You may consider that the information is recorded on a regular basis on an unprotected device/media and can easily be lost or accessed by unauthorised person/s, e.g. 10.
Risk score is: 100, so the risk will need to be reassessed monthly.
Scenario 2
Ward lists which contain Person Identifiable Data (PID), filed into a ring binder and stored on a shelf in a room that is unlocked when occupied and locked when not occupied.
Severity:
You may consider this to be high because of the PID, e.g. 5.
Likelihood:
You may consider that the room is occupied throughout the day and locked when not occupied, thus placing this in the middle of the likelihood range, e.g. 5.
Risk score is: 25, so the risk will need to be reassessed 6 monthly.
Scenario 3
An administrator accesses the Trust’s network via a desktop computer, on site, to create and store service user appointment letters in a protected folder held on a network shared drive (not the C drive).
Severity:
You may consider this to be high because of the PID, e.g. 7.
Likelihood:
You may consider this to be very unlikely, as access to the building is limited, access to the IT network requires a password and network account, and the folder is protected so access is restricted, e.g. 1.
Risk score is: 7, so the risk will need to be reassessed annually.
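The matrix above, worked through in code as an added illustration (this is not the Trust's tool or any code from the handbook). The severity bands and likelihood labels are the handbook's own; the review-frequency thresholds are an assumption chosen so that the three scenarios (100, 25 and 7) map to monthly, 6 monthly and annually, because the handbook states the outcomes but not the cut-off scores.

```python
"""Risk score = severity x likelihood, as in the handbook's risk assessment tool."""


def severity_band(severity: int) -> str:
    """Handbook bands: High (8-10), Medium (5-7), Low (1-4)."""
    if not 1 <= severity <= 10:
        raise ValueError("severity must be scored 1-10")
    if severity >= 8:
        return "High"
    if severity >= 5:
        return "Medium"
    return "Low"


def likelihood_label(likelihood: int) -> str:
    """Handbook labels for the 1-10 likelihood scale."""
    if not 1 <= likelihood <= 10:
        raise ValueError("likelihood must be scored 1-10")
    bands = [(2, "Very unlikely"), (4, "Unlikely"), (6, "Occasionally"),
             (8, "Likely"), (10, "Always")]
    return next(label for upper, label in bands if likelihood <= upper)


def risk_score(severity: int, likelihood: int) -> int:
    """Score is the product of the two 1-10 ratings, so it ranges from 1 to 100."""
    severity_band(severity)      # validate both inputs before multiplying
    likelihood_label(likelihood)
    return severity * likelihood


def review_frequency(score: int) -> str:
    """ASSUMED cut-offs: the handbook gives only 100 -> monthly, 25 -> 6 monthly, 7 -> annually."""
    if score >= 50:
        return "monthly"
    if score >= 20:
        return "6 monthly"
    return "annually"


def assess(asset: str, severity: int, likelihood: int) -> dict:
    """Return one register entry: band labels, score and review frequency."""
    score = risk_score(severity, likelihood)
    return {"asset": asset, "severity": severity_band(severity),
            "likelihood": likelihood_label(likelihood),
            "score": score, "review": review_frequency(score)}


# The three handbook scenarios, with the severity/likelihood values the handbook suggests.
SCENARIOS = [("Unprotected dictaphone discharge summaries", 10, 10),
             ("Ward lists in ring binder", 5, 5),
             ("Appointment letters in protected network folder", 7, 1)]

if __name__ == "__main__":
    for asset, sev, lik in SCENARIOS:
        print(assess(asset, sev, lik))
```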
Who do I contact if I have any questions about completing the spreadsheets?
Please contact either your local Information Governance Lead or the Information Assurance Team and ask to speak with:
Sharon France, Information Governance Manager
Donna Woolley, Information Governance Facilitator
Karen Watts, Information Governance Facilitator
Telephone IG Team: 01962 763931
Where should I send the completed Asset Register?
Please return the completed Asset Register compliance tool to the Information Assurance Team by NHSmail to: [email protected]