How to create an Information Asset Register (IAR)
Step-by-step guide to creating an Information Asset Register for GDPR and the NHS Digital Security Protection Toolkit (DSPT)
The digital healthcare landscape is evolving rapidly, with new technologies and data sharing practices emerging all the time. It's essential for digital health companies to ensure they're compliant with data protection regulations, like the General Data Protection Regulation (GDPR) and the NHS Data Security and Protection Toolkit (DSPT). Failing to comply puts the company and its users at risk, and can also lead to significant fines and reputational damage.
The first step towards compliance? Understanding what information you hold. This is where an Information Asset Register (IAR) comes in. It's a crucial tool for documenting the data you possess, where it's stored, and the security measures you have in place to protect it.
This blog post will guide you through the process of creating a comprehensive and compliant IAR, setting the foundation for a robust data security framework.
This is guide 1 of 3 in a series for digital health companies on Documenting your data processing activities.
What is an information asset?
An information asset can be defined as “a collection of knowledge or data that is organised, managed and valuable”. Some companies may find it useful to consider an information asset per office application or cloud service (e.g: Slack), or for some items it may be logical to consider a set of information / files with common purpose (e.g: Training Records in Google Drive / Workspace).
What is an Information Asset Register (IAR)?
An Information Asset Register (IAR) is a list of all your information assets. It is a comprehensive inventory of all the places your organisation stores personal data. Think of it as a digital roadmap for your data.
Note that, here, an information asset refers to the data and not the physical device (e.g: Laptop). Some companies may wish to include physical assets alongside their informational assets in the same register, but we find it more logical to keep them separated. Tracking physical assets is also important; devices such as laptops and servers may live in their own Physical Asset Register that you maintain, but this is outside the scope of this post.
Why is an Information Asset Register important?
An IAR is vital for maintaining control and security for three reasons:
- Transparency: It allows you to see all the data you have in one place, ensuring clarity about what information you hold and where, and avoiding duplication.
- Accountability: The IAR demonstrates your organisation's commitment to data protection by demonstrating you have a clear understanding of your data assets.
- Security: It facilitates identifying high-risk information assets, allowing you to focus security efforts on those areas most vulnerable to breaches.
What data can I store under GDPR ?
The General Data Protection Regulation (GDPR) outlines six principles ensure that personal data (any information that relates to an identified or identifiable individual) is handled with care and transparency. Whilst full details are outside the scope of this guide, there are a few key principles to keep in mind:
- You must be clear about why you’re processing personal data from the start, be able to evidence it and specify it in your privacy information to individuals. “Purpose limitation” restricts data usage to specified, legitimate purposes (more on this later).
- You must only collect personal data which is “necessary” and ensure it is kept up-to-date. This is called “data minimization” and “accuracy”. You should record why it is necessary to keep this information in your IAR.
- Store personal data for no longer than is necessary for the purpose for which the personal data is processed. This is called "storage limitation".
- Personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.
Creating your Information Asset Register
Creating your Information Asset Register
1. Choose a template:
We provide a template on our platform* with with clear and relevant examples for digital health companies - talk to us to receive a copy of this template. You can also find a templates online - the Digital Care Hub provides an example for care organisations.
2. Gather key information:
For each information asset, identify:
- Asset Name
- What information is kept and why
- Location
- Links to any contracts
- Does it contain special category data? (more on this later)
- Information Asset owner
- Sharing with external parties?
- Risks if breached
- Security measures in place
- Retention schedule (if possible)
- Audit date
- Breach history
Recording this information will help reinforce the principles around retention, lawfulness and minimization outlined above.
3. Consider if this this special category data - "What is special category data"?
As a digital health company, it may be necessary for you to process "special category" data - this is personal data that needs more protection because it is sensitive . Once you know what personal data you have, consider whether it is special category.
The UK GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
The ICO provides further detailed guidance on defining special category data.
4. Review and obtain approval
Ensure the IAR is accurate and complete. It should be reviewed and approved by relevant stakeholders such as senior management and your data protection representative.
As with all data processing activities, it is also important that you keep your records up-to-date, and continue to review your IAR at regular intervals and when making changes.
How to get started
Assuric is a platform designed from the ground up for digital health companies to achieve and manage compliance. We can help with:
- Creating an Information Asset Register (IAR) from a template specific to digital health companies.
- Keeping your IAR up-to-date with any changes
- Reviewing your IAR to ensure it meets requirements
- Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC.
Talk to us to learn more or request a copy of the Information Asset Register (IAR) Template:
What next?
Once you have your IAR, we need to think about where our data comes from and where it goes. This brings us to Step 2: Creating a Record of Processing Activities (ROPA) ->.
