Governance and Compliance

Information Asset Owners

Information Asset Owners have been appointed in each of the individual Schools and Professional Services Directorates across the University and details are provided below. Along with the Data Protection Officer (Alexandra Elliott – Head of Information Management and Compliance), the Information Asset Owner will be a point of contact in relation to data protection matters. They will be pulling together an Information Asset Register which reflects how personal data is used in each area, and it will then form part of the University’s overall Register.

Their role and responsibilities include the following:

  • Having an overview of any processing activities that occur within their work area, including the repositories that hold personal data,
  • Understanding where and when data is shared with third parties, and whether that is covered by contractual or data sharing arrangements,
  • Having a broad understanding of privacy issues and where there is a need to conduct a Data Protection Impact Assessment (DPIA),
  • Ensuring that the Information Asset Register reflects all information assets within their area and how personal data is processed, and
  • Understanding any processing issues with existing or new activities and identifying where there are any further compliance issues to address.

What is an information asset?

An information asset is a set of information that is managed as a single unit for the purposes of sharing, maintaining, securing, and understanding it easily and efficiently.

For the purposes of the Information Asset Register, an asset can be understood as a ‘pot’ or ‘repository’ of data, containing personal data, that is held by an individual/team, Professional Services division, or School. An example might be a database of contacts or a spreadsheet containing staff or financial data; this also includes physical assets, like a cabinet containing personnel files.

What is an Information Asset Register and why is the University creating one?

An Information Asset Register (IAR) is a ‘live’ document and updating it is an iterative and ongoing process. The IAR keeps a record of all of the information assets held within an organisation (in this case, the University) and outlines why they are held, how they are used, and any risks associated with each asset. These could be risks related to the type or volume of data, the way it is processed, or the value of the data to the organisation.

The IAR should document where data is shared with third parties, where special category data is held, and any related potential privacy issues for data subjects.

Whilst an IAR is not strictly required under the General Data Protection Regulation (GDPR), the Regulation does require us to take responsibility for what we do with personal data and to be able to demonstrate compliance with the six principles of the GDPR. An Information Asset Register helps us to do this.

Article 30 of the GDPR also requires data controllers to maintain a record of processing activities. An Information Asset Register facilitates this and allows us to provide a clearer allocation of responsibilities in relation to personal data within the University. The Register helps to inform, and sits alongside, the University’s privacy notice.

What is the role of the Information Asset Owner?

The Information Asset Owner (IAO) is a sufficiently senior representative from their School/Professional Services division who has a general overview of the assets held within their area and a broad understanding of the value/purpose of the assets and any associated risks, though they do not have to be, and are often not, the creator or primary user of the asset.

They also act as a local point of contact for data protection matters, fully supported by the Information Management team. They will assist in ensuring the IAR is kept up to date. They will also help in flagging processes or systems that might impact on the privacy of data subjects, so that a Data Protection Impact Assessment can be carried out with the assistance of the Data Protection Officer.

Having designated IAOs provides additional assurance that appropriate structures and arrangements are in place locally with regard to data protection and helps to foster a culture that values and protects information and personal data within each area of the University.