Information Asset Register

The University’s Information Asset Register (IAR) is a record of all information assets held by Professional Services divisions, or by academic Schools and Faculties. The IAR helps us ensure that the University complies with the requirements of the UK General Data Protection Regulation (GDPR), and that information is managed consistently across the organisation.

What is an information asset?

An information asset is valuable information that the University holds, which would pose a significant risk to the University or to data subjects if lost. Information assets can come in the form of data (often personal) or documents and can be in digital or physical form, for example:

  • Admitting & enrolling students
  • Payroll and pensions
  • Committee papers
  • Student assessments
  • University policies
  • Research data

Information assets containing personal data (Record of Processing Activities)

The Record of Processing Activities (RoPA) is part of the wider IAR and focuses on processes that involve personal data. Article 30 of the UK GDPR requires us to have this in place, but aside from this, there are additional benefits of having a record of the types of information that we are collecting, where it is stored, who we are sharing it with, what security controls we have in place and how long the data should be retained.

Assessing and recording our information assets is critical should we suffer any data breaches or cyber incidents, as this allows us to carry out an informed assessment of the risk to the University and to those whose data was involved. It means we have a common, consistent and unambiguous understanding of the information held, how sensitive it is and who is responsible for it. This also improves our ability to respond to subject access requests or any legal requests to access personal data held by the University.

How do we manage our IAR?

  • Our Information Assets are recorded in a platform called One Trust.
  • Information Asset Owner (IAO) and Information Asset Assistant (IAA) roles have been established, and related guidance (internal SharePoint site) has been produced setting out the responsibilities of each role. The Information Compliance team is responsible for managing the network of IAOs/IAAs and will be in contact if this is relevant to you.
  • One Trust provides a tool for us to carry out assessments of our Information Assets. These assessments are similar to a survey and are sent to IAAs to complete. Once these are submitted, they are checked and approved by the Information Compliance team and then reviewed annually for any changes. Further information on completing these assessments can be found here.
  • The Information Compliance team can produce reports from One Trust which can be used when reviewing or changing your processes; these are also useful for new starters within your teams to demonstrate how information is handled in each process. This can help staff feel more confident with day-to-day activities, such as knowing where to store information (in line with University security policies), why we are processing it and what we can legally do with it, who we can share it with and how long we should keep it.
  • Information Assets are recorded and managed according to their business function (e.g. student assessments, payroll & pensions, research conduct) rather than by team or division. This is an important change and aligns with our Business Classification Scheme and Records Retention Schedule. Organisational structures change frequently while business functions remain much the same. This also ensures consistent retention and disposal of records according to their function. Our IAR within One Trust has been organised in this way and you will see your information assets/processes aligned with these functions within reports and assessments.

What should I do if I am establishing a new process, project or initiative?

This may need to be recorded in the IAR. If you are considering a new process or initiative and it will involve personal data, or if you will be collecting or storing other valuable information, you can contact the Information Compliance team at data-protection@bristol.ac.uk for advice. For further advice on what might constitute ‘valuable’ information, please see the IAO/IAA guidance here (internal SharePoint site).

If you require access to any information held in our IAR or have any other questions regarding it, please contact the Information Compliance team via email at data-protection@bristol.ac.uk.

Other information management resources

We also use the One Trust platform to carry out our Data Protection Impact Assessments (DPIAs). These are a requirement where any processing of personal data is likely to result in a high risk to the rights of those involved in the initiative. This is a more detailed assessment than those used to produce the IAR. Where personal data is involved, a combined RoPA entry and a DPIA may be needed. It is often required by research funders or as part of requesting a new IT product or service. Further information on DPIAs can be found here (internal SharePoint site).

Information compliance advice relating to Data Protection, Freedom of Information and Records Management can be found here (internal SharePoint site).