Information Asset Register – UK GDPR Tips

An Information Asset Register (IAR) template is held by all Business Units and it is for staff in those respective Business Units to work together and catalogue the personal data they hold.

Under UK GDPR it is essential to keep records of our data processing activities to show that we are complying with the legislation. The evidence-based IAR will be one of the first elements examined should we be audited or investigated by the Information Commissioner's Office (ICO), so it needs to be as comprehensive as possible.

The document also ensures a better understanding not only of what personal data is held, but also of how that data flows through the organisation. This information is essential for understanding whether existing processes need to be looked at in closer detail to ensure we are compliant. For this reason, IARs should be reviewed annually by Information Asset Owners.

The IAR is a detailed document, but it is certainly not meant to trip anybody up. Additional information, definitions and drop-down box options have been provided for many of the categories to make it as intuitive and straightforward to complete as possible. As we receive them, we will extend the top tips below by sharing the answers to frequently asked questions posed by teams and members of staff.

  • Please ensure that you complete the document owner box to capture the last update and next update dates.
  • Business Units can decide if they wish to allocate an “Internal Ref ID” to each of the entries (column A).
  • You must document the legal basis you are relying on for processing all personal data. There are 6 available legal bases set out in Article 6 of the UK GDPR. These are consent, contract, legal obligation, vital interests, public task and legitimate interests. The majority of MVDC functions are likely to fall under public task or contract.
  • The special categories of personal data are those set out in Article 9 of the UK GDPR, which are more sensitive as they relate to race, ethnicity, political opinion, genetic or health-related data and sexual orientation. If you are processing data that falls within this category, you must first record your legal basis under Article 6 and also record a separate condition for processing under Article 9. Depending on which Article 9 basis you are relying on, it may also be necessary to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.
  • Criminal Offence data should be recorded on a separate IAR. If you process this type of data please contact Kate Butcher, Deputy Data Protection Officer, to ensure that it is recorded correctly.
  • The definitions and risk assessment tabs will help you to complete the rest of the document.
  • Should you have any questions, or require a blank IAR template to complete, please contact Kate Butcher in CSU or email FOI@molevalley.gov.uk.