Information Asset Owner’s Role - Staff Guidance
This is the formal policy document outlining the role of the Information Asset Owner.
The Information Asset Owner (IAO) is a mandated role; the individual appointed is responsible for ensuring that information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the organisation is fully exploited.
An IAO reports to the Senior Information Risk Owner (SIRO), who in turn reports to the Chief Executive. The IAO is expected to provide information to the SIRO and the Finance & Corporate Governance Unit for assurance purposes when requested.
Although it was created out of the Data Handling Review (DHR), which initially focused on personal data handling, the role is equally important for any sensitive information processed by the organisation, whether it includes personal information or not. The IAO also needs to manage information assets to comply with statutory obligations such as the Freedom of Information Act 2000, the Public Records Act 1958, the General Data Protection Regulation 2016 and the Data Protection Act 2018.
Performing the role effectively brings significant benefits. It provides a common, consistent and unambiguous understanding of what information you hold: how important it is, how sensitive it is, how accurate it is, how reliant you are on it and who is responsible for it. It helps ensure that you can use the information you need to operate transparently and accountably, for example to meet open data standards, to unlock previously unavailable data and to improve public service.
The lawful and correct treatment of person-identifiable information by the NHSCFA is paramount to the success of the organisation and to maintaining the confidence of its stakeholders and staff. This policy will help NHSCFA ensure that all person-identifiable information is handled and processed lawfully and correctly.
This guidance document follows and adopts the best practice recommendations contained within Cabinet Office guidance.
This sets out the nature and primary responsibilities of an IAO in managing the risks to personal information and business critical information held within their department.
The Acts and Regulation highlighted in the previous section provide an overview of why the IAO role was created and what you are expected to achieve. However, IAOs have requested additional information about what that might mean in practice. This document provides an initial starting point for IAOs, providing practical guidance on:
IAOs must be senior/responsible individuals involved in running the relevant business. For NHSCFA purposes, the responsibility and accountability of IAOs has been assigned to designated members of the Senior Management Team and Leadership Team. Their role is to understand what information is held, what is added and removed, how information is moved and who has access and why. As a result, they are able to understand and address risks to the information and ensure that information is fully utilised within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.
The IAOs must be made aware of their responsibilities on appointment and will submit, as part of a collective annual report, an assessment on the security and use of their asset to the SIRO at the end of Quarter 4 of each financial year. The Head of Intelligence & Fraud Prevention is the NHSCFA's SIRO and is a member of the Senior Management Team. The annual report will consist of a signed declaration from each Leadership Team member to confirm they have complied with all NHSCFA policies relating to document retention and GDPR. Assurance will be provided to the Senior Management Team and to the Board via an annual Governance & Assurance exercise. The scope and size of sample data will be reviewed each year according to the risk.
Your role is about managing information not systems.
The initial driver for establishing the role of the IAO was to ensure that personal data was identified and securely handled. However, you also need to ensure you are managing the handling of other categories of sensitive or important information that the organisation relies on too. This involves making sure that it can be used in the way that you need, for as long as it is needed.
You are responsible for ensuring that information is protected appropriately and where the information is shared that the proper confidentiality, integrity and availability safeguards apply. But you are equally responsible for ensuring that its value to the organisation is fully realised and that it is used appropriately and within the law, for public good. You will also need to ensure that information is managed in accordance with the data principles - see Appendix 1.
Your role is about providing assurance and making sure that action is taken. But that does not mean you have to do everything yourself - in fact, much of the role is about understanding and, where necessary, coordinating the activities of others within the organisation who have specialist areas of responsibility. The organisation's Information Governance, IT Security and Records Management functions will be key in supporting you in the role. However, if you delegate responsibility for ensuring actions are taken, you must make sure that this is properly coordinated and that there are clear reporting chains that everyone understands. You can delegate responsibility to particular areas that can support you in your role, but you and the SIRO retain the accountability for proper information management and handling.
You may need to work with other IAOs within the organisation to ensure your data is properly protected and its value to the organisation fully realised.
An information asset is a body of information defined and managed as a single unit, so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.
The SIRO will decide what information assets you are responsible for. This should not just be a list of systems to manage but should focus on the information that needs to be managed within those systems. This could cover both sensitive personal data and non-personal information that is critical to the organisation’s business. It could be held in paper as well as electronic formats.
When you are appointed you need to discuss and be familiar with the agreed performance metrics in your business unit plan. These metrics will be delivered against the organisational business plan.
As an IAO you will need to assure against:
The lifecycle of a piece of information, and how long you need to use and keep it, is often different from the lifecycle of the IT system used to access and use it.
You will be required to formally review the risks to the confidentiality, integrity and availability of your information assets, including for any proposed new information systems, using the organisation's Data Protection Impact Assessment (DPIA) process. This review must take place at a minimum once a year, or more frequently (quarterly or six-monthly) depending on an identified need, and you must implement proportionate responses to the risks identified.
You must ensure that all staff with access to personal information successfully complete information risk awareness training on appointment and thereafter as appropriate according to the business unit’s needs and circumstances.
Your role is to ensure that the information in your charge is properly protected and its value to the organisation fully realised. This section of the guidance provides examples to get you thinking about your responsibilities and how that might look in practice. Some of your responsibilities require action that you must take, others are actions that you should take to assure that action is being taken by others.
You have five responsibilities:
To do this you should:
Where you have followed the above, you should then be able to answer the following questions: