
The University's Information Asset Register is at https://iar.admin.cam.ac.uk

A recording of a demonstration session held in March 2018 is available at https://sms.cam.ac.uk/media/2720107

Access to the IAR is limited to certain groups of staff and is controlled using Raven. The guidance below is aimed principally at Departmental Administrators and others who can view and update the register within individual Institutions. Instructions on requesting access as a user, and on adding an additional user, are supplied below.

 

Details on how to use the Information Asset Register, which assets to include, and what to record

To help the University comply with the General Data Protection Regulation (GDPR), University Institutions (i.e. departments and equivalents) need to enter details about the information they hold into the Information Asset Register (IAR). There's no requirement to upload the data itself.

Each entry in the IAR should correspond with an information asset held by the University. This is either:

  • a single set of information (digital or printed)

  • more than one set of information (digital or printed) that is used for the same purpose

For the IAR, ‘the University’ means:

  • Schools, Faculties or Departments

  • Non-School Institutions

  • Research Centres or Units

  • UAS Divisions

We don't need to record details of assets held by Colleges or used solely by students.

Entries should be periodically reviewed (at least annually) to ensure they remain accurate and up-to-date.

 

Selecting which information assets to include

As a minimum, Institutions should record and maintain details of assets which both:

  • relate to the operational running of an Institution and

  • contain personal data – information that can be used to identify a living person either directly or indirectly

Institutions don’t need to include assets that contain centrally managed information, for example on CamSIS, CUFS or CHRIS, unless they have changed or manipulated the data.

A typical Institution is likely to have information in some or all of the following categories:

  • databases about staff, students or other people

  • student files

  • HR files and folders which include personal data, for example job titles, grades, salaries

  • case files about users of a staff or student service

  • submitted work, exam scripts and other exam records where candidates are identifiable

  • departmental committee records

  • departmental health and safety records about individual staff

  • complaint files

Each Institution is likely to have around 10 fundamental information assets, but should keep adding as many as required.

 

Adding details of academic research assets to the IAR

Institutions can also add details about academic research information assets which contain personal data. It’s not compulsory, as the University holds other relevant records about such assets (e.g. in ethics committee files), but it can help ensure the correct data security measures are in place.

When adding academic research information assets, the IAR also records the Principal Investigator.

 

What details to record about an asset

For each asset, Institutions should record the following in the IAR by filling in the boxes and answering the questions (many of these can be selected from drop-down menus):

  • what the information is used for - for example teaching, student administration

  • who the personal data belongs to - for example staff and job applicants

  • what kind of personal data it is - for example employment records, financial records, visual images

  • who the information is shared with

  • how long the information will be kept for

  • the risks if the information in the asset was lost or compromised

  • where the information is stored and if it is paper, digital or both

  • how the information is kept secure

If adding an asset which covers more than one set of information, Institutions should record details for either:

  • all the sets of information - in the sections of the IAR where it is possible to select multiple responses

  • only the most important set of information - in the sections where the IAR requires a single response

 

Request access to add to and view the register

Individual members of staff should request access to the IAR by emailing an IAR Administrator in their Institution.

Most IAR Administrators are Departmental Administrators or Heads of Department.

 

Give a person access to the IAR (if you’re an IAR Administrator)

IAR Administrators can add (and remove) additional IAR Users within their Institution using Lookup:  

  1. In Lookup, go to the group of IAR Users

  2. Go to Members > Edit

  3. Add the user > Save

 

Making an entry private or public

Register entries are visible to all University users of the IAR by default. It's possible to make entries ‘private’ - only visible to other users within an Institution. The IAR uses Lookup to identify which Institutions a user belongs to.

Central users of the IAR (like the Information Compliance Office or relevant UIS staff who keep the IAR working) can also see private entries.

 

Demonstration

A recording of a demonstration session held on 22 March 2018 is available at https://sms.cam.ac.uk/media/2720107.

 

Contact

Email the UIS service desk with any questions.