Information Asset Register guidance

Where is the Information Asset Register?

The University's Information Asset Register is at https://iar.admin.cam.ac.uk

Access to the IAR is limited to certain groups of staff who need to login using their normal cam.ac.uk credentials.  The below guidance is aimed principally at those who need to view and update the register within individual Institutions.  Instructions on asking to become, and adding, an additional user are supplied below.

 

Details on how to use the Information Asset Register, which assets to include, and what to record

To help the University comply with data protection legislation, University Institutions (i.e. departments, Divisions, and equivalents) need to enter details about the information they hold into the Information Asset Register (IAR). There's no requirement to upload copies of the data itself.

The IAR has two main purposes: (i) it helps to meet a core data protection accountability requirement, known as 'records of processing activities', which means documentation that maps out an organisation's operations that involve the processing of personal data; and (ii) it assists the University in assessing information security risks related to its current information assets.

Each entry in the IAR should correspond with an information asset held by the University. This is either:

  • a single set of information (digital or printed)
  • more than one set of information (digital or printed) that is used for the same purpose

For the IAR, ‘the University’ means:

  • Schools, Faculties or Departments
  • Non-School Institutions
  • Research Centres or Units
  • UAS Divisions

We don't need to record details of assets held by Colleges or used solely by students.

Entries should be periodically reviewed (at least annually) to ensure they remain accurate and up-to-date.  Users can download a .csv report of their Institution's entries once they are logged into the IAR in order to assist with the process of reviewing them.

 

Selecting which information assets to include

As a minimum, Institutions should record and maintain details of assets which both:

  • relate to the operational running of an Institution and
  • contain personal data – information that can be used to identify a living person either directly or indirectly

Institutions don’t need to include assets that contain centrally managed information, for example on CamSIS, CUFS or CHRIS, unless they have changed or manipulated the data and hold a 'local' copy.

A typical Institution is likely to have information in some or all of the following categories:

  • databases about staff, students or other people
  • student files
  • HR files and folders which include personal data, for example job titles, grades, salaries
  • case files about users of a staff or student service
  • submitted work, exam scripts and other exam records where candidates are identifiable
  • departmental committee records
  • departmental health and safety records about individual staff
  • complaint files

Each Institution is likely to have around 10 fundamental information assets, but should keep adding as many as required.  Those responsible for maintaining their Institution's IAR entries are encouraged to liaise with key administrative colleagues in their Institution (e.g. as appropriate and insofar as the roles/functions exist, departmental staff responsible for local IT, HR, alumni relations, office management, student administration or purchasing) to ensure that all relevant assets are captured.

The email accounts used by individual members of staff contain lots of different types of information but these accounts do not need to be added to the IAR as they are not systematically organised or controlled information assets.  However, shared email accounts associated with specific departmental functions, and used in certain fixed ways, can be added to the IAR where applicable (e.g. if an Institution used a shared email account to manage and maintain its core records about applicants or examinations).

 

Adding details of academic research assets to the IAR

While the University holds other relevant records about academic research assets (e.g. in ethics committee files), Institutions are strongly encouraged to also add details about academic research information assets which contain personal data as doing this can help ensure the correct data security measures are in place as well as creating a more comprehensive single record of information assets.

When adding academic research information assets, the IAR also asks for the Principal Investigator.

 

What details to record about an asset

For each asset, Institutions should record the following in the IAR by filling in the boxes and answering the questions (many of these can be selected from drop-down menus):

  • what the information is used for - for example teaching, student administration
  • who the personal data belongs to - for example staff and job applicants
  • what kind of personal data it is - for example employment records, financial records, visual images
  • who the information is shared with
  • how long the information will be kept for
  • the risks if the information in the asset was lost or compromised
  • where the information is stored and if it is paper, digital or both
  • how the information is kept secure

If adding an asset which covers more than one set of information, Institutions should record details for either:

  • all the sets of information - in the sections of the IAR where it is possible to select multiple responses
  • only the most important set of information - in the sections where the IAR requires a single response

 

Request access to add to and view the register

Individual members of staff should request access to the IAR by emailing an IAR Administrator in their Institution.

Most IAR Administrators are Departmental Administrators or Heads of Department.

Note that IAR Institutional affiliations follow an individual's affiliations as held on Jackdaw, the UIS database that underpins Lookup.  If these are wrong or incomplete, they can be amended by following the relevant UIS guidance.

 

Give a person access to the IAR (if you’re an IAR Administrator)

IAR Administrators can add (and remove) additional IAR Users within their Institution using Lookup:  

  1. In Lookup, go to the group of IAR Users
  2. Go to Members > Edit
  3. Add the user > Save

 

Making an entry private or public

Register entries are visible to all University users of the IAR by default. It's possible to make entries ‘private’ - only visible to other users within an Institution. The IAR uses Lookup to identify which Institutions a user belongs to.

Central users of the IAR (like the Information Compliance Office or relevant UIS staff who keep the IAR working) can also see private entries.

 

Contact

Email the UIS service desk with any questions.