URL: /partner/iar/
The Information Asset Register (IAR) records all information assets held by the practice. This is a DSPT requirement and a cornerstone of your information governance framework.
Any collection of information that has value to the practice. Assets can be digital or physical, and include:
- Patient health records
- Staff personnel files
- Financial records
- Clinical data and audit reports
- Appointment data
- Prescribing records and AES evidence
- CCTV footage
| Classification |
Description |
| OFFICIAL |
Routine business information (e.g. appointment schedules) |
| OFFICIAL-SENSITIVE |
Personal data or commercially sensitive information |
| SECRET |
Highly sensitive information with significant impact if compromised |
| TOP SECRET |
Information requiring the highest level of protection |
| Type |
Examples |
| Patient Records |
Health records, clinical notes, test results |
| Staff Records |
HR files, DBS checks, training records |
| Financial Records |
Invoices, payments, insurance claims |
| Clinical Records |
Audit reports, clinical governance documents |
| Appointment Data |
Scheduling, cancellations, DNA records |
| Prescribing Data |
Prescriptions, AES evidence, pharmacy notifications |
- Navigate to Information Asset Register
- Click Add Asset
- Complete the form:
- Name — clear identifier for the asset
- Description — what the asset contains
- Asset Type — category from the list above
- Classification — data sensitivity level
- Data Owner — senior person accountable for this asset
- Data Custodian — person/day-to-day manager
- Storage Location — where the data lives (system, physical location)
- Retention Period — how long the data must be kept
- Personal / Special Category — does it contain personal data?
- Security Controls — encryption, access controls, etc.
- Backup Frequency — how often it's backed up
- Disaster Recovery — provisions for restoring the asset
- Click Save
Each asset has a last reviewed date and next review due date. Assets overdue for review are flagged.
- Review every asset annually at minimum
- Update the asset register when new systems or data collections are introduced
- Ensure data owners are senior enough to be accountable
- Keep security control descriptions specific (e.g. "AES-256 encryption" not just "encrypted")
- The IAR feeds directly into your DSPT submission evidence