The Information Asset Owner (IAO) is a mandated role that was created following the Government’s Data Handling Review (DHR) in June 2008. Appointed individuals are responsible for ensuring that specific information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the Trust is fully exploited.
IAOs report to the Senior Information Risk Owner (SIRO), who in turn reports to the Accountable Officer:
- Accountable Officer: Kathryn Singh, Chief Executive
- SIRO: Richard Banks, Executive Director of Business Assurance
Although the role grew out of the DHR, which initially focused on the handling of personal data, it is equally important for any sensitive information processed by the Trust, whether or not that information includes personal data.
IAOs also need to manage information assets so that the Trust complies with its statutory obligations, for example: the General Data Protection Regulation 2016, the Data Protection Act 2018, the Access to Health Records Act 1990, the Freedom of Information Act 2000 and the Environmental Information Regulations 2005.
Key Principles of the Role
- It is about managing information, not systems
- Ensuring personal data is identified, securely handled and can be used in the ways that it is needed
- Ensuring information is appropriately protected and proper safeguards are applied when it is shared
- Ensuring information is managed appropriately during and following change
Risks to Manage
- Inappropriate access to, or disclosure of, personal data
- Threats from staff (internal) or from external parties
- Loss of information during transfer or during periods of business change
- Loss of immediate or continuous access to information, i.e. not being able to find, open or work with your information for a period of time
- Poor information quality
- Poor change management
- Failing to maximise the public benefits of information
Responsibilities of the Role
- To lead and foster a culture that values, protects and uses information for the public good
- To know what information each asset holds and what is transferred into or out of it
- To know who has access to assets, and why, and ensure their usage is monitored
- To understand and address risks, provide assurances to the SIRO and ensure data loss incidents are reported
- To ensure assets are used for the public good, including responding to access requests