How do they fit into health and social care?
For many in social and health care settings, the role of an Information Asset Owner (IAO) may be something of a mystery.
When a member of the team is appointed to the role, they can be integral to completing the risk registers and, importantly, are subsequently responsible for their information assets in the Data Security Protection Toolkit (DSPT). This shares the load of completing the toolkit, which can often be a time-consuming task.
Despite that, an ICO audit of the health care organisations found 33% had no IAOs in place.
Why have an IAO?
As a Registered Manager or Data Protection Lead within a social care or health setting, having an IAO is vital to ensuring data protection compliance and will enhance your ability to complete the DSPT. IAOs are essentially the gatekeepers of information assets and are critical in ensuring the information is properly and lawfully handled.
Who should be an IAO?
IAOs are usually senior/responsible individuals involved in the running of the organisation, such as HR managers, care managers or estates managers. However, IAOs must be trained on appointment to ensure they fully understand the requirements of the role.
The responsibilities of an IAO are to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. The IAOs should be the eyes and ears on the ground; they are close to daily operations and are able to monitor processes closely.
What are the responsibilities of an IAO?
IAOs understand and address risks to the information you store and ensure that such information is fully used within the law. In order to do this effectively and compliantly they will need appropriate IAO training, particularly if they are new to the role.
IAOs are a source of advice and expertise for organisations, often by contributing to their department’s plans to achieve and monitor the right culture. To ensure compliance with the provisions of data protection legislation, IAOs must understand the organisation’s policy on the use of the information stored, regardless of department.
Best practice within organisations should include regular team meetings and high-quality information flows, with support from the Information Governance team and clear reporting lines in place. The allocation of roles and responsibilities should be regularly reviewed with regard to access rights, to ensure that only information required for the operation of the activity or for monitoring purposes is included. This applies to staff and contracted staff as well as any third parties.
How to train your IAOs.
BLS Complaint can assist with IAO training, either through attending an open course bookable via our website or through a bespoke training session for your organisation.