Information Asset Register – Five Questions That Map Every System
An Information Asset Register (IAR) gives practices visibility of every system that touches personal data. Asking the same five questions each time keeps the register consistent and prevents key assets from slipping through the net.
Ask these five questions for every asset
- What is it? Describe the system, spreadsheet, or external platform in plain language so anyone can recognise it.
- Why do we have it? Capture the clinical or business purpose and note any statutory or contractual requirement.
- What data does it hold? Record categories of personal data, special category data, retention periods, and any sharing arrangements.
- Who uses it and where is it stored? Note user roles, hosting location, suppliers, and third-party processors.
- What could go wrong? List risks, current mitigations, and where to find related incident or continuity plans.
Capture the information efficiently
- Add an asset review question to new starter and leaver checklists so emerging tools are captured quickly.
- Embed IAR updates into procurement, change control, and DPIA workflows instead of handling them separately.
- Use colour coding or tags to flag assets that need additional assurance such as supplier audits or penetration tests.
Keep the register up to date
- Review high-risk assets quarterly and lower-risk assets annually, recording the review date and outcome.
- Archive retired systems with a short note referencing where residual data is stored or how it was destroyed.
- Share a summary view, without sensitive detail, with PCN partners or federated services that share infrastructure.
Store evidence sensibly
- Link to technical documentation, contracts, and risk assessments rather than duplicating them inside the register.
- Capture decisions about remediation or decommissioning in a short comment field with owner and deadline.
- Retain change history so inspectors can see how the register evolves over time.
Put it into practice
Pick one clinical system, one shared drive, and one third-party application. Apply the five questions today and update your register. Use any gaps you uncover to discuss how premium templates, training modules, and change logs can support wider adoption across the practice or PCN.
Disclaimer
This guidance is for general information. It is not a substitute for legal, clinical, or specialist advice. Always seek professional support tailored to your practice.