Information assets and flows register (IAFR)

An IAFR is a document which holds details of all the information assets within your organisation. It includes electronic data, such as the shared care record, and physical assets, such as paper case notes.

The IAFR template from NHS England has been designed to capture both the requirements for an Information Asset Register (IAR) and for a Record of Processing Activities (ROPA).

It is a legal requirement to have an up-to-date ROPA covering all data processing.

It is a Data Security and Protection Toolkit requirement to have an up-to-date IAR covering all your organisation’s information assets.

The IAFR template combines these two requirements into one document to reduce duplication.

Maintaining an up to date IAFR gives you an important tool for understanding what data your organisation holds and processes. It helps you to assess and mitigate risks to this data and is invaluable in the event of an incident where data is compromised or unavailable.

The universal IAFR template can be used to identify and document all your organisation’s information assets and flows of data. It does not just apply to health and care data. It can be used to document information assets and data flows for a variety of purposes for example finance, personnel, staff training or complaints.

An IAFR (or equivalent) should be completed and maintained from the time you start using and sharing personal information. For example, if you are setting up a new service that involves sending people’s information to a new supplier, you should update the IAFR with information about the new data flow when the service starts.

Responsibility for creating and maintaining an IAFR should be clearly assigned by your organisation, but it can be shared amongst multiple people. This might be the DPO, the IG lead or team, or your management team.

The register should be reviewed and approved by your senior management team (in accordance with your governance structure) at least once annually.

You will need to know what information assets your organisation holds, who the asset owners are, what identifiable data is used by each asset, and where the data flows to and from.

If you do not have this information, you should consult your senior management team.

The IAFR should be kept on the system and updated whenever necessary.

Reasons for necessary updates might be:

• starting a new service or function
• stopping an existing service or function
• sharing new or different information with another organisation
• sharing the same information with another organisation for a different purpose
• changing the way you share the information

People who are assigned responsibility for information assets, known as information asset owners (IAOs), often supported by information asset administrators (IAAs), should regularly review their information assets and flows. When changes occur, they should notify the appropriate individuals to ensure the IAFR remains up to date.