11-323

Attainment: Level 3 (Previous: 1)

Organisations must ensure that all of their information assets that hold or are personal data are protected by technical and organisational measures appropriate to the nature of the asset and the sensitivity of the data.

Level 1.

a.

There is an Information Asset Register that captures all identified information assets that comprise or hold personal data and there is a clearly identified individual accountable for each asset recorded in the Register.

Asset Register

b.

A documented plan has been developed to investigate and identify all remaining information assets that comprise or hold personal data and to assign appropriate responsibility for any identified, including details in the Information Asset Register.

Action plan

Level 2.

All mandatory safeguards are in place to protect assets that comprise or hold personal data and risk assessments have been conducted to determine which additional safeguards should be in place.

a.

All mandatory safeguards are in place to protect identified assets that comprise or hold personal data.

Safeguards employed for all items in the asset register include:

b.

Risk assessments have been conducted to determine which, if any, additional safeguards should be deployed to protect each asset.

No additional safeguards were required.

c.

The plan to identify any relevant information assets that the organisation was previously unaware of has been implemented and there is a high degree of confidence that all such assets have been identified and secured.

Latest Information Governance Review meeting

Level 3.

All information assets that comprise or hold personal data have been effectively secured and audit/spot checks are used to check compliance.

a.

All information assets that comprise or hold personal data have been effectively secured and audit/spot checks are used to check compliance.

Latest Information Governance Review meeting

b.

All new information assets that comprise or contain personal data are identified when they are created/deployed and steps taken to include them in the Information Asset Register and to secure the data.

Latest Information Governance Review meeting