Source of Asset Name of asset Description

information number
or ID

STAFF 1 Staff employment Holds employment information,

(including files including name, home address and
practitioners, telephone number for each employee,
students, student, volunteer, director. Training
volunteers and certificates and references, application
trustees) forms. Confidential information
relating to each employee, including ID
information, right to work in the UK,
health and medical needs, suitability
declaration forms, sickness and leave
details, return to work forms,
individual risk assessments,
employment terms and conditions and
occupational health reports.

2 Performance Holds supervision and appraisal

management files information; disciplinary information;
performance management records.

3 DBS records Includes details of spent/unspent

(including Certificate convictions, cautions, reprimands and
of Good Conduct) police issued final warnings; any
additional information held by local
police deemed relevant to the role and
checks of the DBS barred lists.

4 Self-declaration Personal information regarding an

forms individual's suitability to work with
children. Can include health
information; personal information
regarding other people living at the
same address; social care information
regarding self and family; and criminal
information.

5 Allegations against Allegation details, police/social

practitioners care/LADO information; meeting
minutes.

6 Staff meeting Minutes of staff meetings, including

minutes possible discussion about children.

7 Staff registers Details of staff present including times

of arrival and departure
 8 Payee information Includes details of wages, NI and tax
contributions; NI number, personnel
number, tax code and bank details

9 Financial Incomings and outgoings, tax details,

information bank details, profits and loss, debts,
business funding details. Also funding
details for three and four year olds;
Me2 funding; EYPP, DAF and
Inclusion funding details.

10 Emergency contacts Emergency contact details of staff,

including next of kin.

CHILDREN 11 Registration Enrolment details, including name,

forms/contracts home address, DOB, parents'/carers'
details, confirmation of parental
responsibility; involvement with other
agencies, health, medical, allergy
information; SEND information;
safeguarding/child protection details
including care status. Also includes
consent information regarding photos,
first aid, emergency treatment, sun
cream, emergency medication, outings
and more.

12 Waiting lists Contact details of parent and carer,

name and DOB of child

13 Children's registers Information on children's attendance,

including dates and times of arrival and
departure.

14 Birth certificates Copy of birth certificate including

where applicable confirmation of
parents' names.

15 Children's learning Learning and development record of

and development child, including observations, learning
files journeys, and summative assessments.
Information regarding children's daily
routines and likes and dislikes.
Communication books with other early
years providers/schools. Home
communication books with parents
comments included.
16 Cohort data / TBA
tracking information

17 Transfer documents Learning and development summary

record for a child when moving to
another setting or school.
18 SEND information Can include learning journey
information, summative assessments,
individual education plans, health care
plans, individual risk assessments,
referrals, Early Help Assessments, and
medical records.

19 Safeguarding files Early help information, Early Help

assessments, low level concern details,
Child at Risk alerts (CARAs), patterns
of behaviours, information relating to
care and welfare, observations,
discussions with parents and other
agencies.

20 Child protection files Child protection information, referrals,

minutes, child protection/in need plan
and court reports and orders. Generally
highly confidential information.

21 Accident records Information relating to accidents and

injuries occurring in the setting. Can
also include accidents involving staff or
third parties.

22 Incident records Any significant incident that occurs

relating to a child in the setting; for
example if there has been a need for
physical intervention.

23 Pre-existing injury Information relating to accidents and

injuries which have occurred to a child
outside of the setting, for example,
where the accident has occurred at
home.

24 Allergies and May include a health care plan, details

medication of medication and other health
information information
 25 Photos Including video, digitally stored
photos, online/offline storage; printed
material; social media content; work
mobile phones; cameras.

PARENTS/ 26 Personal details Relationship to the child, including

CARERS parental responsibility. Contact details,
including address. Details of
employment status, company names
and job roles. Parent ethnicity, status in
the UK, first language etc. Details of
family and friends, including contact
details.

27 Safeguarding/adult May include highly confidential

protection information, such as police information
information via CARA; details from MARAC;
DASH risk assessments; information
from safeguarding/child protection
meetings, including early help.
Information provided by other agencies
in relation to the parent/carer.

28 Parent declaration Signed declarations confirming

forms eligibility for funding.

29 Financial BACS details, credit/debit card details,

information NI number, benefit details, tax credits
information.

SUPPLIERS 30 Business information Contact details; contract details; and

financial information; details of
personnel.

GENERAL 31 Computer systems Management of setting, including

parent and child details, financial
information, business information,
learning and development records,
headcount information and more.

32 CCTV Could include internal/external cameras

and record devices. This includes all
images and recordings.

33 Social media Could include photographs; cookies; ip

addresses; user names, passwords etc.
Purpose may differ dependent on who
is allocated access and what the service
is for.
34 Complaints A complaint log maintained to record
any complaint relating to the EYFS.
Separate in depth logs and notes from
investigations for written and more
complex complaints. Additional logs
may be maintained of complaints
regarding other issues.
What is the information used for? Legislation under which Location Owner
asset is required

To ensure the suitability of staff; EYFS 2017; Computer files Mrs. A.N.
To ensure staff are contactable; Working Together to held on i-cloud; Other
To evidence appropriate recruitment Safeguard Children 2015; Archived (Nominated
checks have been undertaken; Equalities Act 2010 information person/Chair)
To meet the requirements of the EYFS stored off-line;
Paper documents
stored in secure,
fixed filing
cabinet on site.
Volume Personal Access Shared Format
data

20 current Yes; includes Access is restricted to Information is shared with Word documents;
files; sensitive named senior senior managers, Ofsted password protected
10 archived personal data managers and and the local authority spreadsheets.
files; registered person. where required for
Total 30. safeguarding and child
protection purposes.
Selected information may
also be shared with
prospective new
employers.
Retention Risks / impact Control measures Key
asset

Evidence of Loss of confidentiality: - Restricted authorised Yes

employment- personal safety impact only access to files;
60 years; on individual; Secure, locked storage;
Other - privacy impact on Information kept on site
employment individual at all times
information - 3 Loss of availability: Password protected
years - inability to contact staff electronic files;
- breach of Ofsted Regular review and
requirements update of information for
Loss of integrity: accuracy and relevance;
- unable to use Effective archiving and
information for its deletion procedures.
intended purpose
- identity theft/fraud.
Information Asset Register
An Information Asset Register (IAR) is a simple way to help you understand and manage your setting's informati
An electronic template has been provided due to the amount of information you are likely to hold and the number
A template has been provided to assist you with completing an Information Asset Register. An example of how th
complete the IAR.
Some further guidance on completing each section is provided below.

Asset Name of asset Description

number
or ID

STAFF 1 This is the name Describe as accurately as you can

your setting uses the purpose of the file and what sort
for the file or of information you may hold in it.
document. For Think particularly about any
example, some sensitive information you may hold.
settings will have
an employment
file, whilst others
may have a
personnel file or a
staff file.
nd and manage your setting's information and assets. Under the new Data Protection Act 2018, you are required to catalogue
n you are likely to hold and the number of times you are likely to update it. You will need to think about the different groups o
n Asset Register. An example of how the register needs to be completed can be found at the top of the spreadsheet on the Info

What is this information used for? Under what legislation is this information required?

Explain here why you are collecting Identify here under what legislation you are permitted to/or are
this information and for what
purpose.
required to collect such data. This includes:(a) Consent: the
individual has given clear consent for you to process their
personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have
with the individual, or because they have asked you to take
specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to
comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect
someone’s life.
(e) Public task: the processing is necessary for you to perform a
task in the public interest or for your official functions, and the
task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your
legitimate interests or the legitimate interests of a third party
unless there is a good reason to protect the individual’s personal
data which overrides those legitimate interests. This means you
need to consider:
•The balance between the interests of the controller and
•The rights and freedoms of the individual. The legitimate
interest must be a real and valid reason (not vague).
required to catalogue all the information you hold and process as a setting. The IAR will help determine whether the informa
the different groups of individuals you hold data on; how you hold that data and where you hold it.
preadsheet on the Information Asset Register tab. Also included are examples of some of the documentation you may need to

Location Owner Volume

Detail where you hold the The owner of the As accurately as

information. Remember that information is the possible, detail
documentation must be held on site, designated person within the amount of
unless you have written permission your setting responsible for each type of asset
from Ofsted to store it elsewhere. As managing the data. This is you hold.
well as paper files, you are also likely most likely to be the Remember to
to have information stored elsewhere registered person or the include 'live' files
(either physically or digitally), such manager/childminder. and 'archived'
as computer files, work mobile files.
phones, portable IT (laptop/tablets
etc.), displays, website and social
media, website surveys.
ill help determine whether the information you hold is personal or sensitive data; stored appropriately; shared safely; and reta
e you hold it.
of the documentation you may need to include. Please note this is not an exhaustive list and you will need to adapt the list an

Personal data Access

State here whether the information is Who has access to the data?
personal data or not. Personal data means Record if there is restricted
any information relating to an access to the data.
identifiable person who can be directly
identified through the information
available. Sensitive personal data means
any information relating to special
categories of data, including racial or
ethnic origin, political opinion,
religious/philosophical beliefs, trade
union membership, genetic data,
biometric data, health data and data
relating to a natural person's sex life or
sexual orientation. Remember that
personal data includes information
available digitally, such as online
identifiers (such as email addresses, user
profiles, and IP addresses). NB a 'natural'
person is a human being as opposed to a
'legal' person which is generally an
organisation.
ive data; stored appropriately; shared safely; and retained for an appropriate length of time.

exhaustive list and you will need to adapt the list and add to it to ensure it covers everything that applies to your setting. You

Shared Format

Record who the information Record here the format in

may be shared with. The with the data is held.
information may be shared
with some individuals on a
regular basis but with others
only under special
circumstances.
r an appropriate length of time.

o it to ensure it covers everything that applies to your setting. You will need to complete each column for each asset to fully

Retention

Record how long you plan to retain the data for. The Data Protection Act does not set out
any specific minimum or maximum time periods for retaining personal data. Instead, it
advices that personal data should not be kept for longer than its intended purpose. Some
suggested guidelines are available for the retention of data, but you will need to consider
these in respect of your own setting. It may be the case of keeping some data but not all.
For example, in respect of staff employment files consider how long you may need the
information for in the future. For most settings, it is likely to be beneficial to know which
staff have been employed and when over the course of the business (and longer). This
could be necessary if a safeguarding allegation was brought up at a later stage, and the
police needed to look at the individual's employment history. Other information relating to
the individual's employment history is less likely to be needed for a significant period of
time and could be destroyed a lot earlier. A good rule of thumb is to keep information
relating to the setting (staff or children) until at least the time of the next Ofsted inspection
if there is no other known reason for keeping such.
h column for each asset to fully

Risks / impact Control measures

Consider what the risk Record here the control measures you have put in
could be to yourself, place to keep your data safe. If necessary create an
staff, parents, children, action plan to enable you to consider what further
your business of losing actions may be required. Consider control
data. What could the measures that apply to both the physical and digital
impact and world. Although most data will be stored at the
repercussions be? setting, consider times when data may be taken off
site and what control measures you have in place
then. For example, how do you ensure child
protection records are delivered safely to a new
setting or school? Or if staff are only allowed to
use designated equipment for taking photos in the
setting - how do you ensure such equipment is not
taken off site or that the rules are consistently
applied when on an outing with children?
Key asset

This is a yes or no
answer. A key asset is
one which is critical to
your business and one
which your setting would
have difficulty operating
without if lost.