Information Asset Register Template - 0
Location/ system or place of storage
Lead Officer
Number
Protection Rating
Vital record
Other Security Measures (if applicable)
Personal Data (if applicable)
Lawful Basis for Processing Personal Data (Article 6)
In public domain
Intended or Likely Recipients
Notes
Notes
Yes
No
Guide to Protective Marking and Ratings
Column H: Government protection ratings - Is it Official Sensitive? Yes/No
Column J: Vital record definition
Vital records are the essential records required for business continuity in the event
organisation cannot re-establish itself and restart its core functions. It is essential t
necessary protection.
Lawful Basis for Processing Personal Data
Article 6 Section 1
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
(c) processing is necessary for compliance with a legal obligation to which the controller is subject
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Column O:
Article 9 Section 1 and 2
(1) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the person's sex life or sexual orientation shall be prohibited.
(2) This shall not apply if one of the following applies;
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Column R and S: Retention of Records in Healthwatch
Employment
In general the staff records (including those of volunteers) should be retained for 6 years after the end of
employment, but need only contain sufficient information in order to provide a reference (e.g. training and
disciplinary records). Copies of any reference given should be retained for 6 years after the reference
request. Director’s files should be retained for 6 years.
Note: if an allegation has been made about the member of staff, volunteer or trustee the staff record should
be retained until they reach the normal retirement age or for 10 years, if that is longer. E.g. around
Safeguarding.
Record of Comments and other evidence, e.g. observations, interviews, enter and view notes.
Comments recorded on internal databases: Retain in line with local policy
Any paper based comments recorded on the database: 1 year (This is in case there is a query regarding an entry on the database)
Comments and or other evidence that have not been recorded on the database: Retain in line with local policy
Signed consent forms: Destroy in line with above
DBS checks
Record disclosure reference no. and date of check and return to the volunteer or staff member.
Record of Concern Forms (ROCA)
All ROCAs and related information should be kept for 10 years. If the record relates to children and young
people the record must be kept till they are 21 years old before destroying.
Financial Records
Financial records: 6 years (public funded Companies)
Income tax and NI returns, income tax records and correspondence with HMRC: Not less than 3 years after the end of the financial year to which they relate
Payroll records (also overtime, bonuses, expenses): 10 years
Pension contribution records: 6 years
Pension Scheme Investment Policies: 12 years from any benefit payable under the policy
Corporate
Employers Liability Certificate: 40 years
Insurance policies: Permanently
Certificate of Incorporation: Permanently
Minutes of Board of Trustees: Permanently
Memorandum of Association: Original to be kept permanently
Articles of Association: Original to be kept permanently
Variations to the Governing Documents: Original to be kept permanently
Statutory Registers: Permanently
Membership records: 20 years from commencement of membership register
Rental or Hire Purchase Agreements: 6 years after expiry
Others
Deeds of Title: Permanently
Leases: 12 years after lease has expired
Accident books: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21).
Health and Safety Policy Documents: Retain until superseded
Assessment of Risks under Health and Safety Legislation: Retain until superseded