Guidance

Guidance on the information asset owner role

Updated 1 October 2025

What the IAO role is and why it’s important

Information asset owners (IAOs) play a vital role in protecting one of the government’s most valuable resources: its information.

An information asset is a body of information, defined and managed as a single unit so it can be understood, protected, shared and exploited effectively. Information assets have recognisable and manageable value, risk, content and life cycles, and can be vital to business outcomes or service delivery.

An IAO is accountable for protecting the information assets they’re responsible for – which can be digital or hard copy – in their department or organisation. 

Information asset ownership is becoming more important as government organisations build and deploy artificial intelligence (AI) systems. AI presents huge opportunities to better exploit the information assets of an organisation. However, AI systems increase the demand for clear ownership, improving how data is analysed and securely shared with other organisations.

The IAO role is a specialist role that’s well established across most government departments. It was mandated as part of the 2008 Data Handling Review. The Information Security Review in 2023 identified that the current guidance did not meet the needs of those in IAO roles. This guidance has been updated following the review and cross-government user research.

IAOs should use this guidance, along with the supporting resources, to carry out their role.

Government organisations also need people in the IAO role to help meet the requirements of the:

• Government Functional Standard GovS 005: Digital
• Government Functional Standard GovS 007: Security

Who IAOs should be

An IAO should be a senior individual with overall accountability for the security, content, quality and distribution of an information asset.

They should have a broad understanding of the information they’re accountable for, and the authority to make decisions regarding its:

• access
• use
• retention
• disposal

This should be in line with relevant legal, regulatory and policy requirements.

An IAO might come from various professions – for example, digital and data or knowledge and information management (KIM). Some IAOs might come from a non-data background, such as policy. The part of the organisation an IAO is based in will depend on their organisation’s size and structure.

As IAOs are usually senior civil servants (SCS), when recruiting new SCS recruiters should consider whether the post will involve IAO responsibilities. If so, these responsibilities should be included in the advertised role.

IAO accountabilities

IAOs should maintain clear accountability within their area of responsibility – they can delegate operational responsibilities but not accountability.

IAOs have accountability for:

• understanding what information is held within their area of responsibility
• reviewing the risks to the confidentiality, integrity and availability of their information assets and following their organisation’s risk procedures 
• ensuring that information is appropriately protected and marked
• inputting into their departmental information asset register 
• ensuring information is used ethically and complies with all relevant legal, regulatory and policy requirements, including the:
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
  • UK GDPR
  • Freedom of information and environmental information regulations
  • Public Records Act
  • Inquiries Act
• developing a proactive information management culture and behaviours within their area of responsibility
• identifying whether their information asset requires additional security controls or other risk management measures – such as hosting the information on a higher-tier IT system

IAO priorities and activities

The priorities and activities for IAOs, working with their information asset manager(s) and wider teams, may cover the following areas.

Security and risk

• Identifying and mitigating the risks to information assets, ensuring that:
  • information assets are managed in line with their organisation’s information risk appetite
  • Data Protection Impact Assessments (DPIAs) are conducted to identify and minimise data protection risks associated with processing personal data
• Overseeing security measures to protect information assets from unauthorised access, loss, breaches and other threats
  • this includes identifying when information should be moved up from an OFFICIAL to SECRET or TOP SECRET security classification

Information asset management

• Ensuring an accurate and up-to-date information asset register is maintained 

• Identifying and categorising all information assets within the IAO’s area of responsibility

• Ensuring that data sharing agreements and memorandums of understanding are in place to ensure assets are being used appropriately and in accordance with relevant legal, regulatory and policy requirements

• Understanding the value of information assets to the wider organisation

• Working with other stakeholders – such as digital, security, legal and compliance teams – to ensure a holistic approach to information asset management 

• Streamlining the management of information assets to ensure they’re used efficiently and effectively

  • this involves optimising processes, tools and resources to support business operations and decision making

Compliance 

• Reviewing and ensuring that the management and usage of information assets comply with relevant legal, regulatory and policy requirements, making necessary adjustments when needed 

• Engaging in the management of reporting data breaches and serious security incidents relating to information assets

• Ensuring that the information assets in the IAO’s area reflect the retention schedule and that information is being kept and deleted in accordance with legal, regulatory and policy requirements

• Overseeing that staff are appropriately trained to understand their ethical, technical and record-keeping responsibilities, including when using AI tools

Continuous improvement

• Continuously seeking ways to improve the management and protection of information assets
  • this involves staying up to date with the best practices, technologies and regulatory changes
• Ensuring that an AI service has been assessed before it’s allowed access to information, to ensure it does not pose a risk to information security, data quality or data privacy
  • in particular, IAOs should consider whether the AI system or service complies with the government’s Secure by Design Principles and if a DPIA has been carried out (if the data set contains personal data)

Who IAOs work with in their organisation

IAOs will often work for their Accounting Officer. This is usually the Permanent Secretary or Chief Executive of the department or organisation. The Accounting Officer has overall responsibility for ensuring that the information risks are assessed and mitigated to an acceptable level.

IAOs also work closely with people in the following roles, to ensure that duties are properly coordinated and assurances are provided to the relevant internal information governance boards (or equivalent):

• Departmental Record Officers (DROs) – who lead on compliance with the Public Records Act and play an important role in the management of information within government departments

• the senior person accountable for information security risk (sometimes called the SIRO) – who plays the main role in the management and protection of the organisation’s information assets, with a particular responsibility for information risk

• Data Protection Officers (DPOs) – who assist organisations to monitor internal compliance, inform and advise on their data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the Information Commissioner’s Office (ICO)

• data owners – senior individuals who are the dedicated owner of a logical grouping of data, and in-depth insights of the overall business strategy in their data remit

• information asset manager (IAM) – a delegated role working on behalf of the IAO, with regular responsibility for the proper management of information in their business area

It’s up to each organisation how these roles overlap and how the relationships operate. In some cases, one person may carry out more than one role – for example, a data owner may also be carrying out the IAO role.

IAOs also work with, and seek advice from, their:

• KIM teams
• digital and data teams
• cyber and security teams

Organisations may use different terminology for specialist teams.

Supporting resources

You can use the following resources to learn more about the IAO role and how to put it into practice.

IAO training 

The training is available on Civil Service Learning (requires login) and security.gov.uk. It covers how to designate the IAO role in your organisation, and the typical core tasks of an IAO.

IAO hub

The IAO hub on security.gov.uk explains how to:

• get started if your organisation does not yet have someone with the IAO role
• develop the role further if you already have an established IAO role

Data Ownership Model

The Data Ownership Model formalises the roles of the people in government responsible for managing data throughout its life cycle.

The guidance explains best practice, and encourages a consistent and standardised approach to data ownership across government.

Data handling principles

These principles help government and public sector organisations make better use of data to meet strategic objectives and work more effectively.

AI resources for the public sector

The resources include guidance on using AI safely, effectively and securely if you’re a government or public sector organisation. This includes the AI Playbook for the UK Government.

You can also use the ICO’s AI guidance as well as any local policies you may have in your organisation or area of responsibility.

Data Ethics Framework

The Data Ethics Framework explains how to use data appropriately and responsibly when planning, implementing and evaluating a new policy or service.