Information governance (IG) often feels like a behind-the-scenes activity: policies, toolkits, checklists, and tick boxes. But in general practice, where patient data flows through every conversation, system, and process, IG is everyone’s responsibility - not just the practice manager’s or the IT lead’s. Creating a true culture of IG awareness means going beyond training once a year. It means embedding safe data handling into the mindset and habits of every staff member, from the newest receptionist to the longest-serving GP. This guide shows how to shift your practice culture from compliance to confidence - where staff act safely not because they’ve been told to, but because it feels natural. 

Cosa intendiamo per "cultura IG"? 

An IG-aware culture is one where: 

• Il personale sa quali informazioni sono considerate sensibili.

• People challenge unsafe behaviours in a constructive way. 

• Patients feel confident that their data is handled with care. 

• Incidents are reported and learned from - not hidden. 

• Everyone understands why IG matters, not just how to comply. 

It’s the difference between someone locking their screen out of habit vs someone doing it because “it’s on the checklist”. 

 You can have the best policies in the world, but if your team: 

• Leaves smartcards in machines. 

• Chats about patients in corridors. 

• Shares logins “just this once”. 

• Prints records and forgets to collect them. 

• Uses WhatsApp for convenience. 

Then your real-world IG risk is high - regardless of what your documents say. IG breaches in general practice are more often due to human error or habit than deliberate wrongdoing. That’s why culture is key. 

1. Inizia con la visibilità della leadership

Culture comes from the top. If partners, managers, and senior clinicians model IG good practice, others are more likely to follow. That means: 

• Locking screens, wearing smartcards, and following protocols. 

• Taking IG training seriously - not just clicking through. 

• Talking about IG in team meetings in a calm, open tone. 

• Being honest about near misses — and encouraging reflection. 

Make IG a leadership behaviour, not just a task. 

2. Integra IG nelle routine quotidiane 

Find ways to make IG part of the day-to-day: 

• Remind staff during morning huddles or handovers. 

• Includi suggerimenti IG su lavagne, intranet o email di gruppo.

• Encourage “did you know?” facts - for example, DPIA reminders before projects. 

• Make sure information about secure handling is easily visible at desks. 

It’s the small, regular nudges that shape habits - not once-a-year policies. 

3. Usa storie, non solo diapositive 

People respond better to stories than to abstract rules. Use real-world examples (anonymised) to show: 

• How a breach happened in another practice. 

• What the consequences were (for example, patient upset, ICO involvement). 

• How it could have been avoided. 

You can find case studies from the ICO or your ICB. Or invite your DPO to share anonymised scenarios in a team meeting.

4. Rendere la segnalazione sicura e abituale 

Create a climate where staff feel safe to report: 

• Near misses. 

• IG concerns. 

• Accidental disclosures. 

• Unclear processes. 

Avoid blame - instead, treat each report as a chance to improve. Make reporting easy: offer a simple form, a shared inbox, or an “IG catch-up” during one-to-ones. 

5. Collegare IG alla cura e alla fiducia del paziente 

When you talk about IG, focus on patients - not penalties. 

• “We do this because it protects patient dignity.” 

• “Safe handling builds trust with our community.” 

• “Confidentiality is part of clinical care, not separate from it.” 

Framing IG this way helps staff feel proud of doing it well - not just afraid of getting it wrong. 

6. Premia i buoni comportamenti IG 

When someone spots a potential risk, completes their training early, or helps a colleague navigate a tricky situation - acknowledge it. 

You could: 

• Give a shout-out in a team meeting. 

• Add a thank-you note to the staff noticeboard. 

• Include IG awareness in appraisals or PDPs. 

Reinforcing positive behaviour builds confidence and ownership. 

• Add IG topics to your governance or staff meeting agendas. 

• Rotate a “data guardian of the month” - someone who shares a tip or checks the printer tray. 

• Use mock breach scenarios as learning exercises. 

• Schedule mini refreshers between formal training cycles. 

• Include PCN staff in your efforts - they handle your data too. 

You don’t need to become a data protection expert to lead a strong IG culture. You just need to care about how information is handled - and help others care too. By focusing on habits, leadership, and open communication, you’ll create a team where data safety is second nature. And that means safer care, stronger trust, and fewer IG headaches down the line.