Information governance (IG) often feels like a behind-the-scenes activity: policies, toolkits, checklists, and tick boxes. But in general practice, where patient data flows through every conversation, system, and process, IG is everyone’s responsibility - not just the practice manager’s or the IT lead’s. Creating a true culture of IG awareness means going beyond training once a year. It means embedding safe data handling into the mindset and habits of every staff member, from the newest receptionist to the longest-serving GP. This guide shows how to shift your practice culture from compliance to confidence - where staff act safely not because they’ve been told to, but because it feels natural. 

What do we mean by “IG culture”? 

An IG-aware culture is one where: 

• Staff know what information counts as sensitive.

• People challenge unsafe behaviours in a constructive way. 

• Patients feel confident that their data is handled with care. 

• Incidents are reported and learned from - not hidden. 

• Everyone understands why IG matters, not just how to comply. 

It’s the difference between someone locking their screen out of habit vs someone doing it because “it’s on the checklist”. 

 You can have the best policies in the world, but if your team: 

• Leaves smartcards in machines. 

• Chats about patients in corridors. 

• Shares logins “just this once”. 

• Prints records and forgets to collect them. 

• Uses WhatsApp for convenience. 

Then your real-world IG risk is high - regardless of what your documents say. IG breaches in general practice are more often due to human error or habit than deliberate wrongdoing. That’s why culture is key. 

1. Start with leadership visibility

Culture comes from the top. If partners, managers, and senior clinicians model IG good practice, others are more likely to follow. That means: 

• Locking screens, wearing smartcards, and following protocols. 

• Taking IG training seriously - not just clicking through. 

• Talking about IG in team meetings in a calm, open tone. 

• Being honest about near misses — and encouraging reflection. 

Make IG a leadership behaviour, not just a task. 

2. Embed IG into daily routines 

Find ways to make IG part of the day-to-day: 

• Remind staff during morning huddles or handovers. 

• Include IG tips on whiteboards, intranets, or team emails.

• Encourage “did you know?” facts - for example, DPIA reminders before projects. 

• Make sure information about secure handling is easily visible at desks. 

It’s the small, regular nudges that shape habits - not once-a-year policies. 

3. Use stories, not just slides 

People respond better to stories than to abstract rules. Use real-world examples (anonymised) to show: 

• How a breach happened in another practice. 

• What the consequences were (for example, patient upset, ICO involvement). 

• How it could have been avoided. 

You can find case studies from the ICO or your ICB. Or invite your DPO to share anonymised scenarios in a team meeting.

4. Make reporting safe and routine 

Create a climate where staff feel safe to report: 

• Near misses. 

• IG concerns. 

• Accidental disclosures. 

• Unclear processes. 

Avoid blame - instead, treat each report as a chance to improve. Make reporting easy: offer a simple form, a shared inbox, or an “IG catch-up” during one-to-ones. 

5. Link IG to patient care and trust 

When you talk about IG, focus on patients - not penalties. 

• “We do this because it protects patient dignity.” 

• “Safe handling builds trust with our community.” 

• “Confidentiality is part of clinical care, not separate from it.” 

Framing IG this way helps staff feel proud of doing it well - not just afraid of getting it wrong. 

6. Reward good IG behaviours 

When someone spots a potential risk, completes their training early, or helps a colleague navigate a tricky situation - acknowledge it. 

Podrías: 

• Give a shout-out in a team meeting. 

• Add a thank-you note to the staff noticeboard. 

• Include IG awareness in appraisals or PDPs. 

Reinforcing positive behaviour builds confidence and ownership. 

• Add IG topics to your governance or staff meeting agendas. 

• Rotate a “data guardian of the month” - someone who shares a tip or checks the printer tray. 

• Use mock breach scenarios as learning exercises. 

• Schedule mini refreshers between formal training cycles. 

• Include PCN staff in your efforts - they handle your data too. 

You don’t need to become a data protection expert to lead a strong IG culture. You just need to care about how information is handled - and help others care too. By focusing on habits, leadership, and open communication, you’ll create a team where data safety is second nature. And that means safer care, stronger trust, and fewer IG headaches down the line.