How to avoid IG headaches when working with PCN staff 

Primary Care Networks (PCNs) have transformed the way general practices collaborate - pooling staff, services and data to support broader patient care. But with shared working comes shared risk, especially when it comes to information governance (IG). Whether you’re hosting an ARRS-funded role, using shared access to clinical systems, or coordinating care across practice boundaries, it’s vital to understand how IG responsibilities shift - and how to avoid common pitfalls. This article offers practical guidance on working with PCN staff in a way that’s clear, compliant and headache-free. 

What’s different about PCN working?

PCN staff don’t always fit neatly into traditional employment or system models. For example: 

• A clinical pharmacist might work across four practices but be employed by one.

• A social prescriber may input into your system using a separate smartcard.

• A care coordinator might access data but not be directly line-managed by your practice. 

• A digital lead could have admin rights on multiple systems for multiple sites. 

This blurring of boundaries can create confusion over data access, confidentiality, record-keeping and incident responsibility. To prevent problems, your practice needs clear agreements - and a proactive approach to governance. 

Common IG issues with PCN staff 

• Staff using another practice’s smartcard, or being given ‘quick’ access under a different role. 

• No clear data sharing agreement in place between practices. 

• PCN staff unsure what information they’re allowed to access or record.

• Ambiguity over who is responsible if something goes wrong. 

• Documents or referrals saved in the wrong place or under the wrong code. 

• Lack of induction around local IG expectations and systems.

None of these are malicious - they’re usually the result of well-meaning staff trying to do the right thing in a grey area. But they can still lead to breaches, confusion, and operational risk. 

How to stay compliant and confident 

1. Get your data sharing agreements in place 

If your PCN staff are working across practices and handling patient information, there must be an up-to-date, signed data sharing agreement (DSA) between all relevant organisations. The agreement should include: 

• Legal basis for data processing. 

• What data is shared and why. 

• Roles and responsibilities for each party. 

• How access and records are controlled. 

• Processes for responding to incidents or subject access requests. 

Work with your DPO or ICB if you’re unsure what’s needed. 

2. Clarify employment and accountability lines

Make sure everyone understands: 

• Who the staff member is employed by. 

• Who provides day-to-day supervision. 

• Who is responsible for ensuring IG compliance and training. 

• Who investigates if there’s an IG issue. 

You can use a simple table or roles matrix to make this clear for all PCN roles. 

3. Standardise induction and access 

Don’t assume PCN staff know how your practice handles data. Provide: 

• A local IG induction - even if they’ve had one elsewhere. 

• Clear guidance on what systems they can use. 

• Named contacts for help or questions. 

• Role-appropriate smartcard access - never shared or borrowed. 

If they’re using your EMIS or SystmOne, their access must reflect their role - not just a “quick fix” to get them in. 

4. Embed PCN roles in your IG calendar and risk assessments

Treat PCN staff like part of your extended team when it comes to: 

• Annual IG training. 

• Logging and investigating incidents. 

• Reviewing access rights. 

• Participating in audits or IG spot checks. 

If they use your system, their activity is your responsibility - so build them into your IG framework. 

5. Encourage shared learning across practices

 If one practice finds a smart way to manage access or deliver induction, share it. Use PCN management meetings or Teams groups to circulate tools, templates and tips. PCNs are new ground - and the more consistent you are, the safer the shared working becomes. 

Final word: clarity beats complexity 

Working with PCN staff doesn’t need to be complicated - but it does need to be deliberate. Many IG issues arise not from malice or ignorance, but from a lack of clarity. By agreeing your data flows, responsibilities, and expectations upfront, and supporting shared staff with consistent guidance, you can protect your patients, your practice, and your people. Good IG isn’t about saying no - it’s about creating systems where saying yes is safe.