
How to conduct a practice-wide IG risk assessment

A practical guide to identifying and managing information governance risks in general practice 


Professional Reference articles are designed for health professionals to use. They are written by UK doctors and based on research evidence, UK and European Guidelines. You may find one of our health articles more useful.

Information governance (IG) is about more than data protection policies or annual staff training. At its heart, it’s about protecting patient trust and ensuring that personal, confidential data is handled safely, lawfully, and responsibly. Every general practice should conduct regular IG risk assessments. These reviews help you identify where your practice may be vulnerable - whether due to outdated systems, unclear processes, or human error - and take action before a data breach occurs. In this guide, we explain what an IG risk assessment involves, how to run one in your practice, and how to ensure it becomes a living part of your governance culture. 


Why IG risk assessments matter 

An IG risk assessment is not just a paperwork exercise to satisfy CQC or DSPT requirements. It’s a structured way of answering questions like: 

  • Where could our systems or staff processes expose us to risk? 

  • Are we doing what we think we’re doing when it comes to handling patient data? 

  • What would happen if a laptop was lost, a folder was misplaced or a member of staff clicked a phishing link? 

By identifying weak spots before incidents occur, you reduce the chance of patient harm, reputational damage or regulatory penalties. Done well, these assessments also strengthen staff understanding and ownership of IG responsibilities. 

When to conduct an IG risk assessment

A full practice-wide IG risk assessment should ideally be carried out: 

  • At least once per year as part of your governance cycle. 

  • Ahead of completing your annual DSPT submission. 

  • After any major change (for example, new systems, mergers, new third-party suppliers).

  • Following an incident, breach, or near miss. 

  • As part of preparation for a CQC inspection. 

It doesn’t have to be an overly complex process - but it should be thorough, documented, and shared with those who need to act on it. 


What to include in your IG risk assessment 

A good assessment will cover both technical systems and day-to-day human behaviours. Consider reviewing: 

1. Data access and permissions 

  • Who can access clinical systems, and are permissions appropriate? 

  • Are shared logins being used? 

  • Are joiners, movers and leavers processes in place? 

2. Email and communication 

  • Is patient information ever sent via non-secure email? 

  • Do staff know how to check for verified NHSmail accounts? 

  • Is there a standard process for sending referral attachments? 

3. Paper records and physical security 

  • Are printed documents ever left unattended on desks or printers? 

  • Is there a shred-all policy or designated confidential waste process? 

  • Are consultation rooms and reception areas secure? 

4. IT infrastructure and cyber security 

  • Are operating systems and antivirus software up to date? 

  • Are USB ports and personal devices controlled? 

  • Are backups regularly tested? 

5. Third-party providers and data processors 

  • Do you have up-to-date Data Processing Agreements (DPAs)? 

  • Are non-NHS software tools GDPR compliant and risk assessed? 

6. Staff behaviours and training 

  • When did each staff member last complete IG training? 

  • Are staff confident in handling SARs or data requests? 

  • Are there clear lines of responsibility for IG issues? 

You can use templates provided by the DSPT, your ICB, or DPO as a starting point - but the most effective assessments will reflect how your practice actually works day to day. 

How to run the assessment 

1. Plan and assign responsibility

Nominate a named lead for the assessment - this may be the practice manager, Caldicott Guardian, or IG lead. Decide whether to involve team leaders or rotate responsibility across teams. 

2. Gather evidence and insight

This might include system logs, audit trails, training records, screenshots, or physical walkthroughs. Consider involving IT support or external suppliers for technical elements. 

3. Score risks and agree actions

Use a simple matrix to assess likelihood and impact. For example: 

  • Low likelihood, high impact: USB port left open but no known use. 

  • High likelihood, low impact: Confidential notes left briefly on printer. 

  • High likelihood, high impact: No process for revoking leavers’ access. 

Agree and document what actions will be taken, by whom and by when. 

4. Report and review

Summarise findings in a clear, practical format. Highlight priority areas and present it to your partners, DPO, and governance lead. Store securely and schedule a review date. 


Embedding risk assessments into culture 

The real value of an IG risk assessment isn’t the document - it’s the change it helps create. Use the opportunity to raise awareness with your team, celebrate good practice, and build confidence in speaking up about data risks. You might include IG risk assessments as part of: 

  • Annual staff appraisals. 

  • Induction for new staff. 

  • Your Significant Event Audit (SEA) process. 

  • Your regular team or clinical governance meetings. 

Final word: Prevention is protection

A well-run IG risk assessment gives you something few other processes can: foresight. It helps you prevent breaches, protect patients, and demonstrate strong, proactive leadership. In a world where practices are increasingly reliant on digital systems and shared care models, IG risks are no longer abstract or occasional. They’re daily, embedded in almost every interaction. By making IG risk assessment a regular part of your practice’s rhythm, you create safer systems, more confident teams, and a culture where protecting patient information is second nature.  


The information on this page is written and peer reviewed by qualified clinicians.
