How to spot and stop internal IG risks
Why the biggest data protection threats often come from inside your own practice
Authored by Thomas Andrew Porteus, MBCS
Originally published 9 Jul 2025
Meets Patient’s editorial guidelines
Medical Professionals
Professional Reference articles are designed for health professionals to use. They are written by UK doctors and based on research evidence, UK and European Guidelines. You may find one of our health articles more useful.
When we think of data breaches or cyber threats in general practice, it’s easy to imagine hackers, phishing scams, or system failures. But in reality, many information governance (IG) risks don’t come from the outside - they come from within: well-meaning staff who bypass procedures to save time, accidental disclosures, and outdated access permissions that no one has reviewed in years. Internal IG risks are more common, and more preventable, than many practices realise. This guide explores how to identify, manage, and prevent internal IG risks, and how to foster a culture where safety is second nature.
Why internal IG risks matter
Staff have direct access to patient data every day - whether on screen, in conversation, or in documents. That’s why internal risks can be so damaging:
They often go unnoticed until something goes wrong.
They can undermine patient trust.
They can lead to breaches of GDPR and CQC standards.
They’re sometimes dismissed as “just how we do things”.
Practices that neglect internal IG risks may pass the DSPT - but still fall short in real-world safety.
Common internal IG risks in general practice
| Risk type | Example |
| --- | --- |
| Accidental disclosure | Sending a letter to the wrong patient, or discussing the wrong record |
| Inappropriate access | Staff looking up records of friends, neighbours or ex-partners |
| Poor record-keeping | Clinical notes copied from old consultations or saved under the wrong patient |
| Misuse of systems | Using WhatsApp for patient communication |
| Unrevoked access | Former staff still having login credentials |
| Unclear roles | Admin staff with unnecessary access to clinical information |
| Informal processes | Storing files on desktops or unencrypted USBs |
These aren’t always malicious - but they can still cause harm.
How to spot internal risks before they escalate
1. Review access levels regularly
Check that all user accounts have the right permissions for their role. Remove or update access for leavers, locums, and role-changers. Ask your IT or CSU support to provide regular user access reports. Ensure smartcard access is specific to job responsibilities. This is a common DSPT weakness - and an easy win for improvement.
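The access review described above can be made routine rather than ad hoc by comparing the clinical system's account export against the HR roster. The script below is an added example, not code from the article or from any practice system: it flags leavers who still hold logins, accounts whose permissions go beyond what their role needs, dormant accounts, and accounts with no roster owner (typically locums). The roster layout, account fields, role permission matrix and the 90-day dormancy threshold are all assumptions constructed for illustration.

```python
"""Added example (not from the original article): a user access review of the
kind described in step 1. It compares a practice's system accounts with the
current staff roster and flags leavers who still hold logins, accounts whose
permissions exceed what their role needs, dormant accounts, and accounts
nobody on the roster owns. All data below is constructed for illustration;
the roster, account fields and role permission matrix are assumptions, not
any real system's export format."""
from datetime import date

# Assumed role matrix: the permissions each role should hold and no more.
ROLE_PERMISSIONS = {
    "gp": {"clinical_read", "clinical_write", "prescribe"},
    "nurse": {"clinical_read", "clinical_write"},
    "receptionist": {"appointments", "demographics"},
    "practice_manager": {"appointments", "demographics", "reports"},
}

DORMANT_AFTER_DAYS = 90  # assumed threshold for "nobody has used this login"

# Constructed staff roster: the HR view of who works here and in what role.
ROSTER = {
    "asmith": {"role": "gp", "status": "active"},
    "bjones": {"role": "nurse", "status": "active"},
    "cpatel": {"role": "receptionist", "status": "left", "left_on": date(2025, 3, 31)},
    "dlee": {"role": "practice_manager", "status": "active"},
}

# Constructed clinical-system account export (username, permissions, last login).
ACCOUNTS = [
    {"user": "asmith", "perms": {"clinical_read", "clinical_write", "prescribe"}, "last_login": date(2025, 7, 8)},
    {"user": "bjones", "perms": {"clinical_read", "clinical_write", "prescribe"}, "last_login": date(2025, 7, 7)},
    {"user": "cpatel", "perms": {"appointments", "demographics"}, "last_login": date(2025, 4, 2)},
    {"user": "dlee", "perms": {"appointments", "demographics", "reports", "clinical_read"}, "last_login": date(2025, 2, 1)},
    {"user": "locum01", "perms": {"clinical_read", "clinical_write"}, "last_login": date(2025, 1, 15)},
]


def review_access(roster, accounts, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return a list of (user, finding) tuples for the IG lead to action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # An account with no roster owner: confirm who uses it and why it still exists.
            findings.append((user, "no roster entry: unknown or locum account, confirm owner"))
            continue
        if person["status"] != "active":
            # Leaver with a live login: the "unrevoked access" row of the risk table.
            findings.append((user, f"leaver (left {person['left_on']}) still has an active login"))
            continue
        allowed = ROLE_PERMISSIONS[person["role"]]
        excess = acct["perms"] - allowed
        if excess:
            # Permissions beyond the role: the "unclear roles" row of the risk table.
            findings.append((user, f"permissions beyond role {person['role']}: {sorted(excess)}"))
        if (today - acct["last_login"]).days > dormant_after:
            findings.append((user, f"dormant: no login for over {dormant_after} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS, date(2025, 7, 9)):
        print(f"{user}: {finding}")
```

Run against the constructed data on 9 Jul 2025, it reports the nurse holding a prescribing permission, the receptionist who left in March but can still log in, the practice manager with clinical read access and no login since February, and the locum account nobody on the roster owns; the GP with the correct permissions and a recent login produces nothing. Each line is a conversation to have, not an accusation: the point is that the report exists and is read every quarter.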
2. Conduct mini audits or random spot checks
Review how records are being coded and stored. Check system logs to see if access patterns are unusual. Ask clinical leads to review a sample of notes or referrals. Look at how documents are being named and saved. Even a handful of checks per quarter can reveal habits that need attention.
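"Check system logs to see if access patterns are unusual" is easier when the check is written down. The script below is an added example, not code from the article or from any clinical system: it parses a constructed record-access log, compares each record view with the appointment book, and flags views where the user had no appointment with that patient in the surrounding week (the "inappropriate access" row of the risk table) and views made outside normal hours. The log format, the appointment table, the seven-day window and the 07:00 to 20:00 working hours are assumptions for illustration; a real system's audit export will look different, but the two questions it answers are the same.

```python
"""Added example (not from the original article): a spot check of record-access
logs of the kind described in step 2. It parses a constructed access log,
compares each record view with the appointment book, and flags views with no
booked appointment for that patient in the surrounding week and views made
outside normal hours. The log format, field names and thresholds are
assumptions for illustration, not any real clinical system's audit format."""
from datetime import datetime, timedelta

# Constructed audit log lines: timestamp, user, patient id, action.
AUDIT_LOG = """\
2025-07-01T09:15:00 user=asmith patient=P1001 action=view
2025-07-01T09:40:00 user=asmith patient=P1002 action=view
2025-07-01T22:30:00 user=bjones patient=P1003 action=view
2025-07-02T11:05:00 user=ewong patient=P1001 action=view
2025-07-02T11:07:00 user=ewong patient=P2001 action=view
2025-07-03T14:20:00 user=bjones patient=P1003 action=view
"""

# Constructed appointment book: (patient, clinician, appointment date).
APPOINTMENTS = [
    ("P1001", "asmith", datetime(2025, 7, 1)),
    ("P1002", "asmith", datetime(2025, 7, 1)),
    ("P1003", "bjones", datetime(2025, 7, 3)),
]

WORKING_HOURS = (7, 20)                 # assumed: 07:00 to 20:00 counts as normal
RELATIONSHIP_WINDOW = timedelta(days=7)  # assumed: an appointment within a week explains a view


def parse_log(text):
    """Parse 'timestamp key=value ...' audit lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def has_relationship(event, appointments, window=RELATIONSHIP_WINDOW):
    """True if the viewing user had an appointment with this patient inside the window."""
    return any(
        patient == event["patient"] and clinician == event["user"]
        and abs(event["ts"] - when) <= window
        for patient, clinician, when in appointments
    )


def spot_check(log_text, appointments, hours=WORKING_HOURS):
    """Return (user, patient, reason) tuples worth a conversation, not a verdict."""
    flags = []
    for event in parse_log(log_text):
        if event.get("action") != "view":
            continue
        if not has_relationship(event, appointments):
            flags.append((event["user"], event["patient"],
                          "no appointment with this patient in the surrounding week"))
        if not (hours[0] <= event["ts"].hour < hours[1]):
            flags.append((event["user"], event["patient"],
                          f"access at {event['ts']:%H:%M}, outside normal hours"))
    return flags


if __name__ == "__main__":
    for user, patient, reason in spot_check(AUDIT_LOG, APPOINTMENTS):
        print(f"{user} viewed {patient}: {reason}")
```

On the constructed log this raises three lines: the nurse viewing a patient at 22:30 two days before the booked appointment (legitimate preparation, perhaps, but worth asking), and two views by a user with no appointment for either patient. A flagged line is a prompt for a conversation with the staff member, which is exactly the "random spot check" the step describes; the value is in doing a handful of these every quarter, not in the tooling.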
3. Listen to frontline staff
Ask what workarounds people are using and why. Find out what slows them down - and leads to shortcuts. Include IG questions in team meetings and one-to-ones. Encourage anonymous suggestions for improvement. Often, risks emerge from inefficiencies - not bad intentions.
4. Pay attention to shared spaces and habits
Are screens locked when staff step away? Are printed records left on desks or at printers? Are conversations about patients held where they can be overheard? Are personal devices used to take notes or photos? Walkthroughs or visual checks can highlight small but important risks.
5. Track near misses and low-level incidents
Create a culture where staff feel safe to report things like wrong letters printed, accidental system access, or misunderstood requests for data. Log and learn from these - not just major breaches. Use anonymised examples in team learning sessions. Internal IG risks are rarely one-off accidents - they often follow a pattern.
How to reduce internal IG risk long term
Set clear expectations
Make IG part of your induction and probation. Include it in job descriptions and appraisals. Use regular reminders - posters, team briefings, email tips.
Make it easy to do the right thing
Provide enough smartcard readers, secure storage, and logins. Avoid forcing staff to share access or work around poor systems. Offer regular training that’s practical, not patronising.
Respond with support, not blame
When something goes wrong, focus on learning - not punishment. Ask “what made this happen?” rather than “who’s at fault?” Celebrate improvements and best practice. Make IG feel like a team value, not a compliance burden.
Final word: it starts with what happens inside
The most advanced firewall won’t help if a letter goes to the wrong house. And no policy document can protect you from habits you don’t know are happening.
By shining a light on internal risks, listening to your team, and making safe behaviours easier, you can dramatically reduce your practice’s exposure to IG incidents.
Good governance doesn’t come from control - it comes from culture. And that culture starts with what’s happening behind your own front desk.
Article history
The information on this page is written and peer reviewed by qualified clinicians.
Next review due: 9 Jul 2028
9 Jul 2025 | Originally published
Authored by:
Thomas Andrew Porteus, MBCS