How to create a practice IG calendar that actually works 

Information governance (IG) can easily feel like a series of compliance checkboxes - DSPT deadlines, annual training, risk logs, and subject access requests. For many practices, it’s something that gets hurried through once a year, often right before the deadline. But IG isn’t just an obligation - it’s a core part of how your practice protects patients, manages data, and maintains trust. Creating a practical, structured IG calendar helps spread the workload, engage your team, and avoid last-minute stress. More importantly, it keeps privacy, safety, and digital hygiene front of mind across the year. Here’s how to build an IG calendar that works for your practice, your staff, and your patients. 

Pourquoi vous avez besoin d'un calendrier IG

Without a calendar, IG tasks are easy to overlook - until something goes wrong. You might forget to renew a data-sharing agreement, delay reviewing policies, or let staff training fall behind. A calendar turns reactive compliance into proactive governance. It helps you: 

• Répartir l'effort uniformément tout au long de l'année.

• Build IG into your normal planning and meetings. 

• Demonstrate accountability to the CQC and your DPO. 

• Respond more confidently to patient queries or data incidents. 

You’re not creating extra work - you’re redistributing what already needs to happen, in a more manageable way. 

A good IG calendar includes a mix of recurring tasks, annual reviews, and ongoing improvements. Tailor it to your practice, but common elements include: 

Activités mensuelles ou trimestrielles 

• Spot checks or audits (for example, who accessed which records). 

• Reminders about secure printing and storage. 

• Cyber security tips in staff briefings. 

• IG incident reviews and lessons learned. 

• Updating the data breach log. 

• Role-based refresher sessions. 

Exigences annuelles 

• Completion of the Data Security and Protection Toolkit (DSPT). 

• Full IG risk assessment (technical and operational). 

• Staff IG and cyber training (tracked by role). 

• Policy and protocol reviews (confidentiality, access, SARs). 

• Caldicott Guardian and SIRO review/update. 

• Third-party data processor and DPA check. 

Tâches ponctuelles ou basées sur des événements 

• Update IG documentation when new software is introduced. 

• Conduct post-incident reviews when things go wrong. 

• Notify staff of national IG guidance changes. 

• Prep for CQC inspection or DSPT evidence request. 

1. Commencez par les dates clés 

Commencez par marquer les tâches annuelles non négociables, telles que la date de soumission du DSPT (généralement en mars ou en juin). Ajoutez les périodes de préparation pour la CQC ou les cycles d'audit connus.

2. Cartographier les tâches récurrentes 

Decide how often you want to review logs, provide training updates, or audit processes. Monthly or quarterly is usually manageable. 

3. Alignez-vous avec vos rythmes internes 

Consider how your IG activities can align with existing meetings, appraisals, or reviews. Could you do a training refresh at staff induction? Discuss incidents at monthly meetings? 

4. Utilisez un format visible 

Whether it’s a shared Outlook calendar, wall planner, spreadsheet, or intranet page, your calendar should be accessible to the whole team — not hidden in someone’s inbox. 

5. Attribuer la responsabilité

Decide who’s responsible for each task. For example, the practice manager may oversee policy reviews, while the IT lead runs cyber audits. Add initials or teams to each calendar item. 

Creating a calendar is the easy part. The key is to make it something you and your team use. Some tips: 

• Intégrer des tâches dans les agendas - for example, “April: check DPA renewals”. 

• Rappeler et déléguer - don’t rely on memory. Automate prompts or set recurring tasks. 

• Partagez les résultats - if you audit printer use and find a risk, feed that back to the team. 

• Ajuster en fonction des incidents - use your breach log or SAR data to inform future focus. 

You don’t need to start from scratch. Useful sources include: 

• Modèles DSPT du NHS. 

• ICB or CSU IG toolkits. 

• Local DPO-provided templates. 

• MS Excel or Google Calendar with colour-coded reminders. 

Many practices use a simple spreadsheet with columns for task, frequency, month due, owner, and date completed. 

A well-maintained IG calendar is more than a to-do list. It’s a sign your practice takes data protection seriously - not just at audit time, but every day. 

When you distribute tasks across the year, across the team, and across different types of activity, you build resilience and confidence. 

It becomes less about fear of inspection, and more about pride in doing things properly.