NHS personal data: Are the security deadlines realistic?

The government's 31 March deadline for NHS organisations to guarantee the security of patient data might produce a tick box response and not offer enough time for health bodies to get their data fully in order.


Public bodies and Person Identifiable Data, the kind that HMRC lost last year, are like the magician’s apprentice let loose with his master’s wand.

Recall the famous Disney cartoon, where Mickey Mouse casts spells to avoid his chores, and remember the catastrophic consequences of his actions. Water floods everywhere as the spells go out of control.

This is how some public bodies seem to treat sensitive data. Like the apprentice they have great opportunities at their disposal through the use of the latest tools, but they forget about how to stop things going wrong.

As if by magic, NHS Trusts must comply with a new four-stage process for the securing and handling of Person Identifiable Data by the end of March.

The NHS Chief Executive requires all NHS Organisations to undertake a series of actions to secure person identifiable data relating to both patients and staff, confirm that the methods used for transfer of data are secure, and take immediate remedial action where this is not the case. Signed assurances must be given by every NHS CEO.

This is great news, in the long term, but I question, however, if such a tight deadline is within the realms of reality for what is a huge auditing job and potentially remedial task.

It requires scrutiny of hundreds of data related processes across the UK’s entire health service. Is the Department of Health now behaving like the magician’s apprentice, expecting Trusts to wave a magic wand and come up with all the answers?

I agree that this process needs to be done, and sooner rather than later. It needs to be done thoroughly, however. If NHS Trusts simply tick boxes to say they have the security process in place, but have not had time to consider the true risk of data loss from their organisation, the Person Identifiable Data bucket will continue to run over.

Gaining total control of data across the NHS will take months if not years to complete. NHS Trusts need to get a robust and workable process for ensuring that data, whether at rest or in transit, is secure.

In my belief the new regulations do not address the granularity of data risks across large organisations like NHS Trusts. They also do not allow time for an audit of every piece of computer hardware and the data stored upon it.

No allowance is made for management of legitimate, but restricted, access to data, for example employees who can view data online at an NHS premises, but cannot print it or take information offsite.

Rushing to find a solution will result in many cases where the scope of the task is not properly considered, and the resultant technology will be insufficient. Guidelines within this timescale should not focus on proving 100 per cent compliance.

They should demonstrate where individual NHS Trusts are up to in their PID security quest, what corrective plans are in place to deal with priorities and rectify issues as part of a workable long-term solution. Furthermore, the Department of Health needs to consider how it intends to audit this process. Regulation without checks is merely box ticking.

Martin Blackhurst, is director of operations - IT security at Redstone Managed Solutions

"Recommended For You"

NHS southern trusts will procure patient systems by April NHS patient records warning from Information Commissioner