NHS trusts faced an 'impossible task' securing all information that could identify patients by the start of this week, IT directors and data security specialists have told HSJ.

They say the 31 March deadline set by the Department of Health was unrealistic and doubt that trust chief executives signing a declaration this week are on a sound footing.

By this week, trusts were to have mapped and reviewed all person-identifiable data flows, made movements of data secure, identified risky areas and taken immediate remedial action where necessary.

The exercise stemmed from a letter from NHS chief executive David Nicholson to trust chief executives on 4 December. It followed a series of embarrassing data losses from public bodies.

But trust IT directors last week warned they were nowhere near completing the task. "The basic principles are great but it's absolutely impossible within the time-scale," said one

By 12 December trusts were supposed to have mapped how data moves around a trust. But in many cases this has taken several weeks.

By the end of January trusts were supposed to have highlighted key risk areas and by the end of February to have taken remedial action and secured data flows, for example by using encryption.

However, it was not until 20 March that NHS Connecting for Health signed a contract with Trustmarque Solutions to provide the NHS with McAfee's SafeBoot for data encryption.

A DH spokesman said CfH ran a "rapid procurement" for encryption software, but it was made clear that trusts were not to wait for this procurement "if it meant putting sensitive data at risk".

Many IT directors were unwilling to speak directly, but Martin Blackhurst, a data security specialist from Redstone Managed Solutions, which works with a number of NHS trusts, said many of his contacts were equally concerned. He said: "What's being put forward is an excellent idea but people are being forced to do it far too quickly."

Iain Marsland, formerly chief information officer at Essex SHA and now an independent consultant, pointed out that trusts faced a separate deadline to sign off their compliance with the NHS information governance scheme on 31 March.

He said: "Some of the information governance leads have found it difficult to do this complex piece of work in this short space and the issue of security of person identifiable data is one of the most complex areas within this."

A DH spokesperson said: "There will inevitably be outstanding issues at 31 March - we do not underestimated the scale of the challenge - and our focus is on addressing these, not on blaming and shaming."

  • HSJ's next Intelligence supplement is published on 17 April.