NHS misses data-encryption target

A number of NHS health trusts are expected to be months late in meeting a target to encrypt all data on non-secure machines
Written by Nick Heath, Contributor

NHS trusts will not have completed encrypting patients' personal data held on their computers until later this year.

A number of health trusts are expected to be months late in meeting a target to encrypt all data on non-secure machines by 31 March, 2008.

Many trusts will be unable to meet the local targets as set by strategic health authorities (SHAs) as they had been told not to begin the work until Connecting for Health (CfH), the body co-ordinating NHS IT, procured an encryption package, which did not take place until 20 March.

The Department of Health (DoH) has confirmed that it would then take "at least six months" for each trust to complete the rollout of encryption.

That means data will not be fully protected until 10 months after NHS chief executive David Nicholson asked trusts to make the securing of personal data a priority.

There is no central monitoring within the NHS to ensure that trusts have carried out encryption, with it being left up to the strategic health authorities to check on compliance.

A spokesman for the DoH defended the time taken, saying: "The rollout of encryption is a complex matter."

"David Nicholson has sought and received assurances from the heads of all trusts that they are working to ensure encryption takes place in a timely fashion. Each of the SHAs will performance-manage this, but it is paramount that patient care is not disrupted," said the spokesman.

The target of 31 March for encryption to take place was a local deadline set by some SHAs, and CfH said there was no central target set by the DoH. CfH said the DoH had simply sought an assurance that the process was in hand by the end of March.

CfH confirmed that 700,000 licences had been issued for its chosen encryption package, McAfee's SafeBoot.

A CfH spokesperson said: "It is understood that this process can take some time as skilled technicians are required to complete the task.

"SHAs are responsible for ensuring that trusts progress with encryption as swiftly as possible and the DoH has advised SHAs to consider undertaking an independent audit of their trusts' progress," the spokesperson said.

Editorial standards