NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.

Whilst the design and operation of a secure email system is a key part of making sure it is secure, it is also an obligation of users to make sure they use the service properly and without doing anything to compromise the security of the information that they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users and the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.

Clinical Safety

The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from feedback@nhs.net.

Information Management Policies

Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:

• NHSmail Information Management Policy: Defines the scope of data held.
• NHSmail Data Retention Policy: Details the recovery of data.
• NHSmail Access to Data Policy: Process for requesting data for forensic investigations.

Please note the above documents are being revised in light of the General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. Please see the section below on GDPR for additional information about the processing of personal data within the NHSmail Live Service.

NHSmail ISO Compliance Documentation

NHSmail is compliant with a number of ISO Standards (see table below).

If certificate evidence is required, the BSIs directory can be searched.

All policy and guidance documents are currently being reviewed to align to the General Data Protection Regulation legislation, which is coming into force from 25 May 2018.

GDPR guidance for the NHSmail Live Service – England

Transparency Information

Provides details on how personal data is processed within the NHSmail Live Service in England. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

Data Protection Impact Assessment

Provides evidence to support NHS Digital’s compliance with the Data Protection principles.

Further Information on GDPR

Additional information to general queries on GDPR.

Local Administrator webinar on GDPR – 17 May 2018

Slides from the GDPR webinar on 17 May 2018 which provide information on GDPR, what the NHSmail Live Service is doing to comply with GDPR in England, Joint Controller arrangements, Subject Access Requests (SARs), communications and useful information and next steps. Please also see the recording of the webinar.

GDPR guidance for the NHSmail Live Service – Scotland

Transparency Information

Provides details on how personal data is processed within the NHSmail Live Service in Scotland. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

Guidance on how to set up Outlook 2010, Outlook 2013, Outlook 2016 and Outlook for Mac. If you are using NHSmail in Scotland and require guidance for Outlook 2007 please contact nhsmail.scotland@nhs.net

How to Find Your Outlook Version

Guidance on how to determine what version of Outlook Destop Client your computer is running.

Guidance on maximum size of attachment and information on blocked and allowed attachment types

Guidance on the differences that you may see depending on the browser you use to access NHSmail (web users only)

Clearing Cookies and Cached Data from your Browser

Guidance on how to clear cookies and cached data from your browser.

Enabling/Disabling Outlook Web App Light

Guidance on how to enable Outlook Web App Light at www.nhs.net if your web browser does not support the full version of Outlook Web App or you require the high contrast version (OWA Light).

Guidance on how to determine what browser version (Internet Explorer, Chrome, Firefox, Safari) your computer is running.

Guidance on using shared mailboxes, including naming conventions and access requirements

Guidance on Skype for Business federation to allow the connection of an organisation's own implementation of Skype, either an on premise or online solution. A list of organisations that are federated with NHSmail is available.

Slides from the May Skype for Business Audio and Video Conferencing Webinar. Provides updates on the Skype for Business offering, demonstrations, A&VC progress to date, pricing, onboarding process, and resources. You can listen to a recording of the Webinar by clicking here.

Guidance on Skype for Business services available from NHSmail.

Guidance on the on-boarding process and considerations for organisations intending to join the NHSmail Skype for Business Service

Guidance on configuring the Skype for Business Full / Basic client

Guidance on the differences in compatibility of features across each of the Skype for Business client types (Skype for Business Full/ Basic and Outlook Web App Instant Messaging and Presence)

Guidance on the differences in compatibility of features provided through the Skype for Business Mobile Application across Windows, IOS and Android Devices.

Guidance on downloading, installing, signing in and removing the Skype for Business application on a mobile device

Guidance on how to manage your NHSmail accounts if they need to be transferred into a replacement organisation or removed from the service if your organisation is closing (ODS code has been closed) or merging with another.

Guidance on how to use Push Connectors

Guidance on how to configure filtering within TANSync to control user account provisioning

TANSync is the replacement solution for Pull Connectors. This guide provides a description of the TANSync solution and the local requirements for setting up TANSync

Guidance on how to deploy TANSync for your organisation

Guidance on the different options for adding, updating and removing user data from NHSmail

This is a guidance document and outlines the actions that users and Local Administrators should take in relation to NHSmail accounts when a user joins and/or leaves an organisation

What a Local Administrator should do if access is needed to data in an NHSmail account where the user is unavailable or unable to give permission for access

Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the Health and Social Care secure email standard and is suitable for sharing patient identifiable and sensitive information.

When sending emails outside of NHSmail, use [secure] at the start of the email subject. [Secure] is not case sensitive. The NHSmail service will assess whether encryption is required.
• If the domain the email is being sent to is accredited, the email will be sent securely and no further encryption is required.
• If the domain the email is being sent to is not accredited, and therefore insecure, the NHSmail service will programmatically enforce the use of the encryption tool to protect the email data. The recipient will need to log into the Trend Encryption Micro portal to unencrypt the email before it can be read.

NHSmail works with the Government Digital Service (GDS) to regularly update the list of accredited domains regularly

Guidance is available on how to use the NHSmail encryption service.

There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged.

Sending to legacy secure government domains

Email sent to legacy secure government domains listed below will automatically be sent securely and directly to the recipient’s email system:

*.gcsx.gov.uk for local government

*.gsi.gov.uk and *.gsx.gov.uk for central government

*.cjsm.net and *.pnn.police.uk for Police/Criminal Justice

*.mod.uk for Ministry of Defence

Note the legacy local and central government email domains (gcsx.gov.uk, gsi.gov.uk and gsx.gov.uk) will slowly stop being used and then switched off completely in March 2019, as all local and central government organisations migrate to using .gov.uk email addresses for all email communication as they adopt the government secure email standard.

Guidance for recipients of encrypted emails sent from an NHSmail account including: opening and reading encrypted emails and sending an encrypted reply

Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail

Windows XP users on NHSmail

If using Microsoft software to access NHSmail, only access from Microsoft software in mainstream or extended support is assured. NHSmail does not support access from products that have ended extended support, even where an organisation may have taken out a custom support agreement. Any use of XP, or indeed any other unsupported product, is done so at your own risk and has no guarantee that it will work with NHSmail.

Guidance outlining what spoofing is, why changes are being made to stop spoofing including when the changes will come into force, who will be impacted and what actions need to be taken.

Guidance to ensure your applications meet the supported NHSmail protocols

Guidance on how to keep your account and the NHSmail service safe and secure from common cyber threats including: spam, junk, spoofing and phishing

Frequently asked questions (FAQs), general information and guidance on the Email Gateway / Relay Service provided by NHSmail.

Guidance on how to find out the contact details of Local Administrator within your organisation.

This document provides an overview of the local organisation licensing requirements for NHSmail in England and Scotland.

Guidance on how to ensure you do not breach your mailbox quota and ensure your account is not prevented from receiving or sending email.

Guidance on how to access the NHSmail service via your mobile device

Frequently asked questions (FAQs) about sub-domain branding of users accounts.

If your organisation is intending to accredit a local email service or use Microsoft O365 to meet the secure email standard, please see the relevant guidance on the NHS Digital website.