NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.

Whilst the design and operation of a secure email system is a key part of making sure it is secure, it is also an obligation of users to make sure they use the service properly and without doing anything to compromise the security of the information that they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users and the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.

Clinical Safety

The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from feedback@nhs.net.

Information Management Policies

Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:

• NHSmail Data Retention and Information Management Policy: Defines the scope of data held and details the recovery of data.
• NHSmail Access to Data Policy: Process for requesting data for forensic investigations. Please note this policy is being revised in light of the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.

NHSmail ISO Compliance Documentation

NHSmail is compliant with a number of ISO Standards (see table below).

If certificate evidence is required, the BSIs directory can be searched.

GDPR guidance for the NHSmail Live Service – England

Transparency / Fair Processing Information

Provides details on how personal data is processed within the NHSmail Live Service in England. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

Data Protection Impact Assessment

Provides evidence to support NHS Digital’s compliance with the Data Protection principles.

Further Information on GDPR

Additional information to general queries on GDPR.

Local Administrator webinar on GDPR – 17 May 2018

Slides from the GDPR webinar on 17 May 2018 which provide information on GDPR, what the NHSmail Live Service is doing to comply with GDPR in England, Joint Controller arrangements, Subject Access Requests (SARs), communications and useful information and next steps. Please also see the recording of the webinar and the Q&A log.

All-user broadcast on GDPR – 22 May 2018

Provides information on how the NHSmail Live Service uses your data in compliance with the new General Data Protection Legislation (GDPR).

GDPR guidance for the NHSmail Live Service – Scotland

Transparency / Fair Processing Information

Provides details on how personal data is processed within the NHSmail Live Service in Scotland. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

Data Protection Impact Assessment

Provides evidence to support NHS Digital’s compliance with the Data Protection principles.

Guidance on how to set up Outlook 2010, Outlook 2013, Outlook 2016 and Outlook for Mac. If you are using NHSmail in Scotland and require guidance for Outlook 2007 please contact nhsmail.scotland@nhs.net

How to Find Your Outlook Version

Guidance on how to determine what version of Outlook Destop Client your computer is running.

Guidance on maximum size of attachment and information on blocked and allowed attachment types

Guidance on the differences that you may see depending on the browser you use to access NHSmail (web users only)

Clearing Cookies and Cached Data from your Browser

Guidance on how to clear cookies and cached data from your browser.

Enabling/Disabling Outlook Web App Light

Guidance on how to enable Outlook Web App Light at www.nhs.net if your web browser does not support the full version of Outlook Web App or you require the high contrast version (OWA Light).

Guidance on how to determine what browser version (Internet Explorer, Chrome, Firefox, Safari) your computer is running.

Guidance on using shared mailboxes, including naming conventions and access requirements

Address book synchronisation allows third party organisations to access NHSmail Directory entries (user details) and copy them into their own internal Microsoft Active Directory (thus making them available to applications such as Microsoft Exchange).

There are strict controls around the usage and the service is only available to those organisations who complete the partnering agreement and have approved data sharing agreements in place (i.e. signed agreements with the NHS organisations they are wishing to synchronise with).

To apply for this service, organisations must:

• provide public funded health and care services
• request the Partnering Agreement (PA) and Sharing Agreement (SA) for the address book synchronisation service by email
• complete the PA and obtain a signed SA from each of the NHSmail organisations that they are wanting to synchronise with
• ensure they have a dedicated resource available to implement the TANSync service on a server within a secure environment

This document provides organisations, seeking to federate with NHSmail Calendar, with a list of common questions and answers on federation. The document also provides a summary of the on-boarding, support and disconnection (de-federation) processes.

This document provides external federation partners with the information required to complete calendar federation with NHSmail.

Additional information to queries on the NHSmail Office 365 Hybrid Service.

Comparison of the functionality between the NHSmail Office 365 Hybrid Service and out of the box Office 365.

Provides information for Local Administrators on the on-boarding process for the NHSmail Office 365 Hybrid Service.

Overview of the NHSmail Office 365 Hybrid Service and delivery roadmap.

Guidance on Skype for Business federation to allow the connection of an organisation's own implementation of Skype, either an on premise or online solution. A list of organisations that are federated with NHSmail is available.

Slides from the May Skype for Business Audio and Video Conferencing Webinar. Provides updates on the Skype for Business offering, demonstrations, A&VC progress to date, pricing, onboarding process, and resources. You can listen to a recording of the Webinar by clicking here.

Guidance on Skype for Business services available from NHSmail.

Guidance on the on-boarding process and considerations for organisations intending to join the NHSmail Skype for Business Service

Guidance on configuring the Skype for Business Full / Basic client

Guidance on the differences in compatibility of features across each of the Skype for Business client types (Skype for Business Full/ Basic and Outlook Web App Instant Messaging and Presence)

Guidance on the differences in compatibility of features provided through the Skype for Business Mobile Application across Windows, IOS and Android Devices.

Guidance on downloading, installing, signing in and removing the Skype for Business application on a mobile device

Guidance on how to ensure you do not breach your mailbox quota and ensure your account is not prevented from receiving or sending email.

Guidance on how to manage your NHSmail accounts if they need to be transferred into a replacement organisation or removed from the service if your organisation is closing (ODS code has been closed) or merging with another.

Guidance on how to use Push Connectors

Guidance on how to configure filtering within TANSync to control user account provisioning

TANSync is the replacement solution for Pull Connectors. This guide provides a description of the TANSync solution and the local requirements for setting up TANSync

Guidance on how to deploy TANSync for your organisation

Guidance on the different options for adding, updating and removing user data from NHSmail

This is a guidance document and outlines the actions that users and Local Administrators should take in relation to NHSmail accounts when a user joins and/or leaves an organisation

What a Local Administrator should do if access is needed to data in an NHSmail account where the user is unavailable or unable to give permission for access

Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the Health and Social Care secure email standard and is suitable for sharing patient identifiable and sensitive information.

When sending emails outside of NHSmail, use [secure] at the start of the email subject. [Secure] is not case sensitive. The NHSmail service will assess whether encryption is required.
• If the domain the email is being sent to is accredited, the email will be sent securely and no further encryption is required.
• If the domain the email is being sent to is not accredited, and therefore insecure, the NHSmail service will programmatically enforce the use of the encryption tool to protect the email data. The recipient will need to log into the Trend Encryption Micro portal to unencrypt the email before it can be read.

Guidance is available on how to use the NHSmail encryption service.

There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged.

Sending to legacy secure government domains

Email sent to legacy secure government domains listed below will automatically be sent securely and directly to the recipient’s email system:

*.gcsx.gov.uk for local government

*.gsi.gov.uk and *.gsx.gov.uk for central government

*.cjsm.net and *.pnn.police.uk for Police/Criminal Justice

*.mod.uk for Ministry of Defence

Note the legacy local and central government email domains (gcsx.gov.uk, gsi.gov.uk and gsx.gov.uk) will slowly stop being used and then switched off completely in March 2019, as all local and central government organisations migrate to using .gov.uk email addresses for all email communication as they adopt the government secure email standard.

Guidance for recipients of encrypted emails sent from an NHSmail account including: opening and reading encrypted emails and sending an encrypted reply

Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail

Guidance on how to resolve frequent account lockout issues.

Anti-spoofing controls

Spoofing controls on the NHSmail Service

Guidance outlining what spoofing is, why changes are being made to stop spoofing and who is being impacted and what actions need to be taken.

Anti-spoofing webinar – 26 October 2018

Slides from the anti-spoofing webinar providing an overview of the spoofing controls being introduced. Please also see the recording of the webinar.

Application guide for Mailchimp

Guidance on setting the correct configuration when using the Mailchimp application with NHSmail.

Guidance to ensure your applications meet the supported NHSmail protocols

Guidance on how to keep your account and the NHSmail service safe and secure from common cyber threats including: spam, junk, spoofing and phishing

Frequently asked questions (FAQs), general information and guidance on the Email Gateway / Relay Service provided by NHSmail.

Guidance on how to find the contact details of the Local Administrator within your organisation.

Guidance on granting access, security considerations and management of Impersonation accounts.

This document provides an overview of the local organisation licensing requirements for NHSmail in England and Scotland.

Guidance on how to access the NHSmail service via your mobile device

Guidance for Primary / Local Administrators on how to register for Multi-Factor Authentication (MFA) on your NHSmail account. Please note this relates to NHSmail accounts in England only.

Technical guidance on the NHSmail Single Sign On process.

Frequently asked questions (FAQs) about sub-domain branding of users' accounts.

Windows XP users on NHSmail

If using Microsoft software to access NHSmail, only access from Microsoft software in mainstream or extended support is assured. NHSmail does not support access from products that have ended extended support, even where an organisation may have taken out a custom support agreement. Any use of XP, or indeed any other unsupported product, is done so at your own risk and has no guarantee that it will work with NHSmail.

If your organisation is intending to accredit a local email service or use Microsoft O365 to meet the secure email standard, please see the relevant guidance on the NHS Digital website.