Policy and Guidance Materials
Welcome to the Policy and Guidance page. From this page, you can access all the policy and guidance materials you will need when using the NHSmail service.
As a user of the NHSmail platform you must operate in accordance to a clear set of guidance, policies and procedures to ensure you are using the service effectively, appropriately and safely. Please refer to the materials below to ensure you are adhering to all NHSmail guidance and policies.
If you have a complaint or wish to raise an escalation with the NHSmail service, please see the guidance available on the Service Status page under ‘Complaints and Escalations Process’.
Access Policy
NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.
Acceptable Use Policy
Whilst the design and operation of a secure email system is a key part of making sure it is secure, it is also an obligation of users to make sure they use the service properly and without doing anything to compromise the security of the information that they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users and the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.
Clinical Safety
The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from feedback@nhs.net.
Information Management Policies
Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:
NHSmail ISO Compliance Documentation
NHSmail is compliant with a number of ISO Standards (see table below).
Accreditation |
Certificate Number |
ISO 9001:2015 |
FS 571552 |
ISO/IEC 20000-1:2011 |
ITMS 535634 |
ISO/IEC 20000-1:2011 |
ITMS 571355 |
ISO 22301:2012 |
BCMS 523309 |
ISO 22301:2012 |
BCMS 556058 |
ISO/IEC 27001:2013 |
IS 589293 |
If certificate evidence is required, the BSIs directory can be searched.
GDPR guidance for the NHSmail Live Service – England
Transparency / Fair Processing Information
Provides details on how personal data is processed within the NHSmail Live Service in England. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.
Data Protection Impact Assessment
Provides evidence to support NHS Digital’s compliance with the Data Protection principles.
Additional information to general queries on GDPR.
Local Administrator webinar on GDPR – 17 May 2018
Slides from the GDPR webinar on 17 May 2018 which provide information on GDPR, what the NHSmail Live Service is doing to comply with GDPR in England, Joint Controller arrangements, Subject Access Requests (SARs), communications and useful information and next steps. Please also see the recording of the webinar and the Q&A log.
All-user broadcast on GDPR – 22 May 2018
Provides information on how the NHSmail Live Service uses your data in compliance with the new General Data Protection Legislation (GDPR).
GDPR guidance for the NHSmail Live Service – Scotland
Transparency / Fair Processing Information
Provides details on how personal data is processed within the NHSmail Live Service in Scotland. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.
Data Protection Impact Assessment
Provides evidence to support NHS Digital’s compliance with the Data Protection principles.
Desktop Configuration Guide
Guidance on how to set up Outlook 2010, Outlook 2013, Outlook 2016 and Outlook for Mac. If you are using NHSmail in Scotland and require guidance for Outlook 2007 please contact nhsmail.scotland@nhs.net
How to Find Your Outlook Version
Guidance on how to determine what version of Outlook Destop Client your computer is running.
Attachments Guide
Guidance on maximum size of attachment and information on blocked and allowed attachment types
Browser Differences
Guidance on the differences that you may see depending on the browser you use to access NHSmail (web users only)
Clearing Cookies and Cached Data from your Browser
Guidance on how to clear cookies and cached data from your browser.
Enabling/Disabling Outlook Web App Light
Guidance on how to enable Outlook Web App Light at www.nhs.net if your web browser does not support the full version of Outlook Web App or you require the high contrast version (OWA Light).
How to Find Your Browser Version
Guidance on how to determine what browser version (Internet Explorer, Chrome, Firefox, Safari) your computer is running.
Shared Mailbox Guide
Guidance on using shared mailboxes, including naming conventions and access requirements
Technical guidance on configuring address book synchronisation software
Address book synchronisation allows third party organisations to access NHSmail Directory entries (user details) and copy them into their own internal Microsoft Active Directory (thus making them available to applications such as Microsoft Exchange).
There are strict controls around the usage and the service is only available to those organisations who complete the partnering agreement and have approved data sharing agreements in place (i.e. signed agreements with the NHS organisations they are wishing to synchronise with).
To apply for this service, organisations must:
Guidance to federate (share) calendars with NHSmail
This document provides organisations seeking to federate with NHSmail calendar with a list of common questions and answers on federation. The document also provides a summary of the on-boarding, support and disconnection (de-federation) processes.
NHSmail calendar federation partner guidance
This document provides external federation partners with the information required to complete calendar federation with NHSmail. A list of organisations that are federated with NHSmail is available.
Frequently Asked Questions
Additional information to queries on the NHSmail Office 365 Hybrid Service.
Functional Comparison
Comparison of the functionality between the NHSmail Office 365 Hybrid Service and out of the box Office 365.
Onboarding Guide for Local Administrators
Provides information for Local Administrators on the onboarding process for the NHSmail Office 365 Hybrid Service.
Service Briefing
Overview of the NHSmail Office 365 Hybrid Service and delivery roadmap.
Skype for Business Federation
Guidance on Skype for Business federation to allow the connection of an organisation's own implementation of Skype, either an on premise or online solution. A list of organisations that are federated with NHSmail is available.
Skype for Business Audio and Video Conferencing Webinar
Slides from the May Skype for Business Audio and Video Conferencing Webinar. Provides updates on the Skype for Business offering, demonstrations, A&VC progress to date, pricing, onboarding process, and resources. You can listen to a recording of the Webinar by clicking here.
Skype for Business Service Description
Guidance on Skype for Business services available from NHSmail.
Skype for Business On-boarding Approach
Guidance on the on-boarding process and considerations for organisations intending to join the NHSmail Skype for Business Service
Skype for Business Service Configuration Guide
Guidance on configuring the Skype for Business Full / Basic client
Skype for Business Client Comparison Guide
Guidance on the differences in compatibility of features across each of the Skype for Business client types (Skype for Business Full/ Basic and Outlook Web App Instant Messaging and Presence)
Skype for Business Mobile Client Comparison Guide
Guidance on the differences in compatibility of features provided through the Skype for Business Mobile Application across Windows, IOS and Android Devices.
Skype for Business Mobile Device Installation Guide
Guidance on downloading, installing, signing in and removing the Skype for Business application on a mobile device
Skype for Business Handbook
Guidance for users to help get started with Skype for Business.
Managing your mailbox quota
Guidance on how to ensure you do not breach your mailbox quota and ensure your account is not prevented from receiving or sending email.
Managing Accounts in Closed Organisations
Guidance on how to manage your NHSmail accounts if they need to be transferred into a replacement organisation or removed from the service if your organisation is closing (ODS code has been closed) or merging with another.
Push Connector Guide
Guidance on how to use Push Connectors
TANSync Filter Configuration Guide
Guidance on how to configure filtering within TANSync to control user account provisioning
TANSync Overview
TANSync is the replacement solution for Pull Connectors. This guide provides a description of the TANSync solution and the local requirements for setting up TANSync
TANSync Deployment Guide
Guidance on how to deploy TANSync for your organisation
User Provisioning Guide
Guidance on the different options for adding, updating and removing user data from NHSmail
Leavers and Joiners Guidance
This is a guidance document and outlines the actions that users and Local Administrators should take in relation to NHSmail accounts when a user joins and/or leaves an organisation
Accessing Mailbox Data
What a Local Administrator should do if access is needed to data in an NHSmail account where the user is unavailable or unable to give permission for access
Personal Confidential Data (PCD) should only be exchanged electronically when encrypted. NHSmail email sent to trusted domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the Health and Social Care secure email standard and is suitable for sharing Personal Confidential Data.
When sending emails outside of NHSmail, if the domain is not trusted use [secure] at the start of the email subject. [Secure] is not case sensitive.
Trusted domains that need no additional action or protection:
*.secure.nhs.uk
*.gov.uk
*.cjsm.net
*.pnn.police.uk
*.mod.uk
*.parliament.uk
Guidance is available on how to use the NHSmail encryption service.
Guidance is available which details how Personal Confidential Data should be securely exchanged:
Guide for Health and Social Care Email Users
Accessing Encrypted Emails Guide
Guidance for recipients of encrypted emails sent from an NHSmail account including: opening and reading encrypted emails and sending an encrypted reply
Encryption Guide for Senders
Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail
Account Lockout Guide
Guidance on how to resolve frequent account lockout issues.
Anti-spoofing controls
Spoofing controls on the NHSmail Service
Guidance outlining what spoofing is, why changes are being made to stop spoofing and who is being impacted and what actions need to be taken.
Anti-spoofing webinar – 6 February 2019
Slides from the anti-spoofing webinar providing details of background information and pipeline activities, actions taken to date, what you need to do, additional resources and questions. Please also see the recording of the webinar.
Anti-spoofing webinar – 26 October 2018
Slides from the anti-spoofing webinar providing an overview of the spoofing controls being introduced. Please also see the recording of the webinar.
Application guide for Mailchimp
Guidance on setting the correct configuration when using the Mailchimp application with NHSmail.
Applications Guide
Guidance to ensure your applications meet the supported NHSmail protocols
Cyber Security Guide
Guidance on how to keep your account and the NHSmail service safe and secure from common cyber threats including: spam, junk, spoofing and phishing
Email Gateway / Relay Service
Frequently asked questions (FAQs), general information and guidance on the Email Gateway / Relay Service provided by NHSmail.
Finding the contact details of your Local Administrator
Guidance on how to find the contact details of the Local Administrator within your organisation.
Impersonation Accounts Guide
Guidance on granting access, security considerations and management of Impersonation accounts.
Licensing Guide
This document provides an overview of the local organisation licensing requirements for NHSmail in England and Scotland.
Mobile Configuration Guide
Guidance on how to access the NHSmail service via your mobile device
Multi-Factor Authentication (MFA)
Guidance for Primary / Local Administrators on how to register for Multi-Factor Authentication (MFA) on your NHSmail account. Please note this relates to NHSmail accounts in England only.
Single Sign-On Guide
Technical guidance on the NHSmail Single Sign On process.
Sub-domain Branding Guide
Frequently asked questions (FAQs) about sub-domain branding of users' accounts.
Windows XP users on NHSmail
If using Microsoft software to access NHSmail, only access from Microsoft software in mainstream or extended support is assured. NHSmail does not support access from products that have ended extended support, even where an organisation may have taken out a custom support agreement. Any use of XP, or indeed any other unsupported product, is done so at your own risk and has no guarantee that it will work with NHSmail.
If your organisation is intending to accredit a local email service or use Microsoft O365 to meet the secure email standard, please see the relevant guidance on the NHS Digital website.