NHSmail Enabling collaboration for health and social care

Policy and Guidance Materials

Welcome to the Policy and Guidance page. From this page, you can access all the policy and guidance materials you will need when using the NHSmail service.

As a user of the NHSmail platform, you must operate in accordance with a clear set of guidance, policies and procedures to ensure you are using the service effectively, appropriately and safely. Please refer to the materials below to ensure you are adhering to all NHSmail guidance and policies.

If you have a complaint or wish to raise an escalation with the NHSmail service, please see the guidance available on the Service Status page under ‘Complaints and Escalations Process’.

  • Access Policy

    NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.

  • Acceptable Use Policy

    Whilst the design and operation of a secure email system is a key part of making sure it is secure, it is also an obligation of users to make sure they use the service properly and without doing anything to compromise the security of the information that they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users and the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.

  • Clinical Safety

    The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from feedback@nhs.net.

  • Information Management Policies

    Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:

  • NHSmail ISO Compliance Documentation

    NHSmail is compliant with a number of ISO Standards (see table below).

    | Accreditation        | Certificate Number |
    |----------------------|--------------------|
    | ISO 9001:2015        | FS 571552          |
    | ISO/IEC 20000-1:2011 | ITMS 535634        |
    | ISO/IEC 20000-1:2011 | ITMS 571355        |
    | ISO 22301:2012       | BCMS 523309        |
    | ISO 22301:2012       | BCMS 556058        |
    | ISO/IEC 27001:2013   | IS 589293          |

    If certificate evidence is required, the BSI directory can be searched.

  • GDPR guidance for the NHSmail Live Service – England

    Transparency / Fair Processing Information

    Provides details on how personal data is processed within the NHSmail Live Service in England. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

    Data Protection Impact Assessment

    Provides evidence to support NHS Digital’s compliance with the Data Protection principles.

    Further Information on GDPR

    Additional information to general queries on GDPR.

    Local Administrator webinar on GDPR – 17 May 2018

    Slides from the GDPR webinar on 17 May 2018 which provide information on GDPR, what the NHSmail Live Service is doing to comply with GDPR in England, Joint Controller arrangements, Subject Access Requests (SARs), communications and useful information and next steps. Please also see the recording of the webinar and the Q&A log.

    All-user broadcast on GDPR – 22 May 2018

    Provides information on how the NHSmail Live Service uses your data in compliance with the new General Data Protection Legislation (GDPR).

  • GDPR guidance for the NHSmail Live Service – Scotland

    Transparency / Fair Processing Information

    Provides details on how personal data is processed within the NHSmail Live Service in Scotland. Contains information on NHS Digital as the Joint Data Controller, contacting the Data Protection Officer, the types of information collected about you, the legal basis and how the NHSmail Live Service uses your personal data, how your personal data is shared, where your data is stored and processed, how long your personal data is kept for and what your rights are.

    Data Protection Impact Assessment

    Provides evidence to support NHS Digital’s compliance with the Data Protection principles.

  • Technical guidance on configuring address book synchronisation software

    Address book synchronisation allows third party organisations to access NHSmail Directory entries (user details) and copy them into their own internal Microsoft Active Directory (thus making them available to applications such as Microsoft Exchange).

    There are strict controls around usage, and the service is only available to organisations that complete the partnering agreement and have approved data sharing agreements in place (i.e. signed agreements with the NHS organisations they wish to synchronise with).

    To apply for this service, organisations must:

    • provide publicly funded health and care services
    • request the Partnering Agreement (PA) and Sharing Agreement (SA) for the address book synchronisation service by email
    • complete the PA and obtain a signed SA from each of the NHSmail organisations that they want to synchronise with
    • ensure they have a dedicated resource available to implement the TANSync service on a server within a secure environment

  • Managing your mailbox quota

    Guidance on how to ensure you do not breach your mailbox quota and ensure your account is not prevented from receiving or sending email.

  • Managing Accounts in Closed Organisations

    Guidance on how to manage your NHSmail accounts if they need to be transferred into a replacement organisation or removed from the service if your organisation is closing (ODS code has been closed) or merging with another.

  • Push Connector Guide

    Guidance on how to use Push Connectors

  • TANSync Filter Configuration Guide

    Guidance on how to configure filtering within TANSync to control user account provisioning

  • TANSync Overview

    TANSync is the replacement solution for Pull Connectors. This guide provides a description of the TANSync solution and the local requirements for setting up TANSync

  • TANSync Deployment Guide

    Guidance on how to deploy TANSync for your organisation

  • User Provisioning Guide

    Guidance on the different options for adding, updating and removing user data from NHSmail

  • Leavers and Joiners Guidance

    This is a guidance document and outlines the actions that users and Local Administrators should take in relation to NHSmail accounts when a user joins and/or leaves an organisation

  • Accessing Mailbox Data

    What a Local Administrator should do if access is needed to data in an NHSmail account where the user is unavailable or unable to give permission for access

  • Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the Health and Social Care secure email standard and is suitable for sharing patient identifiable and sensitive information.

    When sending emails outside of NHSmail, use [secure] at the start of the email subject. [Secure] is not case sensitive. The NHSmail service will assess whether encryption is required.
    • If the domain the email is being sent to is accredited, the email will be sent securely and no further encryption is required.
    • If the domain the email is being sent to is not accredited, and therefore insecure, the NHSmail service will programmatically enforce the use of the encryption tool to protect the email data. The recipient will need to log into the Trend Encryption Micro portal to decrypt the email before it can be read.

    Guidance is available on how to use the NHSmail encryption service.

    There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged.

    Sending to legacy secure government domains

    Email sent to legacy secure government domains listed below will automatically be sent securely and directly to the recipient’s email system:

    *.gcsx.gov.uk for local government

    *.gsi.gov.uk and *.gsx.gov.uk for central government

    *.cjsm.net and *.pnn.police.uk for Police/Criminal Justice

    *.mod.uk for Ministry of Defence

    Note that the legacy local and central government email domains (gcsx.gov.uk, gsi.gov.uk and gsx.gov.uk) will slowly stop being used and will then be switched off completely in March 2019, as all local and central government organisations migrate to using .gov.uk email addresses for all email communication as they adopt the government secure email standard.

  • Accessing Encrypted Emails Guide

    Guidance for recipients of encrypted emails sent from an NHSmail account including: opening and reading encrypted emails and sending an encrypted reply

  • Encryption Guide for Senders

    Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail

  • Account Lockout Guide

    Guidance on how to resolve frequent account lockout issues.

  • Anti-spoofing controls

    Spoofing controls on the NHSmail Service

    Guidance outlining what spoofing is, why changes are being made to stop spoofing, who is impacted and what actions need to be taken.

    Anti-spoofing webinar – 26 October 2018

    Slides from the anti-spoofing webinar providing an overview of the spoofing controls being introduced. Please also see the recording of the webinar.

    Application guide for Mailchimp

    Guidance on setting the correct configuration when using the Mailchimp application with NHSmail.

  • Applications Guide

    Guidance to ensure your applications meet the supported NHSmail protocols

  • Cyber Security Guide

    Guidance on how to keep your account and the NHSmail service safe and secure from common cyber threats including: spam, junk, spoofing and phishing

  • Email Gateway / Relay Service

    Frequently asked questions (FAQs), general information and guidance on the Email Gateway / Relay Service provided by NHSmail.

  • Finding the contact details of your Local Administrator

    Guidance on how to find the contact details of the Local Administrator within your organisation.

  • Impersonation Accounts Guide

    Guidance on granting access, security considerations and management of Impersonation accounts.

  • Licensing Guide

    This document provides an overview of the local organisation licensing requirements for NHSmail in England and Scotland.

  • Mobile Configuration Guide

    Guidance on how to access the NHSmail service via your mobile device

  • Multi-Factor Authentication (MFA)

    Guidance for Primary / Local Administrators on how to register for Multi-Factor Authentication (MFA) on your NHSmail account. Please note this relates to NHSmail accounts in England only.

  • Single Sign-On Guide

    Technical guidance on the NHSmail Single Sign On process.

  • Sub-domain Branding Guide

    Frequently asked questions (FAQs) about sub-domain branding of users' accounts.

  • Windows XP users on NHSmail

    If using Microsoft software to access NHSmail, only access from Microsoft software in mainstream or extended support is assured. NHSmail does not support access from products that have ended extended support, even where an organisation may have taken out a custom support agreement. Any use of XP, or indeed any other unsupported product, is at your own risk and carries no guarantee that it will work with NHSmail.