NHSmail Enabling collaboration for health and social care

Acceptable Use Policy

1. Introduction

2. General information about NHSmail

3. Your responsibilities when using NHSmail

3.1 General responsibilities when using NHSmail

3.2 Responsibilities when using the NHSmail email service:

3.3 Responsibilities when using the NHS Directory service:

3.4 Information governance issues

4. Using NHSmail services to exchange sensitive information

1. Introduction

This document explains how the NHSmail service should be used. It is your responsibility to ensure you understand and comply with this policy. It ensures that:

As an NHSmail account holder, you should expect to receive ad-hoc communications about NHSmail from NHS Digital if you are based in England, or from National Services Scotland if you are based in Scotland, informing you of changes or updates to the service that may impact your use.

If you have any questions about these terms and conditions, you should contact the NHSmail team at feedback@nhs.net (England) or nhsmail.scotland@nhs.net (Scotland).

The NHSmail team reserves the right to update this document as necessary. A copy of the current version can be found at https://portal.nhs.net/Home/AcceptablePolicy

Supporting information can be found via the NHSmail support pages at: https://portal.nhs.net/Help/

2. General information about NHSmail


The NHSmail service includes the core services of secure email, the NHS Directory, Skype for Business Instant Messaging and Presence (IM&P), administration tools and a series of top-up services. The top-up services available to you will depend on your individual organisation.


The NHSmail services have been provided to aid the provision of health and social care and this should be your main use of the service.


There may be circumstances under which it is necessary for a designated and authorised person other than you to view the contents of your files and folders within NHSmail, for example if you have a secretary or PA who organises your diary.


If you are a member of clinical or care staff you may use NHSmail services in relation to the treatment of private patients in accordance with your own professional codes of conduct.


Health and social care staff contact details are provided in the NHS Directory to support the delivery of health and care - these details will be shared across the entire NHSmail health and social care community.


All data retained within the service remains the property of the NHS.


NHSmail accounts are owned by:


and are provided to NHS staff for their use. Where accounts are no longer used they are automatically removed after a period of inactivity as defined in the Data Retention Policy.


The NHSmail programme reserves the right to withdraw an NHSmail account from use should operational requirements dictate. This may include limiting service or complete de-activation.

3. Your responsibilities when using NHSmail

3.1 General responsibilities when using NHSmail:


You must not use NHSmail to violate any laws or regulations of the United Kingdom or other countries. Use of the service for illegal activity is grounds for immediate dismissal and any illegal activity will be reported to the police. Illegal activity includes, but is not limited to, sending or receiving material related to paedophilia, terrorism, incitement to racial harassment, stalking, sexual harassment and treason. Use of the service for illegal activity will result in the immediate disablement of your NHSmail account.


You must not use any of the NHSmail services for commercial gain. This includes, but is not limited to: unsolicited marketing, advertising and selling goods or services.


You must not attempt to interfere with the technical components, both hardware and software, of the NHSmail system in any way.


When you set up your NHSmail account you must identify yourself honestly, accurately and completely.


You must ensure your password and answers to your security questions for the NHSmail services are kept confidential and secure at all times. You should notify your Local Administrator if you become aware of any unauthorised access to your NHSmail account. You must never input your NHSmail password into any website other than nhs.net sites. You will never be asked for your NHSmail password. Do not divulge this information to anyone, even if asked.


Email messages are increasingly a source of viruses which often sit within attached documents. NHSmail is protected by anti-virus and anti-spam software although occasionally, as with any email service, a new virus or spam message may not be immediately detected. If you are unsure of the source of an email or attachment you should leave it unopened and inform your local IT services. If you receive spam messages you should forward them to spamreports@nhs.net. You must not introduce or forward any virus or any other computer programme that may cause damage to NHS or social care computers or systems. If you are found to be deliberately responsible for introducing or forwarding a programme that causes any loss of service, NHS Digital or National Services Scotland may seek financial reparation from your employing organisation.


You must not use the NHSmail service to disable or overload any computer system or network. Where excessive account activity is detected your account could be suspended, without notice, to safeguard the service for all other users.


All communication you send through the NHSmail services is assumed to be official correspondence from you acting in your official capacity on behalf of your organisation. This should be in accordance with your local organisation's policies for exchanging data. Should you need to send, by exception, communication of a personal nature, you must clearly state that your message is a personal message and not sent in your official capacity. This includes Instant Messaging.


You must familiarise yourself with the NHSmail support pages which include important policy documentation, service status information, training and guidance materials, information about known issues with the service and user/administration guides.


If you are accessing your NHSmail account from a non-corporate device i.e. a home computer, personally owned laptop or in an internet cafe, you should only access the service via the web at www.nhs.net and not through an email programme such as Microsoft Outlook, unless you have explicit permission from your own organisation to do so.

3.2 Responsibilities when using the NHSmail email service:


You must not attempt to disguise your identity, your sending address or send email from other systems pretending to originate from the NHSmail service.


You must not send any material by email that could cause distress or offence to another user. You must not send any material that is obscene, sexually explicit or pornographic. If you need to transmit sexually explicit material for a valid clinical reason then you must obtain permission from your local Caldicott Guardian. [Note: GPs may need to refer to the Caldicott Guardian at their local CCG].


You must not use the NHSmail service to harass other users or groups by sending persistent emails to individuals or distribution lists.


You must not forward chain emails or other frivolous material to individuals or distribution lists.


It is your responsibility to check that you are sending email to the correct recipient, as there may be more than one person with the same name using the service. Always check that you have the correct email address for the person you wish to send to - this can be done by checking their entry in the NHS Directory.


Email is admissible as evidence in a court of law and messages can be classified as legal documents. Internal emails may also need to be disclosed under the Freedom of Information Act 2000, the Data Protection Act 1998 and amendments, and the Freedom of Information (Scotland) Act 2002. Emails should be treated like any other clinical communication and care should be taken to ensure that content is accurate and the tone is appropriate.

3.3 Responsibilities when using the NHS Directory service:


It is your responsibility to make sure your details in the NHS Directory are correct and up to date.


You must not use the NHS Directory to identify individuals or groups of individuals to target for marketing or commercial gain, either on your behalf or on that of a third party.

3.4 Information governance issues:


The General Medical Council (GMC) Good Medical Practice guidance requires doctors to keep clear, accurate and legible records. It is important that emails and Instant Messages do not hinder this. You should ensure that relevant data contained in emails or Instant Messages are immediately attached to the patient record. Failure to do so could have implications on patient safety.


NHSmail is a communication tool to support the secure exchange of information and is not designed as a document management system. Documents, emails or messages that are required for retention/compliance purposes should be stored within your organisation's document management system in accordance with local Information Governance policies.


Your organisation is entitled to seek access to the contents of your mailbox, sent/received messages or other audit data as required to support information governance processes without your prior consent. Such requests are strictly regulated with the process detailed in the NHSmail support pages.


When moving your NHSmail account between health and care organisations, it is your responsibility to ensure any data relating to your role is archived appropriately and is not transferred to your new employing organisation in error. Guidance is available in the Leavers and Joiners section in the NHSmail support pages.

4. Using NHSmail services to exchange sensitive information


The NHSmail service is a secure service. This means NHSmail is authorised for sending sensitive information, such as clinical data, between NHSmail and:


If you need to exchange sensitive data outside of NHSmail or other email systems that do not comply with the SCCI 1596 secure email standard or the pan-government secure email standard, the NHSmail encryption tool must be used in accordance with the guidance materials available on the NHSmail support pages. Sending an email with [secure] in the subject line will automatically protect the message for you if you are unsure if the system you are sending to is secure or not.


If you intend to use the service to exchange sensitive information you should adhere to the following guidelines:


You should make sure that any exchange of sensitive information is part of an agreed process. This means that both those sending and receiving the information know what is to be sent, what it is for and have agreed how the information will be treated.


Caldicott and local Information Governance principles should apply whenever sensitive information is exchanged.


As with printed information, care should be taken that sensitive or personal information is not left anywhere it can be accessed by other people, e.g. on a public computer without password protection.


When you are sending sensitive information you should always request a delivery and read receipt (Email) or recipient acknowledgement (Instant Messaging) so that you can be sure the information has been received safely. This is especially important for time-sensitive information such as referrals.


You must not hold sensitive or personal data in your calendar if your calendar may be accessed by other people who are not involved in the care of that person.


If personal identifiable information is visible to other people, it is your responsibility to make sure those people have a valid relationship with the person.


You must always be sure you have the correct contact details for the person (or group) that you are sending the information to. If in doubt, you should check the contact details in the NHS Directory or use the search bar within IM&P.


If it is likely you may be sent personal and/or sensitive information you must make sure that the data is protected. You should only access your account from secure, encrypted devices which are password protected, and unattended devices must be locked to ensure that data is protected in the event of the device being lost or stolen.


Remember that personal information is accessible to the data subject i.e. the patient, under Data Protection legislation.