Policy and Guidance Materials

Welcome to the Policy and Guidance page. From this page, you can access all the policy and guidance materials you will need when using the NHSmail service.

As a user of the NHSmail platform, you must operate in accordance with a clear set of guidance, policies and procedures to ensure you are using the service effectively, appropriately and safely. Please refer to the materials below to ensure you are adhering to all NHSmail guidance and policies.

  • Access Policy

    NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.

  • Acceptable Use Policy

    Whilst the design and operation of a secure email system is a key part of making sure it is secure, it is also an obligation of users to make sure they use the service properly and without doing anything to compromise the security of the information that they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users and the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.

  • Clinical Safety

    The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from

  • Information Management Policies

    Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:

  • Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the NHS secure email standard and is suitable for sharing patient identifiable and sensitive information.

    When sending emails outside of NHSmail, use [secure] at the start of the email subject. [Secure] is not case sensitive. The NHSmail service will assess whether encryption is required.
    • If the domain the email is being sent to is accredited, the email will be sent securely and no further encryption is required.
    • If the domain the email is being sent to is not accredited, and therefore insecure, the NHSmail service will programmatically enforce the use of the encryption tool to protect the email data. The recipient will need to log into the Trend Encryption Micro portal to decrypt the email before it can be read.

    The Cabinet Office and NHS Digital will hold a list of all accredited domains, which NHSmail will refresh on a daily basis to ensure that emails are encrypted as required.

    Guidance is available on how to use the NHSmail encryption service.

    There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged.

  • Accessing Encrypted Emails Guide

    Guidance for recipients of encrypted emails sent from an NHSmail account, including opening and reading encrypted emails and sending an encrypted reply.

  • Encryption Guide for Senders

    Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail.