Policy and Guidance Materials

Welcome to the Policy and Guidance page. From this page, you can access all the policy and guidance materials you will need when using the NHSmail service.

As a user of the NHSmail platform you must operate in accordance with a clear set of guidance, policies and procedures to ensure you are using the service effectively, appropriately and safely. Please refer to the materials below to ensure you are adhering to all NHSmail guidance and policies.

  • Access Policy

    NHSmail is available to organisations with a valid reason to use it. The NHSmail Access Policy provides full details.

  • Acceptable Use Policy

    Whilst the design and operation of a secure email system is a key part of making sure it is secure, users are also obliged to use the service properly and to do nothing that compromises the security of the information they send or receive. For this reason, every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. This is their promise to all NHSmail users, and to the public and patients we serve, that they will be mindful of the importance of the information that they share over NHSmail.

  • Clinical Safety

    The NHSmail Service is approved for the exchange of clinical/sensitive data in line with the National Clinical Safety Case. The Service is not intended for storage of clinical information. Organisations are encouraged to review local processes and guidance in line with the NHSmail Policies and National Safety Case. The Safety Case is available on request from

  • Information Management Policies

    Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies listed here:

  • Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government email standard. There are a number of government and police systems that have not yet been verified as conforming to the pan-government secure email standard. Whilst NHSmail traffic to these organisations will be secure, the return path may not be. Therefore, sensitive information should not be sent to these non-secure domains until it has been confirmed that they are secure. Please keep checking this list as it will change.

    There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged to non-accredited email domains and the non-secure government domains until they are verified.

    The list of secure and non-secure email domains is available here. Whilst NHSmail provides a safe path for sending sensitive data via email, it remains your responsibility to ensure that the recipient is appropriate and able to handle the sensitive data in accordance with your organisation's local Information Governance / Data Security policies.

    Central Government:
    • * (excluding
    • *

    Secure email domains in the Ministry of Defence:
    • *
    • *

    Criminal Justice Services secure email domains:
    • *

    Secure email domains in Local Government/Social Services:
    • * (excluding

    For PNN (Police) and GSI addresses please refer to the spreadsheet.

    If in doubt, put [SECURE] at the beginning of the email subject when sending from NHSmail. This will automatically encrypt the email if there is no guaranteed secure delivery route (where secure delivery routes exist, the message is not unnecessarily encrypted). Guidance is available on how to use the NHSmail encryption service.

  • Accessing Encrypted Emails Guide

    Guidance for recipients of encrypted emails sent from an NHSmail account, including opening and reading encrypted emails and sending an encrypted reply.

  • Encryption Guide

    Guidance on how to use the NHSmail encryption service to send encrypted emails to people not using NHSmail.