Meeting the secure email standard

If you do not use NHSmail, you must use an email service which meets the secure email standard (DCB1596). This standard sets out the minimum requirements for email systems in health and social care.

Meeting the secure email standard means that your email system is secure enough to keep sensitive information safe.

The process for meeting the standard differs depending on whether you:

  • use Office 365 or Google Workspace
  • use a different email service, which you must self-accredit 

To check if your organisation’s email system is already accredited, download the list of DCB1596 accredited organisations from the NHS Digital website. 

Using Office 365 or Google Workspace securely

Office 365 and Google Workspace are compliant email services, but you must demonstrate that you’re using these systems securely and that they’re configured correctly. 

To be eligible to meet the secure email standard, you must:

  • be a public, private or third sector organisation supporting the delivery of publicly funded health or adult social care
  • have an active Organisation Data Services (ODS) code
  • be based in England

To register compliance and demonstrate your email system is configured appropriately, you must:

  • download a Conformance Template for either Microsoft Office 365 or Google Workspace and fill in your details and the names of documents you are providing
  • send this along with the required evidence to feedback@nhs.net 

You will need support from your internal IT support or IT supplier to complete this. If you do not have the necessary IT support to complete the accreditation process, we recommend using an already secure provider, such as NHSmail.

The criteria you must meet to be compliant include:

  • putting in place a process to notify the NHSmail team if there is a security breach at your organisation (including an actual, potential or attempted breach, or threat to your security policy or systems)
  • setting policies and procedures for staff who use the secure email service to ensure they can use it appropriately and safely, including how they should send emails to insecure email systems (such as to service users or their families)
  • configuring your email service to communicate securely with NHSmail. NHS England provides a Microsoft Office 365: Secure email configuration guide and a Google Workspace secure email configuration guide (these open as PDFs)
  • setting policies and procedures for the secure use of email on mobile devices 
  • complying with the conditions set out in the Clinical Risk Management Standard (DCB0160) – this includes having a clinical risk management process in place and completing a risk assessment or hazard log relating to your email service

You will need to re-accredit on a yearly basis, providing up-to-date evidence as part of this process.

Getting accreditation for another email service 

If you do not use NHSmail, Office 365 or Google Workspace, your organisation can accredit your existing email system with NHS England to meet the secure email standard. 

To do this, you must:

You will retain your own domain name for your email addresses. (Previously, you were required to change your domain name to @secure.nhs.com, but this requirement has now been dropped.)

To register compliance, you must:

You will need support from your internal IT support or IT supplier to complete this. If you do not have the necessary IT support to complete the accreditation process, we recommend using an already secure provider, such as NHSmail.

You will need to re-accredit on a yearly basis, and provide up-to-date evidence as part of this process.

Letting others know you are accredited

Once your email system is accredited, you will be added to the list of accredited organisations on the NHS England website. 

This means that NHSmail users can be assured that emails sent from your addresses are secure. 

However, many people won’t be aware of the list of accredited organisations, so may not know that your email is secure. You should make partners that you regularly share information with aware that your email domain is accredited. You could encourage them to add your domain to their safe senders list (also called a whitelist). 

You could also ask your IT supplier to add other accredited organisations to your safe senders list, and use an encryption tool for emails from non-accredited senders. 

You will need to update your safe senders list regularly, as organisations are added and removed from the accredited list throughout the year.