NHSmail Access Policy - (England) April 2019 Version 5 - Amazon S3
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
NHSmail Access Policy (England) April 2019 Version 5 Copyright © 2019 NHS Digital
NHSmail Access Policy
Contents
Target audience 3
Introduction 3
Who can use NHSmail? 3
Pre-requisites 4
Sharing information securely 4
Delegation / impersonation 4
No longer eligible for NHSmail? 5
Copyright © 2019 NHS Digital
2NHSmail Access Policy
Target audience
Any organisation commissioned to deliver NHS healthcare or related activities with a
requirement to share information securely about health, public health and adult social care in
support of public sector business.
Introduction
This document defines who is entitled to a Department of Health and Social Care funded
NHSmail email account in England
For details on setting up NHSmail accounts please see the NHSmail Access Process
document.
If you are based in Scotland, then please contact nhsmail.scotland@nhs.net
Who can use NHSmail?
NHSmail email accounts will be provided to organisations delivering publicly funded health,
public health or adult social care including Arm’s Length Bodies, whether delivered by the
public or private sector.
A maximum of 50 accounts can be provided to support secure email for those organisations
choosing to stay with their own email solution. Where account numbers exceed this,
organisations should consider uplifting their current email service to meet the secure email
standard.
There are two ways to meet the secure email standard and organisations must select one of
these methods to comply.
1. Implement an already compliant service such as NHSmail or Office 365 for all staff at
your organisation.
2. Demonstrate your own service is compliant to the secure email standard by following
the secure email accreditation process.
Note: NHSmail is not to be used for non-publicly funded business or for marketing or
commercial gain.
NHSmail will not be provided where users already have another publicly funded email
account, for example a locally provided email service, with two exceptions.
1. A small (1 - 20) number of email accounts can be hosted by a commissioning body
for organisations that have a regular, defined or frequent requirement to securely
exchange personal or sensitive information whilst carrying out public sector business
and do not themselves have a secure email service.
2. Clinical professionals under the training of local education and training boards
(previously known as postgraduate medical deaneries) will be provided with NHSmail
accounts for the duration of their clinical training.
This list is not definitive so please seek guidance from feedback@nhs.net if clarity is required
about a specific case.
NHSmail accounts are limited by the nationally set budget and will be provided on a first
come first served basis.
Copyright © 2019 NHS Digital
3NHSmail Access Policy
Pre-requisites
In order to use NHSmail, health and care organisations must meet, or exceed, the below
criteria.
• Complete an annual Data Security and Protection Toolkit (DSPT) return to ensure that
NHSmail users have completed Information Governance (IG) training.
▪ For social care providers a rating of ‘Entry Level’ as a stepping stone to
achieving the full standard.
Note: A rating of ‘Entry Level’ is a minimum and will not be sufficient to meet
wider contractual and regulatory requirements to connect to other NHS Digital
services.
▪ For all other organisations all assertions and mandatory evidence items must
be completed.
• Responsible for ensuring that all staff and / or devices, including mobile devices, are
licensed appropriately. Further information is available in the NHSmail Licensing
Guide.
• Responsible for nominating a Local Administrator (LA). For user groups such as
independent midwives, pharmacies, dentists and social care the National
Administration Service (NAS) provides the LA function.
All NHSmail users are expected to abide by the Acceptable Use Policy (AUP). If the AUP is
breached or operational requirements dictate, the NHSmail service reserves the right to
withdraw access to the NHSmail service without notice.
Further information is given in the NHSmail Access Process document, including how to set
up the first account.
Sharing information securely
The documents below provide guidance specifically for health and social care organisations
and government organisations on sharing information securely.
Guide for Health and Social Care Organisations
Guide for Government Organisations
Further information around sharing email securely is available on the NHSmail Portal help
pages.
Delegation / impersonation
NHSmail includes the capability for users to give delegated access to their mailbox which
can allow other people to send email on their behalf. A similar capability is available for
applications to programmatically do the same through impersonation rights.
Where there is a need to provide someone else with the ability to send email on behalf of a
user this should be done by the user via the delegation controls within the service. Where an
organisation wishes to send email on behalf of its staff the organisation may request the
ability to do this for accounts in its organisation via the NHSmail helpdesk.
Further information is available in the Impersonation Accounts Guide.
Copyright © 2019 NHS Digital
4NHSmail Access Policy
No longer eligible for NHSmail?
If your organisation no longer meets the criteria outlined in this policy to use NHSmail, you
will need to move to an alternative method for secure communication.
• For a provider at the end of their contract, all NHSmail accounts should be marked as
a ‘leaver’ on the last day of service provision.
• For staff moving into a new provider organisation, their NHSmail account can be
marked as a ‘joiner’ within 30 days to avoid the account being deleted. All other
accounts will be permanently deleted along with any data contained within them.
• Guidance is available in the Leavers and Joiners Management Guide.
Copyright © 2019 NHS Digital
5You can also read
