We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
You must never send personal, sensitive or confidential information to a non-secure email address unless it is encrypted.
Sending sensitive information to non-secure email addresses (including patients)
Encryption is an additional security tool which means users can communicate securely to any type of email account.
How to use encryption when sending from NHSmail
All you need to do is add the word [secure] in the subject line of a message - with the inclusion of the square brackets.
Before using the service:
- check local organisation policies and processes on sharing personal confidential data and sensitive information first which will take precedence over this guidance
- ensure you are familiar with the NHSmail Encryption guidance and process
You should only use the NHSmail encryption capability if approved to do so locally.
When a patient receives an encrypted email, they will need to register for the service if they haven't done so already.
Once registered they can then open the email in their internet browser. After logging in they will be able to view and reply to the email, confident that their information is safe and secure.
Patients will receive an email which looks like this:
You have received an email message secured by Private Post. Please open the file called Encrypted_Message.htm to read the message.
Using [secure] in the subject line if sending an email from one NHSmail address to another
When sending email from NHSmail to another secure service you do not need to take any action.
You will know if you have an NHSmail email address because it will end in nhs.net.
Please note that nhs.uk systems who have not met the accreditation standards are not considered secure.
Email addresses which meet the same high accreditation and security standards as NHSmail are rare. You can spot them by their endings. They will end in:
- nhs.uk domains accredited to the DCB1596 secure email standard
Sending sensitive information to patients if you don't use NHSmail
You must never send confidential information to or from an email address which does not meet the necessary standards of security.
Your email provider may have a way for you to encrypt emails so that you can send confidential information securely and to the appropriate security standards. Please refer to your organisation’s IT policies for guidance or speak to a member of your IT team for further information.
Further information is available in the full encryption guide for NHSmail.