The secure email standard

Emails sent to and from health and social care organisations must meet the secure email standard (DCB1596) so that everyone can be sure that sensitive and confidential information is kept secure.

Page contents

Top tasks

Download the full secure email specification (DCB1596)

Meeting the secure email standard

There are two ways to meet the secure email standard. Organisations must select one of these methods to comply.

Implement an already compliant service such as NHSmail or Office 365 for all staff at your organisation.
Demonstrate your own service is compliant with the secure email standard by following the secure email accreditation process.

Implement an already compliant service

NHSmail

Meet the organisation requirements of the standard by following the steps below.

Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems such as those used by patients.
Migrate all users / staff to the NHSmail email service: To migrate all email users to NHSmail follow the migration guidance on the NHSmail support site.

Microsoft Office 365 (O365): Secure email configuration guide

Meet the organisation requirements of the standard by following the steps below.

Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems such as those used by patients.
Register compliance with the NHSmail team:

Microsoft Office 365 (O365) accreditations must include confirmation that the email service has been configured to securely communicate with NHSmail. The Microsoft Office 365: Secure email configuration guide has been co-produced with Microsoft, allowing instances of O365 to be enabled to securely route emails to and from NHSmail.

Exchange, hybrid or other email services

In addition to completing the organisation section of the standard, those hosting their own email services must submit assertions and evidence that they meet the ICT Service Provider elements of the standard. These will be reviewed by the NHS Digital Data Security Centre.

To help organisations with their accreditation process to the DCB1596 standard, we have provided some guidance to help you understand what actions organisations need to take to make the changes in the DCB1596 secure email standard.

Secure email accreditation process

The steps below illustrate the end to end accreditation process.

Submission of a signed self-accreditation statement, with evidence
Evidence checked by the NHS Digital Data Security Centre and NHSmail team
Rectification of findings and re-submission to the NHSmail team
DCB1596 met

Secure email accreditation templates

The templates to accredit your email service to the secure email standard are listed below and should be returned with the required evidence to feedback@nhs.net.

DCB1596 Microsoft Office 365 Conformance Template
DCB1596 Self Accreditation Conformance Template
DCB1596 ICT Service Provider Template

Note: In the 'Health and Care Organisation' section of the templates, please provide the name and date of the policy or document covering each requirement and ensure the requisite approvals are in place.

Conformance statements

The statements below confirm how NHSmail and Microsoft Office 365 meet their email security obligations:

DCB 1596 conformance statement for NHSmail
ISB 1596 conformance statement for Microsoft Office 365

Re-accreditation

Accreditations to the secure email standard last for one calendar year. After this period organisations are required to re-accredit.

The re-accreditation process will involve the organisation re-submitting evidence for review. In most instances this will be very similar to the information previously submitted.

Penetration test results and ISO27001 certificates must be within the last 12 months.

As accreditations come to the end of their term the NHSmail team will send out a reminder to each organisation.

When suppliers and organisations meet the published standard, they are listed here. The conformance table below confirms how organisations meet their security obligations (arranged A-Z):

Organisation name	Date accredited	Accreditation type
Berkshire Healthcare NHS Foundation Trust	26 October 2018	Office 365
Bolton Hospitals NHS Foundation Trust	14 February 2019	Exchange
BMI Healthcare	26 September 2018	Office 365
Bradford District Care NHS Foundation Trust	28 February 2018	Office 365
Coloplast Limited	10 October 2019	Office 365
Coventry and Warwickshire Partnership NHS Trust	14 September 2018	Exchange
East of England Ambulance Service	9 October 2019	Office 365
Herefordshire CCG	28 September 2018	Exchange
Mid Cheshire Hospital Foundation Trust	14 September 2018	Office 365
Mountbatten Group	10 October 2019	Office 365
Norfolk and Suffolk NHS Foundation Trust	8 February 2018	Office 365
Norfolk Community Health & Care NHS Trust	24 August 2018	Office 365
Nuffield Health	1 January 2019	Office 365
Southern Health NHS Foundation Trust	24 September 2018	Exchange
Staffordshire & Shropshire Health Informatics Service	10 October 2019	Exchange
Sussex Partnership Foundation Trust	5 August 2019	Exchange
Swindon CCG	20 March 2018	Office 365
University Hospitals Birmingham NHS Foundation Trust	22 August 2018	Exchange
University Hospitals of Leicester NHS Trust	10 October 2019	Exchange
West Suffolk NHS Foundation Trust	6 September 2019	Exchange
Wye Valley NHS Trust	27 July 2018	Exchange

Contact

For any further queries regarding the secure email standard please contact feedback@nhs.net. You will receive a response within 5 working days.

Last edited: 14 October 2019 3:23 pm