Your organisation may prefer to accredit your existing email system with NHS Digital to demonstrate compliance with the standard. To do this you must have:
If you accredit your system, you will retain your own domain name for your email system. Once the accreditation has been processed, your organisation will be added to NHS Digital’s list of accredited organisations.
You can access the current list of DCB1596 accredited organisations here: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard. Every organisation on this list is accredited. The list is publicly available and is published as a CSV file that you download (it can be opened with Microsoft Excel, Google Sheets or similar).
You may be aware that DCB1596 previously required organisations to change their domain names, i.e. “…@…..secure.nhs.uk”. This requirement has now been dropped.
To accredit your system you must follow these steps:
Note that the DCB1596 process is completely separate from the Data Security and Protection Toolkit, which will still be a requirement.
If you use Office 365 email, the accreditation process is much simpler than for other self-managed services. You should do the following:
Microsoft Office 365 accreditations must include confirmation that the email service has been configured to communicate securely with NHSmail. The Microsoft Office 365: Secure email configuration guide, co-produced with Microsoft, describes how to enable O365 to route emails securely to and from NHSmail.
You can download the self-accreditation template from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard
If you are using an email system other than Office 365, you must complete the Organisation section of the standard and also submit assertions and evidence that your system meets the ICT Service Provider elements of the standard.
The templates for this can be downloaded from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard
Once accredited, your domain will be added to the NHS Digital list of DCB1596 accredited organisations. This means that NHSmail users can be assured that emails sent between your addresses and NHSmail are secure.
However, in practice, most users will not be aware of the list of DCB1596 accredited organisations, and so may not immediately recognise your email as secure. Therefore you should also have conversations with the partners that you regularly share information with, to explain to them that your email domain is accredited. You can encourage them to add the NHS Digital list of accredited organisations to their internal email whitelists (this will also be happening for NHSmail in the near future).
You can use the list to apply your own transport rules, for example invoking a local message-based encryption tool for recipients in non-accredited domains, or creating your own MailTips.
You will have to implement a policy on how frequently you update your own whitelist, as organisations are added to and removed from the list throughout the year.
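The two points above (driving a transport decision from the downloaded CSV, and enforcing a refresh policy on your local copy) can be prototyped before they are turned into mail-server rules. The following is an added example written for this page, not NHS Digital code or a reproduction of the published list. It assumes the CSV has a column holding each accredited organisation's email domain (the header name `Domain` is an assumption; adjust it to match the real file), that NHSmail's own domain `nhs.net` is always trusted, and that a copy of the list older than seven days (an arbitrary local policy value) must not be trusted until re-downloaded.

```python
"""Classify outbound recipients against a local copy of the DCB1596 accredited list.

Added example, not NHS Digital code. The CSV layout (column 'Domain'), the
7-day refresh policy and the sample rows below are all assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample of the downloaded CSV; these are not real accredited organisations.
SAMPLE_CSV = """Organisation,Domain
Example Hospice,example-hospice.org.uk
Example Care Home Group,Care.Example-Group.CO.UK
"""

# NHSmail itself is the other end of the standard, so it is trusted without a list entry.
ALWAYS_SECURE = {"nhs.net"}


def load_accredited_domains(csv_text, column="Domain"):
    """Return the set of accredited domains, lower-cased and stripped of whitespace."""
    reader = csv.DictReader(io.StringIO(csv_text))
    domains = set()
    for row in reader:
        value = (row.get(column) or "").strip().lower()
        if value:
            domains.add(value)
    return domains


def recipient_domain(address):
    """Extract and normalise the domain part of an email address; reject malformed input."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    return domain.lower()


def is_list_stale(downloaded_on, today, max_age_days=7):
    """Local refresh policy (assumed): a copy older than max_age_days is stale.

    Dates are ISO strings (YYYY-MM-DD), e.g. as recorded alongside the download.
    """
    age = date.fromisoformat(today) - date.fromisoformat(downloaded_on)
    return age > timedelta(days=max_age_days)


def classify_recipients(recipients, accredited, downloaded_on, today, max_age_days=7):
    """Map each recipient to 'secure' (send as normal) or 'encrypt' (invoke local encryption).

    Refuses to make any decision from a stale copy of the list, so that a
    forgotten download cannot silently extend trust to domains that have
    since been removed.
    """
    if is_list_stale(downloaded_on, today, max_age_days):
        raise RuntimeError("accredited list is stale; download a fresh copy before trusting it")
    decisions = {}
    for rcpt in recipients:
        domain = recipient_domain(rcpt)
        trusted = domain in ALWAYS_SECURE or domain in accredited
        decisions[rcpt] = "secure" if trusted else "encrypt"
    return decisions


if __name__ == "__main__":
    accredited = load_accredited_domains(SAMPLE_CSV)
    result = classify_recipients(
        ["clinician@nhs.net", "nurse@Care.Example-Group.co.uk", "friend@gmail.com"],
        accredited,
        downloaded_on="2024-01-01",
        today="2024-01-03",
    )
    for rcpt, action in result.items():
        print(rcpt, "->", action)
```

The match is on the exact domain after case-folding: the page does not say whether subdomains of an accredited domain inherit accreditation, so the example does not assume they do. The stale-list check is deliberately a hard failure rather than a warning, because the safe default for a recipient you cannot vouch for is to encrypt, not to send in the clear.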
Your accreditation will last one calendar year. After this, you will need to reaccredit your organisation.
Reaccreditation requires you to resubmit evidence for review. Generally, this will be similar to what you have previously had to submit. Penetration test results and ISO27001 certificates must be within the last 12 months.
It is your responsibility to ensure that your organisation re-accredits every year.
You can access statements on how NHSmail and Office 365 comply with email security obligations from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard