Secure Email Standard Accreditation

Your organisation may prefer to accredit your existing email system with NHS Digital to demonstrate compliance with the standard. To do this you must have:

• An existing Office 365 email service or your own self-managed service (i.e. not a Hotmail/gmail account)
• Access to internal or external IT support
• The ability to provide evidence that you meet the requirements of the standard
• Resources to annually renew your accreditation

If you accredit your system, you will retain your own domain name for your email system. Once the accreditation has been processed, your organisation will be added to NHS Digital’s list of accredited organisations.

You can access the current list of DCB1596 accredited organisations here: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard. Any organisation on this list is accredited. This list is publicly available and needs to be downloaded. It is available as a CSV file (e.g. it can be opened with Microsoft Excel, Google Sheets or similar).

You may be aware that DCB1596 previously required organisations to change their domain names, i.e. “…@…..secure.nhs.uk”. This requirement has now been dropped.

The Accreditation Process

To accredit your system you must follow these steps:

1. Submit a signed self-accreditation statement with evidence. The accreditation statements are available below.
2. Submit the self-accreditation statement and evidence to [email protected]
3. Have your evidence checked by the NHS Digital Data Security Centre and NHSmail team
4. Rectify any findings and re-submit to the NHSmail team
5. DCB1596 met
6. Renew on an annual basis

Note that the DCB1596 process is completely separate from the Data Security and Protection Toolkit, which will still be a requirement

1.     Microsoft Office 365 – accreditation process

If you use Office 365 email, the accreditation process is much simpler than for other self-managed services. You should do the following:

1. Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services.
2. Have policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them.
3. If applicable to your organisation, comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
4. Have policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems (e.g. those used by service users/clients and their friends and relatives)
5. Register compliance with the NHSmail team.

Microsoft Office 365 accreditations must include confirmation that the email service has been configured to securely communicate with NHSmail. The Microsoft Office 365: Secure email configuration guide has been co-produced with Microsoft this allows O365 to be enabled to securely route emails to and from NHSmail.

You can download the self-accreditation template from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard

2.     Exchange, hybrid or other email services

If you are using an email system other than Office 365 you must complete the Organisation section of the standard and also submit assertions and evidence that they meet the ICT Service Provider elements of the standard.

The templates for this can be downloaded from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard

3.     What to do once you have achieved accreditation

Once accredited, your domain will be added to the NHS Digital list of DCB1596 accredited organisations. This means that NHSmail users can be assured that emails sent between your addresses and NHSmail are secure.

However, in practice, most users will not be aware of the list of DCB1596 accredited organisations, and so may not immediately recognise your email as secure. Therefore you should also have conversations with the partners that you regularly share information with, to explain to them that your email domain is accredited. You can encourage them to add the NHS Digital list of accredited organisations to their internal email whitelists (this will also be happening for NHSmail in the near future).

You can use the list to apply your own transport rules such as to invoke local message based encryption tool for non-accredited domains or create your own Mail Tips.

You will have to implement a policy on how frequently you will update your own Whitelist as organisations will be added and removed throughout the year.

4.     Re-accreditation

Your accreditation will last one calendar year. After this, you will need to reaccredit your organisation.

Reaccreditation requires you to resubmit evidence for review. Generally, this will be similar to what you have previously had to submit. Penetration test results and ISO27001 certificates must be within the last 12 months.

It is your responsibility to ensure that your organisation re-accredits every year.

Additional information

You can access statements on how NHSmail and Office 365 comply with email security obligations from the secure accreditation page: https://digital.nhs.uk/services/nhsmail/the-secure-email-standard