All staff are responsible for making sure emails are sent to the right individual(s), using the correct process and only containing the minimum necessary information which is essential and appropriate (in line with Data Protection legislation and Caldicott Principles). 

To protect confidential, person-identifiable information staff must ensure the following is adhered to when sending via email:

  • Only use Trust-approved email accounts (ending or
  • Never put person-identifiable information into the subject line of an email
  • Only use a person's initials and another identifier (eg NHS number, employee number, etc.) in the body of an email
  • Never use person-identifiable information to name any attachments
  • Ensure that a recipient's email address has been entered accurately or selected correctly from a provided address list.

Please note that the use of password protected documents is no longer Trust policy.


Please see NHS Cheshire and Merseyside's guidance on sending secure emails.

Any emails containing person confidential information going external to the Trust's network that are not covered by the guidance above MUST be further protected by adding encryption. 

How to apply encryption to an email

Mersey Care email address

NHS Mail email address



Type [secure] at the start of the email subject line.

Please note that [ENCRYPT] and [RW4ENCRYPT] can also be used.

Type [secure] at the start of the email subject line.

Please see the IM&T Security Standard SS03 - Internet & Email Security for further details.

Further Staff Guidance