All staff are responsible for making sure emails are sent to the right individual(s), using the correct process and only containing the minimum necessary information which is essential and appropriate (in line with Data Protection legislation and Caldicott Principles).
To protect confidential, person-identifiable information staff must ensure the following is adhered to when sending via email:
- Only use Trust-approved email accounts (ending merseycare.nhs.uk or nhs.net)
- Never put person-identifiable information into the subject line of an email
- Only use a person's initials and another identifier (eg NHS number, employee number, etc.) in the body of an email
- Never use person-identifiable information to name any attachments
- Ensure that a recipient's email address has been entered accurately or selected correctly from a provided address list.
Please note that the use of password protected documents is no longer Trust policy.
EXTERNAL EMAILS
Emails containing person confidential information going external to the Trust's network (e.g to another NHS organisation or an external third party) MUST be further protected by adding encryption.
How to apply encryption to an email
Mersey Care email address |
NHS Mail email address |
---|---|
From @merseycare.nhs.uk | From @nhs.net |
Type [secure] at the start of the email subject line. Please note that [ENCRYPT] and [RW4ENCRYPT] can also be used. |
Type [secure] at the start of the email subject line. |
Please see the IM&T Security Standard SS03 - Internet & Email Security for further details.
Further Staff Guidance
-
The Secure Email Quick Reference Guide provides clarification on secure email addresses and the necessary action required when sending to insecure email addresses.
-
Email Security Poster - the three key areas which staff must consider before sending an email.