Avoiding email dangers

Security and protection of personal data is a key concern when emailing clinical information.

  • Make sure patient information is sent securely.
  • Take care when sending bulk emails to many recipients.
  • Comply with regulations for use of personal information under data protection law.

Send and receive messages securely

Many health professionals use NHSmail to communicate about clinical matters, including patient referrals, test requests and cancellations. The system allows information to be encrypted and sent securely.

To maintain patient safety and minimise clinical risk even further, the NHS advises that all NHSmail users consider the following advice when sending emails.

  • Make sure you have a process of checking when clinical communications have been received, so you don't miss referrals or test requests.
  • Have in place a business continuity plan, in case NHSmail becomes suddenly unavailable. More advice can be found on the NHS England website.
  • Check you're meeting the SCCI0160 standard in how NHSmail is used by staff.

The NHS has published a full policy on NHSmail use and best practice.

Take care when multi-tasking

If you're juggling multiple email accounts - like NHSmail, your employer's account and any personal accounts - make sure you're in the habit of checking them regularly. An email about a claim or a request for a patient's record, for example, will demand a response by a specific deadline.

  • Check accounts regularly, or set up an automated response directing senders to your main address.
  • Keep email signatures, letterheads or website contact details up to date.
  • If you discover an important email has been overlooked, it is important to offer a prompt explanation and apology. You should also tell the sender when they can expect a response to their request.

Remember that if you are dealing with multiple email accounts, you should keep clinical information and patient data to your professional accounts only. Emailing confidential information to a potentially insecure email address poses a security risk, and could lead to a breach of confidentiality. Some information can be difficult to erase permanently from a hard drive.

Bulk emails and protecting the privacy of your recipients

In recent years there have been several cases - including one high-profile incident at a London clinic - in which a breach of confidentiality occurred when patients' details were revealed through a mass email.

Here are some tips to help protect confidential information and avoid putting patients at risk.

  • Use 'Bcc' when sending an email to several people. This means a copy of the email goes to every recipient, but only your email address is visible.
  • Using the 'To' or 'Cc' email fields means all recipients will be able to see each other's email addresses. If the email is then forwarded, all the addresses will be included in the forwarded email as well.
  • If confidentiality is breached by sending bulk emails to several recipients, patients may be put at risk and/or complain.
  • If a mistake is made and bulk emails are sent in this way, tell the affected patients quickly so they can take appropriate steps if they want.
  • You should also consider informing the ICO if there's a risk to the data subject or if special category personal data is involved. See the ICO website for more details.

Other pitfalls can arise in the case of misdirected emails.

  • When sending confidential patient information, take a moment to check the recipient's email address is correct. For example, an.other@nhs.net could easily be mistaken for am.other@nhs.net.
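The two pitfalls described above (recipient addresses exposed to everyone through the 'To' or 'Cc' fields, and a recipient address that is one keystroke away from the intended one) can both be caught by a check run on a draft before it is sent. The following Python script is an added example written for this page; it is not code from the original guidance or from NHSmail. The address book KNOWN_CONTACTS, the BULK_THRESHOLD cut-off and every address in it are constructed assumptions, and as_delivered only emulates the Bcc stripping that a submission agent such as smtplib.send_message performs; nothing is sent.

```python
# Added example (not part of the original guidance): pre-send checks for bulk and
# misdirected clinical email, using only the Python standard library.
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed address book of trusted clinical correspondents (assumption, not from the page).
KNOWN_CONTACTS = {"an.other@nhs.net", "referrals.clinic@nhs.net"}
# Assumed cut-off: more visible recipients than this is treated as a bulk mailing.
BULK_THRESHOLD = 5


def addresses(msg, field):
    """Plain lower-case addresses in a header, e.g. 'A N Other <an.other@nhs.net>' -> 'an.other@nhs.net'."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(field, []))]


def edit_distance(a, b):
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_before_send(msg, known=KNOWN_CONTACTS, threshold=BULK_THRESHOLD):
    """Return a list of warnings for a draft; an empty list means both checks passed.

    Check 1: many recipients in To/Cc means every recipient (and anyone the message is
             forwarded to) can see every other recipient's address.
    Check 2: an address that is not in the address book but is one character away from
             a known contact is probably a typo (am.other@nhs.net for an.other@nhs.net).
    """
    warnings = []
    visible = addresses(msg, "To") + addresses(msg, "Cc")
    if len(visible) > threshold:
        warnings.append(
            f"{len(visible)} recipients in To/Cc can all see each other's addresses; use Bcc for bulk mail"
        )
    for addr in visible + addresses(msg, "Bcc"):
        if addr in known:
            continue
        for contact in known:
            if edit_distance(addr, contact) == 1:
                warnings.append(f"{addr} is one character away from known contact {contact}; check it")
    return warnings


def new_message(sender, subject, body, to=None, bcc=None):
    """Build a message; 'to' and 'bcc' are lists of addresses (default: only the sender in To)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to) if to else sender
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def bulk_message(sender, recipients, subject, body):
    """The safe pattern for bulk mail: every recipient in Bcc, only the sender visible in To."""
    return new_message(sender, subject, body, bcc=recipients)


def as_delivered(msg):
    """Emulate what a submission agent such as smtplib.send_message does: the copy handed
    to the mail server, and so to each recipient, carries no Bcc header at all."""
    delivered = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del delivered["Bcc"]  # removes every Bcc header; a no-op if there is none
    return delivered


if __name__ == "__main__":
    patients = [f"patient{i}@example.invalid" for i in range(6)]  # constructed addresses
    draft = bulk_message("clinic@example.invalid", patients, "Flu clinic dates", "Constructed body text.")
    print("warnings for Bcc draft:", check_before_send(draft))
    print("addresses a recipient can see:", addresses(as_delivered(draft), "To"))
    exposed = new_message("clinic@example.invalid", "Flu clinic dates", "Constructed body text.", to=patients)
    print("warnings for To draft:", check_before_send(exposed))
    typo = new_message("clinic@example.invalid", "Referral", "Constructed body text.", to=["am.other@nhs.net"])
    print("warnings for lookalike address:", check_before_send(typo))
```

The lookalike check deliberately flags only addresses that are not already in the address book, so a genuine new correspondent is not blocked, and the edit-distance threshold of one catches exactly the single-character slip the guidance describes; a mail client or send hook can refuse to send, or ask for confirmation, whenever the returned list is non-empty.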

Use of personal information

  • The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 govern the use of personal information. This includes using personal information for marketing purposes.
  • Unsolicited marketing can only be carried out if the person you're contacting has given you permission to do so.
  • There is a 'soft opt-in' rule, which applies if the messages only market similar products or services and the person's details were obtained in the course of providing that service.
  • In a GP practice, patients have to be given a simple opportunity to decline contact about future services both at the time their details are collected and in future messages.

Emails and text messages are also specifically covered by the Privacy and Electronic Communications Regulations. These place restrictions on how unsolicited direct marketing by electronic mail is carried out.

  • 'Electronic mail' encompasses email, text, picture, video, voicemail and answerphone messages, but not faxes.
  • Under the revised regulations, you must notify the Information Commissioner if a personal data breach occurs relating to the personal data you use for marketing.
  • Keep a log of any such breaches, including personal data you use for other purposes.
  • If you're sending bulk emails to patients, you will have to comply with GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.
  • Check you have the appropriate consent from the patient to approach them by email.
  • Make sure they can opt out of receiving such messages at any time.

This page was correct at publication on 31/01/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
