Avoiding email dangers

Security and protection of personal data are key concerns when emailing clinical information.

  • Make sure patient information is sent securely.
  • Take care when sending bulk emails to many recipients.
  • Comply with regulations for use of personal information under data protection law.

Send and receive messages securely

Many health professionals use NHSmail to communicate about clinical matters, including patient referrals, test requests and cancellations. The system allows information to be encrypted and sent securely.

To further maintain patient safety and minimise clinical risk, the NHS advises that all NHSmail users consider the following when sending emails:

  • Make sure you have a process of checking when clinical communications have been received, so that you don't miss referrals or test requests.
  • Have in place a business continuity plan, in case NHSmail becomes suddenly unavailable. Further advice can be found on the NHS England website.
  • Check that you are meeting the SCCI0160 standard in how NHSmail is used by staff.

The NHS has published a full policy on NHSmail use and best practice, available on its website.

Take care when multi-tasking

If you are juggling multiple email accounts – such as NHSmail, your employer's account and any personal accounts – make sure you are in the habit of regularly checking them. An email about a claim or a request for a patient's record, for example, may carry a specific deadline for a response.

  • Check accounts regularly, or set up an automated response directing senders to your main address.
  • Keep email signatures, letterheads or website contact details up to date.
  • If you discover an important email has been overlooked, it is important to offer a prompt explanation and apology. You should also tell the sender when they can expect a response to their request.

Remember that if you are dealing with multiple email accounts, you should keep clinical information and patient data to your professional accounts only. Emailing confidential information to a potentially insecure email address poses a security risk, and could lead to a breach of confidentiality. Some information can be difficult to erase permanently from a hard drive.

Bulk emails and protecting the privacy of your recipients

In recent years there have been several cases – including one high-profile incident at a London clinic – in which a breach of confidentiality occurred when patients' details were revealed through a mass email.

To help protect confidential information and avoid putting patients at risk, remember:

  • Use 'Bcc' when sending an email to several people. This means a copy of the email goes to every recipient, but each recipient sees only your email address, not the other recipients'.
  • Using the 'To' or 'Cc' email fields means all recipients will be able to see each other's email addresses. If the email is then forwarded, all the addresses will be included in the forwarded email as well.
  • If confidentiality is breached by sending bulk emails to several recipients, patients may be put at risk and/or complain.
  • If a mistake is made and bulk emails are sent in this fashion, inform the patients affected promptly so that they can take appropriate steps if they wish.
  • You should also consider informing the ICO if there is a risk to the data subject or if special category personal data is involved. See the ICO website for more details.

Other pitfalls can arise in the case of misdirected emails.

  • When sending confidential patient information, take a moment to check the recipient's email address is correct. For example, an.other@nhs.net can at first glance look very similar to an2.other@nhs.net.
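The two checks above (recipients in Bcc rather than To/Cc for a bulk send, and a second look at the recipient address before sending confidential information) can be applied automatically before a draft leaves the practice. The following is an added example, not MDU or NHS code: it assumes drafts are built with Python's standard library `email.message.EmailMessage` and checked by a pre-send step, and the address book and patient addresses are constructed for the demonstration (the an.other/an2.other pair is the page's own illustration of a look-alike address).

```python
"""Pre-send checks for bulk and clinical email drafts (added example, not MDU/NHS code).

Assumption: drafts are EmailMessage objects that are checked before being handed
to the mail client or SMTP server. Sample addresses below are constructed.
"""
from difflib import get_close_matches
from email.message import EmailMessage
from email.utils import getaddresses


def addresses_in(msg: EmailMessage, header: str) -> list[str]:
    """Bare, lower-cased addresses listed in one header (From, To, Cc or Bcc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipient_problems(msg: EmailMessage) -> list[str]:
    """Report when more than one recipient would see the others' addresses.

    Anything in To or Cc is visible to every recipient and travels with the
    message when it is forwarded; only Bcc keeps the recipient list hidden.
    """
    visible = addresses_in(msg, "To") + addresses_in(msg, "Cc")
    if len(visible) > 1:
        return [f"{len(visible)} addresses visible in To/Cc ({', '.join(visible)}); move them to Bcc"]
    return []


def move_recipients_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Rewrite a bulk draft so every recipient is in Bcc and only the sender is in To."""
    sender = addresses_in(msg, "From")
    if not sender:
        raise ValueError("draft has no From address to put in the To field")
    everyone: list[str] = []
    for header in ("To", "Cc", "Bcc"):
        for addr in addresses_in(msg, header):
            if addr not in everyone:
                everyone.append(addr)
        del msg[header]  # removes every instance of that header; no error if absent
    msg["To"] = sender[0]
    msg["Bcc"] = ", ".join(everyone)
    return msg


def lookalike_warnings(msg: EmailMessage, address_book: list[str], cutoff: float = 0.9) -> list[str]:
    """Flag recipients who are not in the address book but closely resemble someone who is.

    difflib's similarity ratio is used as a cheap near-miss detector: an.other@nhs.net
    versus an2.other@nhs.net scores about 0.97, well above the 0.9 cutoff.
    """
    known = sorted({a.lower() for a in address_book})
    warnings = []
    for header in ("To", "Cc", "Bcc"):
        for addr in addresses_in(msg, header):
            if addr in known:
                continue
            near = get_close_matches(addr, known, n=1, cutoff=cutoff)
            if near:
                warnings.append(f"{header}: {addr} is not a known contact but looks like {near[0]}")
    return warnings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run both checks on constructed drafts and return (before, after, lookalike) findings."""
    # Constructed bulk draft: three patients placed in To by mistake.
    bulk = EmailMessage()
    bulk["From"] = "practice@example.org"
    bulk["To"] = "patient.one@example.com, patient.two@example.com, patient.three@example.com"
    bulk["Subject"] = "Flu clinic dates"
    bulk.set_content("Clinic dates attached.")
    before = visible_recipient_problems(bulk)
    move_recipients_to_bcc(bulk)
    after = visible_recipient_problems(bulk)

    # Constructed referral draft with a one-character slip in the recipient address.
    referral = EmailMessage()
    referral["From"] = "practice@example.org"
    referral["To"] = "an2.other@nhs.net"
    referral["Subject"] = "Referral"
    referral.set_content("Confidential referral attached.")
    lookalike = lookalike_warnings(referral, ["an.other@nhs.net", "admin@example.org"])
    return before, after, lookalike


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the guard sits in whatever sends on the practice's behalf (a mail-merge script, a helpdesk integration): a bulk send is refused until it passes `visible_recipient_problems`, and a look-alike warning asks the sender to confirm the address rather than silently correcting it, since the unknown address may be genuine.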

Use of personal information

  • The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 govern the use of personal information. This includes using personal information for marketing purposes.
  • Unsolicited marketing can only be carried out if the person you are contacting has given you permission to do so.
  • There is a 'soft opt-in' rule, which applies if the messages are only marketing similar products or services and where the person's details have been obtained in the course of providing that service.
  • In a GP practice, patients have to be given a simple opportunity to decline contact about future services both at the time their details are collected and in future messages.

Emails and text messages are also specifically covered by the Privacy and Electronic Communications Regulations*. These place restrictions on how unsolicited direct marketing by electronic mail is carried out.

  • 'Electronic mail' encompasses email, text, picture, video, voicemail and answer phone messages, but not faxes.
  • Under the revised regulations, you are required to notify the Information Commissioner if a personal data breach occurs relating to the personal data you use for marketing.
  • Keep a log of any such breaches, including personal data you use for other purposes.
  • If you are sending bulk emails to patients, you will have to comply with GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.
  • Check you have the appropriate consent from the patient to approach them by email.
  • Make sure that they can opt out of receiving such messages at any time.

* The EU is in the process of replacing the Privacy and Electronic Communications Regulations with ePrivacy Regulation. This is likely to come into force in 2019.

This guidance was correct at publication 30/08/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
