Acceptable use policy: NHS Notify

All End User Organisations using the NHS Notify service should read and abide by this NHS Notify acceptable use policy and the connection agreement acceptable use policy. 

You can also read our transparency notice to learn how we process your data in NHS Notify.

NHS Notify Directions 2025 outline the permitted uses and purposes for which NHS England may provide the NHS Notify service to support End User Organisations to perform statutory functions or to provide commissioned services.

This NHS Notify acceptable use policy sets out permitted uses and terms applicable to the use of the NHS Notify service by End User Organisations in England only to contact Recipients.

This policy ensures that the NHS Notify service is used in a safe, secure and appropriate manner that protects Recipients’ rights and promotes effective communication between health and care providers and intended Recipients. 

Ensuring that all End User Organisations are fully conversant with permitted use is a key step in protecting both the End User Organisations and Recipients by helping to: 

• protect Recipients from receiving any nuisance or unlawful communication 
• reduce unsolicited and unwanted communications 
• maintain trust and public confidence that NHS and health and care organisations will only contact Recipients with appropriate communications and information 
• ensure compliance with UK General Data Protection Regulations (GDPR) and other legal requirements governing the use of personal information and electronic communications 
• protect NHS and health and care organisations from potential litigation or regulatory enforcement resulting from the incorrect, unsecure, unwanted or unlawful communication to Recipients - read Content considerations and clinical safety

This NHS Notify acceptable use policy applies to all End User Organisations that use the NHS Notify service in order to communicate with Recipients. This includes but is not limited to:

• adult social care providers
• NHS trusts
• GP practices
• community health services
• arms-length bodies
• organisations undertaking health or adult social care research
• any other health or social care providers

This NHS Notify acceptable use policy may be amended from time to time. 

NHS England may vary, replace or remove any aspects of this NHS Notify acceptable use policy and any of the documentation that is referred to in it. Any variation shall be effective from the date of its publication.

Each End User Organisation is an independent data controller and responsible for their communications and compliance with this policy as further detailed in End User Organisations: roles and responsibilities. 

NHS England is an independent data controller in relation to its provision of the NHS Notify service, as detailed further in the NHS Notify Directions 2025 . 

A connecting party may be a processor for End User Organisations, an End User Organisation itself, or have such other bespoke relationships as are identified in its agreements with End User Organisations and the connection agreement.

Compliance with this NHS Notify acceptable use policy is mandatory for End User Organisations in order to use the NHS Notify service.

NHS England reserves the right to take any action in response to non-compliance, such as disconnecting or suspending access to the NHS Notify service or requiring the connecting party to disconnect or suspend access to an End User Organisation.

If any complaints or misuse are reported to NHS England these will be investigated and steps will be taken as required with End User Organisations. 

End User Organisations are permitted to use the NHS Notify service:

• to communicate with Recipients for direct care and service messaging purposes
• to support health and care related research
• for other health and adult social care purposes provided these do not fall within the prohibited purposes detailed below

Examples of permitted purposes include, but are not limited to:  

• appointment management - sending reminders, confirmations, cancellations or rescheduling of appointments

• health information - providing relevant health information, updates on care, test results and follow-up instructions

• medication management - sending notifications related to prescriptions, medication reviews and adherence support

• patient engagement - facilitate individual care or treatment, engagement in health promotion activities, health care reminders, preventative care advice and self-care tips 

• service or business tasks and functions - informing Recipients about business changes or service promotion and availability, seeking feedback for service improvement

• care coordination - communicating care plans, referrals or instructions related to ongoing care, availability and invitations to healthcare services and treatments 

• research - communications to support research activity, such as (but not limited to) arrangement of appointments, completion of questionnaires, communication of information

• research - communications to support recruitment of Recipients to research

• planning - population health management

• proxy and dependents - communications in respect of those for whom Recipients have a recognised role or responsibility

The NHS Notify service must not be used for the following purposes:

• marketing or promotional content - any form of marketing, advertising, or promotional content, including political messaging and campaigning - read guidance on ‘What is and isn’t direct marketing’ for further information
• inappropriate or unlawful communication content - the content of communications that could be deemed insulting, offensive or unlawful solicitation - soliciting of donations or participation in activities not directly related to the Recipient’s health or care
• malicious activity - NHS Notify cannot be used:
  • in a way that could damage, disable, overburden, impair or compromise systems or security
  • in any unlawful manner or for any unlawful purpose
  • to act fraudulently or maliciously
  • to transmit, send or upload any data that contains viruses, Trojan horses, worms, spyware or any other harmful programs designed to adversely affect the operation of computer software or hardware
  • in connection with any kind of denial of service attack

Role

End User Organisations are independent controllers and responsible for determining:

• the purpose of communication

• content of communications

• whether to use, and if so which, NHS Notify messaging templates to be used

• the NHS numbers to be contacted such that the right Recipients receive communications

• whether contact details as stored in the Personal Demographics Service (PDS) are to be used, or, if not, upon agreement with the NHS Notify Implementation Board providing alternative contact details to be used for communications

• the best and appropriate messaging channel for a Recipient to be communicated with

• the communication channel routing configuration for communications, including: 

  • any variances to take account of any reasonable adjustments or accessibility adjustments required by Recipients or communication preferences expressed by Recipients

  • considerations as to what NHS Notify template and content is appropriate to send via what channel

  • providing this data and information to the NHS Notify service (via a connecting party as applicable) using the API or MESH

NHS England advises using the NHS App as the initial communication channel and implementing a contingency fallback mechanism (read Volume and frequency of contact) by using another messaging channel available through the service, for example email, SMS text message, or letters. This is defined in the routing configuration. 

End User Organisations remain responsible for their own compliance with all data protection, equality and other legislation, including, but not limited to:

• ensuring they have a specific legal basis, under both UK GDPR and common law duty of confidentiality, to contact the Recipient regarding the purpose of that specific communication

• maintaining a data protection impact assessment in relation to communications

• providing transparency information to Recipients

• ensuring data subjects are able to exercise any applicable rights, and managing any data subject requests or complaints

• maintaining an equality and healthcare impact assessment in relation to communications

• ensuring communications are accessible for all Recipients and take account of specific reasonable adjustments required by specific Recipients

Where an End User Organisation is sending any communication for purposes related to health and social care research the End User Organisation shall be responsible for (in addition to compliance with the remainder of this NHS Notify acceptable use policy): 

• compliance with specific research related provisions of UK GDPR, Data Protection Act 2018 and associated guidance, including having appropriate safeguards in place per Article 89 UK GDPR and section 19 Data Protection Act 2018, and following the ICO guidance on research related provisions (available at, as may be amended from time to time, The research provisions | ICO)

• obtaining any necessary NHS Health Research Authority, university, funder, or sponsor approvals and following the UK Policy Framework for Health and Social Care Research as published by the NHS Health Research Authority (available at, as may be amended from time to time, UK Policy Framework for Health and Social Care Research - Health Research Authority)

• ensuring that any opt-out including the national data opt-out are being taken into account of when considering which Recipients to send communications to, including, but not limited to, in relation to any recruitment activity or other unsolicited contact

• ensuring where the applicable legal basis for any communication is consent that this has been freely given and is a specific, informed, affirmative and unambiguous indication of the data subject’s wishes, and there are processes to manage withdrawal of such consent

End User Organisations must: 

• only send communications that are relevant to the Recipient

• ensure only staff with appropriate role-based access controls are authorised to use NHS Notify  

• ensure communications include the minimum amount of confidential patient information necessary to achieve the purpose for which they are sent

• ensure that their commissioned connecting party keeps a record of each generated message ID against the initial communication sent to the service API and the corresponding message, which is used for auditing and traceability between the organisations

• ensure that messages that specify an NHS App sender override use the appropriate ODS code of the sending organisation

• assess any potential risk posed by the content of proposed communications (which may include personal or special category data) when planning and sending communications to patients or public 

• where applicable, take account of this guidance (as may be amended from time to time) Email and text message communications - NHS Transformation Directorate

• where applicable, take account of DCB3051 Identity Verification and Authentication Standard for Digital Health and Care Services - NHS England Digital to aid decisions as to what level of verification is applicable for a Recipient to be able to access the content of, or content linked from, communications and which channels are appropriate

• where applicable, ensure the End User Organisation complies with the mandatory Clinical Safety Standard DCB0160, and that connecting parties comply with DCB0129 in respect of use and development of any system using the NHS Notify service

• ensure communication content and formatting takes account of any guidance or standards applicable to the channel and content, including NHS digital service manual and NHS England Accessible Information Standard

• ensure communications contain sufficient information for the Recipient to understand the purpose of the communication and any actions they need to take

• take reasonable measures to ensure any downstream services linked to from communication are also accessible and usable

• ensure that the content of communications is appropriate for the method of communication and does not pose undue risk to the individual 

Time critical content

Time critical content is anything medically important, where there would be a clinical risk if the user was either not informed or did not perform a requested action in a specific timeframe. NHS England does not guarantee how quickly communications will be processed and sent to Recipients. 

Examples of time critical content include, but are not limited to: 

• reminding a diabetic user to take their insulin 

• informing Recipients their appointment later that day has been cancelled, and they need to rearrange 

• requesting information, for example requesting photographs during a telephone appointment 

NHS England advises that you must have consideration when sending any communications with time-critical content due to potential limitations and consider a contingency fallback communication channel mechanism. 

Preferences

The indication of contact preferences does not mean that patients cannot be contacted via other communication mechanisms where this is necessary for their care. However, where someone has indicated a preference, and it is possible to respect this, it is good practice to do so. 

Objections

If a patient specifically objects to contact by a specific method, this should be upheld unless there are compelling legitimate grounds to process their data to communicate with them in that way.  

End User Organisations are responsible for managing Recipients’ objections and contact preferences (expressions of preference made by Recipients, often locally, and distinct from reasonable adjustments as recognised by the Equality Act 2010) and must: 

• plan how Recipients can specify their preferred channel and method for receiving communications including accessibility and request that they do not receive certain types of communications

• where possible respect Recipients’ existing contact preferences and requests not to receive communications and send through their preferred channels

• uphold objections to communication by specific methods unless there are compelling legitimate grounds not to do so 

End User Organisations take responsibility for the decision to determine how they are to send communications to intended Recipients with consideration of any communication preferences, including reasonable adjustments and accessibility, taking into account any relevant policies or guidance about communication preferences for the particular service.

End User Organisations must consider these communication preferences when determining the routing configuration for the messaging channels.

Replies to messages 

The service currently does not provide functionality to allow Recipients to reply directly to communications they have received via the service. NHS Notify can set up a reply-to address for email communications. The End User Organisation will need to provide an appropriate contact email mailbox. It must be considered how the Recipient can reply to the communications, including other contact information as required. 

End User Organisations must provide all digital and letter communication content in English. Digital channel communication is in English only.

The End User Organisation takes responsibility for the decision to send a message in a language other than English and ensuring that this meets that Recipient’s needs.

End User Organisations must provide letter translated communication content in the languages as required, and the intended Recipients who require messages in languages other than English. End User Organisations must take into consideration:  

• any relevant policies or guidance about language provision for the particular service 

• NHS Notify can identify Recipient language preferences from PDS if instructed by the Recipient 

• the service interfaces are only available in English 

• the service only supports non-English language communications using the letter messaging channel 

• the service does not provide non-English language translations of communication content, this must be provided by the End User Organisation

For further information, read Letters in other languages.

End User Organisations:

• must put suitable measures in place to consider feedback from Recipients who report inappropriate or undesired communication

• must ensure Recipients are not overburdened with the volume of messages - NHS England research has shown that patient, public or an individual’s engagement with messages falls if they receive too many communications that are not relevant to them. You should avoid sending too many messages to a Recipient that might be considered a nuisance, unless necessary for their health and care

• should refer to the section on time critical content in Content considerations and clinical safety

• unless agreed by the NHS Notify Implementation Board, should not use multiple simultaneous communication channels for the same messaging, as this risks over-burdening Recipients with volumes of communication

• are recommended to, where possible, select an initial communication channel method and when appropriate decide a secondary channel method to be used as a contingency fallback mechanism in case of an unsuccessful communication channel contact attempt. Take into account the purpose of the message, the status of the message (or other signals from other systems), and the time elapsed since the last status update

A contingency mechanism could be to send: 

• a fallback communication via another service channel, such as SMS text message, email, letter or a phone call 

• another message through the service, for example a follow-up or reminder to the initial message, or the same message again 

This is defined by the End User Organisation within the NHS Notify channel routing configuration prior to the issue of any communications. 

End User Organisations must update and publish their transparency or privacy notice:

• about their use of the NHS Notify service, and what it means for how and why the Recipient will receive communications

• about how their front-line staff and service desks will handle queries from Recipients and resolve issues in relation to communications

The End User Organisation acknowledges that: 

• NHS Notify will send email, SMS text messages, NHS App notifications and letter communications according to respective delivery timeframes
• any communication requests to NHS Notify outside of these hours will be processed during the next sending period

• the End User Organisation must consider these timescales when considering the purpose and channel of any communication, and if a communication is urgent alternative methods of contact (for example, telephone) should be used

End User Organisations acknowledge that NHS England: 

• shall, except where the End User Organisation has provided preferred patient contact details, obtain contact details from PDS and validate these

• shall identify any Recipients with any restricted PDS access, for example sensitive flagged or PDS reason for removal code applicable, for example deceased patients, and filter out to exclude these individuals from communications

• shall, where NHS England uses third party providers to support with delivery of NHS Notify, allocate such activity as it sees fit in its discretion

• shall not make any checks associated with or apply any reasonable adjustments other than as specified by the End User Organisation

• shall not make any checks associated with or apply any communication preferences (unless for reasonable adjustment purposes) other than as specified by the End User Organisation

• shall monitor and provide statistics of the volumes of communications to Recipients 

• shall not undertake any verification as to who the Recipient is beyond the validation of NHS number and contact details in PDS

• shall not review, proof or approve the message content in any communication, unless for adherence to NHS Notify technical processes 

• will instruct the Recipient to contact the End User Organisation if NHS England directly receives any Recipient’s requests to stop or start receiving communication through the service

The following table provides terms used in NHS Notify's acceptable use policy: