Part of Secure email standard (DCB1596) guidance

The accreditation process

Submit the evidence via NHS England ServiceNow where it will be reviewed by the secure email team. A list of organisations, and their date of accreditation, is available on our website. Organisations who do not re-accredit by the expiry date will be removed from the secure email web page. 

The length of time to accredit depends on the resources of the accrediting organisations and the ability to provide all necessary supporting documentation. 

O365 accreditations can take between one and three months, and self-management accreditations have ranged from six months to one year. The ability to use the Data security and protection toolkit is expected to reduce these timescales.

These timescales may be longer depending on:

  • resources and expertise available to the organisation
  • planning and timescales for completing the accreditation requirements
  • any issues or errors in the accreditation, creating further delays. 

Organisations using NHSmail as their primary email service

NHSmail is accredited to the DCB1596 secure email standard and is a secure national collaboration service which enables the safe and secure exchange of official sensitive data within NHSmail and from NHSmail to other suitably accredited email systems. 

Model policies have been provided and organisations using NHSmail should ensure that they either implement the NHSmail policies or put in place their own local policies and procedures: 

1. Ensure there is a process in place to notify the NHSmail team upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and / or the security of the services or the systems used to provide the services. 

2. Health and care organisations SHOULD set policies and procedures for the use of secure email using mobile devices and ensure the email service enforces them either with the model policies or their own. 

3. Health and care organisations SHOULD comply with the provisions of DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems. Wherever there is a clinical workflow using NHSmail, each clinical workflow should have a clinical safety case and a hazard log.

4. Health and care organisations MUST set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely, including how to send emails to insecure email systems, such as those used by patients. This can be with the model policies or locally provided policies.


Sharing health and social care information between nhs.uk accounts and locally provided email systems

Ensure that your organisation accredits to the DCB1596 secure email standard following the self-management route.

Upon accreditation, follow the practices recorded in the sharing sensitive information guidance and ensure this is communicated to your users.

Re-accredit on an annual basis to ensure that requirements are accurate and up to date. 


Sharing health and social care information between nhs.uk accounts and accredited O365 email service

Ensure that your organisation accredits to the DCB1596 secure email standard following the Office 365 route.

As part of your accreditation, follow the technical requirements detailed in the Microsoft Office 365: Secure email configuration guide.

Upon accreditation, follow the practices given in the sharing sensitive information guidance and ensure this is communicated to your users.


Sharing health and social care information between nhs.uk accounts and a third party provider

Ensure that your organisation accredits to the DCB1596 secure email standard following either the Office 365 or self-management route.

Upon accreditation, follow the practices detailed in the sharing sensitive information guidance and ensure this is communicated to your users.

The accreditation process at a glance

Microsoft Office 365 accreditations

  • submission of a signed O365 conformance standard
  • statement checked by NHSmail team
  • DCB1596 met.

Self accreditations (in-house and hybrid)

  • submission of a signed self accreditation conformance standard statement with evidence
  • evidence checked by security and NHSmail team
  • rectification of findings and resubmission to NHSmail team
  • DCB1596 met.

[Image: the accreditation process for Microsoft Office 365 accreditation and self accreditation]


Last edited: 24 October 2024 8:18 am