Getting a secure email account

All organisations that access or use NHS patient data must show that they have met the standards set out in the Data Security and Protection Toolkit (DSPT).

All organisations that use personal data (including health and care organisations) also need to be registered with the Office of the Information Commissioner. If your organisation is not already registered, you can apply online.

Completing the Data Security and Protection Toolkit

The DSPT is an online self-assessment tool that measures your organisation’s level of data security against a set of ten national standards.

There are two levels to work towards:

If your organisation has not registered and completed a DSPT assessment for compliance already, at least to entry level, you will have to do this before you can apply for NHSmail.

Note: During the COVID-19 response, NHSmail (or other secure email) has been implemented to ensure that all care homes could provide effective care. To speed this up, the DSPT requirement has been temporarily waived until 30 June 2021. After this date the DSPT must be completed.

Larger care providers with several sites may already have completed the DSPT and have an accredited secure email system registered with NHS Digital. Please check with your own organisation’s data protection or information governance teams for local information.

DSPT standards met level

We recommend that all social care organisations with an entry level assessment work towards the full ‘standards met’ accreditation within a year.
