General Policy
Digital & Information
GP/E6
Information Security Manager
Corporate Records Manager / Information Governance & Security
Director of Digital & Information
01 January 2007
28 May 2026
28 May 2029
7

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy/procedure statements and aims to review policies within the timescales set out.

New policies/procedures will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies/procedures will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy/procedure is past its review date, then the content will remain extant until such time as the policy/procedure review is complete and the new version published.

This policy has been written to comply with current legislation, and the policy will be updated appropriately to suit new and/or modified legislation. The references appendix will be updated to reflect this legislation.

1. FUNCTION

This policy details the framework within which NHS Fife supports the use of email. This policy forms part of the Information Security Management System (ISMS) and should be read in conjunction with all the Information Security policies.

The purpose of this policy is to ensure that email is used effectively and securely across NHS Fife.

This policy contains important rules covering email. Email is an official and core communication tool, used within NHS Fife to support operational and administrative activities. Its primary functions include:

  • Internal communication between staff, departments and teams, including messages that carry Personal Identifiable Information (PII) and business-sensitive data.
  • External communication with patients, partner organisations, suppliers and stakeholders, using secure practices.

1.1 Definitions

The definitions below cover terms relating to email use or functions.

Spamming - Spam is unsolicited commercial email, the electronic equivalent of the junk mail that comes through your letterbox.

Phishing - Phishing is the use of fraudulent emails and websites to trick an email user into supplying confidential and personal information.

Chain Letters - A chain letter is an electronic email that urges you to forward copies to other people.

Outlook - Microsoft Outlook is the organisation’s platform for managing email communication. It also provides calendar and task management and integrates with other M365 applications. Section 5 refers.

2. SCOPE

This policy applies to all NHS Fife staff in order to maintain information security. Many of the rules apply equally to NHS Fife’s other methods of external communication, such as letters, social media and other external communication channels.

Further guidance on external communications can be found in GP/O2 Corporate Communications Policy.

In the interests of clarity all references to ‘staff’ includes:

  • all staff within NHS Fife
  • all volunteer staff directly engaged with NHS Fife operations
  • all 3rd party employees directly engaged in service provision or embedded with NHS Fife departments
  • all staff who are employed, engaged or partners within primary care settings (contracted to NHS Fife)
  • all General Practices and any other category of independently employed contractor
  • all personnel, regardless of employment status, who have been issued with an @nhs.scot email account.

3. RESPONSIBILITIES

3.1 Digital & Information Department (D&I)

Digital and Information are responsible for issuing and the ongoing management of NHS Fife’s email platform. This includes creating accounts in line with approved requests, assigning appropriate role-based access controls (RBAC) and ensuring compliance with NHS Fife’s wider Information Security Policies. D&I will manage and enforce additional security controls, including multi-factor authentication and password management, to protect the confidentiality, integrity and availability of NHS Fife data.

NHS Fife reserves the right, consistent with UK legislation including the Data Protection Act 2018 and UK GDPR, to conduct lawful business monitoring of IT systems. This is essential for maintaining the confidentiality, integrity and availability of NHS Fife’s digital infrastructure. No member of staff should consider information sent or received through the Internet or email as their private information, and email communication may be requested in line with a legitimate Freedom of Information request.

Any issue with email should be directed to the D&I service desk.

3.2 All Staff using Email

It is the responsibility of all staff to manage their inboxes and to comply with this policy, GP/D3 Data Protection, GP/R4 Records Management and all other Information Security Policies listed at section 8. Section 4 provides specific instruction on the operational system, but users are also reminded to:

  • Ensure sensitive or personal data is only shared with authorised recipients.
  • Use encryption or secure email methods when sending confidential information.
  • Avoid including patient sensitive information unless absolutely necessary.
  • Not share their issued email account with another user (unless the terms of 4.12 apply).
  • Refuse access to the NHS Fife email system to unauthorised individuals.

Email users should be aware that they neither own the documents that they or their colleagues create, nor hold intellectual property rights in them.

3.3 Information Governance and Security (IG&S) Department

The IG&S Department will monitor the use of the Email systems and oversee policy enforcement. All Email is centrally stored, and NHS Fife may have legitimate business need to access emails or the email account of the user. 

Reasons for monitoring include, but are not limited to:

  • Preventing or detecting misuse.
  • Preventing or detecting crime.
  • Ensuring email is operating correctly.
  • In response to a service led investigation.
  • In response to a Cyber incident.

The IG&S Department will notify the respective Line Manager and Workforce of any breaches of this policy.

3.4 Line Managers

It is the responsibility of Line Managers to ensure that all staff adhere to the contents of this policy.

Responsibility for taking any appropriate disciplinary action following a breach of this policy lies with the relevant Line Manager having taken advice from Workforce.

4. OPERATIONAL SYSTEM

4.1 When to use Email

It is the responsibility of the person sending an email message to decide whether email is the most appropriate method to communicate the information. The decision to send an email should be based on a number of factors including:

  • The subject of the message.
  • The recipient’s availability.
  • The speed of transmission.
  • The speed of response required.
  • The number of recipients of the email.
  • The sensitivity of the information being shared.

4.2 Writing Work Related Email Messages

When writing a work-related email, it is important that consideration is given to the way in which the message is conveyed. This includes thinking about the title, the text and the addressees. All communications must reflect NHS Fife’s values and standards.
Refer to GP/E6 Appendix 1 - Email Good Practice Guidelines for more information.

Email messages constitute a formal record and can be requested in support of legislative requirements, including Freedom of Information requests, and organisational or criminal investigations.

4.3 Personal Use

NHS Fife defines reasonable personal use as ‘transactions of personal affairs’ which cannot be avoided during working hours.

Staff who have access to email for business purposes may make personal use of the email facilities provided by NHS Fife. Personal use should be kept to a minimum and is permitted only during authorised break times, and only where it:

  • does not interfere with the performance of your duties;
  • does not overburden the system;
  • does not create any additional expense to the organisation;
  • does not involve using your NHS-provided email address to register for non-business-related third-party websites or services.

4.4 Security

Each email account, whether a personal or group account, is protected by access control measures i.e. identity management, username, and password requirements.

Individual users must take personal precautions to ensure the security of their email account, including locking or logging off from the PC before leaving it unattended. This prevents others reading your email or sending phishing emails in your name. Staff are reminded to be cautious of phishing emails and not to click on suspicious links or open unknown attachments.

It is possible to permit other email account holders to open your mailbox or send email on your behalf. Employees must contact the Digital and Information Service Desk if this is required before this practice takes place.

Archiving: The storing of personal data (within the meaning given to it by the Data Protection Act 2018, UK GDPR and the Public Records (Scotland) Act 2011) is subject to the same controls as any other personal data and is therefore also within the scope of Freedom of Information requests.

Virus Protection: Email is one of the most common routes by which malware enters an organisation. Windows Defender is NHS Fife’s enterprise-level anti-malware solution and will scan emails and their attachments at the point of entry to the network.

At individual level it is the responsibility of all email account holders to:

  • delete any messages of unknown origin.
  • contact the Digital and Information Service Desk immediately should they receive notification that an email sent to or by them contains a virus.
  • report any phishing or junk emails.

4.5 Confidentiality/Sending Patient Identifiable Information

NHS Fife accepts NHS email as the only approved route for sending personal identifiable information by email. If there is a business need to share patient identifiable information, the following email domains are considered trusted:

  • NHS: *.nhs.net, *.nhs.uk, *.nhs.scot
  • Central Government: *.gsi.gov.uk, *.gse.gov.uk, *.gsx.gov.uk
  • Ministry of Defence: *.mod.uk
  • Secure Police National Network / Criminal Justice Services: *.police.uk, *.pnn.police.uk, *.scn.gov.uk, *.cjsm.net
  • Local Government / Social Services: *.gcsx.gov.uk

Where patient identifiable information is to be transmitted to external organisations, there is a much greater risk of unencrypted emails being intercepted with a consequent breach of patient confidentiality.

Always verify recipient addresses before sending sensitive data and use the Secure Encrypted Email function in Outlook when sending patient identifiable information.

Avoid sending large attachments unless absolutely necessary. 25 MB is the maximum file size that can be sent over M365 Outlook. Internally, please use other means to share files, e.g. network drives or Teams sites. Should you need to send large files or sensitive detail to a third party, the SWAN Secure File Transfer Service is the approved platform. Contact the Digital and Information Service Desk for details of how to access this service.

Further guidance can be found at Scottish Government Mobile Data Standard (CEL 25, 2012).

If you have reason to send Patient identifiable Information to an untrusted/unknown 3rd party, then this is to be communicated through Information Governance. The purpose and volume of any sharing may require further assurance measures or an alternate communication method, such as the SWAN Secure File Transfer Service, may be recommended.
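As an added illustration (not part of the NHS Fife policy or its tooling), the check below takes the trusted-domain list from section 4.5 and decides, for each recipient of a draft message, whether it falls within a trusted domain or must be routed through Information Governance. It assumes that the policy’s “*.nhs.uk” form means the domain itself plus any subdomain, matched on a label boundary, so that look-alike domains such as “nhs.uk.example.com” or “evilnhs.uk” are not accepted, and it takes the address from the angle-bracket part of a recipient rather than from the display name, which a sender can set to anything. The sample recipients are constructed for the example.

```python
"""Recipient-domain allowlist check for the trusted-domain list in section 4.5.

Added example only; not NHS Fife code. Assumption: "*.nhs.uk" in the policy
means nhs.uk itself or any subdomain of it, matched on a label boundary.
"""
from email.utils import parseaddr
from typing import List, Optional

# Trusted domains copied from section 4.5 of the policy with the leading "*." dropped.
TRUSTED_DOMAINS = (
    "nhs.net", "nhs.uk", "nhs.scot",
    "gsi.gov.uk", "gse.gov.uk", "gsx.gov.uk",
    "mod.uk",
    "police.uk", "pnn.police.uk", "scn.gov.uk", "cjsm.net",
    "gcsx.gov.uk",
)


def domain_matches(domain: str, trusted: str) -> bool:
    """True if domain equals the trusted domain or is a subdomain of it.

    Matching is case-insensitive and on a label boundary: "fife.nhs.uk"
    matches "nhs.uk", but "evilnhs.uk" and "nhs.uk.example.com" do not.
    """
    domain = domain.lower().rstrip(".")
    trusted = trusted.lower().rstrip(".")
    return domain == trusted or domain.endswith("." + trusted)


def recipient_domain(recipient: str) -> Optional[str]:
    """Return the domain of the real address, ignoring any display name.

    '"alice@nhs.scot" <mallory@example.com>' must be judged on
    mallory@example.com: the quoted text is attacker-controlled display name.
    """
    _display_name, addr = parseaddr(recipient)
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain or " " in domain:
        return None
    return domain


def is_trusted_recipient(recipient: str) -> bool:
    """True if the recipient's real address is within a trusted domain."""
    domain = recipient_domain(recipient)
    if domain is None:
        return False
    return any(domain_matches(domain, t) for t in TRUSTED_DOMAINS)


def untrusted_recipients(recipients: List[str]) -> List[str]:
    """Recipients that need Information Governance approval or another route."""
    return [r for r in recipients if not is_trusted_recipient(r)]


if __name__ == "__main__":
    # Constructed sample recipient list for a draft message.
    draft_to = [
        "clinician@fife.nhs.scot",
        "Records Team <records@NHS.NET>",
        '"alice@nhs.scot" <mallory@example.com>',
        "partner@nhs.uk.example.com",
        "contact@council.example.org",
    ]
    for r in untrusted_recipients(draft_to):
        print("needs IG approval / secure alternative:", r)
```

The two look-alike cases are the point of the example: a naive `endswith("nhs.uk")` check accepts “evilnhs.uk”, and a check that reads the display name accepts the spoofed third recipient. Both are the kinds of address a sender should be verifying before sending patient identifiable information.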

It is not acceptable to send personal identifiable information outwith NHS Fife via webmail services (Gmail, Yahoo, Hotmail etc.).

Should there be an unavoidable business reason for this, the following criteria are to be met:

  • Information Governance approval is granted for the method used, covering e.g. patient consent, a Data Protection Impact Assessment (DPIA), and compliance with the Data Protection Act 2018, UK GDPR and any additional legislation relevant to the subject.
  • The NHS Fife department has approved processes and procedures in place to reduce the risks of the method used to send the emails.
  • The inbuilt encryption has been used to send the email.

The NHS Fife Data Protection department has produced guidelines and procedures to assist this process. Please refer to the following when transmitting patient identifiable information to patients through email:

4.7 Misuse and Abuse of Email

The sending of email which can or does cause distress will be dealt with by the appropriate NHS Fife Human Resources policy.

The transmission of any kind of sexually explicit image or document is expressly forbidden. Should there be a requirement to transmit sexually explicit images or documents for a valid clinical reason, the permission of the Caldicott Guardian must be sought in advance.

Behaviour or comments that are not permitted in the spoken or paper environment are also not permitted in email messages.

Email messages containing inaccurate information in the form of opinion or fact about an individual or organisation, may result in legal action being taken against the person sending the email message and anyone forwarding the email message on to others.

4.8 Housekeeping

It is the responsibility of all members of staff to manage their email messages appropriately. Email is a format of information, and not all emails will constitute a record. NHS Fife personnel must be diligent when deleting emails and ensure they have considered any potential future business requirement for that communication. When emails need to be retained, they must be preserved in their entirety, including any attachments, to protect their integrity. They should be saved to NHS Fife’s approved records repositories; this may be the network shares or, where the information is directly connected to the patient pathway, the relevant patient record system.

To manage email messages appropriately all NHS Fife staff must identify email messages that are records of their business activities and ensure that appropriate policies and legislation are followed. The deletion of emails of business significance may result in a legislative breach contrary to the Freedom of Information (Scotland) Act 2002 (FOISA).

Records Management Code of Practice for Health and Social Care, DPA 2018, UK GDPR and GP/R4 Records Management policy all apply.

A storage limit is set on all mailboxes. Users will receive a warning message informing them that they are reaching their limit.

4.9 Global Email

Although email is often considered to be a good way of disseminating information to large groups, it should be noted that there are some restrictions. The ability to send an email to everyone in NHS Fife is restricted to the Digital and Information Service Desk, the Communications Department and designated staff.

If a message is deemed for all staff awareness, an email should be sent to the Communications Department requesting that they send an email to everyone detailing the nature of the information. If the message is Digital and Information related, then the request for a global email should be sent to the Digital and Information Service Desk.

If staff need to send a bulk email, place the recipients in the BCC (Blind Carbon Copy) field. This makes clear to each recipient that the message is a “target all” email rather than a personal communication, and it prevents the full recipient list, including every recipient’s email address, from being disclosed to everyone on it.

4.10 Unsolicited Email (spamming)

NHS Fife’s email system has enterprise-level protection against spam; however, there are instances where spam may not be detected. Use the following guidance to best protect against spam:

  • Always be cautious when the sender or domain of the email is unknown.
  • Never respond to spam or click on links within it.
  • Never post your email address on public websites.
  • Only give your email address to people you trust.
  • Never make a purchase from an unsolicited email.

4.11 Hoaxes, Scams & Chain Letters

If staff receive any form of the above in emails do not forward them to anyone, delete them immediately and inform the Digital and Information Service Desk.

4.12 Accessing the Mailbox of another Member of Staff

There may be occasions when it is necessary to access email messages from an individual’s mailbox when a person is away from the office for an extended period, for example sick leave. The reasons for accessing an individual’s mailbox are to action:

  • Subject access request under the Data Protection Act 2018.
  • Freedom of Information requests.
  • Evidence in legal proceedings.
  • Urgent line of business enquiry.
  • In support of an investigation which may result in disciplinary action.

Where it is not possible to ask the permission of the member of staff whose mailbox needs to be accessed, the procedure for gaining access to their mailbox is:

  • Gain authorisation from the Head of Department.
  • Submit a request to the Digital and Information Service Desk.
  • A record will be made of the reason for accessing the mailbox together with the names of the people involved.
  • Inform the person whose mailbox was accessed.

It is less likely that this procedure will need to be followed if the mailbox access has been delegated to a trusted third party.

4.13 Shared/Generic Mailboxes

Shared mailboxes should be used where there is a group of people responsible for the same area of work or a team to ensure that queries are answered quickly when members of the team are away from the office.

Access to a shared mailbox is initially given by the D&I Department and can also be requested by raising a ticket.

4.14 Disclaimer

An NHS Fife disclaimer can be appended to every email message sent from an NHS Fife email system. Reasons to add a disclaimer may include:

  • Confidentiality Notice
  • Regulatory/Data Protection
  • Limitation of Liability

The list is not exhaustive but should be a consideration to departments that routinely communicate with external organisations.

4.15 Security Summary

  • DO protect the Security and Confidentiality of the system and information.
  • DO regular Housekeeping.
  • DO read and action the email good practice guide.
  • DO NOT misuse or abuse the system.
  • DO NOT email anything that could result in criminal or civil prosecution, or which could lead to disciplinary proceedings against you.
  • DO NOT send a Global Email without careful consideration.

5. M365 PRODUCTS

5.1 Integrated Services

Microsoft Outlook is the organisation’s platform for managing email, calendars and communication. As part of the wider Microsoft 365 suite, Outlook is integrated with services such as Teams, OneDrive, SharePoint and Microsoft Copilot, enabling secure collaboration, file sharing, scheduling and information management. All staff must use these tools in accordance with existing NHS Fife guidance and acceptable use policies, ensuring that emails, attachments, shared documents and collaborative workspaces are managed appropriately. Users must not bypass approved M365 services for communication or storage, and must follow all relevant acceptable use policies as listed below:

  • NHS Fife Acceptable Use Policy MS Outlook.
  • NHS Fife Acceptable Use Policy MS Teams.
  • NHS Fife Acceptable Use Policy OneDrive.
  • NHS Fife Acceptable Use Policy Copilot.

6. RISK MANAGEMENT

NHS Fife staff shall respect the confidentiality and privacy of individuals whose records they access, observe any restrictions that apply to sensitive data, and abide by legislation, policies, procedures and guidelines with respect to the access, use or disclosure of information.

The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain, or profit, or to satisfy one’s personal curiosity or that of others.

It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.

With regard to the Health & Social Care Partnership (H&SCP), the Partnership Management Group will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and arrangements, and review these to ensure they comply with any changes made to the Partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

Technical controls such as spam filtering, antivirus scanning, and encryption are implemented to reduce risk. Email systems are monitored for potential threats including phishing, malware, data leakage, and unauthorised access.

All suspected incidents or breaches must be recorded and escalated in accordance with the GP/I9 Adverse Events Policy.

7. APPENDICES

8. RELATED DOCUMENTS

  • GP/I5 Information Security Policy
  • GP/D3 - Information Governance and Data Protection Policy
  • GP/A4 Acceptable Use Policy
  • GP/G1- Generative AI Policy
  • GP/M5 - Device Management Policy
  • GP/O2 – Corporate Communication Policy
  • GP/R4 – Records Management Policy
  • GP/I9 - Adverse Events Policy

9. REFERENCES

The principal Acts of Parliament, Scottish Government circulars, and internal guidance documents relevant to this policy are:

  • Network and Information Systems Regulations 2018 (NIS Regulations)
  • CEL 25 (2012) NHS Scotland Mobile Data Protection Standard
  • Computer Misuse Act 1990
  • UK GDPR
  • Data Protection Act 2018
  • Freedom of Information (Scotland) Act 2002
  • Public Records (Scotland) Act 2011
  • Regulation of Investigatory Powers (Scotland) Act 2000
  • Records Management Code of Practice for Health and Social Care - 2024
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000