Ensuring secure email communications
This is local and national support for providers to achieve data security and protection compliance.
Better security, better care is a national and local support programme funded by NHSX to help adult social care providers to store and share information safely in both digital and paper formats. The programme will help you understand the importance of data and cyber security and complete the annual, online self-assessment using the data security and protection toolkit (DSPT).
Lots of support is available on the Digital Social Care website which is a dedicated space for information, support and guidance on information sharing and technology including best practice webinars. Resources available include:
Free introductory webinars to help providers complete the toolkit are being run by the local support partner for Staffordshire and Stoke-on-Trent (Staffordshire Association of Registered Care Providers in conjunction with Quality of Care) on the following dates in January:
- 18 January 2022 at 10am
- 19 January 2022 at 2 pm
- 25 January 2022 at 10 am
- 26 January 2022 at 10 am
Register on their website for the January webinars.
Having attended a webinar you will receive an invitation to sign up for one of the workshops. Here you will be guided step-by-step through the DSPT to completion.
To find out more about the local programme, including how to achieve a level of compliance or update your current compliance please email: DSPTsupport@sarcp.com.
These essential opportunities are free and time-limited. Please make use of them whilst they are available.
Day service providers, including those which are not registered with CQC, can access national support from the Better Security, Better Care programme. Please visit the Digital Social Care website for details of what support is available and how to access it. The national programme is also offering support with the DSPT to large care provider groups with services in multiple parts of the country.
NHSX are extending the device support package for care homes who have previously received NHSX iPads until summer 2022. This is part of the Winter Plan to support social care. This means that care homes with NHSX iPads won't lose access to a mobile device management service over the winter period, and will be able to access NHSmail and other services that require a secure connection.
The extension is offered on an opt-out basis and all iPads will be transferred to the extended MDM with no change to their set-up, unless a care home or provider chain gets in touch with NHSX to opt-out of the extension. Care providers and staff who want to continue to have NHSX funded support don't have to take any action. If you want to opt-out of this extension, NHSX will be issuing a survey soon.
NHSX won't be continuing to fund the sim card package for the iPads over winter and care homes will need to use their own Wi-Fi (which most are already doing) or purchase a data only sim themselves. If you have any questions, please email iPad.Offer@nhsx.nhs.uk.
NHSX has commissioned Revealing Reality to do an independent evaluation of the iPads project. They want to use the evaluation to help better meet people's needs with future projects. To do this, they want to hear from a range of care staff and providers in the research.
If you'd like to take part, and share your views, please register via this link.
Contact firstname.lastname@example.org for more information.
Fast track access to NHSmail is no longer available and you will need to be DSPT compliant in order to register for an NHSmail account. Please visit the Digital Social Care website for guidance on how to access NHSmail and set up an NHSmail account.
The Digital Social Care website has full instructions for care providers on how to set up NHSmail, how to access and activate your account, plus a range of helpful resources including an NHSmail User Guide for Care Providers, videos addressing frequently asked questions.
You can find information on how to make the online application for your NHSmail account on the NHS Digital website.
- use only one form per care home site registered with the CQC i.e. a provider with multiple homes / sites will need to send a form for each home
- individuals can only be linked to one site currently
- ensure you provide mobile phone numbers not landlines. These are required for initial password and future password resets which are sent by text. They must be unique to the individual and can be hidden from view to other users on NHSmail. If they are not received, NHSmail cannot be set up.
- email addresses must be unique to the individual, so private email addresses (e.g. Hotmail or Gmail) can be used. They are only used to send applicants their initial activation notice and user guide information.
- please ensure you insert 3 security questions when you activate your account to enable you to reset your password
- where possible, ensure that the answer to your security questions is no longer than 1 word in length, so that they are easier for you to remember
NHSmail accounts that have been inactive for more than 90 days are likely to be deleted and we recommend that you regularly use your NHSmail account.
If you cannot email from the shared mailbox, for example, if the members/owners have come inactive, they can reactivate their account by logging into their NHSmail account.
If you or a member of staff is leaving the organisation, you should follow the guidance on how to close your NHSmail account.
If the shared mailbox members/owners are no longer present, please contact email@example.com or call 0333 200 1133 to go through the authentication options to enable the linking of new users to the mailbox.
Further information on NHSmail including advice on how to manage your account such as resetting your password, access via a mobile device and the wider support being provided for Microsoft Teams can be found on the NHSmail portal.
This is also available as an alternative to NHSmail and can be used to demonstrate the security of an email system against the NHS secure email standard. However, this is a rigorous and lengthy process for an organisation to undertake with NHS Digital.
A number of large providers have already looked into accrediting their email systems through this process. A list of accredited organisation accounts that meet this standard are published by NHS Digital and can be accessed here: secure email accreditation.
Non-CQC registered organisations who are required by their commissioners to hold an NHSmail account are advised to visit relevant information on the Digital Social Care website.
Digital Social Care continue to offer a dedicated telephone helpline to provide digital support to care which was set up in response to the Coronavirus pandemic. Care providers can get help with troubleshooting technical problems as well as in depth one-to-one support.
The helpline is open between 9 a.m. and 5 p.m. Monday to Friday by calling 0208 133 3430 or by email at firstname.lastname@example.org.
Does DSPT compliance apply to me?
Current DSC guidance states that:
- all CQC registered adult social care services in England are strongly recommended to complete the DSPT
- the usual process is that if you want or need to continue using NHSmail, the expectation is that you need to become DSPT compliant following the end of the fast track process
- you need to have demonstrated DSPT compliance to be part of any of the projects and initiatives that allow care services to directly access NHS patient information systems, for example, GP records and shared care records
- if you have services funded by the NHS, for example under continuing healthcare, there is a legal requirement to complete the DSPT every year
- you don’t need to have completed or to register with the DSPT just to have video appointments with NHS services, but it is strongly recommended
If you have previously had fast track access to NHSmail, you are required to register with the DSPT now. If you don’t register with the DSPT, then at some point in the future, you may no longer be able to use NHSmail.
The DSPT remains a requirement for organisations who wish to hold Continuing Healthcare contracts and continue to have online access to NHS patient information systems (e.g. for online prescription ordering). Increasingly social care commissioners are requiring DSPT compliance in their contracts and even if it is not stipulated the requirement for DSPT compliance helps to demonstrate compliance with data protection standards.
Version 4 of the data security and protection toolkit is now live. Key messages from NHS Digital about the launch are below:
- the DSPT is an annual self-assessment and the deadline for the 2021-22 publication is 30 June 2022
- following publication of the 2021-22 DSPT version, organisations will no longer be able to publish a 2020-21 DSPT and should continue to work on their 2021-22 DSPT
- where evidence items are unchanged, details recorded can be carried forward from the latest submission
- social care organisations as well as primary care (excluding GPs), charity/hospice, researchers/universities, companies, Local Authorities, NHS business partners) all fall under Category 3.
- Big Picture guides are also now available along with Audit guides to support self-completion.
If you're having general problems with NHSmail or the Toolkit please refer to the frequently asked questions section before requesting further support.
You may find these pages useful:
- our top tips before you get started on the data security and protection toolkit