An outstanding experience for every patient
Go to home page
For patients and visitors
About Us
Why choose us?
Keeping healthy

Acceptable Use of Email and SMS Text Messaging Policy 

Post Holder Responsible for Policy:
Senior Information Risk Owner
Directorate Responsible for Policy:
Chief Executive
Contact Details:
01722 336262 Ext 4133
Date Written:
November 2010
Date Revised:
August 2014
Approved By:
Operational Management Board
Date Approved:
18th September 2014
Next Due for Revision:
1st September 2017
Date Policy Becomes Live:
1st March 2011

Version Information

Version No. Author Review Date Description of Changes
Information Governance Officer
August 2014
Significant Review & Update – Amalgamation with Acceptable Use of SMS Text Messaging Policy

Table Of Contents

1. Introduction
2. Purpose
3. Scope and Background
4. Responsibilities
5. Email Use
6. SMS Text Message Use
7. Handling Sensitive, Confidential & Clinical Information in Emails & SMS Text Messages
8.  Corresponding with Patients via Email
9.  Best Practice Guidelines for Email Use
10.  Written Correspondence Best Practice
11. Reporting Breaches
12.  Communication & Implementation
13. Disclosure of the Content of Emails & SMS Text Messages
14. Monitoring
15.  Review   
16.  Associated Documentation & References
17.  Equality Analysis  
18.  Privacy Impact Assessment

1. Introduction


This policy provides rules and standards governing the use of emails, Short Message Service (SMS) text messages and related services, systems and facilities, within Salisbury NHS Foundation Trust (The Trust) and is affiliated to the Trust’s Information Risk and Security Policy and Acceptable Use of Information Policy.

E-mail is now established as a primary means of communication within the NHS. The Trust provides authorised users with email facilities to assist with communications relating to the business of the Trust and/or the wider NHS.

SMS text messaging is an attractive technology for quick communication of short messages and is a widely accepted form of communication. Service users therefore increasingly expect the Trust to communicate with them in this way for simple transactions such as appointment reminders. This will help to empower patients and staff by connecting patients with information and clinicians.

Advantages of using SMS to communicate with service users are:

·         Quick and easy communication without delays.

·         Reduced postage costs.

·         Reduced possibility of communications going astray through incorrect

    postal addresses, changing addresses of service users etc.

·         Ability to reduce DNAs. 

The Trust endorses the use of SMS text messages to communicate with service users provided this is for simple communications such as appointment reminders, and provided strict Trust protocol (outlined within this policy) is followed.


2. Purpose


The purpose of this policy is to define corporate standards for all emails and SMS text messaging within the Trust. Adherence to these standards will ensure the Trust’s compliance with legislation and NHS guidance.

In addition, the general public will view emails and SMS text messages originating from the Trust, as official views or policy statements. Adherence to the standards detailed within this policy will promote best practice and reassure recipients of emails and SMS text messages that they are corresponding with a professional organisation which is easy to identify.


3. Scope and Background


This policy covers appropriate use of any email sent from both and email addresses and SMS text messages sent by or on behalf of the Trust by any means. The Policy applies to all employees, contractors, third party partner organisations, suppliers, directors, governors, volunteer’s honorary contracted staff and all other authorised users.

3.1  Background

The Data Protection Act 1998 (DPA) imposes constraints and legal responsibilities on the Trust regarding the processing of personal information in relation to living individuals. This includes the use of email and SMS text messaging. Compliance with the policy will ensure the Trust and staff comply with this legislation.

Furthermore, email and SMS text messaging systems used by the Trust are business communication tools and users are obliged to use this tool in a responsible, effective and lawful manner. Although both email and SMS text messages may be regarded as less formal than other forms of communication, the same laws and standards must be applied as to any other form of business communication. Therefore, it is vital that all staff are aware of their responsibilities and the legal risks of using these communication methods.

If emails or SMS text messages are sent or forwarded with any derogatory, libellous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions, both the individual authorised user and the Trust can be held liable.

If confidential information, personally identifiable information, or sensitive information regarding any individual is sent or forwarded via email which is unsecure, this will result in a breach of the Principle 7 of the DPA. Principle 7 states the Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

Similarly, should confidential or sensitive commercial information be unlawfully shared via email and/or SMS text message, the Trust and/or the authorised could be held liable.

Compliance with this policy will also ensure that information is not retained longer than necessary; this will assist the Trust in complying with Principle 5 of the Data Protection Act 1998. Principle 5 tastes Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’

3.2  Using Emails or SMS Text Messages for Marketing – Regulatory Position

These activities are principally governed and regulated by the DPA and the Privacy and Electronic Communications Regulations 2003 (amended 2011).

Section 11 of the DPA refers to direct marketing as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’. The Information Commissioners Office (ICO) regard direct marketing as covering a wide range of activities that apply not just to the offer for sale of goods or services, but also to the promotion of an organisation’s aims and ideals.

The policy will define appropriate standards for all authorised users of emails and SMS text messaging with the Trust. Although some activities undertaken by the Trust may not directly fall within the Electronic Communications Regulations 2003 (amended 2011), sending appointment reminders via an SMS text message, could potentially fall within the regulations and therefore the standards established by this policy will apply to all uses of email and SMS text messages.


4. Responsibilities


      4.1  Trust Responsibilities

It is the responsibility of the Trust to ensure that all authorised users are provided with formal training, which includes the appropriate use of email and SMS text messaging prior to using the system managing these communications.

Salisbury NHS Foundation Trust will take reasonable steps to ensure that users of email and SMS text messaging services are aware of policies, procedures, protocols, and legal obligations relating to their use. Following initial training, this will be cascaded to staff through additional training, departmental briefings and Trust wide communications.

4.2 Managers Responsibilities

Before a new authorised user commences work and is permitted to start using the Trust email and SMS text messaging systems, their manager must ensure they have completed the appropriate training.

During annual appraisals, managers must review their staff compliance  with this policy, including encouraging staff to regularly archive emails required for future reference within an appropriate filing structure, apportion to other members of staff emails which are no longer relevant to them, or delete any emails which are no longer required.

Before a member of staff leaves the Trust, the relevant line manager must, with the member of staff, carry out a review of all emails retained by the member of staff. These emails must be either be filed in the appropriate filing structure, apportioned to other members of staff, or deleted. Immediately before the member of staff leaves the Trust, the manager must notify the Trust’s IT Service Desk via email, specifying a date on which the email account must be closed.  An appropriate Out of Office reply must be placed on the email account directing enquiries to named individuals or departments. For further guidance refer to section 6.4 of this policy. 

Emails held within the account of authorised users who have left the Trust will not be retained and will be deleted as soon as possible following the date of departure. Any exception to this must be authorised and recorded by the Director of Informatics.

4.3  Employees Responsibilities

It is the responsibility of all staff members, including those identified in Section 3.0 of this policy, to ensure that they operate within the framework of this policy. Failure to comply with this policy may result in disciplinary action or potentially, referral to the police or other authorities for criminal investigation.

It is the responsibility of all authorised users to read and act on information sent to them via this means. Users must regularly access and review emails sent to them, ideally at least once during every working day, or more frequently when appropriate.

4.4  Information Asset Administrator (IAA) Responsibilities

The IAAs responsible for the Trust’s email and SMS text message systems will also be responsible for ensuring that appropriate and up to date training is available to all authorised users.

IAAs are also be responsible for ensuring that any new or amended initiative to communicate with patients, or others via email and or SMS text messages has completed and implemented the findings of a Privacy Impact Assessment, in compliance with the Trust’s Privacy Impact Assessment Policy and Information Risk & Security Policy.

IAA’s will audit compliance with this policy at least annually and will report finding to their Information Asset Owner (IAO).

4.5 Ownership

All email accounts and contents therein and all systems used for the management of SMS text messaging which are maintained, managed, or authorised by Salisbury NHS Foundation Trust remain the property of the Trust at all times.

The IAA for the Trust email systems and SMS text management systems will twice a year provide a report to the Information Governance Steering Group, which will include details of any instances of inappropriate use and numbers of emails containing

4.6 Prohibited Activities

It is strictly prohibited to send or forward emails or SMS text messages containing derogatory, libellous, defamatory, offensive, harassing, racist, obscene or pornographic remarks or depictions.

·       You must not forward confidential messages without acquiring permission from the sender first.

·       You must not send unsolicited (unwelcome or unwanted) email or SMS text messages.

·       You must not forge or attempt to forge email or SMS text messages.

·       You must not send email messages using another person’s email account unless authorised via delegate rights.

·       You must not breach copyright or licensing laws composing or forwarding emails and email attachments.

·       You must not send confidential, commercially sensitive, personal or sensitive information via a non secure email.

·       You must not use Trust SMS text messaging facilities to send or receive non Trust related messages.

·       Staff must not commence any new or amended initiative to communicate with patients, or others via email and or   SMS text messages without the approval of the Information Asset Administrator, or the Information Governance Manager.

Other than instances requiring criminal prosecution, the Trust is the final arbiter on ‘offensive’ material or prohibited activities.

4.7 What to do if you receive prohibited content

If an authorised user receives an email that contains such material, the user should not immediately delete it but report the matter to the IT Service Desk on Ext 2040. Such emails should only be kept for sufficient time for the matter to be reported to the IT Service Desk and, if necessary, an investigation will be carried out.


5. Email Use


Employees and other parties must use the Trust approved email software e.g. Microsoft Outlook or NHS Mail.

5.1   Purpose of Your Email Account

The Trust provides authorised users with an email account to assist and support communications relating to the business of the Trust, or other NHS organisations. Trust email facilities must only be used for Trust business, or for limited incidental personal use. Please refer to Appendix A.

The Trust email system must not be used to send games, jokes, video clips, chain mails or any other files that aren’t directly related to the Trust’s business purposes. It should be noted that the Trust’s email system automatically generates audit logs which can record copies of the email sent, record the sender, the recipient and size of all email messages sent and received. These logs are screened and any activity trends which contravene this policy are brought to the attention of the appropriate line manager for possible further action.

5.2   Email System Passwords

All users of the Trust IT network will be issued with a network username and password, both of which are necessary to access a Trust email account. New users will be given a default password and will be prompted to change this during their IT Induction Training. A user must not divulge their password to any other person. Sharing passwords is strictly forbidden. The use of passwords affords important protection against unauthorised use or access to the IT network, systems or email, confidential patient and staff data, as well as corporate records.

If a breach of security or an instance of inappropriate use is recorded under a staff member’s username, the burden of proof will be with the member of staff to show that you are not responsible for the breach.

5.3 Accessing Someone Else’s Email Account

The email system within the Trust allows a user to ‘delegate’ access to another user(s) – before going on holiday for example. If the requirement for access was not foreseen and

no other available user has delegate access, emergency delegate access may be requested for purpose of managing emails received by the absent party. This can be done by obtaining written authority from the line manager or the directorate manager of the absent party.

This must be sent via email to the IT Service Desk at  and will be authorised by the Information Governance Manager or Information Governance Officer, or one of the Informatics Senior Managers.

5.4  Out of Office Replies:

All authorised users are required to use the ‘Out of Office’ facility to improve communication during absences, or where the authorised user has left the Trust. The email system will then send an automatic response to anyone who has emailed the user during their absence. The out of office email must contain an alternative point of contact

and ideally, a period for which the authorised user will be absent. The reason for absence should not be included. For Example:

Thank you for your email. Jane Smith will not be available to collect emails between the 25th December 2014 and 1st January 2015. During this period you may wish to contact David Jones, who can be reached on 01722 336262 ext xxxxx or

5.5 Automatic Forwarding of Emails:

To ensure the confidentiality, security and integrity of sensitive personal information and/or corporate information, staff are not permitted to automatically forward their emails from their account, to any other email account.

5.6 Forwarding & Replying to Emails:

Best practice when forwarding emails is to always review the content before doing so. Consider whether the information it contains is confidential to the Trust, or an individual.

Therefore, when replying or forwarding emails, review the information carefully and delete confidential, excessive, irrelevant, sensitive, or personal information not required before you send it. Always include a full signature, include your telephone number and department details where applicable.

When replying to emails, try to avoid the use of ‘reply to all’ unless it is absolutely necessary. All recipients don’t necessarily all need to, nor have the legal right know the details and contents of the email, plus this will reduce the number of irrelevant emails sent/received.

5.7 Standard Email Signatures

In order to improve communication and efficiency within the Trust and to ensure recipients such as the visually impaired amongst other, receive a consistent Trust standard, all staff are required to ensure that all emails sent within, or externally to the Trust contain an appropriate signature and contact information as detailed below:

The style and font used must clearly legible and professional. Elaborate or pictographic styles or fonts must not be used.

5.7.1 Internal Signature must contain:


 Job Title


 Internal Extension Number


5.7.2  External Signature must contain:


Job Title

Salisbury NHS Foundation Trust


Salisbury District Hospital



Tel: 01722 336262 Ext:

Email Address:


5.8 Personal Email Addresses

All staff are required to use the Trust or email accounts for business related correspondence. The use of personal email addresses such as, but not limited to; hotmail, Gmail, Googlemail, yahoo etc, for the purposes of undertaking Trust business is not permitted. These and many personal email facilities do not offer suitable levels of security and could potentially lead to a significant breach of data protection legislation.

5.9 Broadcast Emails

The broadcast email facility within the Trust provides a quick method of disseminating information to the greatest number of staff, in the shortest possible time frame.

The use of broadcast emails must be limited to Trust wide issues, which either all staff or large parts of the organisation must be made aware of, such as Cascade Briefings, changes to policies or procedures etc. Over use of this facility will result in a dilution of the effectiveness of such communications.


6. SMS Text Message Use


  6.1 Consent

Where service users, patients or members of the public are the intended recipients of a communication via SMS text message the consent of the individual must be obtained and recorded before this method of communication commences. This could be achieved at the time of recording a mobile phone number. It is also good practice to make the recipient aware of their responsibility to inform the Trust of any change to their contact information and of the potential risks of communicating with them via SMS text message. An information leaflet is available as Appendix B.

Systems used to record the consent must be fully risk assessed and the data quality of patient contact details assured as part of the privacy impact assessment process prior to deployment.

Service Users, patients or members of the public may withdraw their consent to receive SMS text messages at any time by informing the relevant Health Professional, who must act on this at the earliest possible opportunity. In compliance with the Privacy and Electronic Communications Regulations 2003 (amended 2011), the recipient must be given a simple means of refusing (free of charge except for the cost of transmission) the use of their contact details.  Therefore the message itself must contain a point of contact or method by which the recipient can opt out of future messages. This instruction must be followed.

6.2 Information Governance Considerations

Whilst there are undoubted values of SMS text messages as a business tool, there are also legal obligations and potential dangers and pitfalls to be managed. Inappropriate or careless use of SMS text messages by staff may expose the Trust and patients to information risks capable of impacting business and care processes and are likely in breach of data protection legislation. Messaging errors or modifications can occur and messages may not reach their intended recipients.

SMS messages stored on Trust and/or NHS owned systems are subject to the same data protection and Freedom of Information obligations as other information assets. Trust Information Asset Owners must therefore ensure these aspects are fully considered and risk assessed when designing and implementing Trust SMS text messaging services.

The following examples of potential risks are for illustration only and are not exhaustive of all possibilities:


·      Implementing SMS text messaging services without proper planning may adversely impact upon other information services of the organisation e.g. reduced bandwidth and performance;

·      Insufficient testing may result in systems interoperability problems and exploitation constraints;

·      Not planning for training and education can lead to poor use, support and maintenance of SMS text messaging facilities that may adversely impact on patient care and the reputation of the organisation;

·      Insufficient planning for potential SMS service disruptions may lead to missed patient appointments, data losses and ineffective recovery processes.


7. Handling Sensitive, Confidential & Clinical Information in Emails & SMS Text Messages


It is a breach of the DPA Principle 7 to send personal identifiable information without adequate security. Any personal identifiable data received or sent by the Trust which is inadequately protected will be in contravention of the Trust’s Information Risk & Security Policy and any subsequent investigation will be undertaken by the Information Governance department.

7.1 Sending Confidential, Personal or Sensitive Information within the Trust (email only)

Internal: (emails sent to

Information sent between two email address ending is secure, however information of a confidential nature, personal information and/or sensitive information must be kept to a minimum. Therefore when corresponding internally the following should be followed:

·    The patient’s name must not be included in the subject line

·    Ensure the patient in question is appropriately and accurately identified

·    Use the minimum amount of information to identify the patient i.e. Initials, Hospital Number, NHS Number, date of birth

·    Clinical information is clearly marked CONFIDENTIAL

·    Emails are addressed to the right people and not forwarded inappropriately

·    When forwarding emails, always ensure that you review the email and remove excessive or irrelevant information before forwarding

·    Information sent  and or received by email must be safely stored and archived as well as being incorporated into patients records

7.2 Sending Confidential, Personal or Sensitive Information Outside of Trust (via email)

Confidential, sensitive and personal identifiable information must only be sent by email to and from the Trust via an mail account (i.e. from an email address ending to an email address ending in, or to one of the following secure email accounts):

Central Government:

·       *

·       *

·       *

The Police National Network/Criminal Justice Service Secure email Domains:

·       *

·       *

·       *

·       * 

Secure email domains in Local Government/Social service:

·       *

Sending to an email account to any other address not listed above, will mean that the correspondence is not secure.

If the recipient is not part of the NHS or a Trusted third party (i.e. can be provided with a sponsored NHSmail account) and does not have access to one of the email domains listed above, the user will need to contact the IT Service Desk on Ext 2040 to discuss other options for encryption of the email to maintain security.


8.  Corresponding with Patients via Email


There are a number of risks associated with corresponding with patients by email. However, the Trust is committed to improving communication with patients in a manner which supports their continued care. Therefore, the Trust has a legal duty to inform patients of the risks associated with email correspondence containing personal and/or health care information, before this method of correspondence is used.

All patients wishing to receive email correspondence from the Trust must be provided with a copy of the Patient Leaflet: Appendix B. They must also sign and date and return to the Trust, Appendix C the Patient Consent to Communicate Medical Information by Email Form. This consent must be retained and filed in the patient’s notes for future reference and all email correspondence must be printed off and included in the patient’s record for future reference.


9.  Best Practice Guidelines for Email Use


The Trust considers email to be an essential means of communication and recognises the importance of proper email content and speedy replies in conveying a professional image and delivering efficient services. Therefore, the Trust provides specific best practice guidelines which staff must adhere to when corresponding by email. A full copy of the Best Practice Guidelines is included with this policy as Appendix D.


10.  Written Correspondence Best Practice

Please refer to appendix E.

11. Reporting Breaches


Where staff witness or have evidence of activities contrary to the standards set in this policy, this must be immediately reported to a line manager and the Information Governance Manager. The incident must also be reported via the usual incident reporting procedures. Additional Information on how to report incidents is available in the Trust Risk Management Policy.


12.  Communication & Implementation


This policy is to be made available to all Trust staff and observed by all members of staff, both clinical and administrative.  To ensure the success of this policy is integrated appropriately within the Trust, the Information Governance Department have developed an Implementation Plan. This is included as Appendix G.


13. Disclosure of the Content of Emails & SMS Text Messages


13.1      Data Protection Act 1998

The DPA provides individuals with a legal right of access to copies of information written about them. Therefore, any patient, member of the public, or member of staff may request copies of NHS records (including emails, SMS text messages and other electronic files) which contain information about them.

Authorised users creating emails and SMS text messages must ensure that they are of a high standard, containing only accurate and factual information relating to the topic under discussion. The inclusion of clinical information within SMS text messages should be avoided where ever possible and only included where an appropriate Privacy Impact Assessment has been completed.

All requests for copies of correspondence are dealt with by either the Trust’s Medical Records Department, or the Information Governance Department. Should a request from a patient or a member of staff be received by an authorised user, this must be referred to the Information Governance Department for action.

On receipt of a request for copies of correspondence by an authorised user from either of the above departments, the authorised user must immediately provide copies of all specified correspondence. The authorised user must not withhold, destroy or amend any correspondence or other documents requested.

13.2 Freedom of Information Act 2000

Salisbury NHS Foundation Trust is a Public authority, and therefore, in compliance with the Freedom of Information Act 2000, the Trust can be obligated to release information to the public if requested. This can include correspondence via emails and potentially, SMS text message.

It is therefore important for all staff to file emails regularly in order to be able to access information efficiently when needed and to delete emails which are no longer required. Similarly, systems deployed to send SMS text messages must include a suitable method to retrieve messages if requested.

All requests for information and documents relating to a request received by the Trust under The Freedom of Information Act 2000 are dealt with by Trust’s Information Governance Department. Should a request from a patient or a member of staff be received by an authorised user, this must be referred to the Information Governance Department for action.

On receipt of a request for copies of correspondence by an authorised user from either the Information Governance department, or a Senior Manager, the authorised user must immediately provide copies of all specified correspondence. The authorised user must not withhold, destroy, or amend any correspondence or other documents requested.

Information relating to Trust business held by authorised users within non Trust email facilities and personal email accounts is also potentially subject to release under The Freedom of Information Act 2000. Any such information must be provided to the Information Governance department on request.


14. Monitoring


The Trust reserves the right to monitor the use of its information and communication systems. Audit trails recording user activity will be retained by the Trust.

All documents and records, including emails and SMS text messages stored on Trust owned or commissioned systems, may be accessed by the Informatics Department, for the purpose of investigation of alleged or suspected breaches of this policy, unlawful acts, system failure or system misuse.

Routine monitoring will also be undertaken to confirm system efficiency, capacity and appropriate use.

If the Trust receives a complaint or is informed about emails or SMS text massages containing inappropriate content, the authorised user will be identified and a judgement as to whether to access their records without consent will be taken by senior management in line with the Information Commissioners “The Employment Practices Code”.


15.  Review   
16.  Associated Documentation & References
17.  Equality Analysis  
18.  Privacy Impact Assessment

15. Review

This policy and associated documents will be reviewed annually by the Information Governance Department and every three years by the Information Governance Steering Group or earlier if appropriate, to take into account any changes to legislation that may occur, and/or guidance from the Department of Health and/or the NHS Executive.

16. Associated Documentation & References

This policy forms an integral part of the Information Security & Risk Strategy and Information Governance Assurance Framework within the Trust. It directly relates to the overarching Acceptable Use of Information Policy and should be read in conjunction with: 

Data Protection Act 1998

Freedom of Information Act 2000

NHS Code of Confidentiality

Information Security Management Code of Practice 2007

Information Security & Risk Policy

Information Governance Policy

Data Protection Confidentiality & Disclosure Policy

Acceptable Use of Information Policy

The Privacy & Electronic Communications Regulations 2003 (Amended 2011)

17. Equality Analysis

Salisbury NHS Foundation Trust aims to design and implement services and policies that meet the diverse needs of its services, population and workforce, ensuring that none are placed at a disadvantage over others. This document has been assessed using  the Trust’s Equality Analysis Tool. A copy of the completed Impact Assessment has been included as Appendix  F.

18. Privacy Impact Assessment

 A Privacy Impact Assessment is attached as Appendix H.



 Appendix  Description  Attachment
 A  Personal use of email Terms & Conditions  
 B  Patient Leaflet  
 C  Patient Consent to Use Email correspondence  
 D  Best Practice Guidelines for the Use of Email Leaflet  
 E  Written Correspondence Best Practice Guidelines  
 F  Equality Analysis  
 G  Communication & Implementation Plan  
 H  Privacy Impact Assessment  
 I  Text Messaging Standards  

Page Last Updated: 23/08/2016 09:56 
Printed from Salisbury NHS Foundation Website