Texting, emailing and messaging patients and service users
This guidance covers information governance (IG) topics you need to think about when sending or receiving messages about health and care services by text, email or other types of messaging. It is for patients, service users, health and care professionals and IG professionals.
This guidance only applies to messages that are about a person’s individual care. It does not cover messages about other things such as research or fundraising. For more information on sending messages about fundraising, please see NHS England IG guidance on what is and isn’t direct marketing.
Where this guidance talks about contact preferences and objections, it addresses these topics from an IG perspective only. Where individuals have communication needs relating to a disability, impairment or sensory loss, these also need to be considered and are covered in the accessible information standard.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
You will sometimes receive messages about your health and care services or on behalf of someone you care for. These might be texts, emails or other messages, such as messages in the NHS App and other messaging apps. This guidance explains how health and care organisations send these messages to you legally and responsibly.
Messages from health and care organisations
Health and care organisations might send you messages about your care. Examples include:
- messages about treatment you have received
- messages about an appointment you need to attend
- messages about a prescription to collect
- messages about vaccinations
- messages about screening for illnesses
Suspicious messages
You should not open or respond to messages that seem suspicious. Examples of suspicious messages include:
- messages asking you to pay for missing an appointment with a link to a payment website
- messages asking you to book appointments with a link to a fake website (please see Stop! Think Fraud guidance for information on how to identify a fake website)
These may be sent by people trying to illegally obtain your data or defraud you. Other common features of scam messages include:
- wrong spellings and poor grammar
- links to illegitimate websites
- urgency and emotion
You should never click on any links or provide any personal details if a message looks suspicious, or you do not know why it has been sent. If you are not sure, contact your health and care organisation who can confirm whether the message is safe.
Contact preferences
Some health and care organisations may ask you how you prefer to be contacted, as part of registering or confirming contact details. For example, you may be asked if you are happy to be contacted by text and email.
If you express a preference, your health and care organisation should use the method of contact you state whenever it is possible. There may be times when they need to use a different method of contact to make sure you get an important message, such as if your appointment is cancelled.
Objecting to receiving messages
Objecting
You can ask to never receive messages from your health and care organisation. This includes asking never to be contacted in certain ways, for example email or text. This is called ‘objecting’. Your right to object to your personal data being used by an organisation includes being able to object to your personal data being used to send you messages.
To object to receiving messages, you need to:
- get in touch with your health and care organisation
- ask not to be contacted, either entirely or in a certain way
- give a reason why
The more information you can provide to your health and care organisation for your reason, the easier it is for them to understand your situation.
What will happen if you object
If you tell your health and care organisation not to send you messages, they will explain what could happen. After hearing your reason, they may be able to address your concerns, so that you decide your objection is no longer needed.
If your health or care organisation is not able to send you messages, this may mean you have a worse experience using their services. For example, you may have to wait longer to receive messages about your care by post.
When you may still receive a message after objecting
Your health and care organisation would need to have a strong reason to message you by text, email or another method after you have objected to being contacted in that way and given a specific reason why.
See the example below for a situation where this might apply.
Example
You phone a hospital where you are going to have treatment. You say that you object to receiving text messages or emails from them, and give the specific reason that other family members can access your phone.
However, an appointment becomes available for urgent treatment you need within 48 hours. If the hospital contacted you by letter, you would not get the message in time to accept the appointment. The organisation might decide that this is a strong reason to still contact you by text and email.
A decision to override an objection is made carefully, based on your situation and reasons for objecting.
Communicating with someone else on your behalf
Messages about your care are confidential and can generally only be sent to you. They can only be sent to another person if:
- you have given your consent for another person to receive messages about your care, acting as a proxy
- you do not have capacity to make decisions about your health and care, and it has been agreed that another person can act as a proxy. This person would also need approval to receive messages on your behalf
You can ask to receive messages on behalf of someone else if they consent (agree) to it. If they do not have the ability to make decisions about their health and care, you can ask to receive messages for them if any of the below apply:
- you have parental responsibility (if the person is under 18 years old)
- you have a lasting power of attorney for health and welfare for them, which has been activated
- you are a court-appointed deputy for them
- you can provide evidence that you are acting in the person’s best interests
Based on your situation, a health or care organisation will decide whether they can give you access. Sometimes they won’t be able to. To find out more, you should ask the health and care organisation looking after the person you want to receive messages for.
Protecting your privacy
To protect your privacy, your health and care organisation will:
- only include confidential health information in messages where it is necessary to do so
- use messaging apps and services which have been approved by the organisation’s data security teams
- ensure staff follow security policies, for example encrypting emails, which is a way of electronically protecting them
There are also things which you can do to protect your own privacy.
- Sign up to use messaging services with good security features, for example the NHS App. You can use the NHS App by creating an NHS login account and downloading it from your app store of choice. This enables health and care organisations to contact you in a secure way, in a place where only you can access the messages.
- Do not share access to your phone, email or messaging apps. If another person has access, they will be able to see messages about your care. If you must share access to a phone, make sure to log out of your health messaging apps after you have used them.
- Think about how you send messages. You may not be able to electronically protect the information you send when messaging your health or care organisation. It is sensible to not share any personal information in your messages unless it is necessary. You can always call your health organisation instead.
- Keep your contact details updated. You are responsible for ensuring you provide the correct email address and mobile number to your health or care organisation. You must inform your health or care organisation of any changes. This will make sure your health and care messages are not sent to the wrong person.
Guidance for healthcare workers
This guidance is about ways you can legally and responsibly send texts, emails and other messages to patients and service users about their care and your services.
It does not cover messages sent between you and other colleagues, or messages which are not related to health and care services, such as messages about charitable causes or research. See NHS England guidance on what is and isn’t direct marketing for practical examples of messages about health and care services, and an explanation of other types of messages which would be treated differently.
Recording information
You should keep a record of all the emails, texts or other messages you send to patients and service users in their health or care record. Your entries in the record may be an exact copy of the text used in the messages you have sent, or a summary of what the message said. This will then be retained in line with the health or care record.
You may have systems that automatically store your communications with patients and service users for you. If this is the case, you don’t need to do it manually.
Recording information is important both for knowing what has been communicated to a patient or service user as part of their care, and for retrieving the information if the individual asks for it.
Consent
You do not need the consent of patients and service users to send them texts, emails or other messages about their individual care. Please see the section for IG professionals for further information on the lawful basis for contacting patients about their care.
Sending messages to people acting on someone else’s behalf
You should generally only send texts, emails and other messages about health and care services to people who the services directly relate to. For example:
- where an appointment reminder is being sent, it should only be sent to the person who the appointment has been made for
- where test results are sent, they should only be sent to the person who has been tested
There are only a few exceptional circumstances where it may be appropriate to send health and care messages to people who the services do not relate to. These are when:
- they have parental responsibility and are a proxy for the individual you wish to message
- an individual you wish to message does not have capacity and a best interests decision has been made for you to communicate with another person acting as their proxy
- you have the explicit consent of an individual you care for to share their health and care information with a proxy
For the circumstances described above, there should be notes written in the individual’s health and care record confirming that other people can receive messages on their behalf.
Services individuals may feel sensitive about
Even if you have explicit consent to share health and care messages with a proxy, you may occasionally be sending messages about services an individual feels particularly sensitive about, which would make it inappropriate to notify a proxy without checking with the individual first.
For example, you may be sending a message which reads “Your appointment is confirmed for today at 10:30”, with the context being that you are providing a Hepatitis B vaccine following a sexual assault or a liver function test which may indicate high alcohol intake. Although there is no sensitive information in the message itself, it may prompt the proxy to ask the individual unwelcome questions about the nature of their appointment. Speak to your Caldicott Guardian if you are ever unsure about sending communications related to services individuals might feel sensitive about.
Contact preferences
It is good practice as part of registering and interacting with patients and service users to confirm their contact details and allow patients and service users to indicate their contact preferences. You should respect the contact preferences of patients and service users wherever it is possible to do so.
However, contact preferences do not prevent you from using non-preferred methods where patients and service users might otherwise not receive messages that are important for their care. For example, if a patient has indicated a contact preference for texts or letters rather than email, but email is the only practical and affordable way to send important medical information, it would be acceptable to use email.
Objections to receiving messages
Objections
Objections are different to contact preferences. An objection is when a patient or service user contacts your organisation to ask never to be contacted in a certain way and gives a specific reason why. They can object to receiving all messages from your organisation, or object to specific types of messaging such as text or email.
It is important to understand the reason for the patient or service user’s objection so you can discuss it with them and make decisions about whether you have a strong reason to override it (see Overriding objections section below).
You may have other information, not directly given by the patient or service user when objecting, which indicates to you the reason for their objection. In this case, you should discreetly have a conversation with the patient to understand the situation.
What to do when someone objects
You should explain to the patient or service user how their objection to receiving messages about their care at all or via a particular communication method might impact their care. You may be able to resolve their concerns. However, you should generally respect their decision and ensure the objection is noted in their record.
You should always check whether an individual has registered an objection before communicating with them.
Overriding objections
In certain circumstances, you may have a very strong reason to send a message to an individual which overrides their objection.
Any decision to overrule an individual’s objection should be considered carefully on a case-by-case basis, taking into account their circumstances and reasons for not wanting to be contacted. See Right to object in the IG professionals section of this guidance for more information.
Objections relating to serious harm
In the rare circumstance that a patient or service user is at risk of serious harm if they are contacted by a particular communication method, a conversation should be had as early as possible about whether it is appropriate to entirely remove details of that communication method from their record. For example, if texts might reveal details of medical treatment to an abuser, you may discuss with a patient or service user that their mobile contact number could be removed from their record entirely.
Support with managing objections
If you are unsure what your organisation’s process is for identifying those who have objected to receiving messages or whether you can override an individual’s objection, ask your Data Protection Officer (DPO), Caldicott Guardian, IG team, or a senior member of staff within your organisation.
Minimising confidential information in messages
Each time you send a message to a patient or service user, there is a risk that the information will be compromised or seen by someone other than the intended recipient.
You should think carefully about what information you include in messages to reduce the risk of this happening. This is particularly important when sending emails, texts and other messages where the content might appear on devices’ locked screens.
It is acceptable to include confidential information in messages which you send through secure platforms, such as encrypted email or the NHS App, which require individuals to log in or enter a password to see the content of the message.
Unless you are using a platform which your organisation has approved for sending sensitive information, you should only include confidential patient information in messages where it is necessary to do so. For example, when sending text messages about test results, it is better to indicate that results are ready and advise the recipient to call you directly or access them via a patient portal, than to refer directly to an individual’s health condition in the message. Where removing confidential information is impractical, you should keep it to the minimum amount necessary.
Helping patients and service users identify suspicious messages
To help patients and service users recognise suspicious messages, you should take care to ensure your messages are drafted using professional, neutral language and good grammar.
See Stop! Think Fraud guidance for more information on the typical features of scam messages.
Using acceptable apps, services, platforms and devices
You should not use any app, service, platform or device which has not been approved by your organisation, except for in emergencies (see Emergencies section below). Doing so exposes your organisation and any information you are sending to unnecessary risk.
Your organisation may have a policy about the communication methods which are acceptable for sending confidential patient information such as test results. For example, the policy may say that confidential patient information can be sent via encrypted email or via instant message using a particular secure platform such as the NHS App, but not via text.
Your organisation may also have specific policies about the use of personal devices.
You should take time to familiarise yourself with your organisation’s policies and procedures so that you can be assured that you are upholding your obligation to keep information safe whilst sending messages that are necessary to deliver your health and care services. If you are unsure, always check with your DPO, IG team, or a senior member of staff within your organisation.
Emergencies
If there is a genuine emergency where you urgently need to send a message to protect patients or service users, the safety of your patients and service users should take priority. You should send the message using the most practical communication method for the circumstances of the emergency.
If there is a senior member of staff on hand or an advice service you can discuss the decision with, you should do so, but you may have to make the decision yourself if no one is immediately available.
Once the emergency has been resolved, information governance issues outlined in this guidance should be discussed and addressed with your DPO, IG team or a senior member of staff.
Please see NHS England’s IG guidance on sharing health and care information during major incidents and emergencies for further advice.
Guidance for IG professionals
This section provides guidance for IG professionals implementing responsible uses of text, email or other messaging platforms to communicate with patients and service users about their care.
UK GDPR
Where messages are sent to patients or service users about their care, the UK General Data Protection Regulation (UK GDPR) legal bases most likely to apply are:
- 6(1)(e) public task
- 9(1)(h) provision of health and social care services
This is because it is necessary for you to send individuals messages about their care for you to effectively perform your public task or function.
Common law duty of confidentiality
Contacting individuals to communicate with them about their own care does not contravene the common law duty of confidentiality because the purpose is to share information with the patients or service users themselves.
However, the common law duty of confidentiality is engaged where information is used by, or disclosed to, health and care professionals and support staff for the purposes of communicating with individuals about their direct care. For example, it is engaged where health records are accessed by a staff member to decide which patients should be messaged about vaccinations before the messages are sent. It is appropriate to rely on implied consent to communicate with people about their care, as patients will reasonably expect their confidential patient information to be disclosed to relevant staff members who will use it to send them messages as part of providing their care.
Where a proxy is nominated to receive messages on someone else’s behalf, the common law basis for communication with the proxy for direct care purposes remains implied consent, as the proxy effectively becomes a stand-in for the patient. The proxy relationship itself may exist as a result of explicit consent or another basis, but once the proxy relationship is established, your common law basis for communicating with proxies is the same as the one for communicating with patients.
There are some situations where you will need to consider ethical implications of sending a particular message beyond whether or not it is legal. See Services individuals may feel sensitive about in the healthcare workers section for a practical example, and consider whether your organisation needs to produce any specific guidelines for staff members.
Contact preferences
It is good practice as part of registering and interacting with patients and service users to confirm their contact details and allow patients and service users to indicate their contact preferences. However, contact preferences should be considered as a separate issue to legal bases and objections.
Patients and service users expressing a contact preference, for example to be contacted by letter or text rather than instant messaging, is not equivalent to them giving consent under UK GDPR or common law to be contacted exclusively or at all by those methods. The appropriate legal bases for processing information to contact people under UK GDPR and common law are set out in the UK GDPR and Common law duty of confidentiality sections above.
Not selecting a method of contact is also not equivalent to an objection. Although it is good practice to respect contact preferences wherever possible, if a message needs to be sent to a person about their care and their preferred methods of contact are not possible or impractical, non-preferred methods of contact can be used.
Right to object
Objections
Objections are different to contact preferences. An individual exercises the right to object under UK GDPR by contacting your organisation, asking for their data not to be used to contact them in a particular way, and giving a specific reason why.
An individual can object to:
- the processing of their personal data for the purposes of their care, for example their individual care entirely or a specific health and care service such as screening
- the processing of their personal data using a particular communication method, whilst not objecting to the processing of their personal data for the purposes of their care. For example, objecting to being contacted by electronic forms of communication such as email, text or messaging app because they want to be contacted by letter instead
There is a legal obligation to uphold a person’s objection to the processing of their personal data for the particular purpose unless you demonstrate that there are compelling legitimate grounds to override it. For this reason, it is important to understand the individual’s specific reason for objecting.
Compelling legitimate grounds
In some circumstances, you may be able to demonstrate that you have compelling legitimate grounds to override a patient or service user’s objection to the processing of their personal data using a specific communication method to send them information about their care. You would need to demonstrate that your reasons for using the particular method to communicate with the person about their care override the interests of the individual who has objected.
Examples of situations where compelling legitimate grounds may override a patient or service user’s objection to receiving messages via a certain method include:
- where individuals have a communicable disease which might put others at risk if they are not quickly made aware of it, so you need to issue a communication advising all of them to call your organisation immediately
- verifying if individuals on a waiting list still require treatment, where the list is so long that it is not practical to call or send letters to each person individually
- informing patients or service users that appointments they have within 48 hours are cancelled, postponed or changed location, where allowing them to turn up for the appointment with no warning would cause wasted time and frustration
- contacting vulnerable people following extreme weather, power or water outages
- where a primary contact method does not work, for example a mobile number is not recognised or an email bounces, so the individual is uncontactable without using a method they have objected to
- sending invites for virtual consultations, where it is not possible to issue the correct link to click on without using digital methods of contact such as email, text and secure messaging
- where credible threats are made about an individual in the presence of a health and care worker, so the individual needs to be immediately messaged with an instruction to contact their health organisation so they can be appropriately notified
- where an individual has been prescribed incorrect medication, and they need to be urgently informed to contact your health organisation before doing anything with their prescription to avoid harm
Any decision to overrule an individual’s objection should be taken on a case-by-case basis and considered carefully, taking into account an individual’s circumstances and reasons for objecting to the processing of their personal data by using a particular communication method to contact them. It may be helpful to involve your Caldicott Guardian and make a shared decision on whether to override an objection.
Procedures for objections
Where a patient or service user objects to communications about their individual care, either entirely or via a particular communication method that is likely to be the most effective and timely way of communicating with them about their care, you should put measures in place to ensure they are aware of the potential negative implications of their objection for their health and wellbeing.
You should also have a process in place for ensuring that patients or service users who have objected to the processing of their personal data to receive communication about their care, either entirely or by a particular communication method, are easily identifiable to staff to ensure objections are upheld. For example, they could be identifiable via a note in their record for individual messages, or via an internal list of objected recipients for larger group messages.
Implementing appropriate messaging apps, services and platforms
Meeting the secure email standard is a requirement for health and care organisations. This affects which services your organisation is likely to choose for sending emails to patients and service users. While not mandatory, NHS.net Connect (previously NHSmail) is strongly recommended for all NHS and social care organisations in England. All providers are also expected to prioritise using the NHS App to send messages.
While you should have regard to recommendations made nationally for messaging, it is up to your organisation as the controller to decide which messaging apps, services and platforms are appropriate for your staff members to use for communicating with individuals about their care. Before using a new messaging app, service or platform, you should:
- Ensure the app, service or platform is fit for purpose. You should compare the app, service or platform against other available options, evaluating features relevant to information governance and security, and determining whether it is practical for health and care messaging purposes. You may find that the messaging functionalities you are looking for are available in products your organisation already owns and uses, in which case it would be easier to promote and encourage wider use of those.
- Conduct a data protection impact assessment (DPIA). This will help you identify privacy and security risks associated with the service or supplier offering the messaging service before processing any personal data. You can apply mitigations to risks and demonstrate how use of the service will comply with your data protection obligations. You may need to contact the supplier directly to ask questions during this process if the product information needed for the DPIA is not publicly available.
- Establish staff policies, procedures and security controls. Implement policies or procedures outlining how staff members should responsibly use the messaging app, service or platform to keep data safe. These should be accompanied by appropriate security controls on the messaging app, service or platform to reduce the possibility of it being used inappropriately by staff members or accessed by individuals without authorisation. For more information, see the Policies and procedures for staff members and Security controls for messaging devices, apps, services and platforms sections below.
NHS Notify
NHS Notify is a messaging service operated by NHS England that is integrated with the Personal Demographics Service (PDS). It can be used to send NHS App messages, emails, texts and letters to patients, service users and the public.
Although the PDS system used by NHS Notify holds some details relating to your patients’ and service users’ contact preferences, you are likely to hold more information locally. You are responsible for ensuring that each communication delivered through NHS Notify is configured appropriately to reflect the contact preferences, objections and reasonable adjustments of your patients and service users.
Policies and procedures for staff members
Staff members should be made aware of any procedures they need to follow when messaging patients and service users about their care to minimise risks to confidentiality. Determining what policies and procedures need to be in place is your responsibility, based on the privacy risks associated with using the app, service or platform.
Policies and procedures need to be created with staff behaviours in mind. For example, if you approve a messaging service for limited use and prohibit sending confidential patient information, but staff members are nonetheless likely to use the service for sending confidential patient information out of convenience, you need to plan for that scenario. This may mean running a training and awareness programme to make staff aware of the potential consequences of using the service inappropriately, or asking that messages are reviewed by a second pair of eyes before being issued.
Areas where policies or procedures may be useful include:
- Acceptable apps, services and platforms. You should have a list of approved apps, services and platforms for messaging patients and service users. These are ones that your organisation has risk assessed and judged to be fit for purpose, following the steps outlined in the Implementing appropriate messaging apps, services and platforms section above. Your staff members need to be made aware of the approved list, and reasonable technical or procedural measures should be in place to prevent staff members from using unauthorised messaging products.
- Acceptable use cases. It is a good idea to establish acceptable use cases for how messaging methods such as text, email and other messaging should be used by your organisation. These help staff members choose an appropriate method for messaging patients and service users based on the type of information they need to send. For example, you may decide it is appropriate to send confidential patient information such as test results in an encrypted message using an email service that meets the secure email standard, but not via text due to the less robust security assurances.
- Data minimisation. The way your staff members message individuals about their care should be guided by the principle of using the least amount of information necessary for the purpose. For example, messages about test results could invite individuals to contact your organisation to discuss the outcome or access the information via a patient portal rather than including sensitive information about individuals’ health and care conditions in the message. This reduces the potential for harmful impact if the message is seen by unintended recipients.
- Verifying message recipients. One of the main risks when sending health and care messages is the message reaching the wrong recipient. Your organisation can reduce this risk by: using secure messaging services that require identity verification, such as the NHS App; having procedures for staff members to check individuals’ contact details whenever they use your services; ensuring details are accurate before sending a communication via the NHS Spine, where appropriate; and including in staff training the consequences of inattention when entering contact details into messaging apps, services and platforms.
- Right of access. If an individual makes a subject access request, their right of access would apply to all information held by your organisation about them, including texts, emails and other messages sent via apps, services and platforms. This means that you should have procedures for ensuring that relevant messages sent to individuals about their care are retrievable, for example, by ensuring that they are also entered into their health and care record or by using messaging services with built-in audit capabilities.
- Individual accounts and passwords. All activity on messaging apps, services or platforms must be attributable to individual members of staff wherever this is possible. Staff members should be made aware of their obligation not to share devices or passwords.
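As an added illustration of how the acceptable use cases, data minimisation, recipient verification, right of access and individual accountability points above can be enforced in software, here is a Python policy gate for outbound messages. It is example code written for this page, not an NHS England tool and not the code of any messaging product. The channel policy, the templates, the patient record and every number and address are constructed (the 07700 900xxx and 01632 960xxx ranges are reserved for fictional use), and the `deliver` callback stands in for whatever real transport an organisation has approved.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

ROUTINE, CONFIDENTIAL = "routine", "confidential"

# Hypothetical channel policy (constructed for this example): the sensitivity
# classes each approved channel may carry. Unlisted channels are not approved.
CHANNEL_POLICY = {
    "sms": {ROUTINE},
    "secure_email": {ROUTINE, CONFIDENTIAL},
}

# Hypothetical approved templates. The routine ones carry no clinical detail:
# "results_ready" invites the person to make contact rather than stating a result.
TEMPLATES = {
    "appointment_reminder": (ROUTINE,
        "Reminder: you have an appointment on {when}. Call {phone} if you need to change it."),
    "results_ready": (ROUTINE,
        "Your recent test results are ready. Please call {phone} or log in to the "
        "patient portal to discuss them."),
    "results_detail": (CONFIDENTIAL,
        "Your {test} result is: {result}. Your clinician will contact you."),
}


@dataclass
class PatientRecord:
    """Contact details as held on the person's record (constructed sample data)."""
    patient_id: str
    mobile: str
    email: str


@dataclass
class AuditLog:
    """Append-only list of send attempts, each attributable to a staff member."""
    entries: list = field(default_factory=list)


def normalise_uk_mobile(raw: str) -> str:
    """Return a UK mobile number in +447... form, or raise ValueError."""
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    elif digits.startswith("44") and len(digits) == 12:
        digits = "0" + digits[2:]
    if not re.fullmatch(r"07\d{9}", digits):
        raise ValueError(f"not a valid UK mobile number: {raw!r}")
    return "+44" + digits[1:]


def recipient_matches_record(channel: str, to: str, patient: PatientRecord) -> bool:
    """Check the address typed by staff against the record before anything is sent."""
    try:
        if channel == "sms":
            return normalise_uk_mobile(to) == normalise_uk_mobile(patient.mobile)
        if channel == "secure_email":
            return to.strip().lower() == patient.email.strip().lower()
    except ValueError:
        return False
    return False


def send_message(staff_id, patient, channel, to, template_id, params, audit, deliver=None):
    """Apply the policy checks, then deliver and record the message.

    Every attempt, sent or refused, is written to the audit log under the
    individual staff member's id. Returns the audit entry.
    """
    entry = {
        "at": datetime.now(timezone.utc).isoformat(),
        "staff_id": staff_id, "patient_id": patient.patient_id,
        "channel": channel, "template_id": template_id, "to": to,
    }
    if channel not in CHANNEL_POLICY:
        entry.update(status="refused", reason="channel not approved")
    elif template_id not in TEMPLATES:
        entry.update(status="refused", reason="template not approved")
    elif TEMPLATES[template_id][0] not in CHANNEL_POLICY[channel]:
        entry.update(status="refused", reason="content class not permitted on channel")
    elif not recipient_matches_record(channel, to, patient):
        entry.update(status="refused", reason="recipient does not match record")
    else:
        body = TEMPLATES[template_id][1].format(**params)
        if deliver is not None:
            deliver(to, body)  # hand-off to the approved transport (outside this example)
        # Keep the rendered text so it can be produced for a subject access request.
        entry.update(status="sent", body=body)
    audit.entries.append(entry)
    return entry
```

Two design points are worth noting. The audit entry stores the rendered body, not just the template id, so the exact wording sent can be retrieved for a subject access request even if a template is later edited; and refusals are logged with a reason, which gives the IG team evidence of where staff are trying to use a channel for content it is not approved to carry, the scenario the policy section above asks you to plan for.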
Security controls for messaging devices, apps, services and platforms
You are responsible for determining which security controls should be in place for:
- devices used for messaging – for example, phones which are used to message an individual about their care. You may want to think about specific risks posed by staff using personal devices for this purpose, and how best to mitigate them depending on the services your organisation delivers
- apps, services and platforms used for messaging – for example, an email service which staff members can log into from any device
Controls should be applied based on the security and privacy risks associated with the particular device, app, service or platform. Important measures include:
- applying multi-factor authentication (MFA)
- disabling the ability to install unapproved software and add-ons
- encrypting data at rest
- enabling remote wiping for devices used to send messages
- minimising staff access permissions to what is strictly necessary for them to perform their role
If you assure your information security practices using the Data Security and Protection Toolkit, you will already have applied some of the most important security controls to your devices, apps, services and platforms. You should speak to your cyber security or IT teams for more information or assurance on security controls in place for your organisation.
Transparency
You must be transparent about how you process data, including the communication methods your organisation uses. Where you use text, email, or other messaging apps to contact individuals about their care, this should be reflected in your privacy information.
You should also inform individuals about their right to object in your privacy information. This can be a general statement about individuals’ right to object to your uses of their personal information. It does not have to specifically be about their right to object to texting, emailing and messaging.
In line with Information Commissioner’s Office (ICO) guidance on transparency in health and social care, you should think about additional ways of communicating information about your organisation’s messaging practices which are most effective for your patients and service users.
Suspicious messages
You can establish guidelines for staff members to follow when drafting messages to help individuals differentiate suspicious messages from your organisation’s genuine ones. See Suspicious messages in the patients section of this guidance for more information.
You can also help raise patient and service user awareness of scam messages through face-to-face interactions, patient participation groups, and local campaigns using posters and leaflets.
If you are made aware of a particular scam message being fraudulently sent in the name of your organisation or being received by people in your local area, consider issuing a public communication with specific details of the message. Patients and service users would then have confirmation of the message’s inauthenticity without having to directly contact you.