Email Storage and Retention

Reference: 24-25513

Date response sent: 07/03/2025

Details of enquiry

This FOI relates to Information Governance and IT policies, and NHS policies for email storage at the Trust.   The FOI questions are asked on the assumption that your trust is using nhs.uk email addresses and not NHSMail.

  1. What is the email retention policy at your trust for official NHS clinical staff emails related to patient care. Also, what is the retention policy for deleted clinical emails, deleted by staff from their mailbox?

a. Does your trust require that clinical emails related to patient care be placed in the patient’s record?

2. What is the back-up policy at your trust for backing up clinical staff/doctor’s emails related to patient care? How often are the clinical emails backed-up and how long are the back-ups kept? Are the back-ups automated?

3. Are deleted clinical emails (deleted by staff) recoverable on the email system at your trust, either from onsite or offsite storage? How long after the emails are deleted by staff, can the emails be recovered from the different locations they are stored?

4. Your trust uses ukemail so NHSMail helpdesk cannot assist with forensic discovery of emails. Hence, does your trust perform a forensic discovery equivalent to the forensic discovery provided by NHSmail help desk to retrieve deleted NHSmail (dot net) emails up to 2 years after they were created/sent even if deleted prior to 2 years by staff?

a. ie Can your trust retrieve deleted ukemails up to 2 years after they were created/received?

5. Do your doctors have the ability to permanently delete emails from all locations without IT system administrative privileges? Do the doctors at your trust have IT system administrative privileges?

6. When emails are deleted by clinical staff without significant knowledge and access rights, there are other possible places where the deleted emails can be recovered from: For example, local offline storage, where emails are cached on the local machine in an offline storage file (OST) which even when emails are deleted from the mailbox, can leave fully recoverable items, unless the OST file is forensically destroyed. Does your trust maintain an email OST for the staff NHS emails?

7. Are clinical staff emails archived off into different locations? If yes, what are these locations.

8. Can your trust IT team identify and create a log of  emails deleted by a specified doctor working at your trust? How long after email deletion can the log still be created?

9. When emails are deleted on the local staff computer and need to be retrieved, administrators can perform a search across the entire MS 365 environment to establish the presence of any of these emails in other user mail-boxes and non-email storage locations – is this a process that your trust can perform via the IT team or other team?

10. If staff emails related to patient’s clinical care are requested under DPA 2018 SAR, what is the IT process undertaken at your trust to identify and retrieve the emails. Are offline storage searched and all locations as mentioned in this FOI or only the staff local computer/mailbox? Can you retrieve clinical emails requested under SAR DPA 2018 for up to 2 years after creation/send even if the staff have deleted them?

11. NHS’s data retention and information management policy states that “an email will be retained and available for forensic discovery in NHSMail for two years after it was sent/received or until it is deleted from the mailbox by staff, whichever is later.” Does your trust adhere to this policy with your ukemail system? ie your trust must be able to retrieve a clinical email for 2 years after it was created or sent, even if it was deleted by staff prior to 2 years – NHSMail helpdesk cannot assist – so does your IT team have a process to ensure compliance with NHS’s policy highlighted above?

Response sent

  1. What is the email retention policy at your trust for official NHS clinical staff emails related to patient care. Also, what is the retention policy for deleted clinical emails, deleted by staff from their mailbox?

i. The Trust confirms that patient-centric emails, (about a patient’s health and care), which were sent/received and subsequently replicated and uploaded into an electronic patient record (EPR), which is backed up on a daily basis. This is in line with the NHSE Records Management Code of Practice. All staff are blocked from making deletions to EPR, (which includes uploaded emails), unless special grounds and permissions to locate and delete were granted, eg information uploaded to wrong patient record, and would only be conducted by the IMT department.

ii. The Trust also confirms that its staff manage their own email accounts and shared mailboxes as a means to communicate internally and externally and this includes clinical emails. The Trust does not monitor email deletions from staff’s own and/or shared email mailboxes, and so unless emails about a patient’s health and care are uploaded to the EPR, email would remain subject to the Trust’s general email management and email retention procedures.

iii. All emails are automatically retained and are backed up daily to cloud. Deleted emails can be exceptionally resurrected by IMT upon request – subject to justification and permission from the mailbox owner and/or relevant Executive Director. This is generally for emails up to two years old. In exceptional cases we might be able to retrieve older emails as policies varied over time. Clinical staff emails are not treated differently to other staff emails.

a. Does your trust require that clinical emails related to patient care be placed in the patient’s record?

See our response at point 1.i above

2. What is the back-up policy at your trust for backing up clinical staff/doctor’s emails related to patient care?

See our response at point 1.i above

a. How often are the clinical emails backed-up and how long are the back-ups kept? Are the back-ups automated?

See our response at point 1.iii above

3. Are deleted clinical emails (deleted by staff) recoverable on the email system at your trust, either from onsite or offsite storage?

See our response at point 1.iii above

a. How long after the emails are deleted by staff, can the emails be recovered from the different locations they are stored?

See our response at point 1.iii above

4. Your trust uses ukemail so NHSMail helpdesk cannot assist with forensic discovery of emails. Hence, does your trust perform a forensic discovery equivalent to the forensic discovery provided by NHSmail help desk to retrieve deleted NHSmail (dot net) emails up to 2 years after they were created/sent even if deleted prior to 2 years by staff?

Yes

a. ie Can your trust retrieve deleted ukemails up to 2 years after they were created/received?

Yes

5. Do your doctors have the ability to permanently delete emails from all locations without IT system administrative privileges?

No, they do not have IT system administrative privileges, they can only delete emails from their own mailbox and their shared mailboxes.

a. Do the doctors at your trust have IT system administrative privileges?

No

6. When emails are deleted by clinical staff without significant knowledge and access rights, there are other possible places where the deleted emails can be recovered from: For example, local offline storage, where emails are cached on the local machine in an offline storage file (OST) which even when emails are deleted from the mailbox, can leave fully recoverable items, unless the OST file is forensically destroyed.

This statement is incorrect – Staff cannot delete emails to which they do not have access rights.  Please refer to our response to Q 1.ii above.

a. Does your trust maintain an email OST for the staff NHS emails?

No

7. Are clinical staff emails archived off into different locations? If yes, what are these locations.

See our response to questions 1.i and 1.iii above

8. Can your trust IT team identify and create a log of emails deleted by a specified doctor working at your trust?

No

a. How long after email deletion can the log still be created?

See our response to question 8 above

9. When emails are deleted on the local staff computer and need to be retrieved, administrators can perform a search across the entire MS 365 environment to establish the presence of any of these emails in other user mail-boxes and non-email storage locations – is this a process that your trust can perform via the IT team or other team?

See our response to question 1.iii above

10. If staff emails related to patient’s clinical care are requested under DPA 2018 SAR, what is the IT process undertaken at your trust to identify and retrieve the emails. Are offline storage searched and all locations as mentioned in this FOI or only the staff local computer/mailbox? Can you retrieve clinical emails requested under SAR DPA 2018 for up to 2 years after creation/send even if the staff have deleted them?

See our response to question 1.i and 1.iii above

11. NHS’s data retention and information management policy states that “an email will be retained and available for forensic discovery in NHSMail for two years after it was sent/received or until it is deleted from the mailbox by staff, whichever is later.” Does your trust adhere to this policy with your ukemail system? ie your trust must be able to retrieve a clinical email for 2 years after it was created or sent, even if it was deleted by staff prior to 2 years – NHSMail helpdesk cannot assist – so does your IT team have a process to ensure compliance with NHS’s policy highlighted above?

The Trust does not follow the NHSMail policy.  The Trust’s IMT Department are able to assist with retrieving emails archived within the last two years.