With more and more of us working remotely, we are being asked about accessing emails and sensitive data from abroad. We know instances where practice staff are leaving the profession as they plan to move abroad for part of the year. Practice’s want to keep their experienced staff and so we hope this information below helps.
Reference: information received from Paul Cauldrey, DPO, PCDC
As long as patients are aware of the employee processing their data outside of the UK and appropriate security is in place (NHSE VPN two factor ID policy compiled with) then NHSE seem to have no issues with this. Accessing NHS mail from outside of the UK is effectively processing data, as such accessing NHS.net from outside of the UK is now prohibited unless your organisation has MFA applied to our account.
When users access their account from outside of the UK and non-corporate VPNs are used, they face the risk of being blocked. Where there are valid use cases for accessing NHSmail services outside of the UK, we recommend Multi-Factor Authentication (MFA) is applied to the user accounts by their organisation before they leave the UK.
From Friday 10 February 2023, if users access their account from outside of the UK and do not have a secure mechanism for connecting to NHSmail, their access will be blocked.
Users who wish to continue to access their accounts from outside of the UK, will either:
- Require suitable corporate VPN access provided by your organisation. This is not something NHSmail can provide.
- Or require MFA to be applied to their account. MFA can be applied via the NHSmail Portal before going or while abroad either by users themselves to self-enrol or administrators.
We have written to all users identified as connecting from outside of the UK advising this and how to self-enrol MFA.
User Guidance on how to self-enrol MFA and Admi Guidance on how to apply MFA can be found on this NHSmail support page - https://support.nhs.net/article-categories/user-guides/