Skip to main content

Texting, emailing and messaging patients and service users guidance for IG professionals

Guidance for information governance (IG) professionals implementing responsible uses of text, email or other messaging platforms to communicate with patients and service users about their care.

Page contents

UK GDPR

Where messages are sent to patients or service users about their care, the UK General Data Protection Regulation (UK GDPR) legal bases most likely to apply are:

  • 6(1)(e) public task
  • 9(2)(h) provision of health and social care services

This is because it is necessary for you to send individuals messages about their care for you to effectively perform your public task or function.

Common law duty of confidentiality

Contacting individuals to communicate with them about their own care does not contravene the common law duty of confidentiality because the purpose is to share information with the patients or service users themselves.

However, the common law duty of confidentiality is engaged where information is used by, or disclosed to, health and care professionals and support staff for the purposes of communicating with individuals about their direct care.

For example, where health records are accessed by a staff member to decide which patients should be messaged about vaccinations before the messages are sent.

It is appropriate to rely on implied consent to communicate with people about their care, as patients will reasonably expect their confidential patient information to be disclosed to relevant staff members who will use it to send them messages as part of providing their care.

Where a proxy is nominated to receive messages on someone else’s behalf, the common law basis for communication with the proxy for direct care purposes remains implied consent, as the proxy effectively becomes a stand-in for the patient.

The proxy relationship itself may exist as a result of explicit consent or another basis, but once the proxy relationship is established, your common law basis for communicating with proxies is the same as the one for communicating with patients.

There are some situations where you will need to consider ethical implications of sending a particular message beyond whether or not it is legal.

See the services individuals may feel sensitive about in the health and care professionals section for a practical example, and consider whether your organisation needs to produce any specific guidelines for staff members.

Contact preferences

It is good practice as part of registering and interacting with patients and service users to confirm their contact details and allow patients and service users to indicate their contact preferences. However, contact preferences should be considered as a separate issue to legal bases and objections.

Patients and service users expressing a contact preference, for example to be contacted by letter or text rather than instant messaging, is not equivalent to them giving consent under UK GDPR or common law to be contacted exclusively or at all by those methods. The appropriate legal bases for processing information to contact people under UK GDPR and common law are set out in the UK GDPR and Common law duty of confidentiality sections above.

Not selecting a method of contact is also not equivalent to an objection. Although it is good practice to respect contact preferences wherever possible, if a message needs to be sent to a person about their care and their preferred methods of contact are not possible or impractical, non-preferred methods of contact can be used.

Right to object

Objections

Objections are different to contact preferences. An individual exercises the right to object under UK GDPR by contacting your organisation, asking for their data not to be used to contact them in a particular way, and giving a specific reason why.

An individual can object to:

  • the processing of their personal data for the purposes of their care, for example their individual care entirely or a specific health and care service such as screening
  • the processing of their personal data using a particular communication method, whilst not objecting to the processing of their personal data for the purposes of their care. For example, objecting to be contacted by electronic forms of communication such as email, text or messaging app because they want to be contacted by letter instead

There is a legal obligation to uphold a person’s objection to the processing of their personal data for the particular purpose unless you demonstrate that there are compelling legitimate grounds to override it. For this reason, it is important to understand the individual’s specific reason for objecting.

Compelling legitimate grounds

In some circumstances, you may be able to demonstrate that you have compelling legitimate grounds to override a patient or service user’s objection to the processing of their personal data using a specific communication method to send them information about their care. You would need to demonstrate that your reasons for using the particular method to communicate with the person about their care override the interests of the individual who has objected.

Examples of situations where compelling legitimate grounds may override a patient or service user’s objection to receiving messages via a certain method include:

  • where individuals have a communicable disease which might put others at risk if they are not quickly made aware of it, so you need to issue a communication advising all of them to call your organisation immediately
  • verifying if individuals on a waiting list still require treatment, where the list is so long that it is not practical to call or send letters to each person individually
  • informing patients or service users that appointments they have within 48 hours are cancelled, postponed or changed location, where allowing them to turn up for the appointment with no warning would cause wasted time and frustration
  • contacting vulnerable people following extreme weather, power or water outages
  • where a primary contact method does not work, for example a mobile number is not recognised or an email receives a bounce back, so the individual is uncontactable without using a method they have objected to
  • sending invites for virtual consultations, where it is not possible to issue the correct link to click on without using digital methods of contact such as email, text and secure messaging
  • where credible threats are made about an individual in the presence of a health and care worker, so the individual needs to be immediately messaged with an instruction to contact their health organisation so they can be appropriately notified
  • where an individual has been prescribed incorrect medication, and they need to be urgently informed to contact your health organisation before doing anything with their prescription to avoid harm

Any decision to overrule an individual’s objection should be taken on a case-by-case basis and considered carefully, taking into account an individual’s circumstances and reasons for objecting to the processing of their personal data by using a particular communication method to contact them. It may be helpful to involve your Caldicott Guardian and make a shared decision on whether to override an objection.

Procedures for objections

Where a patient or service user objects to communications that are about their individual care, either entirely or by using a particular communication method which is likely to be the most effective and timely way of communicating with them about their care, measures should be put in place to ensure that they are aware of the potential negative implications of their objection for their health and wellbeing.

You should also have a process in place for ensuring that patients or service users who have objected to the processing of their personal data to receive communication about their care, either entirely or by a particular communication method, are easily identifiable to staff to ensure objections are upheld.

For example, they could be identifiable via a note in their record for individual messages, or via an internal list of objected recipients for larger group messages.

Implementing appropriate messaging apps, services and platforms

Meeting the secure email standard is a requirement for health and care organisations. This affects which services your organisation is likely to choose for sending emails to patients and service users. While not mandatory, NHS.net Connect (previously NHSmail) is strongly recommended for all NHS and social care organisations in England. All providers are also expected to prioritise using the NHS App to send messages.

While you should have regard to recommendations made nationally for messaging, it is up to your organisation as the controller to decide which messaging apps, services and platforms are appropriate for your staff members to use for communicating with individuals about their care. Before using a new messaging app, service or platform, you should:

Ensure the app, service or platform is fit for purpose
Ensure the app, service or platform is fit for purpose

You should compare the app, service or platform against other available options, evaluating features relevant to information governance and security, and determining whether it is practical for health and care messaging purposes. You may find that the messaging functionalities you are looking for are available in products your organisation already owns and uses, in which case it would be easier to promote and encourage wider use of those.

Conduct a data protection impact assessment (DPIA)
Conduct a data protection impact assessment (DPIA)

This will help you identify privacy and security risks associated with the service or supplier offering the messaging service before processing any personal data. You can apply mitigations to risks and demonstrate how use of the service will comply with your data protection obligations. You may need to contact the supplier directly to ask questions during this process if the product information needed for the DPIA is not publicly available.

Establish staff policies, procedures and security controls
Establish staff policies, procedures and security controls

Implement policies or procedures outlining how staff members should responsibly use the messaging app, service or platform to keep data safe. These should be accompanied by appropriate security controls on the messaging app, service or platform to reduce the possibility of it being used inappropriately by staff members or accessed by individuals without authorisation. For more information, see the policies and procedures for staff members and the security controls for messaging devices, apps, services and platforms sections.

NHS Notify

NHS Notify is a messaging service operated by NHS England that is integrated with the Personal Demographics Service (PDS). It can be used to send NHS App messages, emails, texts and letters to patients, service users and the public.

Although the PDS system used by NHS Notify holds some details relating to your patients’ and service users’ contact preferences, you are likely to hold more information locally. You are responsible for ensuring that each communication delivered through NHS Notify is configured appropriately to reflect the contact preferences, objections and reasonable adjustments of your patients and service users.

Policies and procedures for staff members

Staff members should be made aware of any procedures they need to follow when messaging patients and service users about their care to minimise risks to confidentiality. Determining what policies and procedures need to be in place is your responsibility, based on the privacy risks associated with using the app, service or platform.

Policies and procedures need to be created with staff behaviours in mind. For example, if you approve a messaging service for limited use and prohibit sending confidential patient information, but staff members are nonetheless likely to use the service for sending confidential patient information out of convenience, you need to plan for that scenario. This may mean running a training and awareness program to make staff aware of the potential consequences of using the service inappropriately, or asking that messages are reviewed by a second pair of eyes before being issued.

Areas where policies or procedures may be useful include:

Acceptable apps, services and platforms
Acceptable apps, services and platforms

You should have a list of approved apps, services and platforms for messaging patients and service users. These are ones that your organisation has risk assessed and judged to be fit for purpose, following the steps outlined in the implementing appropriate messaging apps, services and platforms section above.

Your staff members need to be made aware of the approved list, and reasonable technical or procedural measures should be in place to prevent staff members from using unauthorised messaging products.

Acceptable use cases
Acceptable use cases

It is a good idea to establish acceptable use cases for how messaging methods such as text, email and other messaging should be used by your organisation.

These help staff members choose an appropriate method for messaging patients and service users based on the type of information they need to send.

For example, you may decide it is appropriate to send confidential patient information such as test results in an encrypted message using an email service that meets the secure email standard, but not via text due to the less robust security assurances.

Data minimisation
Data minimisation

The way your staff members message individuals about their care should be guided by the principle of using the least amount of information necessary for the purpose.

For example, messages about test results could invite individuals to contact your organisation to discuss the outcome or access the information via a patient portal rather than including sensitive information about individuals’ health and care conditions in the message.

This reduces the potential for harmful impact if the message is seen by unintended recipients.

Verifying message recipients.
Verifying message recipients.

One of the main risks when sending health and care messages is the message being received by the wrong recipient.

Some ways your organisation can minimise the possibility of this happening are using secure messaging services requiring identity verification such as the NHS App, having procedures for staff members to check individuals’ contact details whenever they use your services, ensuring details are accurate before sending a communication via the NHS Spine where appropriate, and ensuring staff members are aware of the consequences of inattention when entering contact details into messaging apps, services and platforms as part of their training.

Right of access
Right of access

If an individual makes a subject access request, their right of access would apply to all information held by your organisation about them, including texts, emails and other messages sent via apps, services and platforms.

This means that you should have procedures for ensuring that relevant messages sent to individuals about their care are retrievable, for example, by ensuring that they are also entered into their health and care record or by using messaging services with built-in audit capabilities.

Individual accounts and passwords
Individual accounts and passwords

All activity on messaging apps, services or platforms must be attributable to individual members of staff wherever this is possible. Staff members should be made aware of their obligation not to share devices or passwords.

Security controls for messaging devices, apps, services and platforms

You are responsible for determining which security controls should be in place for:

  • devices used for messaging – for example, phones which are used to message an individual about their care. You may want to think about specific risks posed by staff using personal devices for this purpose, and how best to mitigate them depending on the services your organisation delivers
  • apps, services and platforms used for messaging – for example, an email service which staff members can log into from any device

Controls should be applied based on the security and privacy risks associated with the particular device, app, service or platform. Important measures include:

  • applying multi-factor authentication (MFA)
  • disabling the ability to install unapproved software and add-ons
  • encrypting data at rest
  • enabling remote wiping for devices used to send messages
  • minimising staff access permissions to what is strictly necessary for them to perform their role

If you assure your information security practices using the Data Security and Protection Toolkit, you will already have applied some of the most important security controls to your devices, apps, services and platforms. You should speak to your cyber security or IT teams for more information or assurance on security controls in place for your organisation.

Transparency

You must be transparent about how you process data, including the communication methods your organisation uses. Where you use text, email, or other messaging apps to contact individuals about their care, this should be reflected in your privacy information.

You should also inform individuals about their right to object in your privacy information. This can be a general statement about individuals’ right to object to your uses of their personal information. It does not have to specifically be about their right to object to texting, emailing and messaging.

In line with Information Commissioner’s Office (ICO) guidance on transparency in health and social care, you should think about additional ways of communicating information about your organisation’s messaging practices which are most effective for your patients and service users.

Suspicious messages

You can establish guidelines for staff members to follow when drafting messages to help individuals differentiate suspicious messages from your organisation’s genuine ones. See suspicious messages in the patients section of this guidance for more information.

You can also help raise patient and service user awareness of scam messages through face-to-face interactions, patient participation groups, and local campaigns using posters and leaflets.

If you are made aware of a particular scam message being fraudulently sent in the name of your organisation or being received by people in your local area, consider issuing a public communication with specific details of the message. Patients and service users would then have confirmation of the message’s inauthenticity without having to directly contact you

Guidance for patients and service users

Guidance for health and care professionals

Last edited: 7 May 2026 12:51 pm