
Freedom of Information request: IG and IT Policies, NHS Policies for Email Storage at the Trust

Response published: 18 March 2025

FOI Request

1. What is the email retention policy at your trust for official NHS clinical staff emails related to patient care. Also, what is the retention policy for deleted clinical emails, deleted by staff from their mailbox?

1a) Does your trust require that clinical emails related to patient care be placed in the patient's record?

2. What is the back-up policy at your trust for backing up clinical staff/doctor's emails related to patient care? How often are the clinical emails backed-up and how long are the back-ups kept? Are the back-ups automated?

3. Are deleted clinical emails (deleted by staff) recoverable on the email system at your trust, either from onsite or offsite storage? How long after the emails are deleted by staff, can the emails be recovered from the different locations they are stored?

4. Your trust uses nhs.uk email so NHSMail helpdesk cannot assist with forensic discovery of emails. Hence, does your trust perform a forensic discovery equivalent to the forensic discovery provided by NHSmail help desk to retrieve deleted NHSmail (dot net) emails up to 2 years after they were created/sent even if deleted prior to 2 years by staff? ie Can your trust retrieve deleted nhs.uk emails up to 2 years after they were created/received?

5. Do your doctors have the ability to permanently delete emails from all locations without IT system administrative privileges? Do the doctors at your trust have IT system administrative privileges?

6. When emails are deleted by clinical staff without significant knowledge and access rights, there are other possible places where the deleted emails can be recovered from: For example, local offline storage, where emails are cached on the local machine in an offline storage file (OST) which even when emails are deleted from the mailbox, can leave fully recoverable items, unless the OST file is forensically destroyed. Does your trust maintain an email OST for the staff NHS emails?

7. Are clinical staff emails archived off into different locations? If yes, what are these locations.

8. Can your trust IT team identify and create a log of emails deleted by a specified doctor working at your trust? How long after email deletion can the log still be created?

9. When emails are deleted on the local staff computer and need to be retrieved, administrators can perform a search across the entire MS 365 environment to establish the presence of any of these emails in other user mail-boxes and non-email storage locations - is this a process that your trust can perform via the IT team or other team?

10. If staff emails related to patient's clinical care are requested under DPA 2018 SAR, what is the IT process undertaken at your trust to identify and retrieve the emails. Are offline storage searched and all locations as mentioned in this FOI or only the staff local computer/mailbox? Can you retrieve clinical emails requested under SAR DPA 2018 for up to 2 years after creation/send even if the staff have deleted them?

11. NHS's data retention and information management policy states that "an email will be retained and available for forensic discovery in NHSMail for two years after it was sent/received or until it is deleted from the mailbox by staff, whichever is later." Does your trust adhere to this policy with your nhs.uk email system? ie your trust must be able to retrieve a clinical email for 2 years after it was created or sent, even if it was deleted by staff prior to 2 years - NHSMail helpdesk cannot assist - so does your IT team have a process to ensure compliance with NHS's policy highlighted above?

FOI Response

Freedom of Information Request – Ref: FOI 371-2025

Thank you for your recent Freedom of Information request. Please find our response below.

You asked:

1. What is the email retention policy at your trust for official NHS clinical staff emails related to patient care. Also, what is the retention policy for deleted clinical emails, deleted by staff from their mailbox?

Our response:

Microsoft 365 retention policy – After deletion, mailbox items remain in deleted items for 14 days. After this period, items are moved to the user’s recoverable items folder, where they can be recovered for an additional 30 days (total of 44 days).

If not deleted, emails remain in the mailbox until deleted or until the user leaves the Trust.

You asked:

1a) Does your trust require that clinical emails related to patient care be placed in the patient’s record?

Our response:

Yes, the policy states:

“All significant emails should be referred to in the health record. If the email is considered to be of great significance to the record of healthcare, a copy should be saved and uploaded to the EPR.”

You asked:

2. What is the back-up policy at your trust for backing up clinical staff/doctor’s emails related to patient care? How often are the clinical emails backed-up and how long are the back-ups kept? Are the back-ups automated?

Our response:

No current back up is in place for Microsoft 365 email. If a user leaves, their mailbox is moved to on prem server and can be retrieved in the state it was archived via an .ost file.

You asked:

3. Are deleted clinical emails (deleted by staff) recoverable on the email system at your trust, either from onsite or offsite storage? How long after the emails are deleted by staff, can the emails be recovered from the different locations they are stored?

Our response:

Microsoft 365 retention policy – After deletion, mailbox items remain in deleted items for 14 days. After this period, items are moved to the user’s recoverable items folder, where they can be recovered for an additional 30 days (total of 44 days). If a user leaves, their mailbox is moved to on prem server and can be retrieved in the state it was archived via an .ost file.

You asked:

4. Your trust uses nhs.uk email so NHSMail helpdesk cannot assist with forensic discovery of emails. Hence, does your trust perform a forensic discovery equivalent to the forensic discovery provided by NHSmail help desk to retrieve deleted NHSmail (dot net) emails up to 2 years after they were created/sent even if deleted prior to 2 years by staff? ie Can your trust retrieve deleted nhs.uk emails up to 2 years after they were created/received?

Our response:

If a user leaves, their mailbox is moved to on prem server and can be retrieved in the state it was archived via an .ost file.

You asked:

5. Do your doctors have the ability to permanently delete emails from all locations without IT system administrative privileges? Do the doctors at your trust have IT system administrative privileges?

Our response:

Doctors do not have administrative privileges. Emails can be deleted permanently from “recoverable items”.

You asked:

6. When emails are deleted by clinical staff without significant knowledge and access rights, there are other possible places where the deleted emails can be recovered from: For example, local offline storage, where emails are cached on the local machine in an offline storage file (OST) which even when emails are deleted from the mailbox, can leave fully recoverable items, unless the OST file is forensically destroyed. Does your trust maintain an email OST for the staff NHS emails?

Our response:

MS Purview used if within 90 days. If a user leaves, their mailbox is moved to on prem server and can be retrieved in the state it was archived via an .ost file.

You asked:

7. Are clinical staff emails archived off into different locations? If yes, what are these locations

Our response:

No

You asked:

8. Can your trust IT team identify and create a log of emails deleted by a specified doctor working at your trust? How long after email deletion can the log still be created?

Our response:

Yes for 90 days, longer for manual search by viewing .ost file

You asked:

9. When emails are deleted on the local staff computer and need to be retrieved, administrators can perform a search across the entire MS 365 environment to establish the presence of any of these emails in other user mail-boxes and non-email storage locations – is this a process that your trust can perform via the IT team or other team?

Our response:

Yes

You asked:

10. If staff emails related to patient’s clinical care are requested under DPA 2018 SAR, what is the IT process undertaken at your trust to identify and retrieve the emails. Are offline storage searched and all locations as mentioned in this FOI or only the staff local computer/mailbox? Can you retrieve clinical emails requested under SAR DPA 2018 for up to 2 years after creation/send even if the staff have deleted them?

Our response:

We do not search offline caches as we cannot always be aware of their existence.
Our searches are done through Microsoft 365 compliance centre and are done on the basis of least info to retrieve the required information.
We can retrieve emails from any age as long as the email still exists. If staff have deleted it and it has gone past the retention period, the email is lost.

You asked:

11. NHS’s data retention and information management policy states that “an email will be retained and available for forensic discovery in NHSMail for two years after it was sent/received or until it is deleted from the mailbox by staff, whichever is later.” Does your trust adhere to this policy with your nhs.uk email system? ie your trust must be able to retrieve a clinical email for 2 years after it was created or sent, even if it was deleted by staff prior to 2 years – NHSMail helpdesk cannot assist – so does your IT team have a process to ensure compliance with NHS’s policy highlighted above?

Our response:

Yes

Next steps:

Should you have any queries in relation to our response, please do not hesitate to contact us. If you are unhappy with the response you have received in relation to your request and wish to ask us to review our response, you should write to:

Louise Moss
Head of Legal Services / Associate Director of Corporate Governance
c/o Gloucestershire Health and Care NHS Foundation Trust
Edward Jenner Court
1010 Pioneer Avenue
Gloucester Business Park
Brockworth, GL3 4AW
E-mail: louise.moss@ghc.nhs.uk

If you are not content with the outcome of any review, you may apply directly to the Information Commissioner’s Office (ICO) for further advice/guidance. Generally, the ICO will not consider your case unless you have exhausted your enquiries with the Trust which should include considering the use of the Trust’s formal complaints procedure. The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.