FOI 25-090 NHS Email Recovery
Freedom of Information Request
- Reference: FOI 25-090 NHS Email Recovery
- Request Date: 20 Feb 2025
- Response Date: 18 Mar 2025
- Information Requested
SLA measurements, as relating to the requests and incidents for access, as established through SAS Service Management and Service Catalogues.
- Response
It is important to note that the Scottish Ambulance Service is a tenant on the Microsoft Contract; this is owned by NHS National Services Scotland, and SAS therefore has limited control over mitigating account incidents.
There is no current policy/procedure in place in relation to requests and incidents for access to emails.
Inactive accounts have licences removed after 60 or more continuous days of inactivity (National directive).
Accounts that have been descoped from Microsoft Entra are classed as being in a Soft Delete state for 30 days. During this stage, SAS are able to recover them intact and exactly as they were (https://learn.microsoft.com/en-us/entra/architecture/recover-from-deletions#soft-deletions).
Accounts that have been in a Soft Delete state for 30 days are then Hard Deleted. Recovery during this window requires involvement from the national team but would result in the account being intact and exactly as it was (https://learn.microsoft.com/en-us/entra/architecture/recover-from-deletions#hard-deletions).
Regardless of the stage that accounts are deleted at, we retain the ability to recover data. If an account is hard deleted and therefore the only option is to recreate from scratch, we can restore data to the new account.
In regard to email addresses, these are created automatically by MIM (Microsoft Identity Manager) based on the first name and surname; NHS boards have no control over the address that it provides. After an address has fallen into inactivity, it isn’t returned to the pool of available addresses, as there would be Information Governance concerns about new starts being allocated an address that has been used by someone else and potentially receiving sensitive information accidentally. When accounts are onboarded after a hard delete, this is no different from a new account, and they will be allocated an email address from the “allowed” list and not one that has been in use over the past 5 years. It is possible to allocate an address that has been used before via manual intervention; however, this is not advised, as MIM wouldn’t know about this and it may therefore cause conflicts in the future. To achieve this properly would take considerable effort and require NSS to make manual changes to the national MIM automated system.