End user organisation acceptable use policy

What we expect from you if you're an organisation using healthcare software in the NHS in England that makes use of our APIs and services.

Overview

If your organisation is using healthcare software in the NHS in England, and that software is making use of our APIs and services, this policy might apply to you.

Your software provider will tell you that it applies if they have signed a Connection Agreement with us or have accepted our API terms of use.

The policy explains what we, and your software provider, expect of you as an "end user organisation".

If you have any questions about this policy, contact us.


Version control

This is version 1 of the online end user organisation acceptable use policy.

There are no previous versions.

This version is only suitable for APIs that do not give access to personally identifiable data (PID).


General

This is the 'End user organisation acceptable use policy' referred to in our online connection agreement for the use of NHS England services that do not transact personal data.

The Connecting Party shall incorporate or otherwise alert the End User Organisations to the End User Organisation AUP as updated from time to time.

The Connecting Party has entered into a Connection Agreement with NHS England. The Connecting Party’s products or services integrate or make use of Service(s) provided by NHS England. This End User Organisation AUP has been drafted to support the provision of the Connecting Party’s products and services to the End User Organisation in relation to the integration or use of Service(s).  

We recognise that there could be many arrangements in relation to different products and services provided by the Connecting Party.  

It is recognised that: 

1)    not all Connecting Parties will have End User Organisations associated with all Services;
2)    in some circumstances a lead public sector End User Organisation will be authorised to act for a number of End User Organisations, and takes responsibility for disseminating the obligations set out in this End User Organisation AUP to the other End User Organisations and individuals within them;
3)    the Connecting Party’s products or services may be delivered by the Connecting Party directly to Individual End Users.


Status

  • This End User Organisation AUP shall govern connection to and use of the Services by all End User Organisation(s).

End User Organisation obligations

  • End User Organisations are responsible for (together with any End User Organisation which is the public sector commissioning entity where relevant):
    • choosing the Connecting Party’s products and services;
    • ensuring that the Connecting Party’s products and services meet its requirements and are secure, clinically safe and legally compliant;
    • ensuring that the Connecting Party provides updates to and maintains its products and services, provides helpdesk and incident management services and shares any incidents impacting Services with NHS England;
    • all arrangements with the Connecting Party for the testing, local assurance, acceptance and deployment to the End User Organisation of the Connecting Party’s products and services;
    • onboarding, service management and delivery of the Connecting Party’s products and services to Individual End Users.
  • End User Organisations are responsible for compliance with DCB0160 (as updated), including but not limited to management of clinical risk including establishment of a framework within which the clinical risks associated with the deployment and implementation of a new or modified health IT system are managed, its local Hazard Log, management of risks transferred by the Connecting Party and implementation of appropriate mitigation actions and controls. 
  • Where personal data is being processed by or on behalf of End User Organisations they are responsible for complying with all applicable law, DHSC, government and regulators’ guidance and policies, and for registering with and maintaining a current latest status rating of at least ‘standards met’ in respect of the Data Security and Protection Toolkit.
  • NHS England may ask the Connecting Party to provide contact information and summary information in relation to its End User Organisations. For example, to understand users of the Services and in circumstances where there is a service interruption, or a data breach, or a clinical risk issue associated with the data.  End User Organisations must co-operate in the provision of such information on request from the Connecting Party.
  • End User Organisations shall use the Service(s) in a manner that is consistent and compliant with this End User Organisation AUP. The End User Organisation shall ensure that the content of this End User Organisation AUP is disseminated to all staff, employees or contractors and shall incorporate it into training (where relevant). 
  • End User Organisations shall not include any terms in their arrangements with Individual End Users which conflict with the Connection Agreement or this End User Organisation AUP.
  • To note, if an End User Organisation does not comply with its End User Organisation AUP, NHS England may itself, or may require the Connecting Party to, disconnect the End User Organisation and/or suspend the End User Organisation's access to the Connecting Party’s products or services, or otherwise, to the extent necessary to protect the Services as a whole.
  • End User Organisations shall:
    • use the Services and the Connecting Party’s products or services for their lawfully intended purposes only.
    • not use any of the Services and the Connecting Party’s products or services in a way that could damage, disable, overburden, impair or compromise security of any system, service or product.
    • co-operate with investigations and resolution of clinical safety, data protection and/or security incidents reported by the End User Organisation, an Individual End User or the relevant Connecting Party to NHS England.
    • not knowingly transmit any data, send or upload any material that contains viruses, trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.

Connecting Party obligations

  • The Connecting Party shall only process personal data in accordance with the law and applicable DHSC, government and regulators’ guidance and policies.
  • The Connecting Party is fully accountable and responsible for the identification, onboarding and management of its End User Organisations (including for the service, management and delivery of its products and services to End User Organisations and Individual End Users), unless agreed otherwise with NHS England.
  • The Connecting Party is responsible for bringing these terms to the attention of End User Organisations and Individual End Users, unless agreed otherwise with NHS England.
  • NHS England is not responsible for verifying the terms of the Connecting Party’s arrangements with the End User Organisations. In particular the terms and conditions governing security, information governance, clinical safety and any other applicable regulatory or compliance topics are detailed in the Connecting Party’s contract with the commissioning party (which may also be the/one of the End User Organisation(s)). 
  • The Connecting Party shall, upon request from NHS England, provide to NHS England the identity and details of all End User Organisations associated with any Service(s) within such reasonable timescales as NHS England may request. 
  • The Connecting Party shall not include any terms in its arrangements with End User Organisations or Individual End Users which conflict with this End User Organisation AUP.
  • The Connecting Party must provide the End User Organisation, on request, with details of the requirements, specifications, policies, guidance and documents associated with the Connection Agreement and any information provided to NHS England in the course of completing the digital onboarding process.

NHS England's role

  • NHS England provides access to its Services for the benefit of health and social care in England.
  • NHS England has not carried out any assurance or testing of the Connecting Party’s products or services as being suitable for the End User Organisation’s intended use or purpose. 
  • NHS England shall have no responsibility for the management or enforcement of End User Organisation’s / commissioning party’s contract(s) for the provision of products and services by the Connecting Party.
  • There are no service levels associated with the NHS England provision of Services, and there may be Service interruptions from time to time. NHS England does not provide anyone (including End User Organisations, Individual End User or the Connecting Party) with any commitment with regards to performance. 
  • End User Organisations understand the circumstances in which access to the Connecting Party’s products and services may be altered or suspended due to the Connecting Party’s failure to comply with this Connection Agreement.

Confidentiality

  • This End User Organisation AUP is not confidential, does not contain any confidential information, and may be published.

Variation

  • NHS England is providing standard services and may need to make changes to the scope and delivery of those Services from time to time. 
  • NHS England is providing government services, and as such these may be cancelled at any time.
  • NHS England may vary, replace or delete any part of this End User Organisation AUP and any of the documents referred to in it. Each varied End User Organisation AUP shall be effective from its date of publication.

Terms used in this End User Organisation AUP

  • “Connection Agreement” means the agreement entered into between the Connecting Party and NHS England;
  • “Connecting Party” means the supplier of products or services;
  • “End User Organisation” means any recipient or commissioning body using or commissioning a Connecting Party’s products or services which interface with Service(s) (whether directly, or indirectly via an agent or other commissioning body);
  • “End User Organisation AUP” means this End User Organisation acceptable use policy;
  • “Individual End User” means an individual recipient using the Connecting Party’s products or services which interface with Service(s) as an individual not an organisation;
  • “Service(s)” means each of the selected products and services which NHS England makes available and with which the Connecting Party is interfacing.

Help and support

If you are an End User Organisation and have any questions about this End User Organisation AUP, contact us.

Last edited: 9 November 2023 11:54 am