Skip to main content

API acceptable use policy


Summary

The Directory of Service (DoS) contains information for a wide range of health and care services across England. It is a core part of the urgent and emergency care system workflow and is responsible for directing patients to appropriate services  every hour of every day.  Further information on the DoS and APIs is available.  

Our Acceptable Use Policy (AUP) explains what we prohibit when any party uses the Directory of Services APIs (referred to as “DoS APIs” or “the services”).

This AUP has examples of restricted behaviour but does not list all restricted behaviours. Ultimately, NHS Digital will decide whether your use violates the AUP.

We may modify this policy from time to time. By using the services, you agree to the latest version of this policy. If you violate the policy or authorise or help others to do so, we may suspend or terminate your use of the services.

We issue an AUP to all new consumers of the DoS APIs. For the most part these are a standard set of guidelines for API usage, however we may tailor the AUPs to individual API consumers based on the intended use cases.

While we’ve done our best to make our AUP complete, readable, and understandable, you may still have additional questions. If so, email the DoS team and we can discuss your specific use cases.

The policy

Be responsible when displaying information publicly

Not all service information is appropriate for displaying directly to the public - many services are only available via professional referral routes and are not appropriate for self-referral by a member of the public. The information you display to the public could influence decision-making which could introduce an amount of clinical responsibility and risk on your part.

If you are planning to present DoS information directly to the public, you should:

  • Ensure patient safety is NOT compromised through the use of this API or the presentation of the data
  • Discuss your use case with the NHS Digital DoS team and gain explicit permission to display information publicly
  • Make contact with the NHS England DoS Team and appropriate local commissioning / DoS teams to discuss your use case and gain explicit permission to operate within their area
  • Ensure your clinical decision support product is compliant with current information standards DCB 0129 and DCB 0160.

Keep data fresh  

You shouldn’t cache DoS service information within your application. You should always retrieve the most recent information available via the API at the point it is required by your users.

If you feel you have an exceptional need to cache DoS service information locally, you should discuss this with the NHS Digital DoS team and gain explicit permission for that usage pattern. 

Don't crawl the API  

You are not allowed to systematically crawl the API. Any activity resembling crawling activity will be monitored, investigated, and could lead to your API access being suspended or revoked.

Monitoring and enforcement

We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or Website.

We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information.

We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this policy

How we will respond if your activity contravenes the policy  

When identifying activity that contravenes the policy, we will always first refer to the agreed usage between you as a consumer and us as the service provider. For this reason, prior agreement around your specific use cases will help us to ensure your service is not interrupted unnecessarily.

If you wish to modify your use case you will need to submit an updated request for access.

If we believe that your activity is not compliant with our Acceptable Use Policy or with any explicit agreement we have, we will first perform an impact assessment to decide the level of risk posed by your activity.

Where we identify a significant risk to the service as a result of your usage, our priority will be to protect the service and so we may immediately suspend your access without prior notice.

Where we don’t feel that your usage poses an immediate risk, we will make contact with you to discuss your usage in order to agree a way forward, advising of our intention to suspend your access if the usage is not made compliant within a reasonable timeframe.

How we will respond if your activity contravenes the policy

When identifying activity that contravenes the policy, we will always first refer to the agreed usage between you as a consumer and us as the service provider. For this reason, prior agreement around your specific use cases will help us to ensure your service is not interrupted unnecessarily.

If you wish to modify your use case you will need to submit an updated request for access.

If we believe that your activity is not compliant with our Acceptable Use Policy or with any explicit agreement we have, we will first perform an impact assessment to decide the level of risk posed by your activity.

Where we identify a significant risk to the service as a result of your usage, our priority will be to protect the service and so we may immediately suspend your access without prior notice.

Where we don’t feel that your usage poses an immediate risk, we will make contact with you to discuss your usage in order to agree a way forward, advising of our intention to suspend your access if the usage is not made compliant within a reasonable timeframe.

Information governance

The API provides access to information about NHS services, which can include service contact information and information about level and types of service provided.

You must ensure that you have consent to make use of, and share, the service data contained within the DoS.

You must ensure that you comply with the Data Protection Act 2018 (GDPR) when working with data about individuals.

You are NOT allowed to sell, manipulate, or otherwise distribute API data for commercial purposes,  unless explicit documented permission has been obtained. 

Published list of API connections

Approved API consumers, and a summary of their use cases will be published publicly.

If there is a reason that you feel your use of the API should not be publicly reflected on this list, you must discuss with NHS Digital prior to commencing use.

Last edited: 1 October 2019 11:41 am