Terms of use

This page describes the terms of use for the NHS Digital Onboarding Service, API Management Developer Portal and Developer Community, together with the associated privacy and cookie policies.

Terms of use of the NHS Digital Onboarding Service, API Management Developer Portal and Developer Community

  1. Introduction
    1. The websites at NHS Digital Onboarding Service, My developer account and Developer Community provide the Digital Onboarding Service and the associated API Management Developer Portal and the Developer Community (together the "API Service"). The API Service is owned by the Health and Social Care Information Centre, a non-departmental public body established under primary legislation and known as NHS England. References in these terms of use to “we”, “our” and “us” are references to NHS England. If you need to get in touch you can contact us.
    2. We have developed the API Service to enable you to:
      1. learn more about the APIs you can access
      2. register one or more applications (systems) to work with our APIs, and delete such applications
      3. select/deselect one or more APIs for use with each application
      4. access test area and dummy data as default
      5. provide details and conformance information about your systems and products as part of your organisation’s application to connect to our APIs via an appropriate NHS England process (collectively known as “Onboarding”) by completing an online workflow and uploading documents
      6. obtain security credentials (subject to NHS England approval following assurance and onboarding of your organisation and applications via Onboarding and signature of applicable terms and conditions (a “Connection Agreement”)) that will allow access to the APIs in production and non-production environments and live data;
      7. create and maintain one or more teams and link a team to an application; and
      8. register for updates about the platform and associated APIs - service updates and more general progress updates.
      9. get help and support from us at NHS England and our developer community on integrating your software with our APIs.
    3. Find out more about who we are and our role. You can learn more about the API Management programme, where you can read more about the programme and find out how to contact us.
    4. If we need to contact you specifically, we will do so by email, SMS or telephone call using the contact details you have provided.
  2. When these terms of use apply
    1. You may access and use the API Service if you agree to be legally bound by these terms and conditions ("terms of use"). If you do not agree to this please do not access and/or use the API Service.
    2. You should read these terms of use before using the API Service. Whenever you use the API Service you agree to our terms of use.
    3. You should also read:
      1. our privacy policy as may be updated from time to time, which sets out the terms on which we process any personal data we collect from you, or that you provide to us via the API Service;
      2. our cookies policy as may be updated from time to time, which sets out information about the cookies we use and how we use them when you access and use the API Service.
    4. We may, at any time and in our sole discretion, amend these terms of use for any reason, for example, to comply with law or reflect changes to the API Service. You will be legally bound by these terms of use and any updates from the first time that you use the API Service after publication. We will inform you via the API Service and request your continued agreement if we make any significant changes to these terms of use.
    5. These terms of use apply to your personal use of the API Service. Your receipt of security credentials allowing access to the APIs in production and non-production environments and live data is conditional upon your organisation’s successful Onboarding and Connection Agreement.
  3. How to register for the API Service
    1. The API Service is free and available to anyone.
    2. The API Service is intended for use in association with products to be used in England. References in these terms to "the NHS" mean "the NHS in England" unless otherwise stated. Services and arrangements may differ elsewhere in the United Kingdom.
    3. In order to access the API Service, you will need to register and create an account. You will need to provide a unique username and password, which you should keep secure and should not share with anyone.
    4. As a minimum, passwords you set for use with the API Service must have a level of complexity which ensures they cannot be easily guessed by hackers or malicious software. They should:
      1. be at least twelve characters long
      2. not contain your user name, real name, or organisation name
      3. not appear in the list of top 10,000 passwords
      4. not use sequential key characters on the keyboard (e.g. qwerty, asdfg, 12345).
    5. In line with Government best practice, we recommend using the ‘three random words’ approach, which uses three or more randomly chosen words like ‘saloonbadgertree’ or ‘coffeetrainfish’. These words should be random, and not related personally to you (so not involving a favourite thing, holiday, relative).
    6. You are responsible for making all arrangements necessary for you to access the API Service, including but not limited to a secure internet connection and an appropriate device, operating system and browser. You should use your own virus protection software.
    7. NHS England aims to make the API Service accessible to as many people as possible. The API Service is designed to work with the latest versions of Microsoft Edge, Google Chrome, Mozilla Firefox and Apple Safari, and uses standards which should work on the majority of browsers in use. We offer no warranty for the API Service working in any particular browser or configuration. Please note that you may see inconsistencies in the presentation of pages if you are using an older or deprecated version of a browser. Read further information on the accessibility of this website.
    8. If you know or suspect that anyone other than you knows your username or password, you must promptly reset your password to something only you know.
    9. We have many measures in place to keep your data safe. But it is important that you also play your part – visit the government's Cyber Aware website for advice.
    10. We are giving you personally the right to access and use the API Service. If others in your organisation wish to access the API Service, they should create their own account. There is no limit to how many accounts an organisation may have.
  4. Using the API Service
    1. You agree that:
      1. your use of the API Service does not constitute any assurance or endorsement of any of your products or services by NHS England; and
      2. issue of security credentials allowing access to the APIs in production and non-production environments and live data is given at NHS England’s sole discretion and your organisation will need to comply with all Onboarding requirements, and enter into and comply with a Connection Agreement in order for you to receive and retain these.
    2. You may link to our home page, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it. You must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part. We reserve the right to withdraw linking permission without notice. You shall not make any press announcements without the prior written consent of NHS England. Subject to clause 5.3.1 you shall not use NHS England’s name, logo or brand, or any other NHS names, logos or branding without the prior written consent of NHS England, and in each case, only as permitted by the NHS identity guidelines.
    3. We do not guarantee that the API Service will always be available or that access to it will be error free or uninterrupted. We may suspend, withdraw, discontinue or change all or any part of the API Service without notice. We do not guarantee that the API Service will be secure or free from bugs or viruses.
    4. You must not, in relation to your use of the API Service:
      1. use our intellectual property rights other than as allowed by these terms of use
      2. transmit any material that is defamatory, offensive or otherwise objectionable
      3. collect any data from our systems or attempt to decipher any transmissions to or from our servers
      4. use it in a way that could damage, disable, overburden, impair or compromise our systems or security or interfere with other users
      5. use it in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with these terms of use, or act fraudulently or maliciously, for example, by hacking into or inserting malicious code, such as viruses or harmful data
      6. use it in any way that constitutes improper use or otherwise in a manner not reasonably contemplated by these terms of use
    5. In the event of such a breach, your right to use the API Service will cease immediately.
  5. License
    1. NHS England own or have the right to use all intellectual property rights in the API Service or used for the provision of the API Service. This includes rights in copyright, patents, database rights, trademarks and other intellectual property rights. Those works are subject to crown copyright protection and protected by intellectual property right laws and treaties around the world. All such rights are reserved.
    2. You are allowed to use the API Service and any intellectual property rights in it for the purposes set out in clause 1.2, subject to these terms of use.
    3. You can use copyright and database rights in this website and the API Service under the current version of the Open Government Licence (“OGL”) for any purpose, provided you follow these terms of use and the terms of the OGL. The OGL terms do not apply to the following:
      1. any logos, visuals, image rights, trademarks, trade names and design styles (except where these are integral to a document or data set, in which case you must not alter, adapt, edit or modify any such material) and any other intellectual property rights, including but not limited to patents, design rights and trademarks
      2. personal data
      3. information or components owned by third parties which we are not authorised to licence to you. This includes the API platform and associated backend services, but if you are in doubt please contact us using the details in section 1 above.
    4. Your right to use personal data contained within the APIs in production and non-production environments and live data is conditional upon you having received appropriate security credentials and complying with applicable conditions, as set out in clauses 1.2.5, 2.5 and 4.1.2.
  6. Ending your use of the API Service
    1. You may stop using the API Service and/or cancel your API Service account at any time. If you wish to cancel your account, you should contact us.
    2. If you breach any of these terms of use, we may prevent you from accessing the API Service and cancel your API Service account. If we terminate (or suspend) your access to the API Service, we will notify you. If what you have done can be put right, we will tell you and give you a reasonable opportunity to do so.
    3. If you cancel your API Service account or we end your rights to use the API Service:
      1. you must stop all activities authorised by these terms of use, including use of the API Service; and
      2. all rights granted to you under these terms of use shall automatically cease without further notice (although your statutory rights - for example in respect of data protection as described in the privacy policy - are not affected).
  7. Liability
    1. Please read this clause carefully, as it sets out the limits of our liability to you under these terms of use. Your organisation’s liability to us pursuant to its Onboarding is separate and governed by its Connection Agreement.
    2. Although we make reasonable efforts to update it, the API Service is provided "as is" and, to the extent permitted by law, we make no representations, warranties or guarantees, whether express or implied (including but not limited to the implied warranties of satisfactory quality, fitness for a particular purpose, non-infringement, compatibility, security and accuracy), that (a) the API Service is accurate, complete or up-to-date; (b) the API Service will meet your particular requirements or needs; or (c) access to, or use of, the same will be uninterrupted or completely secure.
    3. You acknowledge and agree that we will not be responsible for any injury, loss, damage, costs or expenses (whether direct or indirect) arising out of, or relating to the use or misuse of the API Service, except to the extent that such liability cannot be excluded by law (i.e. our liability for death or personal injury arising from our negligence, or our fraud or fraudulent misrepresentation or any other liability that cannot be excluded or limited under English law).
    4. This means that we have no liability to you (or anyone else you may use the API Service on behalf of) for any:
      1. business loss (including but not limited to loss of profits, revenue, contracts, anticipated savings, data, goodwill or wasted expenditure)
      2. loss or damage where this is not caused by our negligence
      3. loss or damage arising from an inability to access and/or use the API Service in whole or in part
      4. loss or damage caused by a virus, distributed denial-of-service attack, or other technologically harmful material that may infect your device, computer equipment, computer programmes, data or other proprietary material due to your use of the API Service
      5. other loss or damage whether arising under tort (including negligence), breach of contract, breach of statutory duty or otherwise.
  8. General
    1. You may link directly to the API Service, but we reserve the right to move or change this website’s URLs at any time.
    2. We are not responsible for the content or reliability of any websites we link to and do not necessarily endorse the views expressed within them. We cannot guarantee that these links will always work as we have no control over the availability of other sites.
    3. If any part of these terms of use is determined to be illegal, invalid or otherwise unenforceable then all the remaining parts of these terms of use shall remain in full force and effect.
    4. If we delay in enforcing these terms of use, we can still enforce them later. If we do not insist right away that you follow the requirements within these terms of use, or we delay in taking steps against you if you break them, this will not prevent us from taking steps against you or prevent your need to follow the requirements at a later date.
    5. We may transfer our rights and obligations under these terms of use to another organisation. We will ensure that the transfer will not affect your rights under these terms of use. You may not transfer your rights or your obligations under these terms of use to another person.
    6. These terms of use set out the entire agreement between you personally and us in respect of your use of the API Service. Your organisation is subject to the terms of its Connection Agreement.
    7. These terms of use do not give rise to any rights for any third party to enforce any term of these terms of use.
    8. We do not give permission to suggest that your applications, products or website are associated with, or endorsed by, us.
    9. The laws of England apply exclusively to these terms and conditions and to all matters relating to use of the API Service. Any cause of action arising under or in connection with these terms and conditions or your use of the API Service shall be subject to the exclusive jurisdiction of the courts of England.

Privacy Policy

Privacy Notice Applicable to use of the NHS Digital Onboarding Service, API Management Developer Portal and Developer Community

Your privacy is important to us. This privacy notice covers what personal information we collect and how we use, disclose, transfer and store your information if you choose to use the NHS Digital Onboarding Service or API Management Developer Portal. Our transparency notice sets out how we use personal data.

  1. Who we are

    NHS England was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information.

    Find out more about us.

    We have developed the API Management Developer Portal, the NHS Digital Onboarding Service and the Developer Community (the "API Service") to enable you to:

    • learn more about the APIs you can access
    • register one or more applications (systems) to work with our APIs, and delete such applications
    • select/deselect one or more APIs for use with each application
    • access test area and dummy data as default
    • provide details and conformance information about your systems and products as part of your organisation’s application to connect to our APIs via an appropriate NHS England process (collectively known as “Onboarding”) by completing an online workflow and uploading documents
    • obtain security credentials (subject to NHS England approval following assurance and onboarding of your organisation and applications via Onboarding and signature of applicable terms and conditions (a “Connection Agreement”)) that will allow access to the APIs in production and non-production environments and live data
    • create and maintain one or more teams and link a team to an application
    • register for updates about the platform and associated APIs - service updates and more general progress updates
    • get help and support from us at NHS England and our developer community on integrating your software with our APIs

    Mentions of "us" and "we" mean NHS England and "you" means anyone using the API Service.

    NHS England is the controller for the personal information we process, unless otherwise stated. In particular, our developer community is hosted by Discourse who collect basic operational information as described in their privacy policy.

  2. What personal information we collect about you

    We collect your basic personal details needed to process your onboarding and developer account used to access the API Service, including:

    • first name
    • last name
    • email address
    • organisation you work for
    • organisation contact telephone number

    We also collect technical information needed for security and to set up and manage your account. This includes:

    • log and audit data
    • identifiers relating to you and your device

  3. Why we collect your personal information

    We collect personal information from you to:

    • create an account so you can access and use the API Service
    • receive updates relating to the API Service
    • diagnose problems, understand usage by individuals and manage and improve our service

  4. Our legal basis for using your information

    The legal basis for processing is:

    • Health and Social Care Act (2012) – Schedule 18, part 10 (1)
    • UK GDPR: Article 6 (1c) Legal Obligation (General Powers)
      • No special category data will be processed as a result of your use of the API Service
    • DPA 2018: Schedule 1, Part 1, paragraph 2 - Health or social care purpose

  5. How we process your personal information

    We use hosted containers for in-transit processing on AWS (Amazon Web Services), using the London data region (two Availability Zones) for the NHS England Onboarding Service.

    We use Google Apigee as our processor on the API Management Developer Portal, acting only under our instructions and the terms of a legally binding agreement. The personal information that they access in order to carry out this role is:

    • Name
    • Email address
    • Employer (Organisation)

    We use email to communicate with you in relation to the API Service.

  6. Who we share your personal information with

    We will not share your personal data with other organisations unless required to do so by law.

  7. How we protect your personal information

    We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected.

    We protect your personal information by:

    • training staff to understand data and security protection
    • restricting access to personal information to only those staff who need access to perform their role
    • ensuring security and confidentiality policies are in place for our staff who have access to personal information
    • monitoring our service to keep your personal information secure
    • following good practice guidance
    • using legally binding agreements with all organisations we use to process your personal information on our behalf

  8. How long we store your personal information

    We store your personal information for as long as is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice for Health and Social Care (2016). The retention periods are explained here.

    | Category of Information | Retention Period |
    | --- | --- |
    | User Accounts | Personal information relating to your use of the API Service will be stored for 3 years minimum from completion of the API development work. You can delete your account anytime. If you delete your account, you must create a new account if you ever want to use the API Service in the future. The personal information within your API Service account is: first name; last name; email address; organisation you work for. |
    | Log and audit data | Log and audit data are stored for 400 days in a number of locations across the platform. This information lets us record: when you use your account; details of activities performed when you use your account. |

  9. Where your personal information is stored and processed

    We store and process your information in the UK and the EEA. We will make sure your information is given the level of protection required by law and NHS policies.

  10. Cookies

    We put small files called cookies onto your device, like your mobile phone or computer. We put strictly necessary cookies on your device for the API Service to work, to capture your preferences and to support analytics. Read more about cookies in our Cookie Policy.

  11. Your rights

    Data protection laws provide you with a number of rights which you can exercise by contacting the controller.

    These general rights allow you to:

    • know how your personal information will be collected, processed and stored, and for what purposes
    • request a copy of your personal information by completing a subject access request form
    • change your information if it is wrong or incomplete
    • request we delete your personal data. We may not be able to delete your information if there is a legal reason for us to not delete it
    • request a restriction on the use of your personal information – if it is wrong and you would like it to be changed before being used again

    You can read more about your rights and when they apply on the Information Commissioner's Office's (ICO) website.

  12. Contact Us

    You can contact us by post, telephone or email. More details are available on our contact page.

    Our postal address is:
    7 and 8 Wellington Place
    Leeds
    West Yorkshire
    LS1 4AP

    Telephone: 0300 303 5678
    Email: enquiries@nhsdigital.nhs.uk

    Our Data Protection Officer, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, can be contacted via enquiries@nhsdigital.nhs.uk.

  13. Complaints

    You have the right to complain about how we process your personal information. You can do this by emailing enquiries@nhsdigital.nhs.uk or you can go through the Information Complaints Office (ICO). The ICO is the regulator for data protection.

  14. Changes to our privacy notice

    Our privacy notice may change. The latest version of our privacy notice will be accessible through the API Service. We will inform you through your API Service account if we make any material changes to our privacy notice, cookies policy or terms and conditions. This will allow you to refresh your consent if you wish to continue using the API Service.


Cookie policy

What are cookies?

Cookies are files saved on your phone, tablet or computer when you visit a website.

They store information about how you use the website, such as the pages you visit.

Cookies are not viruses or computer programs. They are very small so do not take up much space.

How we use cookies

We use cookies to:

  • make the website work, for example by keeping it secure or to manage performance
  • measure how users use the site, such as which links you click on

The table below is a list of the cookies used on the NHS Digital Onboarding Service:

| Cookie Name | Purpose | Expires |
| --- | --- | --- |
| _ga | Used to distinguish users on the Google Analytics platform. | 2 years |
| _ga_G85CS3QSTZ | Used to persist session state. | 2 years |
| antiforgery-dos | Used to prevent form interception and fraud. | 1 hour |
| user-session-dos | User session cookie. | 1 hour |
| user-core-session-dos | User session information. | 1 hour |
| temp-data-dos | Used to store temporary data. | 1 hour |
| seen_cookie_message | Used to define if the user has seen the cookie message. | 90 days |

The table below is a list of the cookies used in the Developer Portal (My developer account | NHS England):

| Cookie Name | Purpose | Expires |
| --- | --- | --- |
| _ga | Used to distinguish users on the Google Analytics platform. | 2 years |
| _Secure-3PAPISID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| _Secure-3PSID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| _Secure-3PSIDCC | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 14 days |
| _Secure-APISID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 14 days |
| _Secure-HSID | Stores log-in information to enable navigation between pages and to protect user’s data. Used to build a profile of interests to support delivery of relevant or personalised advertising. | 14 days |
| _Secure-SSID | Used to capture information about website usage and interactions. | 14 days |
| _stripe_mid | Enables credit card payments via the web. | 368 days |
| _stripe_sid | Enables credit card payments via the web. | 1 day |
| _utma | Used by Google Analytics to capture information about website usage and interactions. | 2 years |
| _utmz | Used by Google Analytics to capture information about website usage and interactions. | 6 months |
| 1P_JAR | Part of a group of cookies that sets a unique ID to remember your preferences (such as language) and other information such as website statistics and track conversion rates. Used to support delivery of relevant or personalised advertising. | 1 month |
| ANID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 389 days |
| APISID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| CONSENT | Part of a group of cookies that sets a unique ID to remember your preferences (such as language) and other information such as website statistics and track conversion rates. Used to support delivery of relevant or personalised advertising. | 18 years |
| HSID | Stores log-in information to enable navigation between pages and to protect user’s data. Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| JSESSIONID | Supports the essential functioning of the website. | When you close the browser |
| NID | Part of a group of cookies that sets a unique ID to remember your preferences (such as language) and other information such as website statistics and track conversion rates. Used to build a profile of interests to support delivery of relevant or personalised advertising. | 6 months |
| portalDefaultDomain | Technical session cookie. | When you close the browser |
| portalEmail | Technical session cookie. | 1 day |
| portalRefresh | Technical session cookie. | 1 day |
| portalSession | Technical session cookie. | 1 day |
| route | Technical session cookie. | When you close the browser |
| SAPISID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| SID | Stores log-in information to enable navigation between pages and to protect user’s data. Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| SIDCC | Used to protect user’s data from unauthorised access. Used to build a profile of interests to support delivery of relevant or personalised advertising. | 1 year |
| SSID | Used to build a profile of interests to support delivery of relevant or personalised advertising. | 2 years |
| X-Apigee-CSRF | Protects against cross-site request forgery. | When you close the browser |

The table below is a list of the cookies used on the Developer Community:

| Cookie Name | Purpose | Expires |
| --- | --- | --- |
| email | Used during account creation | When you close the browser |
| destination_url | Used during login to redirect to the requested page | When you close the browser |
| sso_destination_url | Used during SSO login to redirect to the requested page | When you close the browser |
| authentication_data | Used during full-screen login to return data to the JavaScript application | On next page view |
| fsl | Full screen login client setting | When you close the browser |
| theme_key | Client theme personalization. Only used when “Make this my default theme on all my devices” unselected. | None |
| cn | Client clear notifications. | None |
| _bypass_cache | Used with ‘fsl’ for full screen login | When you close the browser |
| _t | User authentication token cookie. SiteSetting.maximum_session_age.hours.from_now | 1440 hours |
| _forum_session | Session cookie | When you close the browser |
| dosp | Temporary cookie that informs client denial of service protection is in place. | On next page view |
| __profilin | Developer only, used by rack-mini-profiler to bypass work | When you close the browser |
| _ga | Google Analytics cookie. ONLY set if configured to use GA | 2 years |
| _gat | Google Analytics cookie. ONLY set if configured to use GA | 2 years |
| _gid | Google Analytics cookie. ONLY set if configured to use GA | 24 hours |

Change your cookie settings

You can use the settings within your browser to determine how cookies are used. You can also update the settings to block certain types of cookies and delete cookies that have been stored on your phone, tablet or computer.

How you do this depends on which internet browser you use. To find out, you can consult the help function of your internet browser or visit AboutCookies.org, which describes how to delete or control cookies for different browsers.

You can find more information about cookies at:
AllAboutCookies.org