End User Organisation Acceptable Use Policy (AUP)
The Connecting Party shall incorporate or otherwise alert the End User Organisations to the End User Organisation AUP as updated from time to time. A copy is available on the NHS Digital website, but the current version is set out below.
End User Organisation Acceptable Use Policy
The Connecting Party has signed a Connection Agreement with NHS Digital. The Connecting Party’s products or services integrate or make use of Service(s) provided by NHS Digital. This End User Organisation AUP has been drafted to support the provision of the Connecting Party’s products and services to the End User Organisation in relation to the integration or use of Service(s).
NHS Digital recognises that there could be many arrangements in relation to different products and services provided by the Connecting Party and their delivery of, access to and receipt of NHS data.
It is recognised that:
1) not all Connecting Parties will have End User Organisations associated with all Services;
2) in some circumstances a lead public sector End User Organisation will be authorised to act for a number of End User Organisations, and takes responsibility for disseminating the obligations set out in this End User Organisation AUP to the other End User Organisations and individuals within them;
3) some Services may be commissioned by a public sector body, but delivered by the Connecting Party directly to Individual End Users.
This End User Organisation AUP shall govern connection to and use of the Services by all End User Organisation(s).
End User Organisation Obligations:
All End User Organisations shall only share data in accordance with the law and applicable DHSC, government and regulators’ guidance and policies.
An End User Organisation cannot receive data until it has fully registered with the Data Security and Protection Toolkit and has a current latest status rating of at least ‘standards met’.
The End User Organisation is responsible (together with any End User Organisation which is the public sector commissioning entity, where relevant) for: choosing the Connecting Party’s systems and services; ensuring that the Connecting Party’s systems and services meet its requirements and are secure, clinically safe and legally compliant; ensuring that the Connecting Party provides updates to and maintains its systems and services, provides helpdesk and incident management services and shares any incidents impacting NHS Digital services with NHS Digital; all arrangements with the Connecting Party for the testing, local assurance, acceptance and deployment to the End User Organisation of the Connecting Party’s systems and services; and onboarding, service management and delivery of the Connecting Party’s systems and services to Individual End Users.
The End User Organisation is responsible for compliance with DCB0160 (as updated), including but not limited to management of clinical risk including establishment of a framework within which the clinical risks associated with the deployment and implementation of a new or modified health IT system are managed, its local Hazard Log, management of risks transferred by the Connecting Party and implementation of appropriate mitigation actions and controls.
· NHS Digital may ask the Connecting Party to provide contact information and summary information in relation to its End User Organisations, for example to understand users of the Services, or in circumstances where there is a service interruption, a data breach or a clinical risk issue associated with the data. End User Organisations must co-operate in the provision of such information on request from the Connecting Party.
· End User Organisations shall use the Service(s) in a manner that is consistent and compliant with this End User Organisation AUP. The End User Organisation shall ensure that the content of this End User Organisation AUP is disseminated to all staff, employees or contractors and shall incorporate it into training (where relevant).
· End User Organisations shall not include any terms in their arrangements with Individual End Users which conflict with the Connection Agreement or this End User Organisation AUP.
· If an End User Organisation does not comply with this End User Organisation AUP, NHS Digital may itself disconnect the End User Organisation and/or suspend the End User Organisation's access to the Connecting Party’s products or services, or may require the Connecting Party to do so, in each case to the extent necessary to protect the Services as a whole.
End User Organisations shall:
use the Services and the Connecting Party’s products or services for their lawfully intended purposes only.
not use any of the Services and the Connecting Party’s products or services in a way that could damage, disable, overburden, impair or compromise security of any system, service or capability.
co-operate with investigations and resolution of clinical safety, data protection and/or security incidents reported by the End User Organisation, an Individual End User or the relevant Connecting Party to NHS Digital.
not knowingly transmit any data, send or upload any material that contains viruses, trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.
Connecting Party Obligations:
The Connecting Party shall only share data in accordance with the law and applicable DHSC, government and regulators’ guidance and policies.
The Connecting Party is fully accountable and responsible for the identification, onboarding and management of its End User Organisations (including for the service, management and delivery of its services to End User Organisations and Individual End Users), unless agreed otherwise with NHS Digital.
The Connecting Party is responsible for bringing these terms to the attention of End User Organisations and Individual End Users, unless agreed otherwise with NHS Digital.
NHS Digital is not responsible for verifying the terms of the Connecting Party’s arrangements with the End User Organisations. In particular the terms and conditions governing security, information governance, clinical safety and any other applicable regulatory or compliance topics are detailed in the Connecting Party’s contract with the commissioning party (which may also be the/one of the End User Organisation(s)).
The Connecting Party shall, upon request from NHS Digital, provide to NHS Digital the identity and details of all End User Organisations associated with any Service(s) within such reasonable timescales as NHS Digital may request.
The Connecting Party shall not include any terms in its arrangements with End User Organisations or Individual End Users which conflict with this End User Organisation AUP.
The Connecting Party must provide the End User Organisation, on request, with details of the requirements, specifications, policies, guidance and documents associated with the Connection Agreement and any conformance documentation (being any information, self-assessment or other documentation used to assess or demonstrate the Connecting Party’s compliance with the Connection Agreement, including the supplier conformance assessment list (SCAL), or such alternatives as NHS Digital may require from time to time).
NHS Digital’s Role:
NHS Digital provides access to its Services (being systems, services and capabilities) for the benefit of health and social care in England.
NHS Digital has not carried out any assurance or testing of the Connecting Party’s products or services as being suitable for the End User Organisation’s intended use or purpose. NHS Digital will carry out a conformance assessment of the Connecting Party’s connection method, against the requirements of the Service the End User Organisation wishes to connect to.
NHS Digital shall have no responsibility for the management or enforcement of End User Organisation’s / commissioning party’s contract(s) for the provision of services and products by the Connecting Party.
There are no service levels associated with the NHS Digital provision of Services, and there may be Service interruptions from time to time. NHS Digital does not provide anyone (including End User Organisations, Individual End Users or the Connecting Party) with any commitment with regard to performance.
End User Organisations understand the circumstances in which access to the Connecting Party’s products and services may be altered or suspended due to the Connecting Party’s failure to comply with this Connection Agreement.
UK GDPR and Data Protection Act 2018
· NHS Digital has a general role to support the wider NHS and the need to respect and promote the privacy of recipients of health services and of adult social care in England under the terms of the Health and Social Care Act 2012. It is generally the case that the Connecting Party is not the controller of the data received from NHS Digital, and rather it is the processor providing services to public sector entities. NHS Digital will make basic enquiries regarding the role of the Connecting Party in relation to the management of confidential and personal data. These enquiries do not replace the End User Organisation’s (and any commissioning party’s) role in ensuring that the Connecting Party is meeting its responsibilities in law.
The End User Organisation shall ensure it does all that is required to comply with UK GDPR and the Data Protection Act 2018, and shall conduct any data protection impact assessments required in connection with any processing in accordance with article 35 of the UK GDPR. In particular:
· where the End User Organisation is joint controller with the Connecting Party, it remains responsible for putting in place an arrangement which complies with the requirements of article 26 of the UK GDPR;
· where the End User Organisation is the independent controller of the data received and the Connecting Party is the processor, it remains responsible for putting in place a written contract that complies with the requirements of article 28(3) of the UK GDPR.
The End User Organisation (together with any commissioning party) shall, and shall ensure the Connecting Party shall, abide by the Caldicott Principles, NHS Code and the NHS Constitution.
The End User Organisation shall comply with the Data Security and Protection Toolkit and with cyber security guidance and policy. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. It shall notify incidents in accordance with DSP Toolkit guidance and through the Data Security and Protection Incident Reporting Tool. It shall cooperate with NHS Digital in relation to the management of any personal data breach incident.
If a Service requires identity verification of an Individual End User, the End User Organisation shall comply with DCB3051 (Identity Verification and Authentication Standard for Digital Health and Care Services) (as may be amended or replaced from time to time).
This End User Organisation AUP is not confidential, does not contain any confidential information, and may be published.
NHS Digital is providing standard services and may need to make changes to the scope and delivery of those services from time to time.
NHS Digital is providing government services, and as such these may be cancelled at any time.
NHS Digital may vary, replace or delete any part of this End User Organisation AUP and any of the documents referred to in it. Each varied End User Organisation AUP shall be effective from the date of publication set out below.
Terms used in this End User Organisation AUP:
“Connection Agreement” means the agreement signed by and between the Connecting Party and NHS Digital;
“Connecting Party” means the supplier of products or services;
"End User Organisation" means any recipient or commissioning body using or commissioning a Connecting Party’s products or services which interface with Service(s) (whether directly, or indirectly via an agent or other commissioning body);
“End User Organisation AUP” means this End User Organisation acceptable use policy;
"Individual End User" means an individual recipient accessing any of the Services using the Connecting Party’s products or services which interface with Service(s), acting as an individual and not as an organisation;
"Service(s)" means each of the selected products and services identified on the Services Form, which NHS Digital makes available and with which the Connecting Party is interfacing.
If you are an End User Organisation and have any questions about this End User Organisation AUP, please contact NHS Digital at: [email protected]