NHSE End User Acceptable Use Policy

As part of our connection agreement with NHS England, we are required to ensure that our customers are aware of the end user policy when any connected services are live. Please find NHS England's policy below.

We ensure the health and social care products under NHS England's remit are delivered from a programme environment into an operational environment, where they can be managed on a day to day basis in line with agreed product roadmaps and strategies.

At the appropriate point in a programme's delivery the run and maintain elements of a service are transitioned into operations. 

IT Operations aims to bring efficiencies and economies of scale by taking products into a maintenance and improvement environment, right through to product retirement. It aims to standardise the management of products with which the NHS and NHS IT suppliers interface, in a controlled and secure manner.

What we do

As IT Operations, we support the ‘maintain’ aspects of live service management. We work with three main parties: 

  • NHS England (this includes programmes, projects, subject matter experts and directorates)
  • our technology partners, such as third-party system developers and suppliers and NHS England development teams
  • health and social care organisations 

Our two core roles are transition and BAU operations. 

The primary role of the operations function is to provide a permanent home for products and services after they have been developed by programmes, projects or development teams and are ready to be made available to our external customers. Moving home involves a process called transition (to ops).  

Our second role is to put products, services and applications in the hands of health and care professionals, 'to transform the NHS and social care'. There are various ‘BAU operations’ processes to achieve this, depending on the type of data or service and the external organisations involved. These include the following processes.

Onboarding

This process involves a technology partner requesting access to an NHS England dataset or service so that they can integrate it with their health and social care application or system. The onboarding process has a risk management and assurance focus to ensure that we, our partners and health and social care organisations take appropriate responsibility for using data safely to provide health and social care services.

Monitoring

Once an NHS England product, service or application is being used by a health and social care organisation, IT Operations continues to monitor partners and the organisations using their products for compliance with core requirements, standards and specifications (these vary with the data, product or service and cover technical/functional, clinical safety, Information Governance and Security). As with the onboarding process, the emphasis is upon self-assurance by our partners and deploying organisations, but IT Operations provides an oversight and governance role.

Product management

As the demand on NHS England’s services changes, our products, services and applications need to evolve to meet those changing demands. Our product management role is to assess changes and developments and implement them based on impact and urgency. These changes may be mandated, imposed due to statutory changes or needed to improve functionality.


Onboarding

Onboarding is NHS England's process for allowing connecting systems to integrate with national services. Connecting systems are developed by technology partners to provide healthcare organisations and individuals with access to national services, in support of the provision of direct care.

There are three main approaches to Onboarding and NHS England is working towards standardising these. GPIT, IM1 and full integration approaches are separate to the following 'self-declared compliance' approach, which uses a Supplier Conformance Assessment List (SCAL) and Connection Agreement (CA). We are currently digitalising the SCAL onto the Digital Onboarding Service (DOS).  We reference the SCAL documentation as "conformance documentation" within the connection agreement.  

The NHS England services and APIs that currently follow this onboarding approach include:

  • Ambulance Data Submission - FHIR API
  • Booking and Referral Standard (BARS) 
  • Care Identity Service 2 (CIS2) - formerly NHS Identity 
  • Child Protection Information Sharing (CP-IS)
  • Electronic Prescription Service (EPS) Prescription Tracker API
  • Electronic Prescription Service (EPS) HL7 and FHIR APIs
  • Electronic Prescription Service (EPS) Prescriptions for Patients FHIR API
  • Electronic Prescription Service (EPS) Prescription Status Update FHIR API
  • Electronic Referrals Service APIs (e-RS)
  • GP Connect Products such as Access Document, Access Record: HTML and Structured, Appointment Management, Send Document and Update Record
  • Immunisation History - FHIR API (Application & User Restricted Access for COVID19 and FLU vaccination history)
  • Message Exchange for Social Care and Health (MESH) API
  • National Care Record Service (NCRS) 
  • National Event Management Services (NEMS) with PDS data 
  • National Event Management Services with Digital Child Health (NEMS-DCH)
  • National Record Locator (NRL)
  • NHS App
  • NHS App Notification and Messaging
  • NHS login
  • NHS Notify
  • Patient Care Aggregator FHIR API (Appointments; Documents; Questionnaires & MIv2)
  • Patient Flag API – Female Genital Mutilation Digital Flag
  • PDS FHIR API (Application Restricted Access; Health Worker Access; Health Worker Access with Update; Patient Access)
  • Register with a GP Surgery API
  • Urgent and Emergency Care (UEC) Appointment Booking

The onboarding process is risk-based and:

  • assesses the technical conformance of the connecting system with the integration standards and requirements of the service
  • requires self-declared compliance with specified standards for data protection, clinical safety, information governance and security

The aim of the onboarding process is for all parties to work together to ensure the safe and secure transmission and/or sharing of data for healthcare purposes.

The parties involved in onboarding are:

  • NHS England, the owner of the national service
  • the connecting party, an individual or organisation that develops, owns, and maintains the connecting system that connects to one or more national services - this is sometimes called a partner or supplier
  • the end user organisation, the recipient or commissioning body wishing to use or commission a connecting system to access a national service or services - the end user organisation often represents individual end users, for example healthcare professionals or patients

Each party is responsible for their own information governance, data protection, information security, clinical risk management and incident management. The connection agreement explains the responsibilities, obligations and terms of use and is signed by the connecting party. The end user acceptable use policy explains the responsibilities, obligations, and terms of use for every end user organisation. 

Each national service also has a web page or portal that contains the technical, functional, and non-functional standards and requirements that a connecting system must meet in order to integrate with the national service. For more information, please search on the API catalogue.

There is a Supplier Conformance Assessment List (SCAL), currently presented as a workbook. This is completed by the connecting party to create a record of the technical conformance of its connecting system with the technical requirements of the national service being integrated. It also contains declarations of organisational compliance with standards, regulations, and policies. 

We are in the process of digitalising all our SCALs using the Digital Onboarding Service (DOS). Once a developer account has been set up, the connecting party must register their organisation, to which they may register multiple products. Each product may onboard with multiple APIs within the one record. When an organisation, product and its associated APIs are added, the supplier will be presented with the appropriate question set for the APIs they are onboarding to and may commence completion of the assurance questions. Users can upload documents and evidence as directed by the question sets and the onboarding teams. NHS England will review, request more information, and approve the question sets.


Reference documentation

When you begin the onboarding process for a national service, you will be guided on how to complete the correct versions of these documents. These downloadable files are samples.

The SCAL (conformance documentation) sample is currently presented in an Excel document, which has been, or is in the process of being, digitalised using the Digital Onboarding Service for the services listed within the Onboarding section.

This sample sets out the assurance questions that apply to all NHSE services listed, to demonstrate that your organisation and product have processes in place to handle data securely, manage clinical risk and use our production environments. Each of the NHSE services will contain service-specific technical conformance questions, which will be on the service-specific SCAL. There is also a section where you provide details about your organisation and product, and for some APIs you must demonstrate you are eligible or have an appropriate use case.

The end user organisation acceptable use policy (EUO AUP) explains the responsibilities, obligations, and terms of use for every end user organisation. This may be updated from time to time. The latest copy is published here; a change log is also available here, in the connection agreement published changes document. The connecting party shall incorporate or otherwise alert the End User Organisations to the End User Organisation AUP as updated and published on this webpage.

If you are an End User Organisation and have any questions about this End User Organisation AUP, please contact NHS England at liveserviceonboarding@nhs.net

The connection agreement – NHSE publishes the latest version here, shown as a sample. The current version is 5.18.

Details of the change/version and effective-from date for each change to the connection agreement and EUO AUP can be found here, in the connection agreement published changes.

If you have any questions about the published changes, please contact liveserviceonboarding@nhs.net

Core documents

When you begin the onboarding process for a national service, you will be guided on how to complete the correct versions of these documents. The links to downloadable files here are examples only.

This policy is taken from NHS England's website and can also be viewed here.