End User Policy
The Health and Social Care Information Centre of Trevelyan Square, Leeds, also known as NHS Digital ("NHS Digital") has drafted this End User Policy to govern the use of certain systems, functionality, data and services which are described on NHS Digital's online landing page and supporting repository of information and documents ("Portal").
References to "End User" and "you" and "your" in this End User Policy shall refer to the entity or persons which accepts the terms of this End User Policy.
The End User Policy shall govern the connection to, and use by the End User of, the Services selected below:
P Tick which Services applyMenu of Services / Yes / No
SMSP (https://developer.nhs.uk/library/systems/nhs-digital-smsp-pds/)
1. By signing this End User Policy, you confirm that:
1.1 you agree to and will comply with this End User Policy; and
1.2 you have read, understood and agree to all the information referred to in this End User Policy; and
1.3 you shall comply with all the obligations and processes set out on the Portal which are applicable to End Users.
2. The relevant services to you are provided by a third party IT services supplier ("Supplier") with whom you have a separate contract either directly or through a commissioning body ("Services"). As such, NHS Digital shall have no responsibility for the management or enforcement of your contract(s) for the Services.
3. NHS Digital has permitted a connection to certain systems, functionality and/or data to your Supplier which is governed by a 'Connection Agreement' between NHS Digital and your Supplier. That connection can be suspended and/or terminated in accordance with the terms of the Connection Agreement. NHS Digital provides these systems, functionality and/or data as a shared resource for the health and social care service in England and therefore NHS Digital does not provide your Supplier with any commitments with regards to performance.
4. Whilst NHS Digital does carry out assurance of some aspects of your Supplier’s connection method as part of the Connection Agreement, it does not assure the Supplier’s systems or Services. Via the self certification tool published on the Portal which is used for assurance, onboarding and lifecycle management (“Target Operating Model” or "TOM"), NHS Digital intends to collect information from your Supplier to assist you in: (a) carrying out your responsibilities described in clause 5 below and (b) optimising your use of the Services.
5. You are solely responsible for:
(a) choosing the Services;
(b) ensuring that the Supplier’s systems and Services meet your requirements, are secure and clinically safe, and/or compliant with laws;
(c) all arrangements with the Supplier for the testing, assurance, acceptance and deployment to you of the Supplier's IT system or the Services; and
(d) ensuring that your Supplier provides updates to and maintains its systems and Services and provides helpdesk and incident management services.
6. Your Supplier’s Connection Agreement prescribes a number of processes (for example assurance, onboarding, and lifecycle management) including the TOM. You are required to populate the relevant sections of the TOM as part of your acceptance of the Services, and to ensure that such information is updated.
7. NHS Digital shall be entitled (acting reasonably) to request evidence from you regarding compliance with the TOM and you are expected to cooperate to maintain compliance. NHSD Digital will request evidence no more than annually except where there is a reasonable likelihood that non-compliance has occurred or will occur.
8. NHS Digital shall be entitled to retain a copy of your completed TOM and any evidence or supplemental documents provided in accordance with clause 7 for as long as required.
9. You shall use the Services and any of the systems, functionality and/or data of NHS Digital, or facilitated by NHS Digital, only for their intended purposes and lawful purposes and within any fair usage policies, and you shall not use any of such systems, functionality and/or data in a way that could damage, disable, overburden, impair or compromise any systems or security or interfere with other users. You shall operate within the approved use case(s) submitted to NHS Digital via the TOM and you shall ensure that you and the Supplier comply with all obligations set out or referred to on the Portal including in relation to information governance and the requirements for the Services.
10. In order to protect yourselves and all other users of the Services, you shall report to NHS Digital, and co-operate with investigations and resolution of, clinical safety and/or security incidents which are of interest to or under the remit of NHS Digital.
11. You shall not knowingly transmit any data, send or upload any material that contains viruses, trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.
12. Without prejudice to your status, role and/or obligations as a Data Controller (as defined in the Data Protection Act 1998/General Data Protection Regulation), you shall execute and comply with data sharing agreements and/or data processing agreements if such agreements are required.
13. Where there is evidence of a possible or potential breach of the End User requirements of the TOM particularly those relating to clinical safety, data handling and fair use, NHS Digital will raise its concerns with you. Should NHS Digital feel it may need to suspend and/or terminate (itself or by notifying the Supplier to do so) your right to access or receive the Services, it will provide reasons in a report. Following your review of such report, you shall be entitled to raise any concerns with NHS Digital (via your Supplier unless directed otherwise by NHS Digital) and to submit any supporting evidence and/or a proposed plan for remediation of the underlying issues. Any such remediation plan shall be subject to approval by NHS Digital, consulting with the Supplier, and if such approval is granted:
(a) you will provide evidence to NHS Digital, or the Supplier if directed to by NHS Digital, of the actions taken as part of the remediation plan at specified points during the period agreed for implementation of the remediation plan; and
(b) NHS Digital will not exercise the discretion to suspend and/or terminate your right to access or receive the Services as described above until the period for implementation of the remediation plan has expired or earlier if there is evidence of a likely or actual failure which cannot be further remedied.
14. End Users are responsible for meeting all of their own costs associated with achieving and maintaining compliance with this End User Policy and any conditions imposed on your Supplier(s) by NHS Digital.
15. The Services may operate a governance structure regarding the operation and future of the services it provides to your Supplier, involving different supplier and end user parties, and you may contribute to and attend relevant meetings at your own cost subject to limits on the numbers of attendees which may be set by NHS Digital.
16. This End User Policy may be updated from time to time by NHS Digital and updates or new versions shall take effect from the date you are notified of the change.
17. This End User Policy shall be governed by the laws of England and Wales and the courts of England shall have exclusive jurisdiction.
By signing below the End User agrees to this End User Policy:
Signed for and on behalf of the End User Organisation by:Signature:
Name:
Position:
Date:
2