NHS England Secure Data Environment End User Access Agreement (EUAA)

1.1 Please read this EUAA carefully before you start to use the NHS England SDE. The obligations set out in this EUAA are also obligations under the Data Sharing Framework Contract and the Data Sharing Agreement that your organisation has agreed with NHS England. Please ensure that you are familiar with the terms and conditions of your organisation's Data Sharing Agreement before accessing and using the NHS England SDE.

1.2 Your use of the SDE is also subject to your compliance with your organisation's DSFC and the relevant DSA(s).

1.3 This is version 2.0 of this EUAA, which was most recently updated in November 2024 with changes following the introduction of the User Manager role in the SDE portal.

2.1 The following definitions are used in this EUAA:

Authorised Users means any permitted users of the SDE Service as added and/or updated by the relevant User Manager to the SDE Portal.

Data has the same meaning as set out in the Data Sharing Framework Contract.

Data Sharing Agreement or DSA means the agreement(s) which an organisation must enter into after signing a Data Sharing Framework Contract to allow access to particular NHS England data, copies of which are available to you in the SDE.

Data Sharing Framework Contract or DSFC means the agreement which an organisation must enter into if it wishes to receive and use any of NHS England's data, including personal data, setting out the legally binding terms which will apply to each and every occasion data is used by you or an organisation, as referenced in the DSA.

End-User Access Agreement or EUAA means this agreement (together with the documents and links referred to in it) setting out the terms and conditions on which you may use the NHS England Secure Data Environment.

Intellectual Property Rights has the same meaning as set out in the Data Sharing Framework Contract.

Login details means the username and password which you use to access the NHS England Secure Data Environment.

Network provider means the provider of your network or other facility which you use to obtain internet connectivity and access.

NHS England content means the material in the Secure Data Environment, which may include:

• login details and associated information, website and portal designs, commercial data, information, text, standards, images, interactive services, reports, and any other works or materials,
• but excludes the data as defined in the DSFC.

Organisation means the entity authorised by NHS England to access the Secure Data Environment after entering into a Data Sharing Framework Contract and applicable Data Sharing Agreements.

Privacy policy means that policy identified in paragraph 5.1.

SDE Portal means the online self-service portal by which the User Manager can add and/or update other User Managers and/or Authorised Users to the SDE.

Secure Data Environment or SDE means the secured way for you to access, analyse, and/or save reports related to certain NHS England content, which can be accessed from NHS England, or by using your login details.

Third-party tool(s) means certain third-party tools, products, or services (including any enhancements, upgrades or versions thereof) which we make available to you from time to time for use in the management, analysis and/or modelling of NHS England content or data within the SDE.

Third-party tool provider means the provider of a third-party tool.

User manager means the individual or individuals identified as such in the Data Sharing Agreement, as updated from time-to-time (whether through amendment to the Data Sharing Agreement or as added and/or updated via the SDE Portal.

Virus means computer viruses, trojans, worms, logic bombs, disabling code or routines, or other materials which are malicious or technologically harmful.

We, our, us, and NHS England are references to the Health and Social Care Information Centre, a non-departmental public body established under Section 252 of the Health and Social Care Act 2012.

You or your means the personnel, contractor, agent, or authorised representative of an organisation accessing and using the NHS England Secure Data Environment.

3.1 This EUAA (together with the documents and links referred to in it) set out the terms and conditions on which you may use the SDE.

3.2 You may access and use the SDE only if you: (i) are an authorised user of the SDE under an applicable valid Data Sharing Agreement of an authorised organisation; (ii) personally agree to be legally bound by this EUAA every time you access the SDE; and (iii) only as directed by us (for example) if you have provided access through a third party workspace such as AWS, you will not attempt to make direct connection to the SDE). If at any time you do not agree to be legally bound by this EUAA you may not access or use the SDE.

3.3 By using the SDE, you are: (i) accepting and consenting to the terms described in this EUAA (such use of the SDE includes accessing, viewing, interacting with, logging in to, downloading materials or data from, uploading content, or using the SDE in any other way); and (ii) confirming that you accept this EUAA and that you agree to comply with it.

4.1 We may make changes at our discretion to the content and features of the SDE, this EUAA, the terms and conditions applicable to any third-party tool, Appendix A, the privacy policy, and any other policies or links applicable to your use of the SDE, at any time and for any reason without providing notice of those changes to you.

4.2 Every time you wish to use the SDE, please ensure that you understand and agree to the provisions that apply at the time. The date of the most current version of this EUAA is set out above in paragraph 1.3.

4.3 Your access and continued use of the SDE after an update has been made signifies your acceptance of those changes. Depending on the update, you may not be able to use the SDE (or any of its functions, or access Data) unless you have accepted any new or additional terms.

5.1 When you access the SDE, we process information about you. We will only use your personal information in accordance with our privacy policy. By using the SDE you warrant that all data provided by you for verification of identity, access, and security purposes is accurate.

5.2 You acknowledge and agree that we and our licensors may collect certain usage data regarding your usage of the SDE ("Usage Data") and that the relevant licensor shall be the owner of such Usage Data.  You acknowledge and agree that the relevant licensor is acting as NHS England's processor of any personal data you submit into the SDE and is not acting as your direct processor.  You agree that you will bring any requests or concerns regarding personal data, privacy, data protection or security to NHS England rather than any licensor.

5.3 Subject to the rest of this EUAA, we are responsible for managing the SDE and your access to the SDE and will therefore have access to any data and any analysis done by you within the SDE.

6.1 The data rights and responsibilities of NHS England are governed by the Freedom of Information Act 2000, the General Data Protection Regulation 2016/679, and the Data Protection Act 2018.

Find our policy and other information on this topic. 

7.1 Your status as a user of the SDE requires your organisation to enter into a DSFC and a DSA with us, and then to receive our confirmation as to your status, which we may give or remove at any time at our discretion for any reason. Your organisation must then also authorise you to access the SDE.

7.2. As further set out in the relevant DSA, you recognise that we may on occasion need to recall and resupply data.

7.3. Our assumption is that your access to the SDE will be from within England, and we are not responsible or liable for your compliance with any local laws, should you seek to access the SDE outside of England. We may limit the availability of the SDE to any person or geographic area at any time at our discretion.

7.4. You recognise that the SDE is a service with other users, and that access or capacity may on occasion be limited. You will comply with any guidance as to fair use that may be given by us from time to time. You recognise that we may need to suspend or throttle usage that is in excess of fair usage at our discretion or where we consider it may impact other users.

7.5. You may only use and save data from the SDE within the SDE, unless we have provided you with permission to download, use, and save that particular data in a secured location outside of the SDE as set out in the applicable DSA. This permission may be granted or withdrawn in accordance with that DSA.

7.6. Uploading your own content to the SDE is only permitted where this is set out and agreed in the applicable DSA. Should you wish to upload content to the SDE you must provide such content to us for us to upload to the SDE.

7.7. Your use of any of the third-party tools available within the SDE may require you to agree to additional terms and conditions in relation to that particular third-party tool before it may be used. Further, your use of any third-party tool will also at all times be subject to: (i) us making that third-party tool available to you; (ii) any controls and/or reasonable use restrictions which we put in place; (iii) the end-user obligations set out in Appendix A; and (v) the terms of the applicable DSA. The availability of any third-party tool will be solely at our discretion.

User managers

7.8 User Managers are granted access to the SDE portal for the purpose of facilitating access to the SDE Portal by User Managers and/or facilitating access to Authorised Users to the SDE (subject to any applicable policies, conditions or guidance issued by authorised organisations or NHS England).

7.9 You may access the SDE Portal only if you: (i) are an authorised User Manager of the SDE under an applicable valid Data Sharing Agreement of an authorised organisation; (ii) access solely for the purposes set out in paragraph 7.8 of this section and as contained within the terms and conditions for the purchase and use of SDE services as signed by your authorised organisation, and (iii) personally agree to be legally bound by the relevant terms set out in this EUAA every time you access the SDE Portal.

7.10 By accessing the SDE Portal, you agree to the terms contained within this EUAA, insofar that where such terms refer to access and/or use of the SDE, reference is to be taken as access to the SDE Portal.

7.11 For the avoidance of doubt, the obligations contained in the following sections apply expressly to User Managers accessing the SDE Portal:

7.11.1 Section 9 – Registration, log in and security
7.11.2 Section 10 - Prohibited use of the SDE 
7.11.3 Section 16 - Viruses

7.12 Notwithstanding paragraph 7.9 - 7.11, you confirm that you will use the access rights granted to you in your role as User Manager appropriately and will not grant access to any third party who does not have appropriate authorisation to access such system(s), or delete or amend any User Manager or Authorised User's access to the SDE or SDE Portal for any reason outside of those contained in your organisation's terms and conditions for the purchase and use of SDE services and/or as set out in any applicable policies, conditions or guidance issued by your authorised organisations or NHS England. 

7.13 Your continued access and use of the SDE Portal after an update to this EUAA has been made in accordance with section 4 (Changes and Updates) signifies your acceptance of those changes. Depending on the update, you may not be able to use the SDE Portal unless you have accepted any new or additional terms.

8.1 We aim to make the SDE accessible (subject to the controls) and comply with standards which should work on the majority of browsers in use. However, we offer no warranty for the SDE working in any particular browser or configuration. Please note that you may see inconsistencies in the presentation of pages if you are using an older or deprecated version of a browser, or the SDE may not work at all.

Find out more about accessibility.

9.1 In order to use the SDE and/or access certain content, systems, or features of the SDE, your organisation will first need to identify you as an authorised user in relation to the applicable DSA. You may need to complete an online registration form and create or update login details. These login details will consist of a user identification name and password. You may be asked to provide additional information as required as part of our security procedures.

9.2 As a minimum, passwords you use to access the SDE must have a level of complexity which ensures they cannot be easily guessed by hackers or malicious software and be in accordance with government best practice.

9.3 We may ask you to change your login details, or manually enter your login details from time to time as a security measure. We do not recommend using biometric data (such as fingerprints or facial recognition) to store your login details if other people can also access your device using their biometric data.

9.4 You agree to provide true, accurate, current and complete information about yourself when registering for and using the SDE and you agree to keep this information up to date and accurate at all times.

9.5 Unless directly caused by us, you are responsible for, and agree to hold us harmless from, any unauthorised access or changes made to your login details or account resulting from shared or unauthorised access to your device or other individuals having access to your login details.

9.6 You must treat your login details as confidential and you must not disclose it to anyone. If you know or suspect that anyone other than you knows your login details or that your access to the SDE has been compromised, you must promptly: (i) notify the NHS England National Service Desk by writing to [email protected] or by calling +44 300 303 5035; and (ii) if possible to do so, change your login details.

9.7 If you cease to be authorised by the organisation at any time then you must cease using your login details and accessing the SDE immediately. You or your organisation is required to notify us as set out in the DSA.

10.1 You may only use the SDE for lawful purposes and in accordance with this EUAA, and agree not to access without authority, interfere with, damage or disrupt:
    (i) any part of the SDE or any of the Data found therein;
    (ii) any equipment or network on which the SDE is stored;
    (iii) any software or services used in the provision of the SDE; and/or
    (iv) any equipment or network or software owned or used by any third-party.

10.2 You may not use the SDE:
    (i) in any way that breaches this EUAA or any applicable local, national, or international law or regulation;
    (ii) in any way that breaches your Organisation's DSFC and applicable DSA(s);
    (iii) unlawfully, fraudulently, maliciously, or in any way that is harmful to us, any Third-Party Tool Provider or other users, that has any unlawful, fraudulent, malicious, or harmful purpose or effect;
    (iv) to send, knowingly receive, upload, paste-in, download, use or re-use any material which you do not have the right to do so or which does not comply with this EUAA;
    (v) to transmit, or procure the sending of any (a) unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam) or (b) bank, credit card or other financial account related data or credentials;
    (vi) to knowingly send or transmit any data that contains Viruses;
    (vii) with the Login Details of another user, or permit any unauthorised person to use your Login Details to use the SDE;
    (viii) in any way which would change the SDE or infringe on any intellectual property rights in relation to using the SDE;
    (ix) in any way which attempts to unencrypt or otherwise intercept any transmission of data to or from the SDE or any applicable third parties; and/or
    (x) in any way which could disable or compromise the security of the SDE, or that belonging

11.1 The Intellectual Property Rights pertaining to your use of the Data are set out in your Organisation's DSFC and/or the applicable DSA.

11.2 NHS England or its licensors own all Intellectual Property Rights in the SDE and the NHS England content. Your licence to use the SDE and the NHS England content is as set out in the DSFC and DSA, and applies whilst you are an authorised user of the SDE.

12.1 Unless otherwise permitted by the applicable DSA, you may not upload, or attempt to upload, any content to the SDE. Under no circumstances may you upload any content to the SDE which is not owned by your organisation or which you are not authorised to upload on behalf of your organisation, and which has not been approved by NHS England through the application process associated with the DSA applicable to your use of the SDE.

13.1 We are not responsible for the content or reliability of any external websites we may link to from the SDE and do not endorse the views expressed within them. We aim to replace broken links to websites but cannot guarantee that these links will always work as we have no control over the availability of those websites.

13.2 Due to the very nature of the internet we cannot guarantee the SDE or any websites we link to will always be available to you.

14.1 NHS England's liability position in relation to this EUAA is set out in the DSFC.

14.2 For the avoidance of doubt, we will not be liable to you for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with: (i) use of, or inability to use, the SDE; or (ii) any loss in connection with any error, omission, defect, virus, or system failure.

14.3 We will not be liable for any loss or damage caused by a Virus which may infect your device, computer equipment, computer programs, data or other proprietary material due to your use of the SDE or in relation to your downloading of any content or data from the SDE, or on or from any third party website linked to the SDE.

14.4 We do not assume any responsibility for the content of third-party websites which may be linked on the SDE. Such links should not be interpreted as an endorsement of those linked websites. We will not be liable for any loss or damage that may arise from your use of them.

14.5 To the extent permitted by law, we exclude all other conditions, warranties, representations or other terms which may apply to the SDE or any data or content on it, whether express or implied.

14.6 You agree to reimburse us for any losses that we incur as a result of your: (i) breach of, or failure to comply with, this EUAA; or (ii) unauthorised use of the SDE.

15.1 We do not guarantee that the SDE will always be available or that your use of the SDE will be uninterrupted. Access to the SDE is permitted on a temporary basis.

15.2 We may suspend, withdraw, discontinue or change all or any parts of the SDE without notice and without compensation to you.

15.3 We may, at any time, suspend or terminate your Login Details and/or use of the SDE (in whole or in part) temporarily or permanently. We may do this:
    (i) if we, or a third party which provides some or all of the services related to the SDE, are making repairs, updates, or  conducting maintenance on our tools and systems or those related to the third party companies or services;
    (ii) if we have concerns about the security of the SDE;
    (iii) if we suspect that your Login Details have been compromised or used fraudulently or in an unauthorised way;
    (iv) if we suspect that you may be using the SDE or any data in a fraudulent or unauthorised way or in violation of this EUAA;
    (v) if there are legal obligations which we have to meet;
    (vi) if we are prevented from providing the SDE for any reason beyond our reasonable control;
    (vii) if you have not accessed or used the SDE for a period of 12 months or more; or
    (viii) for any other reason at our absolute discretion.

15.4 We will endeavour to give you advance notice of any suspension or termination, but may not be able to do so in all circumstances. We will not provide notice to you if providing that notice would compromise our security measures or is unlawful.

15.5 You may request the reactivation of your Login Details if we suspended or terminated your access, but we are under no obligation to do so.

15.6 We will not be liable to you if for any reason any part of the SDE is unavailable or inaccessible to you at any time or for any period.

15.7 You can terminate your use of the SDE at any time by writing to [email protected] or by calling +44 300 303 5035 and by no longer using your login details. It is your responsibility to remove any saved login details from your device if you wish to terminate your use of the SDE, or if you change your device or otherwise dispose of it, or if you cease to be authorised by your organisation.

15.8 On termination of this EUAA or your right to use the SDE, you must stop using the SDE and any Third-Party Tools immediately and permanently remove from your systems any copies of Third-Party Tools (and associated documentation), if any. Promptly (but within 30 days) after a request from us, you must certify that you have done do (or, if applicable, that no such copies existed)

16.1 We do not guarantee or warrant that the SDE will be secure or free from viruses, that the functions of the SDE will be uninterrupted or error free, that defects will be corrected, or represent the full functionality, accuracy, or reliability of the materials or data.

16.2 You are responsible for configuring your accessing device in order to access the SDE safely. You should use and maintain your own virus protection software.

16.3 You must not misuse the SDE by knowingly introducing viruses. You must not attempt to gain unauthorised access to the SDE, the server on which the SDE or related data is stored, or any server, computer or database connected to the SDE. You must not attack the SDE via a denial-of-service attack or a distributed denial-of service attack.

16.4 In using the SDE you are giving us, or an agent or representative appointed on our behalf, permission to: (i) carry out an audit at any time and without notice to you in relation to your use of the SDE; and (ii) share information with your organisation in relation to that audit and its findings.

17.1 By registering to use the SDE and receiving login details, you are giving us permission to contact you or your organisation from time to time by using any of the methods which you have authorised during the registration process, or as set out in the applicable DSA. You may update your preference at any time by making the appropriate selection when logged in on the SDE.

17.2 You are responsible for keeping us updated if your contact details change. We are not responsible if we are not able to contact you, or if your contact details are out of date

18.1 If any part of this EUAA becomes or is held by a court to be invalid, illegal, or unenforceable, this will not affect the validity of the remaining provision which will remain in full force and effect.

18.2 Ceasing to use the SDE does not affect any provision of this EUAA, which are expressly or by implication intended to continue on in effect.

18.3 We may transfer our rights and obligations under this EUAA to another organisation at any time and at our discretion. You may not transfer your rights or obligations to anyone else

18.4 No attempt by you to vary this EUAA will be valid.

18.5 This EUAA, its subject matter and formation (and any non-contractual disputes or claims), and the use of the website, are governed by English law. We both agree to the exclusive jurisdiction of the courts of England in respect of any disputes or causes of action arising under these terms and conditions or the use of the SDE.

19.1 If you have any queries about the use of the SDE or this EUAA, please contact us by email or post.

Email: [email protected] - include the following in your email subject line: NHS England Secure Data Environment and your NIC number

Post: NHS England, 7 and 8 Wellington Place, Leeds, West Yorkshire, LS1 4AP, United Kingdom - include the following reference in your letter: NHS England Secure Data Environment and your NIC number.