The Acceptable Use Policy (“AUP”) describes actions that NHS Digital prohibits when any party uses the Directory of Services APIs (referred to as “DoS APIs” or “the Services”).
This AUP has examples of restricted behaviour, but does not list all restricted behaviours. Ultimately, NHS Digital will decide whether your use violates the AUP.
We may modify this Policy from time to time. By using the Services, you agree to the latest version of this Policy. If you violate the Policy or authorise or help others to do so, we may suspend or terminate your use of the Services.
We issue an AUP to all new consumers of the DoS APIs. On the most part these are a standard set of guidelines for API usage, however we may tailor the AUPs to individual API consumers based on the intended use cases.
While we’ve done our best to make our AUP complete, readable, and understandable, you may still have additional questions. If so, make contact with us at email@example.com and we can discuss your specific use cases.
Be responsible when displaying information publicly
Not all service information is appropriate for displaying directly to the public - many services are only available via professional referral routes and are not appropriate for self-referral by a member of the public. The information you display to the public could influence decision-making which could introduce an amount of clinical responsibility on your part.
If you are planning to present DoS information directly to the public you should:
- Discuss your use case with the NHS Digital team and gain explicit permission to display information publicly
- Make contact with both the NHS England DoS Team and your local DoS Team to discuss your use case
- Gain explicit permission from the DoS Lead(s) responsible for the information you wish to use
- Ensure you have a valid Clinical Safety Case / Hazard Assessment for your product (SCCI0129)
Keep data fresh
You shouldn’t cache DoS service information within your application. You should always retrieve the most recent information available via the API at the point it is required by your users.
If you feel you have an exceptional need to cache DoS service information locally, you should discuss this with the DoS team and gain explicit permission for that usage pattern.
Don’t crawl the API
You are not allowed to systematically crawl the API. Any activity resembling crawling activity will be monitored, investigated, and could lead to your API access being suspected or revoked.
Monitoring and enforcement
We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or Website.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information.
We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.
How we will respond if your activity contravenes the policy
When identifying activity that contravenes the policy, we will always first refer to the agreed usage between you as a consumer and us as the service provider. For this reason, prior agreement around your specific use cases will help us to ensure your service is not interrupted unnecessarily.
If we believe that your activity is not compliant with our Acceptable Usage Policy or with an explicit agreement we have, we will first perform an impact assessment to decide the level of risk posed by your activity.
Where we identify a significant risk to the service as a result of your usage, our priority will be to protect the service and so we may suspend your access without prior notice.
Where we don’t feel that your usage poses an immediate risk, we will make contact with you to discuss your usage in order to agree a way forward.