Skip to main content Skip to footer

ePACT2 user agreement (EUA)

This ePACT2 User Agreement (EUA) is a legal agreement between you (either an individual or a single entity) and the NHS Business Services Authority (NHSBSA).

The NHSBSA grants you the right to access the NHSBSA Information Services' online system known as 'ePACT2’, which includes computer software, the data supplied with it, and any associated media, printed materials, electronic documentation and Internet-based services (ePACT2 system), provided that you comply with all terms and conditions of this EUA.

The right of access cannot be transferred to anyone else.

User obligations

The ePACT2 System is provided to facilitate effective monitoring, management and optimisation of the use of medicinal products within the NHS.

The ePACT2 System may not be used for personal purposes or to profit or otherwise benefit individuals or non-NHS organisations and you agree not to use or access any information via the ePACT2 System unless necessary for the performance of your duties for the NHS and wider Government commissioned services.

You’re responsible for ensuring the accurate production of any reports produced through the ePACT2 System. The NHSBSA shall not be liable for any losses or damage incurred by inappropriate or inaccurate use of any data provided through the ePACT2 System.

Access to the ePACT2 System through any allocated user ID is restricted to one named registered user. You must not share access, passwords, user names or log on details to the ePACT2 System with any other person. Passwords must not be written down.

Where you no longer require use of the system or where your circumstances change such that you no longer satisfy the terms of this agreement, you’re required to advise NHSBSA to this effect so that the account can be withdrawn or amended as necessary.

You agree that the NHSBSA has the right to withdraw access to ePACT2 where you have breached or no longer satisfy the terms of this EUA, or where any other abuse of ePACT2 is understood to have occurred (including unreasonably excessive use).

You’re responsible for informing the NHSBSA if you have access to information you do not consider to be appropriate to your role.

You’re responsible for informing the NHSBSA promptly if accidental or wrongful release of data occurs. Email

Freedom of information requests

For the purposes of Freedom of Information (FOI) legislation ePACT2 system information is held by the NHSBSA. You agree not to use the ePACT2 system to download information to answer an FOI request. You need to refer the FOI requester to

The only exception to this is where you have downloaded ePACT2 information to your local systems before the FOI request was received. Where this is the case, you agree to consult with NHSBSA at before responding to the FOI request.

Personal data

You agree that you will comply with all data and security standards, policies and procedures applicable to you as an employee or contractor of the NHS/Government and that you will only use, hold and distribute data accessed via the ePACT2 System within the NHS/Government and solely as required for the purposes of your employment. Where data you have obtained via the ePACT2 System is no longer required, it must be destroyed in a secure manner in accordance with any applicable legislation and/or NHS data retention policies and/or the instructions of the NHSBSA.

You agree that you and your employer have in place appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and to prevent against accidental loss or destruction of, or damage to personal data which are at least equivalent to the standard of security required by the NHS security policies; and you and your employer shall take reasonable steps to ensure the reliability of any employees who will have access to personal data.

You will be liable for any “breach of confidence” and breach of the Data Protection Act when dealing with any identifiable patient data and you’re required to report this to the Information Commissioner’s Office (ICO). NHSBSA need to be advised of any security incidents relating to patient data within 24 hours.


You acknowledge that in using the ePACT2 System you may have access to Confidential Information including, without limitation, information, including personal data and financial information, in respect of prescribing activity.

You agree that you shall hold any Confidential Information in confidence and, unless required by law, shall not:

  • make any Confidential Information available to any third party (other than to a party to whom you’re satisfied that you may legally disclose such Confidential Information)
  • use the Confidential Information for any purpose otherwise than in the proper performance of your duties as an NHS employee or contractor (as applicable); or
  • permit or cause any unauthorised disclosure of Confidential Information through any failure to exercise due care and diligence
  • release any figures in public that could allow information about an individual that is not already public to become identifiable, or able to be deduced from other data sets produced by NHSBSA, even if you obtain NHSBSA permission to reproduce material

Any number, rate or percentage derived from NHSBSA data must be suppressed if there is a risk of identification. Figures that may identify individuals when subtracted from totals, subtotals or other published figures must also be suppressed.


You agree that cookies are enabled on the ePACT2 Access Management system. The purpose of the cookie is to aid the login process by ensuring your user details do not have to be re-entered.

You can view information relating to cookies.

Login details

All the information you provide when you register will be used to manage access to ePACT2.

The email address you provide may also be used by NHSBSA (Information Services) for service-related communications and sending you newsletters relevant to our Information Systems.

If required, we’ll use the email address provided to:

  • contact you to complete Surveys relating to NHSBSA services and systems
  • invite you to take part in research to help improve our services to you

If you need to update, receive a copy of, or delete your registration information then email

We’ll keep your information for 12 months after your account is closed. This is to make sure all transactions can be fully audited.

We do not disclose this information to third party organisations.