This Data Hub User Agreement ("EUA") is a legal agreement between you (either an individual or a single entity) and the NHS Business Services Authority ("NHSBSA").
NHSBSA grants you the right to access the NHSBSA’s online system, the Data Hub, which includes computer software, the data supplied with it, and any associated media, printed materials, electronic documentation and internet-based services ("Data Hub system"), provided that you comply with all terms and conditions of this EUA. The right of access cannot be transferred to anyone else.
Data Hub End User Agreement (EUA) (Word: 41KB)
This EUA is structured into sections:
- Section A applies to all users who hold a Data Hub Account, including when accessing Public Data.
- Section B applies to approved users with Standard Access to Permission-based Data Domains.
- Section C applies to approved users with Advanced Access to Permission-based Data Domains.
By using the Data Hub system, you agree to comply with the sections that apply to the type of access you hold.
Definitions
Data Domain means an area of data within the Data Hub system (for example, prescription, dental, or ophthalmic data).
Permission-based Data Domains means Data Domains within the Data Hub system that require NHSBSA approval for access (for example, data within ePACT2, eDEN, and eOPS).
Confidential Information means any information containing Personal Data, financial information and any other information clearly designated as being confidential (whether it is marked ‘confidential’ or not) or which ought reasonably to be considered confidential.
Data Breach means a breach of security or security incident which leads to the accidental, wrongful or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data or information contained within or obtained via the Data Hub system.
Personal Data means information relating to natural persons who can be identified directly, or indirectly in combination with other information.
Data Hub Account means your personal account used to access account-based features (for example, notifications and email alerts) and, where approved, Permission-based Data Domains.
Standard Access means approved access to one or more Permission-based Data Domains through a Data Hub Account, without Advanced Access.
Advanced Access means access to additional tools, functionality, or sensitive data (such as prescriber-level and financial information) within the Data Hub system that will be subject to additional responsibilities and enhanced retention rules.
Section A – Data Hub Account (Public Data)
What this covers
This section applies to Data Hub Account holders accessing Public Data. Public Data is also available without a Data Hub Account under the NHSBSA website Terms and Conditions and the Open Government Licence.
Terms and licensing
Use of Public Data and other material on the Data Hub website is subject to the NHSBSA Terms and Conditions, unless otherwise stated, Public Data is made available under the Open Government Licence (OGL) v3 and requires appropriate attribution (for example: “[NHSBSA Title of Information], NHSBSA Copyright [current calendar year]”).
Freedom of Information (FOI) and Public Data
Public Data may be used to answer FOI requests where appropriate. For new FOI requests, requesters should use the NHSBSA Freedom of Information portal or contact the NHSBSA FOI team.
Account inactivity and retention
- Accounts that have been inactive for over 24 months will be closed automatically.
- This applies to the Data Hub Account itself. If you have access to Permission-based Data Domains and/or Advanced Access, those permissions may expire sooner if inactive, as set out in Sections B and C. Expired permissions can be requested again.
- We will keep your information for 12 months after your account is closed to ensure that all transactions can be fully audited. We do not disclose this information to third parties.
Section B – Standard Access
This section applies to users who hold a Data Hub Account and have been granted access to one or more Permission-based Data Domains (for example, prescription, dental or ophthalmic data) for their professional duties.
User obligations
The Data Hub system is provided to facilitate effective monitoring, management and optimisation of NHS and wider Government-commissioned services. The Data Hub system may not be used for personal purposes or to profit or otherwise benefit individuals or non-NHS organisations, and you agree not to use or access any information via the Data Hub system unless necessary for the performance of your duties for the NHS and/or wider Government-commissioned services.
You are responsible for ensuring the accurate production of any reports produced through the Data Hub system. NHSBSA shall not be liable for any losses or damage incurred by inappropriate or inaccurate use of any data provided through the Data Hub system or reliance upon any inaccurate reports produced by users.
You agree not to publish, use or include in any material that will be made public any information obtained via Permission-based Data Domains without the prior written consent of NHSBSA. Where consent is obtained, you must reference the data/information in accordance with any instructions provided by NHSBSA.
Account audits, inactivity and retention – Standard Access
Audits will be carried out incrementally by NHSBSA on Data Hub user accounts to identify and remove inactive accounts.
For users with Standard Access:
- If you do not use your Data Hub Account for 6 months, your access to Permission-based Data Domains will expire.
- This does not close or affect access to your Data Hub Account, and you can request access to Permission-based DataDomains again at any time. Information relating to account retention and closure is set out in Section A.
Access controls and account management
Access to the Data Hub system through any allocated user ID is restricted to one named registered user. You must not share access, passwords, usernames or log-in details with any other person. Passwords must not be written down.
Where you no longer require use of the system, your contact details change, or your role/circumstances change such that you no longer satisfy the terms of this agreement, you must advise NHSBSA so that the account can be withdrawn or amended as necessary. You must not access the system using an email account you no longer use or which has become inactive; notify NHSBSA as soon as possible so records can be updated.
You are not permitted to access Permission-based Data Domains from outside the UK. NHSBSA reserves the right to restrict access from any non-UK IP addresses.
NHSBSA has the right to audit your and/or your employer’s use of the Data Hub system and you and/or your employer will provide information and reasonable cooperation upon request. NHSBSA may withdraw or suspend access where you have breached or no longer satisfy this EUA, where abuse (including unreasonably excessive use) is understood to have occurred, or where there has been a Data Breach. NHSBSA may suspend a user's access pending investigation and, where appropriate, terminate access.
Freedom of Information (FOI) and Subject Access Requests (SAR) – Permission-based Data Domains
FOI and Permission-based Data Domains
For the purposes of FOI legislation, information from Permission-based Data Domains is held by NHSBSA. You agree not to use the Data Hub system to download information from Permission-based Data Domains to answer an FOI request. Refer requesters to the NHSBSA FOI portal or FOI email address. The only exception is where you downloaded such information to local systems before the FOI request was received; in that case, consult NHSBSA before responding.
FOI routes
Make new FOI requests via the NHSBSA Freedom of Information request portal or email [email protected].
Subject Access Requests (your data)
You can request a copy of information we hold about you and exercise your information rights via the Privacy information on the NHSBSA website.
Personal data
You agree to comply with all data and security standards, policies and procedures applicable to you as an employee or contractor of the NHS or wider Government-commissioned service and to use, hold and distribute data accessed via the Data Hub system only within the NHS/wider Government and solely as required for your duties. Where data obtained via the Data Hub system is no longer required, it must be destroyed in a secure manner in accordance with applicable legislation, NHS data retention policies and/or NHSBSA instructions.
You and your employer must have appropriate technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and to prevent accidental loss or destruction of, or damage to, Personal Data, at least equivalent to NHS security policies. You will be liable for any breach of confidence, breach of data protection legislation and/or Data Breach involving Personal Data and must report such incidents to the ICO as soon as possible and notify NHSBSA without undue delay (and in any event within 24 hours) via email at [email protected].
Any small number, rate or percentage derived from NHSBSA data must be suppressed where there is a risk of identification; figures that may identify individuals when subtracted from totals/subtotals or other published figures must also be suppressed.
Confidentiality
You acknowledge that, in using the Data Hub system, you may have access to Confidential Information (including activity data). You shall hold all such information in confidence and, unless required by law, shall not:
(a) make it available to any third parties (other than to a party you are satisfied you may legally disclose to);
(b) use it other than in the proper performance of your duties;
(c) permit or cause unauthorised disclosure; or
(d) release any data in public that could allow information about an individual that is not already public to become identifiable or deducible.
Log-in details and communications
All information you provide when you register will be used to manage access to the Data Hub system. The email address you provide may also be used by NHSBSA for service-related communications and newsletters relevant to our information systems; we may also contact you to complete surveys or to invite you to take part in research to help improve our services. You may opt out of non-essential communications at any time using the routes we provide.
For updates, a copy of, or deletion of your registration information, contact [email protected].
Section C – ‘Advanced’ account-based access
This section applies in addition to Sections A and B where you are granted Advanced Access (for example, Create Analysis or similar data exploration tools) to work with Permission-based Data Domains. Advanced Access may include more detailed or sensitive information (such as prescriber-level and/or financial information) and carries additional responsibilities and different inactivity rules.
Additional user obligations
Where you hold Advanced Access, you may be able to create, combine or refine data in ways that produce more detailed or granular outputs than standard Data Domain views. You agree to:
- Use Advanced Access only where required for the performance of your duties for the NHS and/or wider Government-commissioned services.
- Apply appropriate disclosure control and statistical disclosure methods to any outputs created, ensuring that Personal Data or information about individuals cannot be identified or inferred from your analysis.
- Store, handle and share outputs from Advanced Access in line with:
- applicable legislation,
- NHS data retention and security policies, and
- any additional guidance issued by NHSBSA.NHSBSA may impose additional technical or procedural controls on Advanced Access (for example, restrictions on exporting detailed data) to manage risk.
Account audits, inactivity and retention – Advanced Access
For users with Advanced Access (including tools such as Create Analysis and access to prescriber-level and/or financial information where applicable):
- If you do not use your Advanced Access for 4 months, your Advanced Access will expire and you will return to Standard Access.
- Once you return to Standard Access, the audit, inactivity and retention provisions in Section B apply.
- This does not close or affect access to your Data Hub Account. You can request Advanced Access again at any time (subject to approval). Information relating to account retention and closure is set out in Section A.
Advanced Personal Data and confidentiality considerations
In addition to the obligations set out in Section B, you acknowledge that Advanced Access may increase the risk that individuals or organisations could be identified from derived data or analyses. You must therefore:
- Take extra care when combining datasets, drilling down to small numbers or creating bespoke reports.
- Ensure that any outputs you share internally or externally (where permitted) do not contain small numbers or combinations of variables that could enable re-identification.
- Seek advice from NHSBSA (via [email protected]) where you are unsure whether an output is safe to share.
NHSBSA may review and, where necessary, restrict or withdraw Advanced Access where use is considered to be inconsistent with this EUA or where there is a risk of disclosure or misuse.
Website terms, cookies and privacy
The Data Hub uses cookies to support sign-in and account access (for example, so your user details do not need to be re-entered during the log-in process).
Use of the Data Hub website is subject to the NHSBSA Terms and Conditions, Cookies and Privacy information published on the NHSBSA website.
General
Contact
For data and security standards required by NHSBSA, contact [email protected]
Governing law
This EUA is governed by the laws of England and Wales.
Amendments
NHSBSA may amend this EUA. Continued use of the Data Hub system following changes constitutes acceptance of the updated terms.
Last updated: January 2026