Terms and conditions for the purchase and use of Secure Data Environment (SDE) services

(A) NHS England is England’s national provider of health and social care data for research and development. NHS England’s Secure Data Environment ('SDE') provides authorised researchers and analysts with access to data, in the form of pseudonymised datasets, to support research and development.

(B) The SDE is a data storage platform which has been developed to allow NHS held nation-wide datasets to be made available through a virtual desktop experience, with a range of supporting tools and capabilities. The SDE enables researchers to follow best practice principles, while supporting privacy and security in the use of NHS health and social care data when used for research and analysis.

(C) These Terms apply to the purchase and use of NHS England’s SDE Services and are applicable to any Order(s) placed by or on behalf of Recipient.

(D) The SDE Service is currently in beta and will continue to develop and change. NHS England will communicate these changes in accordance with the Terms of this Contract.

1.1 The Recipient’s Order constitutes an offer to purchase the SDE Service in accordance with these Terms. For the avoidance of doubt:

1.1.1 references to the 'Recipient' includes all Recipients that a Multi-party Order is placed by or on behalf of

1.1.2 reference to the 'Recipient’s Order' includes Multi-party Orders, which shall constitute a collective offer to purchase the SDE Service by the Recipients of the Multi-party Order in question.

1.2 Following the submission of an Order by a Recipient's User Manager, an Order shall only be deemed to be accepted once the appropriate confirmation status is viable on the SDE Portal. The Lead Recipient’s corresponding obligation to pay the Charges shall be determined in accordance with the published charges on the NHS England SDE webpage and the conditions set out in Schedule 3, and in accordance with the relevant Order.

1.3 The Contract, including the Terms, apply to and comprise the basis upon which NHS England shall provide the SDE Service to the Recipient and to the exclusion of any other terms or conditions that the Recipient seeks to impose or incorporate, or which are implied by law, trade custom, practice or course of dealing.

1.4 To the extent that there is any inconsistency or conflict between these Terms, the Contract Form or any other documents which are incorporated into or otherwise related to the Contract, the order of precedence as to which terms (all as are updated or amended from time-to-time) are to be preferred is:

1.4.1 the Contract Form

1.4.2 these Terms including the Schedules

1.4.3 the Data Sharing Agreement

1.4.4 the Data Sharing Framework Contract

1.5 In the event that the Recipients make use of either the BYOD Service and/or the Cohort (Participant) List Service then the terms set out in Schedule 6 and/or Schedule 7 shall apply respectively.

1.6 In the event that NHS England exercises its rights under clauses 8, 9 and/or 17 to vary the Contract then it shall publish an updated version of the Contract and provide the Recipient with an accessible link to that updated version. For the avoidance of doubt, therefore, in the circumstances set out in this clause 1.6 it shall not be necessary for the Parties to sign an amended version of the Contract in order for the relevant variation to take effect.

2.1 The Contract shall take effect on the Commencement Date.

2.2 Unless the Contract is terminated earlier in accordance with these Terms, the Contract shall end:

2.2.1 on the Expiry Date; or

2.2.2 on expiry of the relevant DSA upon which the validity of this Contract is dependent

2.3 Any extension to the Expiry Date under must be executed by the Parties by way of a variation to the Contract in accordance with clause 17.3.

3.1 In their dealings under the Contract, the Parties undertake to at all times act reasonably and in good faith with each other.

3.2 Each Party warrants and represents that:

3.2.1 it has the authority to enter into and meet its obligations under the Contract

3.2.2 it has and will maintain all necessary rights, permissions, authorisations, licenses and consents to perform its obligations under the Contract before the date on which the SDE Service are to start

3.3 The Parties acknowledge that nothing in the Contract either expressly or by implication constitutes an approval or endorsement of any products or services of the other Party or Parties. The Parties agree not to conduct themselves in such a way as to imply any such approval or endorsement.

4.1 Subject to clause 9, NHS England shall supply the SDE Service in accordance with the SDE Service Description (Schedule 2).

4.2 NHS England warrants to the Recipient that it shall provide the SDE Service:

4.2.1 in accordance with applicable Laws

4.2.2 using reasonable care and skill

4.3 NHS England shall use all reasonable endeavours to meet any service levels or performance dates specified in the SDE Service Description (Schedule 2), but unless otherwise stated any such dates shall be estimates only and shall not be binding on NHS England.

5.1 NHS England may from time to time sub-contract its obligations under the Contract, including its delivery of the SDE Service.

5.2 NHS England shall remain responsible for all acts and omissions of its sub-contractors, including their Personnel, as if they were its own.

5.3 NHS England can assign, novate or transfer the Contract or any part of it to any public or private sector body which performs the functions of NHS England.

5.4 A Recipient cannot assign the Contract without NHS England’s prior written consent.

6.1 NHS England will undertake reasonable efforts to maintain complete and accurate records of:

6.1.1 the operation of this Contract and the SDE Services provided under it

6.1.2 NHS England’s invoices for the SDE Service and the Charges paid by the Lead Recipient

6.1.3 any other matter that NHS England may be lawfully required to maintain a record of, including records relating to compliance with Data Protection Legislation

6.2 NHS England will retain the records referred to in clause 6.1 for a minimum of seven years from the date of expiry or termination of the Contract, at which point it will review whether there is an ongoing need to retain them.

6.3 The Recipient acknowledges that NHS England is entitled to audit the Recipient’s access to and usage of the SDE and the SDE Service, which may at NHS England’s reasonable discretion include assessing the Recipient’s systems and facilities. The Recipient will provide NHS England with all reasonable assistance in order to enable it to undertake its auditing rights in accordance with this clause 6.3.

6.4 NHS England acknowledges that the Recipient is entitled to audit NHS England's Processing of Processor Data on the terms set out in clause 2.16 of Schedule 4.

7.1 The Recipient shall:

7.1.1 comply, and ensure that its Personnel (including Authorised Users) comply, with:

1. all terms of the Contract, including these Terms and all Schedules (including, but not limited to, the Acceptable Use Policy and End User Access Agreement)
2. applicable Law including, but not limited to, Data Protection Legislation and the data protection obligations set out in Schedule 4
3. the terms of the applicable Data Sharing Agreement
4. any policy, conditions, guidance, or other material that NHS England may issue in connection with the SDE (as updated from time to time)

7.1.2 ensure its Personnel, including Authorised Users, are suitably trained, experienced and skilled in respect of their use of the SDE Service and the SDE more generally, including in relation to information security awareness and such training or guidance as issued by NHS England in relation to the SDE Service (as updated from time to time)

7.1.3 ensure its Personnel, including Authorised Users, have undergone checks which comply, as a minimum, with the 'Identity checks standards' published by NHS Employers dated June 2024 and as updated or replaced from time-to-time

7.1.4 ensure its Authorised Users have passed all mandatory assessments communicated to it and maintained by NHS England in respect of the SDE, and further ensure that any such assessments are re-taken at intervals confirmed by NHS England

7.1.5 co-operate with NHS England in all matters relating to the SDE Service (including audit in accordance with clause 6.3)

7.1.6 provide NHS England with such information and materials as NHS England may reasonably require in order to supply the SDE Service in a timely manner;

7.1.7 ensure that all information and materials it provides to NHS England are complete and accurate

7.1.8 inform NHS England immediately, and in any event within 1 Working Day, of any changes to its Authorised Users, User Managers or Authorised Representatives

7.1.9 comply with any additional obligations set out in the SDE Service Description (Schedule 2) to include, but not limited to, holding a legally effective Data Sharing Framework Contract and Data Sharing Agreement relating to the SDE as at the Commencement Date and throughout the Term

7.1.10 ensure that any Reference Data and/or Upload Code are free of viruses or other malicious threats before it is uploaded to the SDE Platform and that no Uploaded Code or SDE Developed Code introduces malicious or harmful functionality into the SDE Platform

7.1.11 ensure that it stores a copy of any Reference Data and/or Uploaded Code that it adds to the SDE, in connection with this Contract or SDE Services. The Recipient shall have no remedy in the event such data is lost or otherwise damaged

7.1.12 ensure that any Reference Data and/or Uploaded Code does not contain Personal Data

7.1.13 not, either directly or indirectly, link or otherwise Process Reference Data and/or Uploaded Code so as to render it Personal Data; and

7.1.14 insofar as any Uploaded Code or SDE Developed Code makes use of, or otherwise is used to develop, artificial intelligence ensure that such Code:

1. only Processes NHSE Data for such purposes where it has been explicitly authorised by the relevant Data Sharing Agreement;
2. Processes NHSE Data in compliance with the UK GDPR including, but not limited to, the principles set out in Article 5 UK GDPR; and
3. is not used to undertake any automated processing (as defined in Article 22A UK GDPR) within the SDE. 

7.2 NHS England reserves the right to remove and delete:

7.2.1 additional data or products provided by NHS England including but not limited to Reference Data from the SDE Platform

7.2.2 all data held within an Authorised User’s personal workspace following either deactivation of that Authorised User’s account

7.2.3 all data held within the Recipient Environment following expiry or termination of the Contract.

7.3 In the event of any of the scenarios outlined in clause 7.2 Recipients are responsible for ensuring that any material they wish to retain is removed or transferred from the Recipient Environment prior to account deactivation and/or Contract expiry/termination (as applicable). For the avoidance of doubt once data has been removed and/or deleted in accordance with clause 7.2 then NHS England will not be obliged to further retain, retrieve, or provide continued access to such material after this point.

7.4 The Recipient warrants that, to the best of its knowledge and belief, neither it nor any member of its group:

7.4.1 has, at any stage, violated the Anti-Corruption Laws

7.4.2 is being, or will be, investigated in respect of any breach of the Anti-Corruption Laws

7.4.3 is, or will be, subject to sanctions

7.5 Save where such disclosure would constitute a breach of any applicable law, the Recipient further warrants that it shall immediately, and in any event within 24 hours of becoming aware, notify NHS England upon becoming aware of any infringement or investigation which falls within the scope of clause 7.3.

7.6 For the purposes of clause 10, 'group' shall have the meaning ascribed to it in the Companies Act 2006.

7.7 The Recipient will not allow sanctioned persons or entities to access, directly or indirectly, the SDE Service and the SDE more generally. For the avoidance of doubt, the Recipient is solely responsible for ensuring that its Authorised Users are not sanctioned. The Recipient must notify NHS England immediately, and in any event within 24 hours of becoming aware, upon becoming aware of any use of the SDE Service by a sanctioned person or entity.

7.8 For the avoidance of doubt, a Recipient is responsible for ensuring that its Authorised Users comply fully with all the terms of the End User Access Agreement.

7.9 A breach of clauses 7.3, 7.4, 7.6 and 7.7 by the Recipient shall be considered a material breach which is not remediable.

7.10 The Recipient must ensure that all access to the SDE from outside the UK is conducted in accordance with this Contract and the agreed Data Sharing Agreement (DSA).

7.10.1 The Recipient is responsible for providing accurate, secure and up-to-date information on access territories, IP addresses or VPNs used for accessing the SDE from outside the UK.

7.10.2 Any changes to approved access locations or authorised territories must be notified to NHS England prior to any change being made or implemented and may be subject to additional review or approval.

7.10.3 NHS England reserves the right to review, audit or revoke access from any location that does not comply with the agreed terms, security requirements or applicable legal and regulatory obligations under this Contract.

8.1 In consideration of NHS England carrying out its obligations under the Contract, including provision of the SDE Service, the Lead Recipient shall pay the Charges in accordance with the published charges on the NHS England SDE webpage and the conditions set out in Schedule 3, which outlines:

8.1.1 NHS England’s Charges for its SDE Service and the basis on which its Charges will be calculated (including any changes to the Charges)

8.1.2 the procedure NHS England shall follow to raise invoices to be paid by the Lead Recipient

8.1.3 the timeframes within which the Lead Recipient shall pay NHS England’s invoices and acceptable payment methods for doing so

8.2 NHS England warrants that it will calculate the Charges accurately and in compliance with the Contract.

8.3 All Charges are exclusive of VAT which shall apply at the standard rate at the time of invoicing.

8.4 In the event the Lead Recipient fails to pay outstanding Charges within 20 Working Days of receipt of a valid invoice, NHS England reserves the right to charge interest on the overdue amount at the applicable rate under the Late Payment of Commercial Debts (Interest) Act 1998, accruing on a daily basis from the due date up to the date of actual payment, whether before or after judgment.

8.5 In the event NHS England is delayed in raising an invoice within a timeframe that has been agreed to by the Parties, or it has failed to do so altogether, for the avoidance of doubt this shall not have the effect of relieving the Lead Recipient of their obligations to pay the Charges, and NHS England reserves the right to issue an invoice at such a time it deems reasonable and appropriate.

8.6 NHS England reserves the right to update the unit pricing, as set out in the published charges on the NHS England Secure Data Environment webpage, at the commencement of each Financial Year. NHS England shall confirm the applicable unit pricing applicable to the forthcoming Financial Year in writing to the Lead Recipient by no later than 31 January of each calendar year. Unit price increases in accordance with this clause 8.6 will be up to the monthly average over a 12-month period (January to December) of the Consumer Price Index (CPI) + 5 per cent.

8.7 In addition to the rights as set out in clause 8.6, NHS England also reserves the right to amend the pricing at any time due to the impact of:

8.7.1 procurement or contract change activity relating to third party products and/or services which make up the SDE Service and which it is committed to undertaking as a public sector body

8.7.2 changes in legislation, policy, funding or directions which it must follow and has an impact on the cost and therefore price of the service; and/or

8.7.3 any changes made in accordance with clause 9 of these Terms

8.8 Where the changes in clause 8.7 apply NHS England shall:

8.8.1 inform the Lead Recipient as soon as reasonably practical in advance of the change

8.8.2 confirm the impact and timing of any change including, where applicable, any withdrawal of services and/or pricing

8.9 Where the Recipient objects to proposed pricing changes notified in accordance with clause 8.7 it may terminate the Contract by giving at least 20 Working Days’ written notice to NHS England. In the event that the Recipient does not exercise its right to termination arising under this clause 8.9 then it will be deemed to have accepted the changes proposed by NHS England under clause 8.7.

9.1 The Recipient acknowledges that NHS England may from time to time update and/or make changes to the SDE and the SDE Service to:

9.1.1 amend the SDE Service Description process for submitting and otherwise accepting Orders

9.1.2 improve performance or security

9.1.3 changes to Customisations

9.1.4 modify functionality, which may include discontinuing or replacing aspects of the SDE Service

9.1.5 reflect changes and improvements to its software or operating systems

9.1.6 comply with Law, policy, best practice or guidance which NHS England is required to have regard to, or it is otherwise reasonable for it to have regard to

9.2 NHS England will confirm any material changes under clause 9.1 to the Recipient before they take effect. Such changes may include, but are not limited to, amendment to Schedules to this Contract and to relevant policies which are maintained on NHS England's website.

9.3 Where the Recipient objects to a material update or change under clause 9.1, including changes to the Charges, it may terminate the Contract by giving at least 20 Working Days’ written notice to NHS England. In the event that the Recipient does not exercise its right to termination arising under this clause 9.3 then it will be deemed to have accepted the changes proposed by NHS England under this clause 9.3.

10.1 NHS England acknowledges that a Recipient may from time to time request changes to the scope or execution of the SDE Service it receives or is due to receive under the Contract ('Request').

10.2 The Parties acknowledge that any Request under clause 10.1 ought to be recorded as a new Order, as:

10.2.1 any addition of and/or changes to a User Manager and/or Authorised User are to be made by the User Manager via the SDE Portal

10.2.2 any changes to a Recipient's access requirements in accordance with paragraph 4 of Schedule 3, are to be made by the Authorised Representative by email to NHS England, or via the national service desk

10.3 NHS England reserves the right to make enquiries or request such further information as it deems necessary in relation to any Request, and before it formally accepts the Request.

10.4 For the avoidance of doubt a Request submitted or otherwise completed in accordance with this clause 9.3 will supersede and replace the preceding Order.

10.5 The service variation process outlined in this clause 10 cannot be used by the Recipient to amend the terms of the applicable Data Sharing Agreement or Data Sharing Framework Contract (including, but not limited to, the specific data and purposes for which that data can be used by the Recipient as set out in the Data Sharing Agreement or Data Sharing Framework Contract).

11.1 The License and Intellectual Property provisions of the Recipient’s Data Sharing Framework Contract, including the definitions included therein, apply to the Recipient’s use of the SDE Services. The Parties’ respective Intellectual Property Rights are determined accordingly, subject only to clause 11.2 and any modifications the context may require to give effect to the applicable provisions of the Data Sharing Framework Contract.

11.2 The Recipient agrees to publish full details of any code, methodology or algorithms used to process or create the SDE Output Data ('Code'). This shall be done using the process set out in the SDE as soon as possible, and in any event no more than 12 months from the point the Code is first committed to version control within the SDE. The Recipient hereby licenses the Code under the MIT No Attribution (MIT-0) license.

12.1 The Parties shall comply with their respective data protection obligations as set out in Schedule 4.

12.2 The Recipient’s Data Sharing Agreement and Data Sharing Framework Contract shall also apply to the SDE Service.

13.1 NHS England as a Public Authority, is subject to the FOIA and the EIR regimes.

13.2 Where the Recipient is also a Public Authority, the following provisions shall apply:

13.2.1 If one of the Parties receives a request for information under the FOIA and or EIR which relates to its performance of the Contract, it shall endeavour to inform the other Party within 5 Working Days.

13.2.2 The Parties agree to assist each other with responding to any FOIA and or EIR request falling within the scope of clause 13.2 of these Terms by giving their full co-operation and providing any information needed to enable the Party in receipt of the request to respond and otherwise comply with the requirements of the FOIA and or EIR (as applicable).

13.2.3 For the avoidance of doubt, the Party in receipt of the FOIA and or EIR request retains sole discretion in determining what, if any, information should be provided in response.

13.3 Where the Recipient is not a Public Authority, the following provisions shall apply:

13.3.1 The Recipient acknowledges that NHS England is subject to the requirements of the FOIA and the EIR. At no additional cost, the Recipient shall:

1. provide all necessary assistance and cooperation as reasonably requested by NHS England to enable it to comply with its obligations under the FOIA and or EIR
2. transfer to NHS England all FOIA and/or EIR requests relating to this Contract that it receives as soon as practicable possible and in any event within 2 Working Days of receipt
3. provide NHS England with a copy of all information held on behalf of NHS England required in response to a FOIA and or EIR request and which is in its possession or control in the form that the NHS England requires within 5 Working Days of NHS England’s request for such Information
4. not respond directly to a FOIA and or EIR request addressed to NHS England unless authorised in writing to do so by the NHS England

13.3.2 Notwithstanding any other provision of this Contract, the Recipient hereby acknowledges that NHS England may, in its sole discretion, publish and or otherwise release, any information reasonably required in order to discharge its statutory duties under the FOIA and/or EIR (subject to any applicable exemptions in accordance with the Law). NHS England shall, prior to publication, use reasonable endeavours to consult with the Recipient, if required, on the manner and format of publication and to inform its decision regarding any exemptions but shall have the final decision in its absolute discretion.

13.3.3The Recipient acknowledges that NHS England may be required under the FOIA and or EIR to disclose information, including Commercially Sensitive Information, without seeking consultation or consent from the Recipient. NHS England will make reasonable efforts to inform the Recipient of any FOIA or EIR request (in line with the Secretary of State's section 45 Code of Practice on the Discharge of Public Authorities' Functions under Part 1 of the FOIA), as long as it is both permissible and practically feasible to do so. However, notwithstanding any other terms in this Contract, NHS England retains sole discretion to determine whether any Commercially Sensitive Information or other data qualifies as exempt from disclosure in accordance with the FOIA and the EIR.

14.1 For the purposes of this clause 14.1 and clause 21 (Consequences of Termination), the term 'Disclosing Party' shall mean the Party which discloses or otherwise makes their Confidential Information available and 'Recipient Party' shall mean the Party which receives or otherwise has access to the Disclosing Party’s Confidential Information.

14.2 Each Party undertakes that, when acting as the Recipient Party, it shall:

14.2.1 not use the Disclosing’s Party’s Confidential Information for any purpose other than to perform its obligations under the Contract

14.2.2 treat the Disclosing Party's Confidential Information as confidential and ensure it is appropriately secure and protected

14.2.3 not disclose the Disclosing Party’s Confidential Information except as expressly permitted by these Terms

14.2 4 notify the Disclosing Party if it suspects or becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Data Discloser’s Confidential Information without undue delay and in any event within 24 hours

14.3 The Recipient Party may disclose the Disclosing Party’s Confidential Information:

14.3.1 to its Personnel or advisers who need to know such Confidential Information for the purposes of performing their obligations under the Contract or providing advice on it

14.3.2 if it has obtained the Disclosing Party’s prior written consent; and/or

14.3.3 if required by Law or in connection with a legal obligation

14.4 Each Party shall ensure that its Personnel or advisers to whom it discloses the Disclosing Party's Confidential Information to under clause 14.3.1 comply with the obligations set out in this clause 14.4.

14.5 The Disclosing Party’s prior written consent as referred to in clause 14.3.2 will only be valid if it has been obtained by its Authorised Representative.

14.6 If the Recipient Party is required to disclose the Disclosing Party’s Confidential Information in accordance with clause 14.3.3, the Recipient Party shall as soon as reasonably practicable and to the extent permitted by Law notify the Disclosing Party of the full circumstances of the required disclosure including the relevant Law and/or regulatory body requiring such disclosure and the Confidential Information to which such disclosure would apply.

15.1 References to liability in this clause 15 include every kind of liability arising under or in connection with the Contract including liability in contract, tort (including negligence), misrepresentation, restitution or otherwise.

15.2 Subject to clauses 15.3 and 15.4, this clause 15.2 sets out the types of liability that are wholly excluded:

15.2.1 loss of profits

15.2.2 loss of sales or business

15.2.3 loss of agreements or contracts

15.2.4 loss of anticipated savings

15.2.5 loss of use or corruption of software, data or information

15.2.6 loss of or damage to goodwill

15.2.7 indirect or consequential loss

15.3 Nothing in the Contract limits any liability which cannot legally be limited, including for:

15.3.1 death or personal injury caused by negligence

15.3.2 fraud or fraudulent misrepresentation

15.3.3 breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession)

15.4 Neither Party may benefit from the limitations and exclusions set out in this clause in respect of any liability arising from its deliberate default.

15.5 Nothing in this clause 15 shall limit the Recipient's payment obligations under the Contract.

15.6 If NHS England's ability to meet its obligations under this Contract is affected or delayed due to an action, omission, or failure by any Recipient to a Multi-party Contract, (Recipient Default):

15.6.1 NHS England shall not be liable for any direct or indirect costs or losses incurred by the Recipient arising from NHS England's failure or delay to perform any of its obligations as set out in this clause 15.6

15.6.2 NHS England shall also not be liable for any costs or losses sustained or incurred by any Recipient arising directly or indirectly from any other Recipient’s act, omission, failure or delay to perform any of its obligations under its respective Contract

15.6.3 NHS England shall have the right to rely on the Recipient Default to relieve it from the performance of any of its obligations in each case to the extent the Recipient Default prevents or delays NHS England's performance of any of its obligations

15.6.4 the Recipient shall reimburse NHS England on written demand for any costs or losses NHS England incurs as a result of the Recipient Default

15.7 Subject to clauses 15.3 and clause 15.4 NHS England's total aggregate liability for any and all claims arising under or in connection with this Contract regardless of form of action and whether in contract, tort (including negligence and breach of statutory duty) or otherwise is limited to the sum of the Recipient's SDE Service Set-Up Fee.

15.8 Each Party shall use all reasonable endeavours to mitigate any losses which it suffers under or in connection with the Contract.

15.9 This Contract does not govern any liability or disputes as between Recipients. NHS England will not arbitrate or otherwise engage in dispute resolution of such any such matters between Recipients, which is a matter exclusively for those Recipients to resolve.

16.1 The Parties undertake to each indemnify and hold each other harmless from any claim, proceeding, cost, charge, damages, expenses or losses (including without limitation legal and other professional advisers fees) which they cause as a result of their breach of Law, including Data Protection Legislation, or breach of the provisions of the Contract, except to the extent that any such liability is excluded under clause 15.2 (to be read subject to clause 15.3).

16.2 Indemnification hereunder is contingent upon:

16.2.1 the Party(ies) to be indemnified (Indemnified Party(ies)) promptly notifying the other Party(ies) (the Indemnifying Party(ies)) of a claim

16.2.2 the Indemnifying Party(ies) having joint control of the defence and settlement of any such claim

16.2.3 the Indemnified Party(ies) providing reasonable co-operation and assistance to the Indemnifying Party(ies) in defence of such claim

17.1 NHS England may vary the Contract from time to time, provided that any such variation:

17.1.1 applies on a uniform basis to all Recipients in respect of its service offering

17.1.2 does not contain any indemnities or clauses with a similarly legal effect to indemnities

17.2 Where the Recipient objects to a material variation under clause 17.1, it may terminate the Contract by giving at least 20 Working Days’ written notice to NHS England.

17.3 The Parties may vary the Contract by mutual agreement. Subject to NHS England’s right to vary the Contract under clause 17.1, no addition to, variation of, or exclusion of any term of the Contract shall be effective unless it is in writing and signed by the Authorised Representatives of both NHS England and the Recipient, which in the case of a Multi-party Order includes the Authorised Representatives of all Recipients. 

18.1 NHS England may, at its sole discretion, suspend the supply of SDE Service to any Recipient, either in whole or in part, in the event that:

18.1.1 the SDE is underdoing planned maintenance

18.1.2 there are system outages which are outside of NHS England’s control

18.1.3 NHS England is investigating a potential breach of the Law, including Data Protection Legislation, the Contract, the Data Sharing Agreement and the Data Sharing Framework Contract

18.1.4 NHS England has provided the Recipient with written notice requiring remediation of a material breach under clause 19.3.1(b) or 20.3.1(b), and the Recipient has failed to remediate that material breach

18.1.5 NHS England has provided the Lead Recipient, with written notice requiring payment of a Charge due under clause 19.5 or 20.5, and Lead Recipient has failed to pay that Charge

18.1.6 NHS England has otherwise deemed it reasonably necessary to suspend the supply of SDE Service including, for example, while a potential data security risk is being investigated

18.1.7 the Recipient’s Data Sharing Agreement and/or Data Sharing Framework Contract is suspended; or

18.1.8 in the case of Multi-party Orders, the Lead Recipient decides to suspend the Contract

18.2 For the avoidance of doubt NHS England’s rights under clause 18.1 enable it to suspend the provision of SDE Service to all Recipients to a Multi-party Order in the event that any of clauses 18.1.1 to 18.1.8 apply to one or more of the Recipients to that Multi-party Order.

18.3 In the event NHS England suspends the supply of SDE Service to a Recipient under clause 18.1, it will provide them with prior notice where practicable, and also with updated information as to if, and if so when, the SDE Service are likely to resume.

18.4 NHS England’s right to suspend the supply of SDE Service under clause 18.1 does not affect or in any way limit any other right or remedy available to it.

19.1 This clause 19 applies exclusively to Contracts involving only one Recipient, and for the avoidance of doubt excludes Contracts involving Multi-party Orders.

19.2 Either Party may terminate the Contract by giving at least 20 Working Days’ written notice to the other Party.

19.3 Either Party may terminate the Contract ('Terminating Party') with immediate effect by giving written notice to the other Party if:

19.3.1 in the reasonable opinion of the Terminating Party:

1. the other Party commits a material breach of any term of the Contract which cannot be remediated; or
2. the other Party commits a material breach of any term of the Contract (including the Data Sharing Agreement and Data Sharing Framework Contract) and has failed to remediate it within 10 Working Days of that Party being notified in writing to do so

19.3.2 the Terminating Party is otherwise expressly permitted to do so by the Contract, including by way of clause 19.5.1 (non-payment) and clause 22.5 (Force Majeure event)

19.4 For the purposes of clause 19.3.1 and 20.3.1, a 'material breach' may be a single breach, a number of breaches or repeated breaches of the same kind which together constitute a material breach.

19.5 NHS England may terminate the Contract with immediate effect by giving written notice to the Recipient:

19.5.1 if the Recipient fails to pay any Charge due within 30 Working Days’

19.5.2 if the Recipient’s Data Sharing Agreement and/or Data Sharing Framework Contract is terminated; or

19.5.3 at a date on or after 6 months from the Commencement Date, where terms relating to the full live service have not been agreed thin 30 days of being provided by NHS England

20.1 This clause 20 applies exclusively to Contracts involving Multi-party Orders, and for the avoidance of doubt excludes Contracts involving only one Recipient.

20.2 Any Party may terminate the Contract by giving at least 20 Working Days’ written notice to the other Parties.

20.3 Any Party may terminate the Contract ('Terminating Party') with immediate effect by giving written notice to the other Party if:

20.3.1 in the reasonable opinion of the Terminating Party:

1. another Party or Parties commits a material breach of any term of the Contract which cannot be remediated; or
2. another Party or Parties commits a material breach of any term of the Contract (including the Data Sharing Agreement and Data Sharing Framework Contract) and has failed to remediate it within 20 Working Days of that Party being notified in writing to do so

20.3.2 the Terminating Party is otherwise expressly permitted to do so by the Contract, including by way of clause 20.5.1 (non-payment) and clause 22.5 (Force Majeure event)

20.4 In the event that a Party elects to terminate the Contract under clause 20.3 then the following shall apply:

20.4.1 in the event the Terminating Party is NHS England, NHS England may at its sole discretion elect to terminate the Contract of all the Recipients, or only one or more Recipients, as it reasonably considers to have committed a material breach under clause 20.3.1

20.4.2 in the event that Party is the Lead Recipient, their election to terminate the Contract will have the effect of terminating not only their rights and obligations under the Contract but also those of all Recipients to the Multiparty Order

20.4.3 in the event that Party is a non-Lead Recipient, their election to terminate the Contract will only have the effect of terminating their rights and obligations under the Contract, and not those of any other Recipients or the Lead Recipient and NHS England shall, at its discretion, determine whether to also terminate the Contracts of the Lead Recipient and other Recipients

20.5 NHS England may in its discretion terminate the Contract, either in its entirety or only insofar as it relates to one or more Recipients, by giving written notice to the Recipient(s):

20.5.1 if the Lead Recipient fails to pay NHS England any Charge due within 20 Working Days’ from the later of the due date for the Charge; or the date on which the Lead Recipient was notified in writing of its failure to pay the Charge

20.5.2 if any Multi-party Order Recipient’s Data Sharing Agreement and/or Data Sharing Framework Contract is terminated; or

20.5.3 at a date on or after six months from the Commencement Date with a view to agreeing new commercial terms with the Recipient related to the SDE Service

21.1 Subject to clause 18, NHS England shall continue to provide SDE Service to the Recipient up until expiry of the Contract or the date on which the Contract will terminate.

21.2 Where a Contract is terminated in accordance with clause 19 or 20, NHS England is under no obligation to refund the Charges, including any applicable to Customisations, which have already been paid or are otherwise due to be paid in respect of SDE Service provided up to the date on which the Contract terminates.

21.3 With the exception of termination by NHS England in accordance with clause 19.2 or 20.2, in the event of termination of the Contract, the Lead Recipient will be obliged to pay the applicable Charges for the entirety of the month in which the termination takes effect.

21.4 Expiry or termination of the Contract will not affect:

21.4.1 any rights, remedies or obligations accrued up until expiry or termination; or

21.4.2 the right of NHS England to recover any outstanding Charge from the Lead Recipient up until the date of expiry or termination

21.5 Further to clause 21.4, on expiry or termination of this Contract, the following clauses shall continue in force:

21.5.1 clause 11 (Intellectual Property Rights)

21.5.2 clause 14 (confidentiality)

21.5.3 clause 15 (limitation of liability)

21.5.4 clause 16 (indemnity)

21.5.5 this clause 21 (consequences of termination)

21.5.6 clause 24 (waiver)

21.5.7 clause 25 (severance)

21.5.8 clause 29 (jurisdiction, governing law and dispute resolution)

21.6 Upon expiry or termination of the Contract, each Party shall:

21.6.1 destroy or return to the Disclosing Party, at the Disclosing Party’s sole election, all documents and materials, including any copies, containing, reflecting, incorporating or based on the Disclosing Party’s Confidential Information

21.6.2 erase all the Disclosing Party’s Confidential Information from computer and communications systems and devices used by it, including such systems and data storage services provided by third parties (to the extent technically and legally practicable)

21.6.3 certify in writing to the Disclosing Party that it has complied with the requirements of this clause 21

21.7 Clause 21 is subject only to any applicable statutory or professional obligations the Recipient Party is subject to which require it to retain the Disclosing Party’s Confidential Information.

21.8 Subject to clause 21.9, termination of the Contract shall also result in termination of the Data Sharing Agreement and Data Sharing Framework Contract insofar as those agreements relate specifically to the SDE.

21.9 In the event that the Recipient’s Data Sharing Agreement and Data Sharing Framework Contract relate to access to data through DARS which is unrelated to the SDE, those agreements will cease to apply to the SDE but shall otherwise continue in respect of non-SDE arrangements.

22.1 Neither Party shall be in breach of these Terms or otherwise liable for any failure or delay in the performance of its obligations under these Terms if such failure or delay results from a Force Majeure event.

22.2 If a Party fails or is delayed in performing its obligations under the Contract as a result of a Force Majeure event ('Affected Party'), the Affected Party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of non-performance continues for 20 Working Days, the Party not affected by the Force Majeure event may terminate the Contract by giving 20 Working Day written notice to the Affected Party.

22.3 The Parties will promptly (on becoming aware of the same) notify each other of a Force Majeure event or potential Force Majeure event which could affect their ability to perform their obligations under the Contract.

22.4 The Party will use all reasonable endeavours to continue to perform their respective obligations under the Contract and to mitigate the effects of a Force Majeure event.

22.5 If a Force Majeure event prevents the Affected Party from performing its obligations under the Contract for more than 20 Working Days, the other Party may terminate the Contract by written notice with immediate effect.

23.1 The Contract constitutes the entire agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

23.2 The Parties acknowledge that in entering into the Contract they do not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract. In particular, the Parties agree that neither shall have a claim for innocent or negligent misrepresentation or misstatement based on any statement in the Contract.

24.1 No failure or delay by a Party to exercise any right or remedy provided under the Contract or by Law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

25.1 If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the Contract.

25.2 If any provision or part-provision of the Contract is deemed deleted under clause 25.1, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

26.1 Except as expressly provided otherwise in these Terms, the rights and remedies provided by the Contract are in addition to, and not exclusive of, any rights or remedies provided by Law.

27.1 Subject to the specific notification obligations set out in Schedule 4 any notice or other communication given by one Party under or in connection with the Contract shall be in writing, addressed to the Party’s Authorised Representative and shall be delivered by hand or by pre-paid first-class post, or sent by email.

27.2 Any notice or communication shall be deemed to have been received:

27.2.1 if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address

27.2.2 if sent by pre-paid first-class post, at 9.00 am on the second Working Day after posting

27.2.3 if sent by email, at the time of transmission, or if this time falls outside Working Hours in the place of receipt, when Working Hours resume

27.3 This clause 27 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

28.1 Except as expressly provided otherwise, a person who is not a Party to the Contract shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce these Terms or any other Term in the Contract.

28.2 For the avoidance of doubt, clause 28.1 does not affect any right or remedy of a third party which exists, or is available, apart from the Contracts (Rights of Third Parties) Act 1999.

29.1 The Parties irrevocably agree that the Contract shall be governed by and construed in accordance with the law of England and Wales.

29.2 In the event of a Dispute, within 20 Working Days of one Party receiving a written request from another Party, the Parties’ Authorised Representatives shall meet in good faith in an effort to resolve the Dispute. In the event the meeting fails to resolve the Dispute:

29.2.1 the Parties may by mutual agreement decide to follow the mediation procedure prescribed by the Centre for Effective Dispute Resolutions that is current at the time of the Dispute; or

1. in circumstances where the Recipient is a Health Service Body under section 9 of the National Health Service Act 2006, the Dispute shall be governed in accordance with that provision; or
2. in circumstances where the Recipient is not a health services body, the courts of England and Wales shall have the exclusive jurisdiction to resolve the Dispute

29.3 For the purposes of this clause 29.2, 'Dispute' means any dispute, controversy, claim or difference of whatever nature arising out of, relating to, or having any connection with the Contract or its subject matter, including a dispute regarding the existence, formation, validity, interpretation, performance or termination of the Contract or the consequences of its nullity and also including any dispute relating to any non-contractual rights or obligations arising out of, relating to, or having any connection with the Contract.

1. In these Terms, unless the context otherwise requires, the following words and expressions shall have the following meanings:

Acceptable Use Policy - means NHS England’s Acceptable Use Policy for the SDE, included at Schedule 5 to these Terms.

Additional Charges - means one-off or recurring charges, at a Recipient Contract or individual Authorised User level, as applicable and updated from time to time, as published on the NHS England Secure Data Environment webpage.

Anti-Corruption Laws - means all Laws including official guidance issued pursuant to such legislation or regulations, related to financial crime, including without limitation the Bribery Act 2010, the Criminal Finances Act 2017, The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Proceeds of Crime Act 2002 and the Terrorist Asset Freezing etc. Act 2010 or other applicable money laundering, terrorist financing legislation or sanctions legislation.

Approved Access Location - as set out in the DSA.

Authorised Representative - the person or people identified as such in Section 1 of the Contract Form as at the Commencement Date or as subsequently updated by the Recipient from time to time via the SDE Portal.

Authorised Territory - as set out in the DSA.

Authorised Users - any permitted users of the SDE Service as added and/or updated by the relevant User Manager to the SDE Portal.

BYOD Data Set - means the record-level pseudonymised Data ingressed through the BYOD Service by the Recipient.

BYOD Service - means a service provided by NHSE to the Recipient that allows the upload of record level, pseudonymised data for analysis and linkage within the SDE.

Charges - means the charges payable by the Lead Recipient to NHS England for the supply of the SDE Service under the Contract.

Cohort (Participant) List Service - means a service provided by NHSE to the Recipient that allows for validation, tracing, retention and linkage to NHSE Data within the SDE under an applicable DSA.

Cohort (Participant) List or Cohort (Participant) List Data - means a CSV file containing record-level identifiers submitted via SEFT for validation, tracing and cohort creation in accordance with the DSA and NHS England guidance for submitting such data.

Cohort Submitter - means the individual notified to NHS England as responsible for uploading the Cohort (Participant) List using SEFT.

Commencement Date - has the meaning given in the Contract Form.

Confidential Information - means all information, whether written or oral and however recorded, provided by one Party to another Party under the Contract or in connection with the SDE Service which (i) is known by the receiving Party to be confidential; or (ii) ought reasonably to be considered by the receiving Party to be confidential. For the avoidance of doubt operational information relating to NHS England's delivery of the SDE Service is not confidential.

Contract - refers collectively to the Contract Form, these Terms and any other document or schedule referred to and incorporated herein.

Contract Form - means the form signed by the Parties and into which these Terms are incorporated.

Controller - has the meaning given to it under the UK GDPR.

CRM Personal Data - means the Personal Data NHS England will Process about the Recipient and/or Recipient’s Authorised Users, such as names and business contact details of points of contact.

Customisation - means services and/or features (including licences) which may be applied at a Recipient Contract or individual Authorised User level. These to be subject to additional or separate charges and, where applicable, terms.

Data Protection Impact Assessment - has the meaning given to it in the UK GDPR.

Data Protection Officer - has the meaning given to it in the UK GDPR.

DARS - means the Data Access Request Service operated by NHS England.

Data Sharing Agreement, or DSA - means the data sharing agreement executed between the Recipient and NHS England through the DARS process.

Data Sharing Framework Contract, or DSFC - means the data sharing contract executed between the Recipient and NHS England through the DARS process.

Data Subject - has the meaning given to it in the UK GDPR.

Data Subject Rights Request - means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the UK GDPR as supplemented by the DPA 2018.

Data Protection Legislation - means all applicable data protection and privacy legislation in force from time to time in the UK including the UK General Data Protection Regulation as defined in section 3(10) and 205(4) of the Data Protection Act 2018 ('the UK GDPR'); the Data Protection Act 2018 ('the DPA 2018'); the Privacy and Electronic Communications Regulations 2003 (SI 2003 No.2426) as amended; all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection or supervisory authority and applicable to a Party.

EIR - means the Environmental Information Regulations 2004.

End User Access Agreement - means the agreement accessible at NHS England Secure Data Environment End User Access Agreement (EUAA).

Expiry Date - has the meaning given in the Contract Form or as otherwise agreed between the Parties in accordance with clause 2.2.

External Controller - means any Controller other than the Recipient or NHS England that determines the purposes or means of Processing BYOD Data Sets and/or Cohort (Participant) List Data.

Fair Use - means the configuration and consumption limits as set out in the SDE Service Standard Build and as further described in Schedule 3.

Financial Year - means the period commencing from 1 April of any given year to 31 March of the succeeding year.

Force Majeure - means any event, occurrence, circumstance, matter or cause affecting the performance by either Party of its obligations arising from:

1. acts, events, omissions, happening or non-happenings beyond the reasonable control of the affected Party which prevent or materially delay the affected Party from performing its obligations under the Contract
2. riots, civil commotion, war or armed conflict, acts of terrorism, nuclear, biological or chemical warfare
3. acts of government, local government or regulatory bodies
4. fire, flood or disaster and any failure or shortage of power or fuel; or
5. industrial dispute

The following do not constitute a Force Majeure event:

1. any event, occurrence, circumstance, matter or cause which is attributable to the wilful act, neglect or failure to take reasonable precautions by the Party seeking to rely on Force Majeure
2. the event was foreseeable by the Party seeking to rely on Force Majeure at the time the Contract was entered into; or
3. any event which is attributable to the Party seeking to rely on Force Majeure and its failure to comply with its own business continuity and disaster recovery plans

FOIA - means the Freedom of Information Act 2000;

Gigabyte (GB) - a gigabyte is a unit of computer information that can be equal to 1,024 or 1,000 megabytes.

Intellectual Property Rights - patents, rights to inventions, copyright and related rights, trade marks, trade names, rights in domain names, rights in get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered, and including all applications for, and renewals or extensions of, such rights, and all similar or equivalent rights or forms of protection in any part of the world.

Joint Controller - has the meaning given to it under the UK GDPR.

Law - means any law, subordinate legislation within the meaning of section 21(1) of the Interpretation Act 1978, bye-law, regulation, order, regulatory policy, mandatory guidance or code of practice, judgement of a relevant court of law, or directives or requirements with which the Parties are bound to comply.

Lead Recipient - means the Recipient who is identified as such within the Contract Form and who will be responsible for the payment of Charges in accordance with clause 8.1 and the day-to-day contact with NHS England in relation to matters arising under the Contract.

Multi-party Order - means an Order placed by a Lead Recipient on behalf of them and one or more Recipients.

NHSE Data - Means the datasets for which NHSE are Data Controller and available to request through the DARS process. Once a Data Sharing Agreement contract is in place the agreed minimised data when place into the SDE is classed as SDE Data with controllership for the purpose of processing transferred to the recipient.

Order - means an order for the SDE Service including amendments to existing orders, which includes:

• details of the Authorised Users, and any amendments to Authorised Users and/or User Managers
• the capability requirements of the Authorised User's and any amendments to such requirements as per paragraph 4 of Schedule 3

and includes Multi-party Orders.

Output Check(s) - means the process by which NHS England ensures that data confidentiality is always maintained and data protection best practice is followed in relation to any code or data taken from the SDE.

Participant Validation Engine or 'PAVE' - means the NHS England service which validates, traces and stores participant details for linkage to NHSE Data.

Party and Parties - refers to NHS England, the Recipient(s), or both as the context requires.

Personal Data - has the meaning given to it under the UK GDPR, and for the avoidance of doubt includes Special Category Personal Data, where applicable.

Personnel - refers to the employees, agents, consultants and subcontractors of NHS England, Recipient, or sub-contractor as the context requires.

Processor Data - means collectively SDE Output Data, SDE Data, BYOD Data Sets and Cohort (Participant) List Data.

Process, Processing and Processed - have the meanings given to them under the UK GDPR.

Processor and sub-processor - have the meanings given to them under the UK GDPR.

Public Authority - has the meaning given to it in section 3 of the FOIA.

Quarter - Financial Year (April to March) periods of three months (such as Q1, April – June).

Quarterly Allowance - means the level of compute the Recipient has to utilise and which forms part of the Fair Use terms.

Recipient - means the Lead Recipient and in the case of a Multi-party Order, the organisations identified in Annex 1, who are subject to the terms of this Contract.

Recipient Environment - means the area of the SDE the Recipient can access and analyse data in.

Reference Data - means sets of values which may be used to classify, sort or better identify data records, which for the avoidance of doubt does not include any patient level information or Personal Data;

Request for Information - means a request for information or an apparent request relating to the Contract or an apparent request for such information
under the FOIA or the EIRs.

Safe Countries - means the countries that are the subject of an adequacy decision, as set out in in Part 3, Schedule 21 of the DPA 2018.

SDE - means the digital Secure Data Environment Platform operated and overseen by NHS England to which the SDE Service relate.

SDE Data - means the data held within the Recipient Environment for which the Recipient determines the purpose of the processing of the data and the means of which to process based on the tools available to them within the SDE offering.

SDE Developed Code - means any computer programming instructions, such as scripts, functions or bundles/packages/libraries, that are created or written by or on behalf of the Recipient solely within the SDE and not uploaded from an external source, for execution or storage exclusively in the Recipient’s secure workspace.

SDE Platform - means the platform used by NHS England to deliver the SDE Service, and as further described in Schedule 2.

SDE Portal - means the online self-service portal by which the User Manager can add and/or update other User Managers and/or Authorised Users to the SDE.

SDE Service - means the end-to-end SDE inclusive of SDE Platform and SDE, and as further described in Schedule 2.

SDE Service Charge - means the charges which will apply subject to the terms of the Contract for the SDE Service following set up and exclusive of the SDE Service Set-Up Fee

SDE Service Description - means the SDE Service Description included at Schedule 2 to these Terms.

SDE Service Excess Charge - means the charges which will apply should the Recipient exceed the SDE Fair Use terms, as described in Schedule 3 and in accordance with the published charges on the NHS England SDE webpage.

SDE Service Standard Build - means the standard offering including forecasted average consumption as described in Schedule 3 and priced in accordance with the published charges on the NHS England SDE webpage.

SDE Service Set-Up Fee - means the charges which will apply to set up the Recipient’s access to the SDE, as further described in Schedule 3 and in accordance with the published charges on the NHS England SDE webpage.

SDE Output Data - means data that has been manipulated by the Recipient in the Recipient Environment to form aggregated data with small numbers suppressed, with the express intention of rendering the data anonymised, and approved by NHS England for extraction by the Recipient.

Secure Electronic File Transfer or 'SEFT' - means a secure electronic environment that allows the Recipient to transfer data electronically and securely to and from NHS England.

Special Category Personal Data - means Personal Data within the categories outlined by Article 9 of the UK GDPR.

NHS England’s Authorised Representatives - means the person or persons who have the necessary authority to enforce or otherwise vary the terms of this Contract variations on behalf of NHS England.

Terabyte (TB) - a terabyte is a unit of computer information consisting of 1000GB.

Term - means the duration of the Contract.

Terms - means these terms and conditions for the purchase and use of SDE Services including any other documents and schedules referred to and incorporated herein.

Uploaded Code - means any computer programming instructions, such as scripts, functions or bundles/packages/libraries, which have been uploaded by the Recipient to the SDE from an external source for execution or storage exclusively in the Recipient’s secure workspace.

Usage Data - means data relating to the activities undertaken by Authorised Users including but not limited to name (given name and family name), email address, account status and the amount of storage and/or compute being utilised.

User Manager - means the individual or individuals identified as such in the Data Sharing Agreement, as updated from time-to-time (whether through amendment to the Data Sharing Agreement or as added and/or updated via the SDE Portal.

VAT - means value added tax chargeable under the Value Added Tax Act 1994, or any tax replacing that tax.

Working Day - means a day, other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.

2. In this Contract, unless the context otherwise requires:

2.1 capitalised words and expressions shall have the meanings set out in clause 1

2.2 words in the singular shall include the plural and in the plural shall include the singular

2.3 references to clauses and schedules are to the clauses and schedules of the Terms and references to paragraphs are to the paragraphs of the relevant schedule

3. Clause, schedule and paragraph headings shall not affect the interpretation of these terms.

4. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.

5. Any words or references following including, include, in particular, for example or any similar expression shall be interpreted as illustrative and shall not limit the sense of those words or references.

1. Introduction

1.1 This schedule provides a summary of the SDE and the support within the Recipient Environment which is made available to Recipients and forms part of the Contract. It does not set out the end-to-end service (e.g. data application and data provisioning), nor all features available in the SDE Platform.

1.2 The SDE Service is iterated and improved using agile methods, meaning features and support will change and be added to over time (in some cases these may be subject to Recipient selection, with additional charges and terms applying).

1.3 Should updates to this SDE Service Description be required this will be communicated by NHS England in writing.

2. Summary of capabilities of the SDE service

2.1 Authorised Users will have access to the SDE Service which will allow them to:

2.1.1 access data approved under the relevant Recipient DSA

2.1.2 collaborate with other Authorised Users within the same DSA

2.1.3 access tools made available by NHS England (which may be Customisations which may be ordered by the Recipient)

2.1.4 consume SDE Platform compute and storage resources

2.1.5 access SDE specific and general support services (see sections 5 and 6 of this Schedule)

2.1.6 to import Reference Data and/or Uploaded Code, subject to DSA checks and NHS England controls and providing no such data includes Personal Data or data which attracts a duty of confidence

2.1.7 output anonymised data (SDE Output Data) in accordance with their DSA through the safe output service

2.1.8 support the use of Bring Your Own Data through the Bring you Own Data Service (see Schedule 6)

2.1.9 support the use of Cohort (Participant) List Data submissions through the use of the Cohort (Participant) List service (see Schedule 7)

2.2 Any such usage must be in accordance with the Acceptable Use Policy and any additional terms.

3. SDE Data

3.1 The datasets and fields made accessible to Authorised Users within the SDE shall be as per the Recipient’s approved DSA. Any updates and changes to this shall be in keeping with the DARS processes and service levels which do not form part of the scope of the SDE Service.

4. SDE platform

4.1 The SDE Platform provides a virtual desktop user experience and access to powerful data analysis and interrogation tools.

4.2 In summary, the current set of licences, tools and key features include:

4.2.1 cloud-based virtual desktop infrastructure (VDI) providing access to an instance of the Databricks E2 data analytics platform and a suite of supporting tools and capabilities

4.2.2 a suite of analysis, coding and interrogation tools including:

1. databricks which supports Python, R and SQL languages for big data analysis
2. RStudio (Posit), a data analysis environment for R, a programming language for statistical computing and modelling
3. GitLab which enables collaboration, code/artefact management and version control
4. a secure portal for importing Reference Data into the Recipient’s workspace within the SDE, subject to processes and conditions set out by NHS England (see section 5 below)

4.3 Recipients shall receive the current Standard Build of the SDE Platform as set out in Annex A of this Schedule unless the Recipient has selected the Customisations made available by NHS England (additional terms may apply, see for example the Pricing and Payment implications outlined in Schedule 3).

4.4 New tools and features for the SDE Service may be made available by NHS England in the future (additional terms and charges may apply).

5. SDE services

Input checking service

5.1 This service checks inputs to ensure:

5.1.1 data and/or Uploaded Code being requested for import does not contain Personal Data or data which attracts a duty of confidence

5.1.2 the Authorised User’s request is in compliance with guidance and instruction issued by NHS England’s such as the SDE Safe Input Rules (issued separately to this Contract)

5.2 The Recipient remains responsible for:

5.2.1 all of its Authorised Users’ activity

5.2.2 the content of reference data and or uploaded code notwithstanding the checks performed by NHS England in accordance with this schedule

Safe output service

5.3 This service checks SDE Output Data requests to ensure:

5.3.1 data outputs are aggregated with small numbers suppressed and counts rounded with data results expressed as tables/text or images

5.3.2 code is reviewed to ensure Personal Data or data which attracts a duty of confidence is not included.

5.4 Further details can be found on the Using Databricks in DAE webpage.

5.5 The Recipient remains responsible for all of its Authorised Users’ activity.

Archiving

5.6 The ability to retain data for the purposes of archiving (Recipients should note that NHS England reserves the right to introduce limits, terms or additional charges as part of future service development).

6. SDE support

6.1 Services to support Authorised Users will continue to develop and, as they do so, NHS England will publish more detail and supporting information on available services and processes.

6.2 NHS England will, on a reasonable endeavours’ basis, provide the following support services:

SDE set-up

6.3 On-boarding the Recipient to the SDE Service.

6.4 Configuration of the Recipient’s SDE instance in line with their Order including any Customisations.

6.5 Provisioning data, as per the Recipient’s approved DSA, within the SDE.

Authorised User management

6.6 Supporting the setting up of Authorised Users into the Recipient Environment at commencement of the Contract.

6.7 Facilitating access to the SDE Portal, for a Recipient's User Manager to amend, add or remove User Managers and/or Authorised Users (subject to any applicable policies, conditions or guidance issued).

Data support

6.8 The data support team will, subject to paragraph 6.9 below, provide the following areas of support:

6.8.1 to Authorised Users in interpreting, manipulating and using the data - this includes preparation of data for analysis by others

6.8.2 to researchers with subject matter expertise on datasets and products and helps them make the best use of linked data resources

6.9 The availability and timeliness of the data support team's role, as outlined in paragraph 6.8 above, is subject to it being a shared resource between all Recipients and in light of which NHS England does not commit to defined or minimum levels of support or lead times for Recipients.

Technical support

6.10 Support is available for any technical issues with the Platform through the NHS England National Service Desk.

Recipient support

6.11 Recipient support operating during business hours, 9am to 5pm (GMT) Monday to Friday excluding bank holidays and other periods as advised by NHS England from time to time.

Online training and guidance which includes:

6.12 inductions on how to login and use the SDE

6.13 guidance documentation to access your account and get started using the provided tools

6.14 'how to' videos

6.15 masterclasses for advanced learning

7. SDE policies and operating guidance

7.1 Access and use of the SDE is subject to policies including Fair Use conditions and operating guidance for the Platform or specific services offered. These policies may contain, but are not limited to, conditions, limits or caps of use and, where appropriate, additional charges for excess use beyond NHS England's standard offering. This is to ensure the service is sustainable and that all Authorised Users get a consistent level of service.

7.2 The policies and operating guidance (including but not limited to processes, procedures, conditions and best practice) which apply to the SDE can be found at Access and support for the Secure Data Environment (or as advised by NHS England in writing).

7.3 NHS England reserves the right to amend and update the policies from time to time, informing Recipients of the changes by notification in writing (which may include SDE Platform notifications).

Specific reserved rights

7.4 The SDE is in beta and will be developed as more data and insights are gained from usage however NHS England services are offered under fixed operating conditions (including resources to supply services).

7.5 In light of the beta status of the SDE NHS England reserves the right to introduce the further conditions and charges set out in paragraph 4 of Schedule 3, and in accordance with the published charges on the NHS England SDE webpage, where it is reasonably necessary to do so in light of demand exceeding NHS England's capacity to supply services. Such conditions and charges will be notified to the Recipient in writing at least 20 Working Days prior to implementation.

7.6 Should NHS England invoke any or all of the conditions in paragraph 4 of Schedule 3 below they will apply from that point onwards (for example, for 'User change' any changes prior to the point of notice being provided would not count towards any thresholds stipulated).

Annex A: Standard build

Available SDE Service Customisation(s)

The following is available to order by the Recipient in addition to the Standard Build in this version of the SDE Service:

1. Basis of pricing

1.1 Under this Contract the Recipient will be charged for:

1.1.1 SDE set-up (such as configuration of the SDE to Recipient Order requirements, provisioning of data as per DSA)

1.1.2 SDE Service Charge(s), fulfilment of the Recipient requirements as per the Order (inclusive of updates)

1.1.3 SDE Service Excess Charge(s) as applicable

1.1.4 additional Charges as applicable

1.2 Pricing may be varied by NHS England in accordance with the provisions of the Contract.

1.3 For the avoidance of doubt, there are also fees and charges under the DSA that must be paid in full in accordance with its terms (inclusive of amendments made by the Recipient), and are payable as per the rates as set out in the DARS price list (amended from time to time and subject to the conditions) as set out at Data Access Request Service (DARS) charges.

1.4 NHS England shall advise, through a written quote, the Recipient of any separate or additional charges which apply resulting from a request by the Recipient which relates to the SDE where these services are not covered under DARS or the Services offered under this Contract.

2. Service changes

2.1 NHS England may make changes to the SDE Service as further set out in clause 9 of the Terms.

3. Price changes

3.1 NHS England may introduce changes to pricing during the Contract as further set out in clause 8 of the Terms.

4. SDE charges

4.1 The ordering process for Recipients is set out in the Contract with NHS England providing additional instruction and/or guidance from time to time. Where any conditions apply to any of the charges detailed in this Schedule, this shall be confirmed by NHS England in this Schedule or in writing.

4.2 As the SDE Service develops, NHS England may introduce new services and features (Customisation(s)), as per this Schedule and clause 9 of the Terms.

4.3 Unless otherwise agreed between the Parties in writing or as part of the conditions set out in paragraph 4.6 of this Schedule, charges shall commence or be applied from the date of completion, access or change being completed by NHS England as per the Order.

4.4 The current charges applicable to SDE Services are published on the NHS England Secure Data Environment webpage (Understanding access charges to the SDE). These charges are subject to service updates or price changes as outlined in paragraphs 2 and 3 above. Any charge-specific conditions are set out in paragraph 4.5 of this Schedule.

4.5 The following charge specific terms apply:

4.5.1 The following conditions apply to the SDE Service Charges (as published on the NHS England SDE webpage):

1. The minimum number of Authorised Users per Recipient Contract during the Term is one (1).
2. The SDE Service Charge is based on the Standard Build as described in Schedule 2 (SDE Service Description) without any Customisation(s), which may be updated from time to time by NHS England.
3. The SDE Service Charge is subject to the Fair Use terms and SDE Service Excess Charges as per section 5 of this Schedule.
4. The SDE Service Charges will be calculated by taking the highest number of concurrent Authorised Users within the calendar month and multiplying this by the per Authorised User per month charge, subject to the terms of section 5 of this Schedule.

4.5.2 The following conditions apply to the Stata Licence element of the SDE Service Charges Customisations (as published on the NHS England Secure Data Environment webpage):

1. 1 Stata licence per Authorised User (capable of being re-assigned but only within the same Recipient Contract or DSA workspace).
2. Duration of 12 months.
3. Payment in advance on next scheduled invoice date.
4. Recipient to inform NHS England if they no longer wish to retain licence prior to 12 months’ period with at least 1 months’ notice. If no notice is received, then the licence will automatically terminate at the end of the duration period.

4.5.3 The following conditions apply to the VDI element of the SDE Service Charges Customisations (as published on the NHS England Secure Data Environment webpage):

1. Upgrade change: One VDI upgrade per Authorised User Order request. An Order request can be submitted at any point (within periods of support that the Service runs).
2. Charges for the Customisation apply for the whole month in which the change in the Recipient Environment occurs.
3. Downgrade change: An Order request can be submitted at any point (within periods of support that the Service runs) but will not be implemented until the end of the month in which the Order is submitted.
4. User Removal: where an Authorised User is removed from the SDE then the Recipient is still required to pay the Customisation charges until the end of the month, to which the removal applies, for that Authorised User.
5. Charges will be applied to the next Quarterly invoice.
6. There is no term limit to this Customisation and the charges will continue unless the conditions (as outlined above) are followed.

Output Checking

4.6 Each Authorised User is entitled to a combined total of Output or Input Check requests per calendar month as set out on Understanding access charges to the SDE. Any additional request will be subject to the applicable charging policy as published on the NHS England Secure Data Environment webpage.

4.7 For the avoidance of doubt, Output Checking shall not be executed by the Order. Any Party may request an Output Check which shall be payable by the Lead Customer. It is the responsibility of the Lead Recipient to manage demand within its organisation and by any Recipients.

5. Fair use (calculation of excess charges)

Fair use

5.1 The SDE Service Charge is based on the Standard Build with the Fair Use based on the level of compute and storage.

5.2 For the level of compute the principle is to allow flexibility for the Recipient during the Quarter, with the Quarterly Allowance being calculated on the following basis:

5.2.1 The per Authorised User level of compute is multiplied by the number of Authorised Users under the Contract, to give a monthly level of compute.

5.2.2 The monthly level of compute will be based on the highest number of concurrent Authorised Users during the month. Recipients are reminded that should they wish to change Authorised Users they should request removal before adding a different Authorised User, failure to do so will result in the higher level of Authorised Users being reported as active for that month.

5.2.3 A Recipient’s monthly level of compute is then multiplied by either by 3 (three) months (the Quarter) or it is pro-rata’d depending on when the Contract started, based on the highest Authorised User level.

5.2.4 A Recipient may, in this model, go over their allocation in one month but providing they do not exceed the total level of compute for the Quarter (the Quarterly Allowance, based on the above methodology) no excess charges will apply.

5.3 The SDE Service Charge is based on the Standard Storage with the Fair Use based on the level of storage.

5.3.1 Any monthly storage level exceeding the fair use will be calculated on the following basis:

5.3.2 The per Authorised User level of storage is multiplied by the number of Authorised Users under the Contract, to give a monthly level of storage.

5.3.3 The monthly level of storage will be based on the highest number of concurrent Authorised Users during the month. Recipients are reminded that should they wish to change Authorised Users they should request removal before adding a different Authorised User, failure to do so will result in the higher level of Authorised Users being reported as active for that month.

5.3.4 This storage is not subject to the Quarterly Allowance and will be calculated based on the actual peak storage utilisation within the month.

Excess charges

5.4 Should a Recipient exceed their Quarterly Allowance, the units of compute that has been exceeded will be multiplied by the SDE Service Excess Charge (as published on the NHS England SDE webpage).

5.5 Examples are provided below (for illustration only, these are not Recipient specific):

Calculation - Quarterly Allowance minus Recipient usage of compute)* published excess DBU charge

Calculation - Taken mid-month of August (therefore active for 15 days): August compute level = 15/31*5*250.

Excess charge: (Quarterly Allowance minus Recipient usage of compute) * published excess DBU charge

Note: October would not count towards Quarterly Allowance in the second example as this would form part of the next Quarter’s total.

5.6 Should a Recipient exceed their Quarterly Allowance, the units of compute that has been exceeded will be multiplied by the SDE Service Excess Charge (as published on the NHS England SDE webpage).

5.7 Should a Recipient exceed their Monthly Storage Allowance, the additional GB of storage that has been exceeded will be multiplied by the SDE Storage Excess Charge (as published on the NHS England SDE webpage).

6. Reporting

6.1 NHS England shall monitor Recipients’ usage from time to time, and will notify the Recipient in the event it exceeds its usage allocation. On request, NHS England will share a consumption report with the Recipient for its information.

6.2 In addition to any consumption report the Recipient may request under paragraph 6.1, NHS England will also provide the Recipient with a Quarterly report setting out its Quarterly consumption.

6.3 The Recipient accepts that NHS England shall not discuss the consumption report or invoicing unless the Recipient can evidence a manifest error in the report.

7. Purchase orders (PO) and invoicing

7.1 NHS England shall issue guidance and instruction to the Recipient on the raising of PO and invoicing separate to this Contract.

7.2 Notwithstanding instructions issued, as outlined in paragraph 7.1, the following shall apply to the Contract:

7.2.1 The Lead Recipient shall raise a PO for the value of the Services within five (5) Working Days of the Contract being executed.

7.2.2 It is the responsibility of the Recipient to raise and maintain a PO for the value which will cover their anticipated use of the Service (including amendments to the Order or SDE Service Excess Charges).

7.2.3 Failure to raise a PO or update a PO (to accommodate changes to the Order) may result in either delayed access to SDE, delayed amendments or Customisations to the Order or, should NHS England deem it appropriate, suspension of the Service.

7.2.4 Failure by the Recipient to raise a PO shall not prevent NHS England from submitting a valid invoice for the charges incurred by the Recipient.

7.2.5 While the invoicing schedule is anticipated to be per Quarter, NHS England reserves the right to amend the invoicing frequency.

7.2.6 All invoices shall be paid in Sterling by electronic transfer of funds to the bank account that NHS England has specified on its invoice.

1. Protection of personal data

1.1 The parties acknowledge that for the purposes of the Data Protection Legislation:

1.1.1 NHS England is the sole Controller in relation to any Processing it is permitted to do as a result of its statutory functions or where required to take any action in Law

1.1.2 NHS England is the sole Controller for the data hosted in the SDE by NHS England

1.1.3 NHS England is the sole Controller in relation to Processing of data associated with the management of the SDE and SDE Platform, including providing support services

1.1.4 NHS England is the sole Controller in relation to any CRM Personal Data it Processes in order to complete the contract and manage the contract compliance and registration

1.1.5 NHS England and the Recipient are Joint Controllers for the use of the SDE Service, including where the Recipient’s Authorised Users carry out analysis on the data in the SDE Service and NHS England approves or rejects the output of that analysis for exporting from the SDE

1.1.6 NHS England will be a Processor on behalf of the Recipient for the purposes of hosting in the SDE Platform any SDE Data as agreed within the Data Sharing Agreement or produced by the Recipient’s Authorised Users in the SDE Platform, solely to the extent that such SDE Data is Personal Data (and as further set out in clause 2 of this Schedule 4)

1.1.7 NHS England will be a Processor on behalf of the Recipient for the purposes of any Reference Data which is also Personal Data added by the Recipient to the SDE Platform, while such Reference Data is undergoing input service checking (and as further set out in clause 3 of this Schedule 4

1.2 The Parties shall comply with Data Protection Legislation and the Law.

1.3 Subject to paragraph 1.1, where the Parties are Joint Controllers the Parties' respective responsibilities are as set out in Annex A.

1.4 Subject to paragraph 1.1, where NHS England is acting as a Processor, NHS England shall only Process the Personal Data in accordance with the Controller’s instructions, whether set out in this Contract and Annex B, unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before Processing the Personal Data unless prohibited by Law. NHS England shall comply with paragraph 2 below.

1.5 For the avoidance of doubt, nothing in this Contract, the associated Data Sharing Agreement or the Data Sharing Framework Contract shall prevent NHS England from performing SDE Services for other Recipients, or providing the same or similar services for other Recipients, or those other Recipients requesting same or similar services on the datasets, or from carrying out the same or similar analysis in the SDE, or producing the same or similar SDE Output Data.

1.6 Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation.

1.7 Any notifications required in accordance with this Schedule 4 shall be delivered by email to the relevant Party's Data Protection Officer.

2. NHS England's role as processor

2.1 This clause 2 of Schedule 4 applies exclusively to NHS England's Processing of:

2.1.1 SDE Output Data where, despite best efforts, any SDE Output Data constitutes Personal Data on the basis that it is possible to re-identify Data Subjects; and

2.1.2 SDE Data, BYOD Data Sets and Cohort (Participant) List Data in order to deliver the BYOD Service and/or Cohort (Participant) List Service.

2.2 In such circumstances NHS England will Process that Processor Data in the capacity of a Processor as instructed by the Recipient as Controller.

2.3 NHS England shall notify the Recipient immediately if it considers that any of the Recipient’s instructions infringe Data Protection Legislation.

2.4 NHS England shall, at the Recipient’s request, provide the Recipient with reasonable assistance as is contemplated by Article 28(3)(f) of the UK GDPR including, but not limited to, the preparation of any Data Protection Impact Assessment prior to commencing any Processing of the Processor Data. Such reasonable assistance may, at the discretion of Recipient, include:

2.4.1 systematic description of the envisaged Processing operations and the purpose of the Processing

2.4.2 an assessment of the necessity and proportionality of the Processing operations in relation to the Processor Data

2.4.3 an assessment of the risks to the rights and freedoms of natural persons

2.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data

2.5 NHS England shall, in relation to the Processor Data:

2.5.1 process that Processor Data only in accordance with the Recipient’s instructions unless NHS England is required to do otherwise by law. If it is so required, NHS England shall promptly notify the Recipient before Processing the Processor Data unless prohibited by law.

2.5.2 ensure that:

1. NHS England Personnel do not Process the Processor Data except in accordance with this paragraph and as described in paragraph 2.3.1 above
2. it takes all reasonable steps to ensure the reliability and integrity of any NHS England Personnel who have access to the Processor Data and ensure that they:
   1. are aware of and comply with NHS England’s duties under this paragraph
   2. are subject to appropriate confidentiality undertakings that are in writing and are legally enforceable
   3. are informed of the confidential nature of the Processor Data and do not publish, disclose or divulge any of the Processor Data to any third party unless directed in advance and in writing to do so by the Recipient or as otherwise permitted by this paragraph
   4. have undergone adequate training in the use, care, protection and handling of Personal Data that enables them and NHS England to comply with their responsibilities under Data Protection Legislation and this paragraph

2.5.3 not transfer Personal Data outside of the Safe Countries, unless the prior written consent of the Recipient has been obtained. Such consent to transfer may be conditional on NHS England entering into the Standard Contractual Clauses, or other appropriate data transfer mechanism

2.5.4 securely delete the Processor Data (and any copies of it) to the Recipient promptly following the earlier of:

2.5.4.1 the termination or expiry of the applicable Data Sharing Agreement; or

2.4.4.2 a written request from the Recipient

unless NHS England is required by Law to retain any Personal Data that is contained within the Processor Data.

2.6 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, NHS England shall implement appropriate technical and organisational measures, including but not limited to the provisions set out in Annex C to ensure a level of security appropriate to the risk, including, but not limited to, as appropriate:

2.6.1 the pseudonymisation and encryption of Processor Data

2.6.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services

2.6.3 the ability to restore the availability and access to Processor Data Processed further to this paragraph, including transfers to third parties in a timely manner in the event of a physical or technical incident

2.6.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing

2.7 Subject to paragraph 2.8, below, NHS England shall not engage a sub-processor to undertake the Processing of any Processor Data, unless, prior to any Processing taking place by the sub-processor, NHS England:

2.7.1 notifies the Recipient in writing of the intended sub-processor and Processing

2.7.2 enters into a written agreement with the sub-processor which gives effect to the terms set out in this paragraph such that they apply to the sub-processor, including providing terms that provide at least the same level of protection for the Processor Data as this paragraph and which meet the requirements of Data Protection Legislation

2.7.3 without prejudice to paragraphs 2.7.1 to 2.7.2, and subject to paragraph 2.7 below, inform the Recipient of any addition or replacement of a sub-processor

2.7.4 provides the Recipient with such information regarding the sub-processor as the Recipient may reasonably require

2.8 NHS England will maintain a list of sub-processors and share a link to that list with the Recipient. The Recipient agrees to NHS England's engagement of all sub-processors included on the list on the Commencement Date. NHS England shall notify the Recipient of any proposed additions or removals from the list of sub-processors and the Recipient shall have the opportunity to object to the same. The Parties shall, acting in good faith, discuss the reasons for any such objections and if the Recipient remains dissatisfied then it shall have the right to terminate the Contract in accordance with clause 19.2 or 20.2 (as applicable).

2.9 NHS England shall ensure that any sub-processor’s access to the Processor Data terminates automatically on termination of this DSA for any reason, save that any sub-processor may access the Processor Data in order to securely destroy it.

2.10 NHS England shall remain fully liable for all acts or omissions of any sub-processor.

2.11 Subject to paragraph 2.11, NHS England shall notify the Recipient without undue delay if it:

2.11.1 receives a Data Subjects Rights Request in connection with Processor Data

2.11.2 receives any other Request For Information, complaint or communication relating to either Party’s obligations under Data Protection Legislation connected with Processor Data

2.11.3 receives any communication from the Information Commissioner’ Office or any other regulatory or supervisory body connected with Processor Data; or

2.11.4 receives a request from any third party for disclosure of Processor Data

2.12 NHS England shall not respond substantively to the communications listed at paragraph 2.9 save that it may respond to a regulatory or supervisory body following prior consultation with the Recipient.

2.13 NHS England’s obligation to notify under paragraph 2.9 shall include the prompt provision of further information to the Recipient in phases, as details become available.

2.14 Taking into account the nature of the Processing, NHS England shall provide the Recipient with reasonable assistance in relation to either Party’s obligations under Data Protection Legislation connected with Data and any complaint, communication or request made under paragraph 2.9 (and insofar as possible within the timescales reasonably required) including by promptly providing:

2.14.1 the Recipient with full details and copies of the complaint, communication or request

2.14.2 such assistance as is reasonably requested by the Recipient to enable the Recipient to comply with a Data Subject Rights Request within the relevant timescales set out in Data Protection Legislation

2.14.3 the Recipient, at its request, with any Processor Data it holds in relation to a Data Subject

2.14.4 assistance as requested by the Recipient with respect to any request from the Information Commissioner’s Office, or any consultation by the Recipient with the Information Commissioner’s Office

2.15 NHS England shall without undue delay notify the Recipient in writing of any event that results in unauthorised Processing of Processor Data including, without limitation, destruction of Personal Data and including any Personal Data Breach (as defined by the UK GDPR) (hereafter, a 'Data Loss Event'). NHS England shall provide such assistance as is reasonably requested by the Recipient following a Data Loss Event.

2.16 Without prejudice to paragraph 2.13, upon the occurrence of a Data Loss Event NHS England shall:

2.16.1 conduct a full investigation into the reasons for and circumstances of the Data Loss Event

2.16.2 take all necessary actions to prevent, contain and mitigate the impact of the Data Loss Event, and remediate the Data Loss Event

2.16.3 if requested by the Recipient, assist the Recipient with the provision of notices to Data Subjects whose Personal Data was or may have reasonably been exposed

2.17 NHS England shall provide the Recipient with all information requested by the Recipient to enable the Recipient to verify NHS England’s compliance with this paragraph and Data Protection Legislation.

2.18 Without prejudice to paragraph 2.15, NHS England shall allow the Recipient or the Recipient’s appointed representatives to audit and inspect its activities in relation to the Processing of Processor Data to enable the Recipient to verify NHS England’s compliance with this paragraph, and NHS England shall cooperate and provide reasonable assistance the Recipient (and its representative) with each audit and inspection.

2.19 NHS England shall, in connection with the Processor Data, maintain complete and accurate records and information to demonstrate its compliance with this paragraph and Data Protection Legislation.

2.20 This paragraph does not relieve NHS England from any obligations conferred upon it in connection with Processor Data by the Data Protection Legislation.

2.21 Neither Party shall do nor omit to do anything that will put the other Party in breach of Data Protection Legislation.

3. NHS England processing of reference data

3.1 This clause 3 of Schedule 4 applies exclusively to NHS England's Processing of Reference Data which contains Personal Data. In such circumstances NHS England will Process that Reference Data in the capacity of a Processor as instructed by the Recipient as Controller, albeit solely for the specific purposes set out in clause 3.2 of this Schedule 4 below.

3.2 In accordance with clause 7.1.10 of the Terms the Recipient must ensure that any Reference Data it adds to the SDE Platform does not contain Personal Data. In the event that the Recipient, notwithstanding that doing so breaches those obligations, does add Reference Data containing Personal Data to the SDE Platform then NHS England will undertake its role as Processor, as outlined in clauses 1.1.7 and 3.1 of Schedule 4 above, solely to process that Reference Data for the purpose of removing and/or deleting any Personal Data contained therein (in accordance with clause 7.2 of the Terms).

3.3 For the avoidance of doubt the provisions in clauses 2.2 to 2.19 of this Schedule 4 will apply to NHS England's Processing of Reference Data as outlined in this clause 3.

Annex A - Joint controller

Table A - Joint controller's responsibility

Purpose and benefits of the processing - NHS England to provide the SDE Services where Recipient and Recipients’ Authorised Users can analyse the data for the purposes and benefits set out in the applicable DSA.

Table A - Responsible party

Table B

Annex B - Data processing services and particulars

For the avoidance of doubt, SDE Output Data will only be deemed as such once NHS England, in its role as Joint Controller (see Schedule 4 above), approves the data for output by the Recipient.

Annex C - Data security

1. Without prejudice to NHS England’s other obligations in respect of information security, NHS England shall:

1.1 having regard to the state of technological development, provide a level of security (including appropriate technical and organisational measures) appropriate to:

1.1.1 the harm that might result from unauthorised or unlawful processing of SDE Output Data or accidental loss, destruction or damage of such Personal Data

1.1.2 the nature of the Personal Data

1.2 take reasonable steps to ensure the reliability of NHS England’s Personnel who have access to SDE Output Data which shall include:

1.2.1 ensuring all such Personnel understand the confidential nature of SDE Output Data and the issues which arise if proper care is not taken in the processing of the SDE Output Data

1.2.2 including appropriate confidentiality clauses in employment contracts, including details of sanctions against any employee acting in a deliberate or reckless manner that breaches confidentiality or the non-disclosure provisions of Data Protection Legislation or causes damage to or loss of Personal Data

1.2.3 ensuring all such Personnel are properly trained in data protection appropriate to their role, and to ensure that all such Personnel have completed such training prior to their use of the SDE Output Data. Where requested to do so NHS England shall provide examples of training materials used, together with methodologies used to demonstrate that Personnel have understood the training. Training shall be repeated at regular intervals to take account of developments in law on good data protection practice and in any event on an annual basis

1.2.4 ensuring all such Personnel are properly vetted, both during the initial recruitment process and throughout their engagement in their processing of SDE Output Data, including through the use of procedures to identify changes in personal circumstances which may affect an individual’s ability to Process the SDE Output Data in accordance with the terms of this paragraph

1.2.5 ensuring only those Personnel involved in the processing of the DARS Application to which the SDE Output Data relates have access to the SDE Output Data, and implementing appropriate access controls to ensure this requirement is satisfied

1.2.6 provide the Recipient with such information, assistance and co-operation as the Recipient may require from time to time to establish either Party’s compliance with Data Protection Legislation

1.2.7 inform the Recipient as soon as reasonably practicable of any particular risk to the security of SDE Output Data of which it becomes aware, and of the categories of Personal Data and individuals which may be affected

2. NHS England shall promptly, and in any event not later than reasonably required in order to enable the Recipient to fulfil its duties under Data Protection Legislation, provide such information as the Recipient requires relating to the identity of any third parties to whom SDE Output Data has been disclosed by NHS England to the extent the Recipient requires this information to comply with its duties under Data Protection Legislation.

3. NHS England shall ensure:

3.1 that it has properly configured access rights for its Personnel, supported by a well-defined joiners and leavers process, to ensure access rights to SDE Output Data are properly managed

3.2 that it has proper controls in place to make sure that complex alphanumeric passwords are required for access to SDE Output Data and that training is provided in relation to the need to keep such passwords secure

3.3 it has in place procedures to identify wrongful use of SDE Output Data, including the monitoring of wrongful access to SDE Output Data

3.4 that suitable and effective authentication processes are established and used to protect SDE Output Data

3.5 that SDE Output Data is backed up on a regular basis and that all back-up data is subject to such vigorous security procedures as are necessary in order to protect data integrity, such security measures being commensurate to the nature of the data, and that a robust business continuity plan is in place. NHS England shall take particular care when transporting back-up data and other personal information and shall ensure such back-up data and other personal information is transported in a safe and secure manner

3.6 that SDE Output Data transferred electronically is encrypted using only the Advanced Encryption Standard (AES) – 256 bits specification

3.7 that SDE Output Data will not be stored on laptops or other portable media unless agreed in writing with the Recipient and subject to the following provisions:

3.7.1 SDE Output Data stored on laptops or other portable media is encrypted to at least Advanced Encryption Standard (AES) 256 bits specification and that NHS England maintains an accurate, up to date asset register, including all such portable media used to process SDE Output Data

3.7.2 all portable media used for storage or transit of SDE Output Data are fully encrypted in accordance with the NCSC 10 Steps to Cyber Security and must meet the standard published by NCSC 'Software Encryption of Removable Media: CPA SC'

3.7.3 portable media are not left unattended at any time (such as in parked cars, in unlocked and unoccupied rooms)

3.7.4 when not in use all portable media are stored in a locked area and issued only when required to authorised employees, with a record kept of issue and return

3.8 that Personnel are not able to access SDE Output Data from home or via their own electronic device other than through a secure electronic network and that SDE Output Data may not be stored in such devices

3.9 that suitable physical security measures are established commensurate to the harm that could result from the unlawful disclosure of and/or access to SDE Output Data. Such physical security measures shall be as identified in the NHS England’s data protection policy

3.10 that suitable physical security measures are established to ensure that SDE Output Data is protected from accidental or deliberate loss or destruction arising from environmental hazards such as fire or flood

3.11 without prejudice to NHS England’s obligations in relation to the disposal of Personal Data, all SDE Output Data which is disposed of must be disposed of in accordance with any relevant law and guidance applicable to such disposal

3.12 that NHS England establishes and maintains adequate data security compliance policies and audits its use of SDE Output Data in compliance with its data security policies on a regular basis and in any event annually

4. NHS England shall throughout the period in which this DSA is in force remain registered with the Data Security and Protection Toolkit or any replacement to such system.

What’s in these terms?

This Policy sets out the content standards that apply when you use our site, upload content to our site, make contact with other Authorised Users on our site, link to our site, or interact with our site in any other way. Click on the links below to go straight to more information on each area:

• NHS England Transparency Notice for this site

Who we are and how to contact us

This site is operated by NHS England ('we' or 'us').

To contact us, email: [email protected].

In the event you identify at any time that your use or our site or any content uploaded by you infringes our Policy at any time, contact us.

By using our site you accept these terms

By using our site, you confirm that you accept the terms of this Policy and that you agree to comply with them. If you do not agree to these terms, you must not use our site. We recommend that you print a copy of these terms for future reference.

Access to our site services shall also be subject to the applicable terms and conditions.

Microsites and third party tools

Access to certain areas (microsites including the SDE) may be subject to additional terms that are available on the microsite. Your use of those areas is also subject to those terms.

Certain functions and tools are subject to third party terms. Where using those functions and tools you agree to comply with those terms provided they are made available to you or your organisation.

Amendments to the site

We may amend this Policy from time to time. Every time you wish to use the site, please check these terms to ensure you understand the terms that apply at that time.

External links

We are not responsible for the content or reliability of any external websites we may link to from our site and we do not endorse the views expressed within them. We aim to replace broken links to websites, but cannot guarantee that these links will always work as we have no control over the availability of those websites.

Secure access

Access to some areas of the site requires an authorised login. You are responsible for the security and confidentiality of your login details. You shall not share your login details with other individuals. You shall not access restricted areas of the site unless you are an Authorised User.

You shall ensure that as a minimum, your password shall have a level of complexity which ensures they cannot be easily guessed by hackers or malicious software and be in accordance with government best practice.

Prohibited uses

You may not use our site:

• to transfer or attempt to transfer data which is outside of the scope of what has been approved within the DSA which applies to your organisation and the project you are working on
• in any way that breaches any applicable Law
• in any way that is unlawful or fraudulent or has any unlawful or fraudulent purpose or effect
• to upload illegal content
• to insult, intimidate or humiliate any person
• to send, knowingly receive, upload, download, use or re-use any material which does not comply with our content standards.
• to transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam)
• to knowingly transmit any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware or compromise the integrity of the site

You also agree:

• not to reproduce, duplicate, copy or re-sell any part of the site in contravention of the provisions of our terms of site use
• not to access without authority, interfere with, damage or disrupt:
  • any part of our site
  • any equipment or network on which our site is stored
  • any software used in the provision of our site; or
  • any equipment or network or software owned or used by any third party

When we consider that a breach of this Policy has occurred, we may take such action as we deem appropriate including but not limited to suspension and restricting access to the site for one or more Authorised Users, restricting access to an organisation or IP address, removing any submission or contribution.

1. About this schedule

1.1. The BYOD Service enables Recipients to upload record level, pseudonymised data  for analysis and linkage to NHSE Data  within a secure workspace in the SDE as described in the related Data Sharing Agreement.

1.2. This Schedule sets out the respective responsibilities of NHS England and the Recipient in relation to the Processing of Cohort (Participant) List Data uploaded through the BYOD Service.

1.3. This Schedule forms part of the Contract (as defined in the SDE Terms) and must be read together with:

1.3.1. the SDE Terms and Schedules and

1.3.2. the applicable DSA(s) and Data Sharing Framework Contract (DSFC)

1.4. If there is any conflict between this Schedule and the SDE Terms or DSA, the order of precedence in the SDE Terms applies.

2. Definitions

2.1. Capitalised terms have the meaning given in Schedule 1.

3. Applicability and scope

3.1. A BYOD Data Set may only be uploaded to the SDE by the Recipient (or organisation instructed by the Recipient as identified within the DSA) in circumstances where:

3.1.1. It is expressly permitted by the relevant DSA including by reference to the specific purpose and legal basis outlined in that DSA and

3.1.2. The data processing services and particulars are documented as per Annex B  of the SDE Terms 

3.2. The ingestion of BYOD Data Set(s) is not intended to replace or circumvent the restrictions on Reference Data, which must not contain Personal Data and is subject to input checks under the SDE Service Description.

3.3. NHS England may, at any time, cease Processing the BYOD Data Set in circumstances where, acting reasonably, it considers that the proposed BYOD Data Set:

3.3.1. cannot be lawfully processed within the SDE including by reference to the specific permitted purposes outlined in the relevant DSA

3.3.2. is inconsistent with SDE policy or technical constraints or

3.3.3. poses a security, confidentiality or fair-use risk

4. Roles, lawful basis and transparency

4.1. Before submitting any BYOD Data Set, the Recipient warrants that it has:

4.1.1. a valid lawful basis under all applicable laws to transfer to NHS England and process within the SDE, the data contained within the BYOD Data Set including, but not necessarily limited to, the UK GDPR and common law duty of confidentiality

4.1.2. complied with its transparency and information obligations to data subjects under the Data Protection Legislation particularly under Articles 13 and 14 UK GDPR and

4.1.3. obtained all necessary licences, consents and contractual permissions from third parties

4.2. The Recipient further warrants that prior to uploading any BYOD Data Set it shall ensure that:

4.2.1. It has removed all direct identifiers

4.2.2. It has minimised the inclusion of any Personal Data

4.2.3. the Study ID associated with the BYOD Data matches with the relevant Cohort (Participant) List and

4.2.4. No duty of confidentiality is owed to the data contained within the BYOD Data Set

4.3. The Recipient also warrants that it shall:

4.3.1. ensure that the combination of the BYOD Data Set with Data and NHSE Data as described in the Data Sharing Agreement does not give rise to or otherwise create data to which a duty of confidentiality is owed and

4.3.2. remain responsible for any and all Processing, including deletion, of the BYOD Data Set, NHSE Data and any combination of the two, within the Recipient's SDE Workspace

4.4. The Recipient shall ensure that insofar as it is required to pseudonymise the BYOD Data Set prior to submission to the SDE that it shall implement and verify that the pseudonymisation process aligns with the expectations of the Information Commissioner’s Office (ICO) guidance, the Data Protection Legislation and applicable industry standards as updated or replaced from time to time.  

4.5. Where NHS England acts as Processor, it will process a BYOD Data Set only on the basis of the  instructions from the Recipient as set out in Schedule 4.

4.6. NHS England will perform safe input checks as per Schedule 2 of the SDE Terms to ensure a BYOD Data Set does not contain Personal Data or data attracting a duty of confidence although, for the avoidance of doubt, the nature and purpose of such checks shall be limited to ascertaining that the BYOD Data is consistent with the permitted terms of the relevant DSA and not to assure that it complies with any wider or broader legal or regulatory standards.

4.7. Where the BYOD Data Set is then Processed with NHSE Data the following relationships under Data Protection Legislation shall apply:

4.7.1. The Parties shall be Joint Controllers in relation to the use of the SDE Service and as further set out in Annex A of Schedule 4 and

4.7.2. NHS England shall be a Processor on behalf of the Recipient for the purposes of Processing any BYOD Data Sets  including, but not limited to, any Processing to link the BYOD Data Set with the supplied Cohort (Participant) List and NHSE Data and making available that linked data in pseudonymised form through the SDE. This role will be performed on the basis set out in clause 2 of Schedule 4

4.8. Each Party must comply with Data Protection Legislation and the data protection provisions outlined in Schedule 4 to the SDE Terms.

5. Data items, minimisation and quality

5.1. The Recipient shall ensure that a  BYOD Data Set is:

5.1.1. limited to the minimum necessary data to achieve the DSA-approved purposes

5.1.2. accurate and, where necessary, kept up to date

5.1.3. free from unnecessary free-text or high-risk identifiers unless strictly required and authorised and

5.1.4. not used to circumvent minimisation, opt-outs or safe setting constraints that apply to NHS data sets

5.2. If Personal Data or direct identifiers are detected within the BYOD Data Set, NHS England will: 

5.2.1. halt any Processing of the BYOD Data

5.2.2. notify the Recipient and

5.2.3. remove/delete such Personal Data in line with clause 3 of Schedule 4

5.3. In the event that NHS England is required to take any corrective or additional measures as a result of the Recipient's breach of its obligations under this paragraph 5 then that shall be a chargeable service calculated on the basis of the charging provisions set out in Schedule 3.

6. Ingestion routes and technical requirements

6.1. BYOD Data Set(s) must be transferred via an NHS England–approved secure route (as indicated by the service) , with encryption and access controls in line with NHS security standards.

6.2. The Recipient shall comply with NHS England technical specifications, including:

6.2.1. permitted file formats and size limits

6.2.2. schema and data dictionary

6.2.3. frequency and batch size and

6.2.4. any additional ingestion guidance communicated by NHS England

6.3. NHS England will perform input checks such as virus scanning, schema validation and safe input checks, and may reject or partially ingest files that fail these checks, or that include data items outside the DSA approved scope.

6.4. The Recipient shall conduct internal validation checks prior to submission to reduce format and content errors. Any manual intervention required to facilitate the successful ingestion of a file due to errors in the data submission shall be treated as a chargeable service calculated on the basis of the charging provisions set out in Schedule 3.

7. Use of BYOD data sets in the SDE

7.1. Subject to the DSA and this Schedule, NHS England will make BYOD Data Sets available within the Recipient Environment so that Authorised Users may:

7.1.1. access, query and analyse BYOD Data Sets using SDE tools

7.1.2. link BYOD Data Sets with DSA-approved NHS data sets and

7.1.3. produce SDE Output Data for consideration under the safe output process

7.2. BYOD Data Sets will not be shared with other Recipients, except where:

7.2.1. expressly authorised in the DSA or

7.2.2. SDE Output Data derived from BYOD Data is released as an anonymised output via the safe output service

8. Intellectual property and licensing

8.1. Ownership of  BYOD Data Sets  and the data contained within (as intellectual property) remains with the Recipient or its licensors, unless otherwise agreed in a DSA or separate agreement.

8.2. The Recipient grants NHS England a non-exclusive, royalty-free licence (with a right to sub-license to its subcontractors acting on its behalf) to, on the Recipient's behalf:

8.2.1. receive, store, back-up and Process BYOD Data Sets

8.2.2. maintain BYOD Data Sets

8.2.3. combine BYOD Data Sets with Cohort (Participant) List   and generate a pseudonymised data asset for use by the Recipient in the SDE or the purposes described in the DSA and this Contract. 

8.3. Nothing in this Schedule grants the Recipient any rights in NHS England or third-party IP beyond those set out in the SDE Terms, DSA or applicable licences.

9. Security, access and prohibited uses

9.1. BYOD Data Sets and the data contained within will be subject to the technical and organisational measures as provided by SDE Terms – Schedule 4 – Annex C. 

9.2. Authorised Users must use BYOD Data Sets only in accordance with:

9.2.1. the SDE Terms

9.2.2. The Acceptable Use Policy at Schedule 5 of the SDE Terms and

9.2.3. the relevant DSA(s) and DSFC

9.3. The Recipient shall not:

9.3.1. upload data known or suspected to be malicious, corrupt or unauthorised

9.3.2. introduce Data containing Personal Data or data attracting the duty of confidence

9.3.3. attempt any Processing within or outside the SDE that materially increases the risk of re-identifying Data Subjects and

9.3.4. use BYOD Data Sets in breach of SDE Fair-Use terms

9.4. NHS England may suspend access to, or permanently remove, any BYOD Data Set where necessary to protect the security or integrity of the SDE or comply with the Law.

10. Retention, archiving and deletion 

10.1. Without prejudice to the SDE Terms, the DSA and this Schedule, NHS England will retain  BYOD Data Sets and the data contained within only for as long as necessary for:

10.1.1. the DSA-approved purposes

10.1.2. operating and assuring the SDE and

10.1.3. meeting legal, regulatory and audit obligations.

10.2. On expiry or termination of the relevant DSA or the Contract, the treatment of BYOD Data Sets and the data contained within shall follow:

10.2.1. the DSA and DSFC

10.2.2. Schedule 4 and

10.2.3. NHS records management code and any agreed archiving arrangements

10.3. Where feasible and lawful, and subject to agreed retention, NHS England will securely delete or irreversibly anonymise BYOD Data Sets on the Recipient’s written request.

11. Freedom of information and transparency

11.1. Requests under the Freedom of Information Act 2000 or Environmental Information Regulations relating to BYOD Data, BYOD Data Sets, or this Schedule, will be handled in line with clause 13 (FOIA and EIR) of the SDE Terms and NHS England’s FOI procedures.

11.2. The Parties will co-operate as reasonably required in responding to such requests.

12. Liability and indemnity 

12.1. Without prejudice to the limitation and indemnity clauses in the SDE Terms, the Recipient is responsible for any loss, damage, cost or expense suffered by NHS England arising out of:

12.1.1. BYOD Data being shared or used without appropriate lawful basis, permissions or licences

12.1.2. infringement of third-party intellectual property rights or duties of confidence associated with BYOD Data and

12.1.3. breach of this Schedule in relation to BYOD Data

12.2. In the event that NHS England corrupts and/or erases the BYOD Data Set otherwise than in accordance with this Schedule then it shall use reasonable endeavours to restore the affected BYOD Data Set but shall not be responsible for any losses, cost or expenses suffered by the Recipient as a result of that corruption and/or erasure.

13. General

13.1. This Schedule applies for the Term of the Contract and for as long as BYOD Data Sets remain in use under an active DSA.

13.2. NHS England may suspend or terminate BYOD Data Set ingestion, in whole or in part, where: 

13.2.1. the relevant DSA or DSFC is suspended or terminated

13.2.2. NHS England reasonably believes the use or content of any BYOD Data Set breaches the Law, this Contract or SDE policy and/or

13.2.3. continuation would materially compromise the security, stability or integrity of the SDE

1. About this schedule

1.1. This Schedule sets out additional terms governing the provision of the Cohort (Participant) List Service submission and Processing of Participant List Data by the Recipient to NHS England for validation, tracing, retention and linkage to NHSE Data within the SDE under an applicable DSA.

1.2. This Schedule must be read together with:

1.2.1. the SDE Terms and Schedules

1.2.2. the applicable DSA(s) and Data Sharing Framework Contract (DSFC) and

1.2.3. NHS England’s guidance for submitting participant data (cohort file), as published or updated from time to time, meaning the method of submitting a Cohort File via an upload to NHS England’s Secure Electronic File Transfer (SEFT) as updated or replaced from time to time

1.3. If there is any conflict between this Schedule and the SDE Terms or DSA, the order of precedence in the SDE Terms applies.

2. Definitions

2.1. Capitalised terms have the meaning given in Schedule 1.

3. Applicability and relationship with DSA and the SDE

3.1. This Schedule applies where the Recipient’s DSA requires or permits the submission of participant (cohort) data to NHS England for linkage to NHS England datasets.

3.2. The Recipient acknowledges that:

3.2.1. end-to-end data application and provisioning are governed by the Data Access Request Service (DARS) process and the DSA and

3.2.2. the SDE Service provides access for Authorised Users to data approved under the DSA within the Recipient Environment, subject to safe input and safe output controls

3.3. Nothing in this Schedule expands the scope of data items, purposes or cohorts beyond what is authorised in the DSA.

4. Roles, lawful basis and transparency

4.1. The Parties acknowledge that Participant List Data (including any Cohort File submitted under the applicable DSA) may contain Personal Data and will be processed in accordance with Data Protection Legislation and the terms of the Contract.

4.2. The Recipient as Data Controller is responsible for: 

4.2.1. determining and documenting the lawful basis under all applicable laws to Process and disclose the Participant List data to NHS England under the DSA, including, but not necessarily limited to, the UK GDPR and common law duty of confidentiality

4.2.2. complied with its transparency and information obligations to data subjects under the Data Protection Legislation particularly under Articles 13 and 14 UK GDPR and

4.2.3. obtained all necessary licences, consents and contractual permissions from third parties

4.3. NHS England will act as Processor solely for the purposes of ingestion, hosting, validation, tracing, retention and linkage of Participant List Data (as set out in the DSA and Schedule 4 of this Contract) in connection with the SDE Service, and will apply the technical and organisational measures described in Annex C of Schedule 4.

4.4. Where NHS England acts as Processor, it will process Cohort (Participant) List Data only on documented instructions from the Recipient in accordance with the Contract.

4.5. Where the Cohort (Participant) List Data is then Processed with NHSE Data the following relationships under Data Protection Legislation shall apply:  

4.5.1. The Parties shall be Joint Controllers in relation to the use of the SDE Service and as further set out in Annex A of Schedule 4 and

4.5.2. NHS England shall be a Processor on behalf of the Recipient for the purposes of Processing any Cohort (Participant) List Data in the SDE Platform including, but not limited to, any Processing to link Cohort (Participant) List Data with NHSE Data and shall perform this role on the basis set out in clause 2 of Schedule 4.

4.6. Each Party must comply with Data Protection Legislation and the data protection provisions outlined in Schedule 4 to the SDE Terms.

5. Data items, minimisation and quality

5.1. The Recipient shall ensure that each Participant (Cohort) File includes only those identifiers and data items that:

5.1.1. are listed as permitted in Annex B of the relevant DSA; 

5.1.2. are supported by the cohort submission template and

5.1.3. include the mandatory fields identified in NHS England’s guidance for submitting Cohort (Participant) List Data

5.2. The Recipient must, where permitted by the DSA, include additional identifiers to maximise trace quality.

5.3. The Recipient shall ensure Cohort (Participant) List data is accurate and up to date, and that entries meet the formatting requirements (including date formats and code sets) specified in the guidance.

6. File format, structure and size

6.1. Cohort (Participant) List must:

6.1.1. be in CSV format only and must not include commas within values

6.1.2. include the column headers exactly as specified in the cohort submission template

6.1.3. contain fewer than one million records per file and

6.1.4. contain a ‘UNIQUE_REFERENCE’ for each row of data The reference structure used by the Recipient must be unique per row within each Cohort File and must not embed identifiable data

6.2. The Recipient shall conduct internal validation checks prior to submission to reduce format and content errors.

6.3. Any manual intervention required to facilitate successful ingestion due to Recipient errors in the data submission shall be a chargeable service calculated on the basis of the charging provisions set out in Schedule 3.

7. Submission method and filenames

7.1. Cohort (Participant) Files must be uploaded only via SEFT using the Cohort Submitter’s SEFT account and the designated upload folder specified by NHS England.

7.2. The filename must include the first part of the DSA number (NIC) followed by free text.

7.3. Cohort (Participant) Files submitted through any other channel may be rejected and/or deleted without Processing.

8. Validation, matching and error handling

8.1. NHS England will run validation checks to confirm that the Cohort (Participant) List Data:

8.1.1. complies with all file format and structure requirements

8.1.2. contains all mandatory fields and have been completed correctly and

8.1.3. aligns with the purposes and data items permitted in the DSA

8.2. A Cohort (Participant) File will only proceed to matching with SDE Output Data where at least 98% of its contents pass the validation checks as set out in this Schedule. 

8.3. Any Cohort (Participant) Files which fails to meet the requirement set out in paragraph 8.2 above will be rejected in full.  In such circumstances NHS England will provide the Recipient with a report confirming the errors and reasons for rejection and it shall be the sole responsibility of the Recipient to correct such errors before resubmitting the relevant Cohort (Participant) File(s).   

8.4. Following successful validation, NHS England will:

8.4.1. run matching using the Master Person Service (MPS) in line with published trace methods

8.4.2. store matched participants in cohort tables associated with the DSA and

8.4.3. provide a summary file describing validation and matching outcomes

9. Security, access and prohibited uses

9.1. The Recipient shall ensure that:

9.1.1. Cohort Submitters have received all necessary training and authorisations required in connection with their role

9.1.2. SEFT credentials are kept secure and not shared and

9.1.3. Cohort (Participant) List Data are checked for malware prior to upload to the SDE

9.2. Cohort (Participant) List Data, cohort tables and linked datasets may only be accessed within the SDE by Authorised Users, in accordance with:

9.2.1. the SDE Terms

9.2.2. The Acceptable Use Policy at Schedule 5 of the SDE Terms and

9.2.3. the relevant DSA(s) and DSFC

9.3. The Recipient shall not:

9.3.1. submit identifiers or data items outside the scope of the DSA

9.3.2. attempt to re-identify Data Subjects and

9.3.3. circumvent SDE security, safe input or safe output processes

10. Retention, archiving and deletion 

10.1. Without prejudice to the SDE Terms, the DSA and this Schedule, the Recipient acknowledges and agrees that it is necessary for NHS England to retain Participant List Data until the closure of the Data Sharing Agreement in order to: 

10.1.1. facilitate the DSA-approved purposes

10.1.2. operate and assure the SDE and

10.1.3. meet legal, regulatory and audit obligations

10.2. On closure of the relevant DSA or termination of the Contract, the treatment of Participant List Data shall follow Schedule 4 of this Contract and the DSFC, and will be deleted from the location within the SDE in which it is stored.

11. Freedom of information and transparency

11.1. Requests under the Freedom of Information Act 2000 or Environmental Information Regulations in relation to this Schedule, the PAVE or Cohort (Participant) List Data will be handled in line with clause 13 (FOIA and EIR) of the SDE Terms and NHS England’s FOI procedures.

11.2. The Parties will co-operate as reasonably required in responding to such requests.

12. Liability and indemnity 

12.1. Without prejudice to the limitation and indemnity clauses in the SDE Terms, the Recipient is responsible for any loss, damage, cost or expense suffered by NHS England arising out of:

12.1.1. submission of Cohort (Participant) List data in breach of the DSA, this Schedule or Data Protection Legislation and

12.1.2. failure to have a lawful basis or appropriate notices in place for data disclosed in the Cohort (Participant) File

12.2. In the event that NHS England corrupts and/or erase the Participant List Data otherwise than in accordance with this Schedule then it shall use reasonable endeavours to restore the affected Participant List Data but shall not be responsible for any losses, cost or expenses suffered by the Recipient as a result of the corruption and/or erasure.

13. Retention, archiving and deletion

13.1. This Schedule applies for the Term of the Contract and for as long as the relevant DSA remains active. On termination or expiry of the relevant DSA, the Recipient shall cease submitting Cohort Files under this Schedule.

13.2. The treatment (retention, archiving, deletion) of Cohort (Participant) List data and cohort tables on expiry or termination shall follow: 

13.2.1. the DSA and DSFC

13.2.2. Schedule 4 and

13.2.3. NHS records management code and any agreed archiving arrangements

11 May 2026

NHS England has updated the Secure Data Environment (SDE) Service Agreement to reflect new SDE features and improvements. These updates include the Bring Your Own Data (BYOD) service, the Cohort (Participant) List service, code import, new usage data for User Managers and clearer data deletion and operational responsibilities.