Terms of use
Version 1 issued 18 August 2020
These terms of use explain what you can expect from us and what we expect from you when you create and operate software services on the DfE Developer Hub. They do not create a legal relationship between DfE and any software developer.
We reserve the right to remove your access to the Developer Hub and its application programming interfaces (APIs) temporarily or permanently.
These terms may change from time to time and we will let you know when this happens. If the changes are minor, we will assume you agree to them unless we hear from you. If they are major, you may need to re-accept these terms of use.
If you have any questions, contact us.
Background checks
We may carry out basic background checks on your organisation, including:
- information held by Companies House
- your website
What you can expect from us
We will:
- give you at least 6 months' notice of changes affecting any stable APIs
- make sure any minor changes made to stable APIs are backwards compatible
- provide reasonable notice of changes affecting beta APIs, which can change fairly frequently
- warn you before we retire an API
What we expect from you
Your software must take into account the Digital Service Standard (opens in a new tab).
We take the protection of customer data seriously and we expect you to do the same.
You will need to follow:
- National Cyber Security Centre's Digital Service Security (opens in a new tab)
- National Cyber Security Centre's Guidance for secure development and deployment (opens in a new tab)
- Transport Layer Security principles for protecting data (opens in a new tab)
- General Data Protection Regulation - GDPR (opens in a new tab)
- Privacy and Electronic Communications (EC Directive) Regulations 2003 - as amended (opens in a new tab)
- Equality Act 2010 (opens in a new tab)
- Information Commissioner's Office guidance (opens in a new tab)
- Data Protection Act 2018 (opens in a new tab)
You must continue to follow these acts and regulations if they change or are replaced.
Accessing data
You must give your users access to their data. We may also ask to access their data if we open an investigation.
If you withdraw a piece of software or a user stops using it, you must let them retrieve and export all their data so they can meet their obligations to us.
We recommend you use multi-factor authentication to protect personal data.
Processing data
If your software processes personal data, you may need to pay a data protection fee (opens in a new tab).
Use the HTTP headers of the API you call to pass audit data to us. This helps us protect our users' confidential data.
To find out whether header information is compulsory for the API you use, read that API's documentation. All headers will become compulsory, so you should start sending them now.
Storing data
If you store and process personal data, you must tell users:
- what personal data you’ll be processing and what you’ll use it for
- that you’re responsible for protecting their data
- if you intend to store their data outside the European Economic Area (EEA)
- your lawful basis (opens in a new tab) for processing their personal data
Follow GDPR rules on obtaining consent (opens in a new tab), if you need users' consent to store and process their personal data.
If you store or process data outside the EEA, you must follow GDPR guidance on international transfers (opens in a new tab).
Accessibility
You must:
- meet W3C's Web Content Accessibility Guidelines (opens in a new tab) at a minimum level of AA if your software is web-based, or W3C's guidelines for mobile software (opens in a new tab) if it is a mobile application
- give us evidence that your software meets the guidelines if we ask for it
- contact us if you have any concerns meeting these guidelines
Advertising and marketing
Any advertising that appears in your software must follow both:
- Advertising Standards Authority Codes (opens in a new tab)
- UK marketing and advertising laws (opens in a new tab)
You must not use advertising that promotes:
- adult themes
- dating
- gaming
You must not share personal data for marketing without users' consent, as defined by the Information Commissioner's Office (opens in a new tab).
Licence agreements
You must make the terms of the licence agreement between you and your users clear to them.
Security
You must:
- check software for vulnerabilities through secure development and pre-release testing
- check open source or reused proprietary code using resources like the Common Vulnerabilities and Exposures (opens in a new tab) database
- react quickly if you find vulnerabilities in your code
- have a patching policy in place
Your re-releases and upgrades should also follow secure development practices and pre-release testing.
We recommend following the security principles of:
- the National Cyber Security Centre (opens in a new tab)
- National Cyber Security Centre's Guidance for secure development and deployment (opens in a new tab)
- the Open Web Application Security Project (opens in a new tab)
- Cyber Essentials or Cyber Essentials Plus certification (opens in a new tab)
You should look out for and block suspicious attempts to access or manipulate user accounts.
Support
You must give software support to your users. If you need help, contact us.