This is a new service - your feedback will help us to improve it.

  1. Home
  2. Terms of use

Terms of use

Version 1 issued 18 August 2020

These terms of use explain what you can expect from us and what we expect from you when you create and operate software services on the Find and Use an API service. This is not a legal relationship between DfE and any software developer.

We reserve the right to remove your access to the Find and Use an API service and its application programming interfaces (APIs) temporarily or permanently.

These terms may change from time to time and we will let you know when this happens. If the changes are minor, we will assume you agree to them unless we hear from you. If they are major, you may need to re-accept these terms of use.

If you have any questions contact us.

Background checks

We may carry out basic background checks on your organisation, including:

  • information held by Companies House
  • your website

What you can expect from us

We will:

  • give you at least 6 months' notice of changes affecting any stable APIs
  • make sure any minor changes made to stable APIs are backwards compatible
  • provide reasonable notice of changes affecting beta APIs, which can change fairly frequently
  • warn you before we retire an API

What we expect from you

Your software must take into account the Digital Service Standard (opens in a new tab).

We take the protection of customer data seriously and we expect you to do the same.

You will need to follow:

You must continue to follow these acts and regulations if they change or are replaced.

Accessing data

You must give your users access to their data. We may also ask to access their data if we open an investigation.

If you withdraw a piece of software or a user stops using it, you must let them retrieve and export all their data so they can meet their obligations to us.

We recommend you use multi-factor authentication to protect personal data.

Processing data

If your software processes personal data, you may need to pay a data protection fee (opens in a new tab).

Use your API’s HTTP headers to pass audit data to us. This will help us protect our users’ confidential data.

To find out if header information is compulsory for your API, that you use, read its' API documentation. All headers will become compulsory so you should start using them now.

Storing data

If you store and process personal data, you must tell users:

  • what personal data you’ll be processing and what you’ll use it for
  • that you’re responsible for protecting their data
  • if you intend to store their data outside the European Economic Area (EEA)
  • your lawful basis (opens in a new tab) for processing their personal data

Follow GDPR rules on obtaining consent (opens in a new tab), if you need users' consent to store and process their personal data.

If you store or process data outside the EEA, you must follow GDPR guidance on international transfers (opens in a new tab).


You must:

Advertising and marketing

Any advertising that appears in your software must follow both:

You must not use advertising that promotes:

  • adult themes
  • dating
  • gaming

You cannot share personal data for marketing without users' consent, as defined in the Information Commissioner's Office (opens in a new tab).

Licence agreements

You must make the terms of the licence agreement between you and your users clear to them.


You must:

  • check software for vulnerabilities through secure development and pre-release testing
  • check open source or reused proprietary code using resources like the Common Vulnerabilities and Exposures (opens in a new tab) database
  • react quickly if you find vulnerabilities in your code
  • have a patching policy in place

Your re-releases and upgrades should also follow secure development practices and pre-release testing.

We recommend following the security principles of:

You should look out for and block suspicious attempts to access or manipulate user accounts.


You must give software support to your users. If you need help contact us.