Contents
- Purpose
- Acceptable use of Futures
- How to handle different types of information
- What approval is required to upload information?
- Acceptable use of accounts
- Compliance with the policy
1. Purpose
1.1 The Futures collaboration platform (also referred to as ‘FutureNHS’ or ‘the platform’) is a digital tool that supports people working in health and care to connect, share and learn across organisational boundaries. The platform hosts workspaces, self-contained areas with a membership dedicated to a particular health and care project, programme or community.
1.2 The acceptable use policy provides a framework for using Futures. The purpose of this policy is to explain how users are expected to use the platform to support their work and sets out the standards of behaviour that all users should meet. It also includes guidance for sharing information based on their sensitivity.
1.3 Where use of the platform falls outside of the guidelines set out in this policy, users accept full responsibility for the use and take suitable steps to ensure their use aligns with the policy moving forward.
1.4 By using the platform, users agree to the rules set out in this policy as well as the platform's terms and conditions and our other policies.
1.5 If you need help with any points listed in the policy you can search the support centre for how-to guides and videos or contact support.
2. Acceptable use of Futures
2.1 Futures should be used to collaborate with others on work, to share information, or to share ideas that contribute to the delivery or improvement of health and care services in the United Kingdom.
2.2 Content shared on the platform must be lawful, relevant, respectful and professional.
2.3 Futures may not be used by private companies to promote goods or services or conduct any other profit-making activity.
2.4 Futures must not be used as a personal social networking site. All activity on the platform must be for professional purposes only.
2.5 Futures must not be used by journalists or by any individual employed by, contracted to, or acting on behalf of a news, media, or journalistic organisation* in any capacity. This includes circumstances where an individual is engaged in such activity as part of a secondary role, voluntary role, freelance work, consultancy, or other form of dual employment.
*For the purposes of this policy, “news, media, or journalistic organisation” includes any organisation whose primary function is the gathering, production, or dissemination of news, commentary, or editorial content through print, broadcast, or digital channels.
2.6 Futures should be used to share content that is actively being accessed, not as a long-term information or record repository.
2.7 Users must not post spam or repeatedly share identical or substantially similar content in a way that may disrupt or detract from effective collaboration on the Futures platform.
3. How to handle different types of information
3.1 It is essential to handle information securely on Futures and in compliance with applicable regulations, such as UK Government Security Classifications and general data protection. In general, access to information should reflect the principle of least privilege. Users should only have the minimum access necessary for their work.
3.2 Because Futures supports a wide variety of organisations across the health and care sector, users may be familiar with and use different types of information categories in their work. This section outlines the four types of information in relation to Futures (general information, personal data, special category personal data, sensitive business information) and the rules for sharing them. It also establishes which information types are not permitted on Futures.
3.3 This section refers to workspace privacy and access permissions. These rules are relevant for workspace managers when deciding whether users need an invitation to join their workspace or if the workspace is visible on the platform to non-members, and also which users can access the information. More information can be found in the support centre and managers should also refer to the workspace management policy.
General information
3.4 Definition: This can be publicly available information, non-sensitive documents, and materials without personal data. The majority of general information produced and processed in the public sector is classified as ‘OFFICIAL’, including routine documents and general correspondence.
3.5 Permitted on Futures: Yes, general information including ‘OFFICIAL’ information can be uploaded to Futures.
3.6 Workspace privacy: Information can be shared in workspaces set to any privacy level (open, restricted, private, confidential), depending on requirements.
3.7 Access: Any email address can be invited to the workspace (as long this adheres to other platform policies, terms and conditions).
Personal data (including special category personal data)
3.8 Definition: Personal data means any information relating to an individual from which they can be identified either directly or indirectly. This might include less sensitive information such as an individual’s name or email address, but can also include more sensitive personal information, for example data about a person’s health, genetics and sexual orientation. If content contains personal data, it is classified as ‘OFFICIAL-SENSITIVE: Personal’ on Futures, in line with government information security classifications.
3.9 Permitted on Futures: This information can only be shared on Futures under specific restrictions:
- All personal data must be shared in line with the Data Protection Act 2018 and GDPR.
- Content containing personal information should be given the label ‘OFFICIAL-SENSITIVE: Personal’ when shared on the platform.
- If a person has willingly shared special category personal data, such as by joining a lived-experience group, this is allowed with restrictions.
- Special category personal data about patients and service users must not be shared on Futures under any circumstances.
3.10 Workspace privacy: Personal data must only be shared in workspaces set to a privacy level of private or confidential.
3.11 Access: Limited access to users with trusted email domains such as NHS, Government, or Arm’s Length Bodies only. Personal email addresses (e.g., Gmail, Hotmail) should not have access.
Sensitive business information
3.12 Definition: This refers to internal organisational data, such as costings, threat vulnerabilities, or confidential decisions regarding public funds that are not in the public domain. If the information contains sensitive commercial information, it is classified as ‘OFFICIAL-SENSITIVE: Commercial’ on Futures, in line with government information security classifications.
3.13 Permitted on Futures: Yes, under specific restrictions. Business information containing sensitive commercial information should be given the label ‘OFFICIAL-SENSITIVE: Commercial’ when shared on the platform.
3.14 Workspace privacy: Sensitive business information must only be shared in workspaces set to a privacy level of private or confidential.
3.15 Access: Limited access to users with trusted email domains such as NHS, Government, or Arm’s Length Bodies only. Personal email addresses (e.g., Gmail, Hotmail) should not have access.
Secret or top secret government information
3.16 Definition: In line with government information security classifications, Secret and Top Secret information is very sensitive government information with specific rules around access and clearance to keep it safe.
3.17 Permitted on Futures: No, information classified as secret or top secret must not be uploaded to Futures.
Summary table of information restrictions
| Information type | Permitted on Futures? | Workspace privacy | Access management |
| General information (Non-sensitive or public data, OFFICIAL information) |
Yes | Open, restricted, private, or confidential | Any email address can be invited |
| Personal data / OFFICIAL-SENSITIVE: Personal (Including personal data and permitted special category personal data) |
Yes - with restrictions | Private or confidential | Trusted emails only (e.g., NHS, Government) |
| Sensitive business information / OFFICIAL-SENSITIVE: Commercial (Including commercial information) |
Yes – with restrictions | Private or confidential | Trusted emails only (e.g., NHS, Government) |
| Secret or top secret government information | No | N/A | N/A |
3.18 Please visit our support centre for guidance on workspace membership, privacy and content permissions.
4. What approval is required to upload information?
4.1 If you need to upload information that falls under any of the sensitive categories (personal data, sensitive business information including commercial information), you may require approval from your organisation beforehand.
4.2 Data Protection Impact Assessment (DPIA): A DPIA may also be required for more sensitive data. Check with your organisation’s information governance team if you are unsure.
4.3 Publishing approval: If you are using Futures to share finalised official content, for example finalised policy or corporate publications, sign off may need to be obtained through your organisation’s publishing approval process before uploading to the platform. If you are not sure if you need publishing approval, please get in touch with your organisation’s publishing team.
5. Acceptable use of accounts
5.1 All users of the platform must use their real name and ensure their profile information is accurate and up to date.
5.2 Users cannot register with a shared email account (where more than one person has access).
5.3 Users must not share an account with anyone else or allow another person to use their account, either intentionally or unintentionally (e.g. through sharing their log in credentials or failing to log out of their account on a shared or public device).
5.4 User accounts must re-verify their email address every three months. If a user does not log in to the platform after one year, the account is deleted.
6. Compliance with the policy
6.1 Failure to comply with this policy may result in a warning and, where relevant, one or more of the following actions:
- Notification to the user's department or organisation
- Removal of the offending content and/or workspace
- Removal of user account, either as a temporary suspension or permanently
- Legal action and/or contact with the appropriate authorities for action (e.g. police).