Standards - QAT

Operational Acceptance Testing - Example NFRs

The Operational Acceptance Testing (OAT) requirements are established to define the operational parameters of a system, identified collaboratively by programs and the organization. These requirements must be relevant, specific, testable, and measurable.

For example, a set of Non-Functional Requirements (NFRs) should encompass the following areas. Depending on the program requirements, the OAT team must identify the qualifying entries and obtain confirmation from the project stakeholders and the UKHSA OAT test manager.

Example NFRs

Area: Data Requirements
Title: Data Retention
Description: NFRs in this category are formed around topics such as:
• Data is to be retained in the active database partition for 120 days before archiving
• Durations for retention
• Data deleted from archive partition after 240 days
• Policies around what to archive and when
Example(s): Data should be retained for 120 days then archived; deleted from archive after 240 days

Area: Data Requirements
Title: Data Transfer
Description: NFRs include:
• Transfer of files via SFTP
• Security around transfer method
• Files must be encrypted using AES‑256
• Transfer must follow ISO 27001
• Permitted transfer routes
Example(s): Files transferred securely via SFTP using AES‑256 encryption following ISO 27001

Area: Data Requirements
Title: Data Storage
Description: NFRs include:
• Active and Archive partitions must have encryption at rest
• Access to database must be role‑based, least privilege
Example(s): Encrypted-at-rest DB partitions; role‑based access enforced

Area: Data Requirements
Title: Data Location
Description: NFRs include:
• All system data stored in the UK
Example(s): UK‑only data storage

Area: Data Requirements
Title: Data Backup
Description: NFRs include:
• Full backup daily at 00:00 (< 90 min)
• Incremental backups every 15/30/45 mins
• Backup to Master Copy
• Master Copy stored separately
Example(s): Daily full backups; incremental every 15 min; Master Copy offsite

Area: GDPR
Title: Ownership
Description: Topics include: Who owns the data, roles/responsibilities
Example(s): Data owner defined per UK Gov guidance

Area: GDPR
Title: Processing Consent
Description: NFRs include:
• Personal data collected with explicit consent
• Anonymisation
• Breach notification within 24 hours
Example(s): Consent required, data anonymised, UKHSA notified within 24h

Published: 27 February 2026
Last updated: 17 March 2026