Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Child protection information sharing (CP-IS) data sharing transparency notice - coronavirus (COVID-19)

During the coronavirus pandemic, child protection information will be extracted from the child protection information sharing (CP-IS) system and shared with school nurses and health visitors, who work for local 0-19 public health service providers. 

Our purposes

NHS Digital operates an IT system known as the Child Protection Information Sharing system (CP-IS). This system helps health and social care staff in England to share information about child protection (CP) plans securely, to better protect society's most vulnerable children. When a child is known to social services and is a looked after child, on a child protection plan or unborn child protection plan, basic information about that plan (referred to in this notice as CP Information) is shared securely with the NHS through CP-IS.

During the COVID-19 pandemic, CP information will be extracted from CP-IS and shared with school nurses and health visitors, who work for local 0-19 public health service providers. This is because school nurses and health visitors cannot currently access CP-IS. It will also be shared with pilot sites for the following care settings who cannot currently access CP-IS:

  • scheduled and unscheduled mental health
  • scheduled and emergency dentistry
  • unscheduled sexual health services
  • community paediatrics

This information is being shared for child health safeguarding purposes and will provide these health workers in the pilots and across England with a reliable source of information about  children on a protection plan and children with a looked after status. This will support them to provide healthcare services to those children at a time when local arrangements for data-sharing may be more difficult to administer due to the impact of COVID-19.

NHS Digital is the controller of the CP Information extracted from CP-IS under the General Data Protection Regulation 2016 (GDPR) jointly with NHS England. This is because NHS England has directed NHS Digital to collect this information under the COVID-19 NHS England Public Health Directions 2020 (COVID-19 Directions).

Types of personal data we process

The CP information that NHS Digital is extracting from CP-IS is NHS Number and date of birth so we can identify the child or mother (if the mother is pregnant with an unborn child protection plan).  We also collect what type of plan exists (or if a looked after child) and the start and end date of that plan so the healthcare professional knows whether or not it is still in place.  We will not be obtaining or sharing child protection plans as they are not held on CP-IS. They are held by local authorities and shared locally under existing safeguarding arrangements where this is appropriate.

The CP information also includes audit data of health access to CP-IS records for the last 25 presentations at unscheduled healthcare. This audit data is created and held by NHS Digital whenever a protected child presents at an unscheduled care setting that is already accessing CP-IS.

How we obtained your personal data

NHS Digital already holds the CP information on behalf of local authorities in CP-IS in order to share it with other health professionals on behalf of local authorities. The CP Information has therefore been provided to us by local authorities. At the request of NHS England and in consultation with local authorities, we have however extracted this information from the CP-IS system in order to share it with school nurses and health visitors, and made it available to pilot sites for new areas. 

For existing NHS unscheduled care settings that are accessing CP-IS data, NHS Digital similarly already holds the health access audit data on behalf of NHS organisations who treat protected children in unscheduled healthcare settings.   

There is no additional activity or burden on local authorities for healthcare organisations for this collection.

Who we share your data with

School nurses and health visitors work for local 0-19 public health service providers, who have been commissioned to provide child public health services by local authorities.  We are therefore sharing the CP information provided by each local authority with their commissioned 0-19 public health service provider. We are doing this by sharing the CP information with Child Health Information Service (CHIS) providers, who have been appointed by NHS England to provide child health information systems and services on behalf of 0-19 public health service providers. CHIS providers are therefore processors under GDPR for the 0-19 public health service providers.  Your local authority’s website will provide more information about who the 0-19 public health service provider is in your area.

NHS Digital already shares CP-IS data on behalf of local authorities with the following unscheduled healthcare settings: 

  • emergency departments
  • minor injury units 
  • walk-in centres 
  • GP out-of-hours services  
  • maternity units  
  • paediatric wards 
  • ambulance services

This access is now being extended to: 

  • scheduled and unscheduled mental health
  • scheduled and emergency dentistry 
  • unscheduled sexual health services
  • community paediatrics

These care providers have a need to know whether the children that presents to them are subject to a child protection plan so they can provide appropriate safeguarding for that child. They have a need to access contact details for the local authority that raised the plan to raise any safeguarding concerns. There is also a need for social workers to be notified about the presentation to unscheduled care to identify patterns of behaviour where children are taken to different care settings to mask incidents.

How long we keep your personal data for

We will retain the CP information for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice 2021 and NHS Digital’s Records Management Policy.

The healthcare professionals identified above with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their or your local authority's websites.

At the moment we are only sharing this information for the duration of the COVID-19 outbreak. We will therefore review this arrangement before the end of March 2021 and decide with NHS England, local authorities and healthcare service providers if this arrangement should continue beyond then.

Where we store the data

All CP information we extract from CP-IS will be held within the UK.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information, our general transparency notice and our Coronavirus (COVID-19) response transparency notice.

We may make changes to this transparency notice. If we do, the ‘last updated’ date at the end of the notice will also change. Any changes to this notice will apply immediately from the date of any change.

Last edited: 28 July 2023 10:45 am