Skip to main content

Access Control Service HL7 V3 API

Manage patient consent to share their information, including their Summary Care Record (SCR), with the Access Control Service.

If you are developing a new integration, consider using the Summary Care Record - FHIR API first, which has endpoints that partly (but not fully) replace this API.


Use this API to access the Access Control Service (ACS) - which manages consent to share patient information, including their SCR.

GP systems must check consent to share before sharing, for example, a patient's Summary Care Record (SCR).

You can:

  • get the access permissions for a patient's documents, including their SCR
  • set access permissions on a patient's documents, including their SCR

Note the Summary Care Record - FHIR API also has endpoints enabling you to get and set access permissions, the same as this ACS API.

Who can use this API

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.

You must do this before you can go live (see ‘Onboarding’ below).

API status

This API is stable.

Service level

This API is a platinum service, meaning it is operational and supported 24 x 7 x 365.

For more details, see service levels.


This API is an HL7 V3 API.

It uses synchronous interactions, using HL7 V3 SOAP web services, for example:

  • Get resource permissions - to get the permissions on a patient's documents
  • Set resource permissions - set the access permissions on a patient's documents

For more details, see HL7 V3.

Network access

You need a Health and Social Care Network (HSCN) connection to use this API.

For more details, see Network access for APIs.

Security and authorisation


This API is user-restricted, meaning an end user must be present and authenticated to use it.

The end user must be:

We support the following security patterns:

  • user-restricted HL7 V3 API, using NHS Care Identity Service 2 (NHS CIS2)
  • user-restricted HL7 V3 API, using CIS

For more details see user-restricted APIs.


For some activities, the end user must be authorised to perform that activity.

The API itself does not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.

For more details see our national Role Based Access Control (RBAC) database on the registration authorities and smartcards page.


You can test this API using our Path to Live environments.


You must get your software onboarded before it can go live.

Contact us before onboarding with this API. It uses the Common Assurance Process (CAP) which is tailored for each NHS service.


For details of interactions for this API see part 11 of the Spine External Interface Specification.

For details on the general structure of the interactions, see HL7 V3.

Last edited: 14 April 2022 1:44 pm