We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Child Protection - Information Sharing - HL7 V3 API
Access child protection information from Child Protection - Information Sharing (CP-IS) using our HL7 V3 API.
Overview
Use this API to access Child Protection - Information Sharing (CP-IS), the national electronic database of child protection information.
The API can be used by local authorities and unscheduled care providers as follows:
Local authorities
As a local authority, you can:
- upload a patient's CP-IS information
- receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting
- receive a notification of an inactive NHS Number
Unscheduled care providers
As an unscheduled care provider, you can:
- get a patient's CP-IS information, which will automatically trigger a notification to the relevant local authority
Scheduled care providers
CP-IS is not currently available for use in scheduled care settings.
Information held in CP-IS
CP-IS holds the following information for each registered patient:
- NHS Number
- details of their plan - type, start date and end date
- details of the 25 most recent CP-IS information accesses from unscheduled care settings in England
Identifying patients
All records in CP-IS are held against the patient's NHS Number. It is therefore very important to ensure you use the correct NHS Number for each patient.
For more details, see CP-IS NHS number matching information.
Spine Mini Services Provider (SMSP) access
Unscheduled care providers can access this API in SMSP mode, which means:
- reduced security requirements (for example, NHS smartcards are not required)
- a simpler onboarding process
For more details, see the relevant sections below.
Using SCRa as an interim measure
We prefer unscheduled care providers to integrate their applications directly with CP-IS using this API. However, as an interim measure, you can use our Summary Care Record application (SCRa) to access CP-IS information.
Legal use
This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.
You must do this before you can go live (see ‘Onboarding’ below).
Related APIs
The following APIs are related to this API:
- Personal Demographics Service - FHIR API - use this to find the correct NHS Number for a given patient
API status and roadmap
This API is stable.
To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.
Technology
This API is an HL7 V3 API.
All interactions are asynchronous interactions, using HL7 V3 ebXML messaging.
Some of the interactions are 'truly' aynchronous 'fire and forget' messages, for example:
- upload a patient's CP-IS information (as a local authority)
- receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting (as a local authority)
Some of the interactions are technically asynchronous but function as a real-time request-response pair, for example:
- request CP-IS information (as an unscheduled care provider)
- receive CP-IS information (as an unscheduled care provider)
For more details, see HL7 V3.
Network access
You can access this API via:
- the Health and Social Care Network (HSCN)
- the internet - but note that devices using NHS smartcards do require HSCN access
For more details, see Network access for APIs.
Security and authorisation
Local authorities
For local authorities, this API is application-restricted, meaning the calling application is authenticated but the end user is either not authenticated or not present.
In particular, this API uses TLS-MA authentication.
For more details, see application-restricted APIs.
Unscheduled care providers
For unscheduled care providers, this API has two authentication options:
- user-restricted access
- application-restricted access (also known as SMSP access)
User-restricted access mode
In this mode, an end user must be present, authenticated and authorised to use the API.
For authentication, the end user must be:
- a healthcare professional
- strongly authenticated, using either an NHS smartcard or a modern alternative
We support the following security patterns for user-restricted access:
- user-restricted HL7 V3 API, using NHS Identity
- user-restricted HL7 V3 API, using CIS
For more details on authentication, see user-restricted APIs.
To use this API, the end user must be authorised to perform that activity.
The API itself does not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.
For more details see:
- our national Role Based Access Control (RBAC) database on the registration authorities and smartcards page
- DCB1609: Child Protection - Information Sharing for details on specific role codes for CP-IS
Application-restricted (SMSP) access mode
In this mode, the calling application is authenticated but the end user is not authenticated by the API.
In particular, this API uses TLS-MA authentication.
For more details on authentication, see application-restricted APIs.
Even though the API does not technically require the end user to be authenticated, a condition of onboarding is that the calling application must:
- authenticate the end user locally
- use local role-based access controls to authorise the end user
For more details on the calling application requirements, see DCB1609: Child Protection - Information Sharing.
Testing
You can test this API using our Path to Live environments.
Onboarding
You must get your software onboarded before it can go live.
As part of onboarding, this API uses the Common Assurance Process (CAP), which is tailored for each NHS service.
The onboarding process is simpler for SMSP access.
For more details, see:
Interactions
For a full list of interactions for this API, see the CP-IS Domain Message Specification.
For details on the general structure of the interactions, see HL7 V3.