Internet explorer is no longer supported

Use this API to access Child Protection - Information Sharing (CP-IS), the national electronic database of child protection information.

The API can be used by local authorities and unscheduled care providers as follows:

Local authorities

As a local authority, you can:

• upload a patient's CP-IS information
• receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting
• receive a notification of an inactive NHS number

Unscheduled care providers

As an unscheduled care provider, you can:

• get a patient's CP-IS information, which automatically triggers a notification to the relevant local authority

However, we recommend using the CP-IS SMSP API for an easier integration.

Scheduled care providers

CP-IS is not currently available for use in scheduled care settings.

Information held in CP-IS

CP-IS holds the following information for each registered patient:

• NHS number
• details of their plan - type, start date and end date
• details of the 25 most recent CP-IS information accesses from unscheduled care settings in England
• the name of the responsible local authority - together with their office hours phone and emergency duty contact numbers

Identifying patients

All records in CP-IS are held against the patient's NHS number. It is therefore very important to ensure you use the correct NHS number for each patient.

For more details, see CP-IS NHS number matching information.

Using SCRa as an interim measure

We prefer unscheduled care providers to integrate their applications directly with CP-IS using our CP-IS APIs. However, as an interim measure, you can use our Summary Care Record application (SCRa) to access CP-IS information.

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.

You must do this before you can go live (see ‘Onboarding’ below). 

The following APIs are related to this API:

• Personal Demographics Service - FHIR API - use this to find the correct NHS number for a given patient
• Child Protection - Information Sharing - SMSP API - use this for an easier integration with CP-IS for unscheduled care providers

This API is stable.

To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.

This API is an HL7 V3 API.

All interactions are asynchronous interactions, using HL7 V3 ebXML messaging.

Some of the interactions are 'truly' aynchronous 'fire and forget' messages, for example:

• upload a patient's CP-IS information (as a local authority)
• receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting (as a local authority)

Some of the interactions are technically asynchronous but function as a real-time request-response pair, for example:

• request CP-IS information (as an unscheduled care provider)
• receive CP-IS information (as an unscheduled care provider)

For more details, see HL7 V3.

Message Handling System (MHS) adaptor

To remove the complexity of building your own Message Handling System, we offer a pre-assured, client side MHS adaptor that you can integrate into your own infrastructure.

It makes it easier to connect to the NHS Spine and perform business operations by exposing a RESTful API that confirms to the HL7 V3 standard. 

You need a Health and Social Care Network (HSCN) connection to use this API.

For more details, see Network access for APIs.

Local authorities

For local authorities, this API is application-restricted, meaning the calling application is authenticated but the end user is either not authenticated or not present.

In particular, this API uses TLS-MA authentication.

For more details, see application-restricted APIs.

Unscheduled care providers

For unscheduled care providers, this API is user-restricted, meaning an end user must be present, authenticated and authorised to use it.

For authentication, the end user must be:

• a healthcare worker
• strongly authenticated, using either an NHS smartcard or a modern alternative

We support the following security patterns for user-restricted access:

• user-restricted HL7 V3 API, using NHS Care Identity Service 2 (NHS CIS2)
• user-restricted HL7 V3 API, using CIS

For more details on authentication, see user-restricted APIs.

To use this API, the end user must be authorised to perform that activity.

The API itself does not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.

For more details see:

• our national Role Based Access Control (RBAC) database on the registration authorities and smartcards page
• DCB1609: Child Protection - Information Sharing for details on specific role codes for CP-IS

For an easier integration, use the CP-IS SMSP API instead, which is application-restricted.

You can test this API using our Path to Live environments.

You must get your software onboarded before it can go live.

As part of onboarding, this API uses the Common Assurance Process (CAP), which is tailored for each NHS service.

For more details, see:

• Implementation process for local authorities
• Implementation process for healthcare organisations

For a full list of interactions for this API, see the CP-IS Domain Message Specification.

For details on the general structure of the interactions, see HL7 V3.