Skip to main content
Creating a new NHS England: NHS England and NHS Digital will merge on 1 February 2023. Learn more.

Child Protection - Information Sharing - HL7 V3 API

Access child protection information from Child Protection - Information Sharing (CP-IS) using our HL7 V3 API.


Use this API to access Child Protection - Information Sharing (CP-IS), the national electronic database of child protection information.

The API can be used by local authorities and unscheduled care providers as follows:

authority application
Local authority
Local authority...

CP-IS Data
CP-IS Data
care user
6. receive CP-IS information 
(async real time)
6. receive CP-IS inf...
5. request CP-IS information
5. request CP-IS in...
1. upload
1. upload...
4. receive notifications
4. receive notific...
2. receive
2. receive...
3. send notifications
3. send notificati...
Text is not SVG - cannot display Diagram showing how the API can be used by local authorities and unscheduled care providers.

Local authorities

As a local authority, you can:

  • upload a patient's CP-IS information
  • receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting
  • receive a notification of an inactive NHS number

Local authorities originally used a CP-IS client to transfer CP-IS data from their children’s social care systems to CP-IS via the Spine. This was replaced by the MESH client which all local authorities now use to exchange information with CP-IS - see connections 1 to 4 on the diagram.

Unscheduled care providers

As an unscheduled care provider, you can:

  • get a patient's CP-IS information - which automatically triggers a notification to the relevant local authority - see connections 5 and 6 on the diagram

Scheduled care providers

CP-IS is not currently available for use in scheduled care settings.

Information held in CP-IS

CP-IS holds the following information for each registered patient:

  • NHS number
  • details of their plan - type, start date and end date
  • details of the 25 most recent CP-IS information accesses from unscheduled care settings in England
  • the name of the responsible local authority - together with their office hours phone and emergency duty contact numbers

Identifying patients

All records in CP-IS are held against the patient's NHS number. It is therefore very important to ensure you use the correct NHS number for each patient.

For more details, see CP-IS NHS number matching information.

Using SCRa as an interim measure

We prefer unscheduled care providers to integrate their applications directly with CP-IS using our CP-IS APIs. However, as an interim measure, you can use our Summary Care Record application (SCRa) to access CP-IS information.

Spine Mini Service Provider (SMSP) options

There are also commercially available products which give easier access to CP-IS, known as Spine Mini Service Providers (SMSPs).

These and other conforming software products are listed in our Conformance Catalogue.

If you are interested in becoming a provider of one of these products, see Child Protection - Information Sharing - SMSP API standards.

Who can use this API

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.

You must do this before you can go live (see ‘Onboarding’ below). 

API status and roadmap

This API is in production.

To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.

Service level

This API is a platinum service, meaning it is operational and supported 24 x 7 x 365.

For more details, see service levels.


This API is an HL7 V3 API.

All interactions are asynchronous interactions, using HL7 V3 ebXML messaging.

Some of the interactions are technically asynchronous but function as a real-time request-response pair, for example:

  • request CP-IS information (as an unscheduled care provider)
  • receive CP-IS information (as an unscheduled care provider)

For more details, see HL7 V3.

Some interactions are sent over MESH between CP-IS and local authorities, specifically:

  • upload a patient's CP-IS information, as a local authority
  • receive a notification when a patient's CP-IS information is accessed from an unscheduled care setting, as the responsible local authority

Message Handling System (MHS) adaptor

To remove the complexity of building your own Message Handling System, we offer a pre-assured, client side MHS adaptor that you can integrate into your own infrastructure.

It makes it easier to connect to the NHS Spine and perform business operations by exposing a RESTful API that conforms to the HL7 V3 standard

Network access

You need a Health and Social Care Network (HSCN) connection to use this API.

Local authorities can access MESH on the internet or on HSCN. 

For more details, see Network access for APIs.

Security and authorisation

Local authorities

Local authorities now use the MESH client security and authorisation, rather than the old CP-IS client interface to this API.

Unscheduled care providers

For unscheduled care providers, this API is user-restricted, meaning an end user must be present, authenticated and authorised to use it.

For authentication, the end user must be:

We support the following security patterns for user-restricted access:

  • user-restricted HL7 V3 API, using NHS Care Identity Service 2 (NHS CIS2)
  • user-restricted HL7 V3 API, using CIS

For more details on authentication, see user-restricted APIs.

To use this API, the end user must be authorised to perform that activity.

The API itself does not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.

For more details see:


You can test this API using our Path to Live environments.


You need to get your software approved with us before it can go live with this API. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.

This API uses our online digital onboarding process.

As part of this process, you need to demonstrate that you can manage risks and that your software conforms technically with the requirements for this API.

Information on this page might impact the design of your software. For details, see Onboarding support information.

To get started, see digital onboarding.

For more implementation details, see:


For a full list of interactions for this API, see the CP-IS Domain Message Specification.

For details on the general structure of the interactions, see HL7 V3.

CP-IS uses the following MESH workflow IDs to communicate with local authorities, replacing the CP-IS domain messages shown:

MESH workflow ID Replaces Description
CPIS_UPLOAD CP-IS Local Authority Upload (REPC_MT000002GB01) CP-IS file update
CPIS_REPORT CP-IS Access to Service Notification (REPC_MT000004GB01) CP-IS report download


Last edited: 13 January 2023 11:14 am