Skip to main content

Child Protection - Information Sharing - HL7 V3 API

Access child protection information from Child Protection - Information Sharing (CP-IS) as a local authority or an unscheduled care provider using our HL7 V3 API.


Use this API to access Child Protection - Information Sharing (CP-IS), the national electronic database of child protection information.

The API can be used by local authorities and unscheduled care providers as follows:

Local authorities

As a local authority, you can:

  • upload a patient's CP-IS information
  • receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting
  • receive a notification of an inactive NHS number

Unscheduled care providers

As an unscheduled care provider, you can:

  • get a patient's CP-IS information, which automatically triggers a notification to the relevant local authority

Scheduled care providers

CP-IS is not currently available for use in scheduled care settings.

Information held in CP-IS

CP-IS holds the following information for each registered patient:

  • NHS number
  • details of their plan - type, start date and end date
  • details of the 25 most recent CP-IS information accesses from unscheduled care settings in England
  • the name of the responsible local authority - together with their office hours phone and emergency duty contact numbers

Identifying patients

All records in CP-IS are held against the patient's NHS number. It is therefore very important to ensure you use the correct NHS number for each patient.

For more details, see CP-IS NHS number matching information.

Using SCRa as an interim measure

We prefer unscheduled care providers to integrate their applications directly with CP-IS using our CP-IS APIs. However, as an interim measure, you can use our Summary Care Record application (SCRa) to access CP-IS information.

Spine Mini Service Provider (SMSP) options

There are also commercially available products which give easier access to CP-IS, known as Spine Mini Service Providers (SMSPs).

These and other conforming software products are listed in our Conformance Catalogue.

If you are interested in becoming a provider of one of these products, see Child Protection - Information Sharing - SMSP API standards.

Who can use this API

This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.

You must do this before you can go live (see ‘Onboarding’ below). 

API status and roadmap

This API is stable.

To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.

Service level

This API is a platinum service, meaning it is operational and supported 24 x 7 x 365.

For more details, see service levels.


This API is an HL7 V3 API.

All interactions are asynchronous interactions, using HL7 V3 ebXML messaging.

Some of the interactions are 'truly' asynchronous 'fire and forget' messages, for example:

  • upload a patient's CP-IS information (as a local authority)
  • receive a notification when the patient's CP-IS information is accessed from an unscheduled care setting (as a local authority)

Some of the interactions are technically asynchronous but function as a real-time request-response pair, for example:

  • request CP-IS information (as an unscheduled care provider)
  • receive CP-IS information (as an unscheduled care provider)

For more details, see HL7 V3.

Message Handling System (MHS) adaptor

To remove the complexity of building your own Message Handling System, we offer a pre-assured, client side MHS adaptor that you can integrate into your own infrastructure.

It makes it easier to connect to the NHS Spine and perform business operations by exposing a RESTful API that confirms to the HL7 V3 standard

Network access

You need a Health and Social Care Network (HSCN) connection to use this API.

For more details, see Network access for APIs.

Security and authorisation

Local authorities

For local authorities, this API is application-restricted, meaning the calling application is authenticated but the end user is either not authenticated or not present.

In particular, this API uses TLS-MA authentication.

For more details, see application-restricted APIs.

Unscheduled care providers

For unscheduled care providers, this API is user-restricted, meaning an end user must be present, authenticated and authorised to use it.

For authentication, the end user must be:

We support the following security patterns for user-restricted access:

  • user-restricted HL7 V3 API, using NHS Care Identity Service 2 (NHS CIS2)
  • user-restricted HL7 V3 API, using CIS

For more details on authentication, see user-restricted APIs.

To use this API, the end user must be authorised to perform that activity.

The API itself does not perform any authorisation checks. Rather, the calling system is expected to perform them. The authorisation rules are specified in our national Role Based Access Control (RBAC) database.

For more details see:


You can test this API using our Path to Live environments.


You must get your software onboarded before it can go live.

As part of onboarding, this API uses the Common Assurance Process (CAP), which is tailored for each NHS service.

For more details, see:


For a full list of interactions for this API, see the CP-IS Domain Message Specification.

For details on the general structure of the interactions, see HL7 V3.

Last edited: 19 January 2022 5:10 pm