Implementing Child Protection – Information Sharing using the Summary Care Record application

CP-IS is an NHS project helping health and children’s social care staff to share information and better protect society's most vulnerable children.

This guide provides step-by-step instructions on how to implement CP-IS via the Summary Care Record application, and who needs to be involved. At the end you'll find a project plan that will help you work through the actions and monitor your organisation's progress.

NHS Digital has a team of experienced CP-IS implementation managers (IMs) across England that help organisations through the implementation process. Our IMs provide one-to-one support either in person, on the phone or by email. They can also put you in touch with organisations in your area that have already been through the process.

This guide will enable you to get started and work through the various stages needed to implement CP-IS. But you will need to involve your IM before you can go live. If you need support or feel ready to go live, please contact us and we will put you in touch with the IM for your area. Simply email: cpis2@nhs.net

To find out more about what CP-IS is, why we need it and how it works, visit the CP-IS webpage.

There are several things healthcare providers should be aware of before implementing Child Protection - Information Sharing (CP-IS).

CP-IS only applies to unscheduled healthcare settings

CP-IS only applies to emergency departments,  minor injury units, walk-in centres, GP out-of-hours services, maternity units, paediatric wards and ambulance services.

CP-IS must not be used in scheduled care settings such as outpatients, as this will result in notifications being sent to local authorities that they are not prepared for.

The information that CP-IS provides comes from local authorities that have statutory responsibility for children’s services only. It does not include information from GP practices, schools or health visitors.

CP-IS is an initiative connecting many IT systems

CP-IS is not a system itself. CP-IS is an initiative that connects more than 80 different IT systems used across health and children’s social care in England. It allows safeguarding information to be shared securely between organisations.

CP-IS introduces the Child Care Alert

When you are live with CP-IS, staff will see a ‘Child Care Alert’ tab on a child’s record if they have a child protection plan or are a looked after child. Staff may not know the term ‘CP-IS’, but should be aware of the Child Care Alert tab.

Implementing CP-IS means a project 

CP-IS is not just about implementing an IT system. Implementing CP-IS and managing the information it provides appropriately involves changing your business processes, information governance documents, training staff and more. Each organisation needs to identify someone to act as a project manager who will bring together the staff needed to perform the work. The project can often be completed in as little as eight weeks to three months, depending on the method you use to access CP-IS information, the resources and time you allocate to it.

Every organisation is different

We have tried to provide guidance that will work for all organisations. However, no two implementation projects are the same. Each organisation has a unique set of IT systems, policies, processes and staff with different skills. So please be aware that your implementation journey may be different to your neighbour’s.

Who to check

When you go live, the following patients must be checked when they present for care to see if a Child Care Alert is present on their records.

Do not wait for others 

You should not wait for other organisations or systems suppliers before going live and making a difference with CP-IS.

Every health and social care organisation that is live with CP-IS is providing crucial protection for more than 100,000 of the most vulnerable children in society. Remember, vulnerable children are often moved around and may present at any unscheduled care setting outside of their local area. CP-IS is a national tool and helps to ensure that vulnerable children are protected in unscheduled healthcare settings across England.

The information CP-IS provides

CP-IS enables a limited amount of essential information to be shared between organisations. It carries information about patients who:

• are a looked after child (LAC)
• are subject to a child protection plan (CPP)
• have been one of the above in the previous 365 days
• are pregnant and their unborn child is subject to a child protection plan (UCPP) - this alert is visible for 28 days after the mother’s due date

The only information that can be accessed by healthcare staff via the Child Care Alert is:

• NHS Number
• type of plan (LAC, CPP or UCPP)
• start and end date of that plan
• name of local authority responsible for the child
• contact details for that local authority
• an access history, showing the previous 25 occasions that the child’s Child Care Alert was accessed (date/time, who accessed the record, their role and their organisation name)

Information not shared includes:

• the child’s full social care file 
• the reason the child has a plan
• details of the child’s parents or carers
• the reason the child has previously presented for care
• medical information

This area of work is about ensuring you have the right people with the right skills on board, and that you know how you will handle any problems or issues that come up during your project.

Step 1 – Identify a project lead

Each organisation should identify someone to act as the project lead or project co-ordinator. This person will be the main point of contact for the project and for communicating with NHS Digital. They will be responsible for keeping track of who is doing what, and monitoring progress against the actions you agree. This person could be a project manager but is usually a safeguarding or IT lead. Being the project lead is not a full-time role but usually takes around 25 percent of a full-time role for the duration of the project. Without a clear project lead, the work is likely to drift and to not be completed successfully.

Step 2 – Identify your unscheduled care settings

CP-IS only applies to unscheduled care settings such as:

• emergency departments 
• minor injury units 
• walk-in centres 
• GP out-of-hours services 
• maternity units 
• paediatric wards
• ambulance services

Work out which of these your organisation has, then decide whether you will implement CP-IS in all settings at the same time or do one at a time.

CP-IS must not be used in any other care settings. This will result in local authorities receiving notifications that they are not expecting.

Step 3 – Identify project team members

To implement CP-IS you will need: 

• a safeguarding lead 
• an IT lead 
• an information governance lead 
• a registration authority lead
• a lead from each of your unscheduled care settings 

Identify someone in each of these teams who will support the CP-IS project.

Step 4 – Attend a CP-IS briefing

All members of the project team must attend a briefing about CP-IS with your NHS Digital implementation manager at the start of your project. This could be a face-to-face meeting or a webinar. Please contact your implementation manager to arrange this. If you do not have contact details for your implementation manager please email cpis@nhs.net.

Step 5 – Secure senior support 

You'll need the support of your director of nursing, chief information officer (CIO), safeguarding lead, and possibly your chief executive and senior management team. Brief your senior managers on what CP-IS is, the benefits and why it's important that your organisation implements it.

Step 6 – Agree how decisions will be made 

As a project team, agree how decisions will be made and recorded. Define when an issue or risk to the project will be escalated, who will escalate it, and who they will escalate it to. Then have this agreed by your director of nursing and/or your leadership team so they are aware how you will escalate issues that need their attention or support.

Don’t forget that you can contact the NHS Digital team for support at any time. We can help you through issues or put you in touch with other organisations to discuss the approach they took to overcome them.

Step 7 – Monitor progress

The project lead should keep in regular contact with each member of the project team and check progress against the actions you have agreed. This does not need to be done by bringing the whole team together at a meeting, but it can help when working through issues or at important stages of the project.

This area of work should be led by your IT lead. It outlines the different steps that need to be completed in order for staff to be able to securely access CP-IS information.

Step 8 – Confirm the technical route to implementation

There are a number of different ways healthcare organisations can implement CP-IS technically.

Your IT systems supplier may have developed CP-IS functionality for your current system. This means you would be able to implement CP-IS by simply upgrading your current system. Please visit our website to see a list of IT systems that provide CP-IS functionality.

If this option is not available, we recommend that healthcare organisations implement CP-IS using the Summary Care Record application.

Visit our website to learn the implementation process for healthcare organisations.

What is the Summary Care Record application?

The Summary Care Record application (SCRa) is a free web-based application. SCRa enables healthcare organisations to securely view patient information held on the NHS Spine, including:

• demographics (Patient Demographic Service or PDS)
• Summary Care Records (SCRs) 
• Child Care Alerts (Child Protection – Information Sharing)
• female genital mutilation (FGM) alerts

SCRa is free of charge. It's a secure system that is quick and easy to use. The vast majority of healthcare organisations that have implemented CP-IS so far have done it using SCRa.

SCRa is accessed directly through a web address or the NHS Spine Portal. Each user needs an NHS SmartCard with the correct Role Based Access Control codes added in order to access the right information.

See further information about Summary Care Records.

Step 9 – Assess current use

Establish which IT systems are currently used in each of the unscheduled care settings you have identified as part of the CP-IS project.

If the setting already uses SCRa, move to step 11.

Step 10 – Gain a secure Health and Social Care Network (HSCN) connection

Please visit the HSCN web pages for further information about how to do this.

Step 11 – Obtain NHS Smartcards and Smartcard readers

Please contact the person responsible for issuing and configuring NHS Smartcards for your organisation (the registration authority manager, sponsor or equivalent person/local NHS organisation) to source NHS Smartcards and/or NHS Smartcard readers.

All staff requiring CP-IS access who do not already have an NHS Smartcard will need to follow a local administrative process to apply for one. Your CP-IS project lead should ideally coordinate this for everyone who will need one.

Getting NHS Smartcards and smartcard readers can take time so please start this step as soon as possible so it doesn’t lead to delays later.

Please note that further NHS Smartcard readers can be ordered direct from NHS Digital.

Step 12 – Add Role Based Access Control codes to NHS Smartcards 

When the staff who need access to the Child Care Alert have been identified (step 17 in the Business Change section) you will need to ensure that the correct Role Based Access Control (RBAC) codes are added to their smartcards.

Identify who is responsible for issuing and configuring NHS Smartcards for your organisation (for example, the registration authority manager, sponsor or equivalent) and have the following codes added to cards for the staff concerned.

If staff are already accessing the SCR they will only need one extra code adding to their smartcard (B0107). If they are not already accessing SCR, two codes need to be added (B0107 and B0264).

Step 13 – Ensure systems and web browsers are compatible

Computer systems which access NHS Digital services through the Spine have to meet certain technical standards. The Warranted Environment Specification (WES) defines the client environments that we support. It covers:

• operating systems
• browsers
• Java Virtual Machines (JVMs)
• smartcard printer drivers

Staff responsible for health and care technical infrastructure must check that the environments they are using meet these specifications and are fully supported. Updates must be carried out, when recommended, to make sure all services keep running properly without interruption.

Please visit the WES page of the NHS Digital website and check that the web browsers and version of Java you have are compatible.

Step 14 – Ensure the correct identity agent is installed

Each device that is used to access SCRa will need the NHS Digital Identity Agent installed. Find more information and download the NHS Digital Identity Agent.

Step 15 – Update your technical business continuity plans

Ensure that CP-IS is added into your organisation’s business continuity and disaster recovery plans.

Ensure plans are clear about the process that must be followed for patients who presented for care while systems were down when they come back online.

Ensure that someone is accountable for routinely checking that CP-IS is working, particularly when you make changes to your technical infrastructure.

This area of work is about understanding what your current safeguarding processes are and ensuring that the introduction of new processes is as smooth as possible.

Step 16 – Map your existing safeguarding processes

It's important to map out what your current safeguarding processes are in each setting. This will help you to see what changes are needed further down the line, and who needs to be told about them. Sketch out what currently happens if a safeguarding concern is raised - what action is taken and who is involved.

Step 17 – Map your new safeguarding processes

Map out the new safeguarding and business processes to include the viewing of CP-IS information in the settings where it will take place. Define the roles and responsibilities within the process so it is clear:

• who will be performing the patient trace and checking for a Child Care Alert tab 
• who will click on the tab (which triggers an automatic notification to the child’s local authority) and what they will do with the data
• who will ultimately view the data and what they will do with it 
• any subsequent or supplementary actions that may be required
• who will conduct routine checks to see how the Child Care Alert and the information it provides is being used 

Step 18 – Register and allocate smartcards

When you finish step 18, you should have identified the staff in the unscheduled care settings who will check and view the Child Care Alerts.

Allocate NHS Smartcards to the staff you have identified don't have them (see step 11 in Technical section). This can take time, so please start as soon as possible to avoid delays later.

Add the relevant access codes to staff smartcards to enable them to view the Child Care Alert (see step 12 in Technical section).

Step 19 – Test systems and processes

There are two patient records on the NHS Spine that can be used for local testing and training. Please note - these are test patients and not genuine patients. Genuine NHS numbers and records should never be used for testing or training purposes.

Please use NHS Numbers 9990276579 and 9990275831 for these purposes.

Please ensure each member of staff checks and can see the Child Care Alert on these test patients when the codes have been added to their NHS Smartcards as this ensures they have the correct access.

Step 20 – Design and deliver training

Identify who needs to be trained in the new processes, how this training can best be delivered, and the materials you will need to ensure the training is delivered effectively.

Staff training will need to cover different responsibilities within the new processes. It may include:

• what CP-IS is, how it works and why we need it
• when and where the Child Care Alert should be viewed 
• that CP-IS data should only be searched for and/or viewed when the child actually presents at an unscheduled care setting (it must not be used for administrative purposes)
• how clinicians should use the information provided in the Child Care Alert (including the access history in unscheduled care settings) in their discussions with children and families
• who is responsible for ensuring that CP-IS is embedded in the safeguarding children process in each setting and how they should do this
• that the notification that is sent to the local authority is for information only and is not a safeguarding children alert or referral to social care - any safeguarding concerns should be raised with social care or the safeguarding lead at the time of assessing the presenting child (depending on the processes that have been agreed locally)
• who will conduct routine checks to see how the Child Care Alert is being used was checked and that the information was shared appropriately with the clinician

The CP-IS SCRa user guide in Appendix A can be used to help train staff in using CP-IS.

Step 21 – Update your safeguarding business continuity plans

Ensure that CP-IS is added to your business continuity and disaster recovery plans. Consider how best to ensure staff are routinely trained in CP-IS during their staff inductions and routine training, and make sure existing mandatory safeguarding training includes the new safeguarding process that includes checking the Child Care Alert.

This area of work ensures that your organisation’s information governance (IG) policies, processes and training materials are updated as necessary to include CP-IS. This action should be completed by your IG lead or Caldicott Guardian.

Step 22 – Update information governance policies and training materials 

Identify the existing IG policies, procedures and training materials that need to be updated to include CP-IS.

CP-IS is covered by a national data sharing agreement so you do not need to create agreements locally. However you may need to update your Standard Operating Procedure (SOP) and Privacy Statement.

Ensure that policies on the security of sensitive patient data are extended to incorporate CP-IS data.

Your implementation manager can provide example SOPs and assist you as required.

This area of work is about ensuring you identify and communicate effectively with everyone who needs to know about changes you are making to your safeguarding processes.

Step 23 – Identify your stakeholders and speak to them about CP-IS

It's important to engage with your local health and social care partners so they are aware that you're implementing CP-IS.

During your implementation project you should try to maintain regular contact with:

• local safeguarding children’s boards (LSCBs) - we recommend getting CP-IS implementation added as a regular agenda item so that local partners are kept informed of progress 
• children’s services departments at neighbouring local authorities                                                                                                                             
• safeguarding children leads at local clinical commissioning groups
• safeguarding leads at neighbouring NHS trusts

Communicating with your local children’s services departments will ensure local authorities that already have CP-IS know to expect notifications from you. It may also help to encourage local authorities and other NHS trusts that are not yet live to implement CP-IS.

Step 24 – Communicate internally before and after go-live

Speak to your communications team for their advice on how best to inform staff about CP-IS and your organisation’s work on it. We recommend informing staff about the project when a go-live date is established, and the relevant staff have been trained. This helps to cement the training that has been delivered and inform a wider audience about the importance of CP-IS and why your organisation is supporting it.

Step 25 – Have a ‘go/no go’ call

When you have completed the steps above and think you're ready to go live, arrange a call with your implementation manager. This call is called a ‘go/no go’ call - it is held to ensure that the crucial actions have been completed and to confirm that you're ready to go live with CP-IS.

‘Live’ status is defined as routinely and consistently viewing CP-IS data for presenting children in at least one in-scope setting; with a roll-out plan for all other applicable settings.

This call should include representation from the safeguarding team as well as from IT (and system supplier if appropriate).

Do not go live without having this call.

Step 26 – Go live

This is the date that you go live with CP-IS, and staff start to follow the new safeguarding processes you have developed.

Make sure all staff in that setting know about your planned go-live date in advance and what that means. Make sure you have someone available or shadowing in that setting to help ensure the new processes are followed correctly and that staff are able to ask advice if they need to.

When you go live, the records of all children (or pregnant women) who present for care at the setting must be checked for a Child Care Alert as per your agreed business/safeguarding processes.

Step 27 – Transfer CP-IS to business as usual

You should formally bring the CP-IS implementation project to a close by reporting to your accountable officer or board and transferring ownership of ongoing responsibilities to the business.

Consider reporting on the successes and lessons learnt from your project, and formally transfer responsibility for: 

• staff inductions and training - ensure that new staff are given access and are properly trained 
• routine audit - check that CP-IS information is being routinely accessed by the correct people, in the correct way, and that the information is being used appropriately as outlined in your safeguarding processes
• IT – check local error logs and ensure that CP-IS is technically working as it should particularly when changes are made to local network infrastructure 

Your implementation manager will continue to support you until all your unscheduled care settings are live with CP-IS.

Step 28 – Have a post go-live call

Eight weeks after you go live with CP-IS, your implementation manager will contact you to arrange a post go-live checkpoint call. This call is held to ensure that everything is working as it should and to discuss any issues that have surfaced.

Step 29 – Consider becoming a CP-IS champion

CP-IS champions help the national CP-IS project team to encourage other organisations to implement CP-IS by taking part in:

• case studies
• media work
• events and speaking opportunities 
• work to develop and improve CP-IS guidance and materials 

Once you have gone live with CP-IS, consider whether your organisation would like to help the national CP-IS team. CP-IS champions each decide what they would like to take part in and are presented with opportunities as they arise. Contact us at cpis@nhs.net for further information.