Carebeans aims to support the NHS goal and vision of a people-powered health and social care system enabled by the Integrated Digital Care Record. We need an interoperable ecosystem of applications, data and processes to allow the right information to be available to the right user at the right time. The fundamental elements of the vision are:
The importance of using an Open API approach, and hence the value of the policy, is to:
The term Open API refers to all methods of software-to-software interaction including, but not limited to, web interfaces, direct program interfaces, batch/file drops over FTP etc.
Carebeans is a commercial organisation that has invested, and continues to invest, in the development of its IPR. There are key principles that are fundamental to the health of the company, its customers and data privacy: Carebeans system IPR must not be compromised and will not be shared with competing organisations. It is our customers' data, and they determine how it can be used and by whom. The integrity of the system must be maintained. The privacy of personal data is paramount.
We will be constantly adding and updating our available APIs.
The term Application Programming Interface, or API, in the context of this document is used broadly to refer to any mechanisms which allow a system or service to access data or functionality provided by another system or service. Consequently, this policy will encourage software interoperability.
Open APIs are those APIs that have been exposed to enable other systems to interact with the Carebeans system, and that have been sufficiently documented that the available functionality is discoverable, fit for purpose and re-usable. Open also means potential users of the API can access both the API documentation and the API itself free of charge.
Where access to the live API is not possible (e.g. chargeable usage applies, service level agreements are in place, or the API returns confidential data) a test environment will be provided to allow potential users to experiment and test the API.
Although APIs provide access to the Carebeans system, the data does not belong to Carebeans. In this context, Carebeans is the processor. The data controller, the care provider (Carebeans customer), owns the data and will need to provide explicit permission in the form of a change to the processor/controller agreement.
It will be up to the care provider to determine and document consent of any Service users and system users if their data is to be shared.
Partners wanting to consume APIs must go through the process below:
Although the API is free to use, it is not open for anyone to access. Security and privacy of our customers' data is paramount and there is a process to be followed to allow access. In summary:
The following types of API are in the scope of shared APIs:
The objective, over time, is to make data held in the Carebeans system available via an Open API, consistent with the HM Government Open Data policy.
This will take time and the roadmap will be based on need.
The following APIs are not available for sharing:
At this time there are only a handful of APIs available, and these standards are being applied to them. As new APIs are developed, they will be developed in line with these standards. APIs will be developed on customer need and governed by business financial constraints. Our Aim is not to make this an overly costly APIs will be tailored to customer requirements while aligning with our fiscal considerations. Our objective is to ensure affordability without compromising on value.
This section outlines the specific policy statements and principles for our Open APIs:
Carebeans employs a REST architecture to provide APIs to its partners and customers. The key benefits of this implementation are compatibility between different clients and servers, regardless of platforms or operating systems, and simplified communication and data transfer between applications. REST works on top of the HTTP transport. It takes advantage of HTTP's native capabilities, such as GET, PUT, POST and DELETE. When a request is sent to a RESTful API, the response (the "representation" of the information "resource" being sought) is returned in JSON, XML or HTML format. A RESTful API is defined by a web address, or Uniform Resource Identifier (URI).
API security is concerned with the transfer of data through APIs that are connected to the internet. Broken, exposed, or hacked APIs are behind major data breaches, and as such Carebeans applies all the best practices to ensure sensitive data is secured.
The following security measures are in place to protect the integrity of all APIs, both consumed and provided:
Although the API is free to use, it is not open for anyone to access. Security and privacy of our customers' data is paramount and there is a process to be followed to allow access. In summary:
An SLA will be put in place.
Please fill in the form shown, giving as much information as you can in relation to your intended use of our APIs.
A member of our team will be in touch with you in due course once your application has been submitted.
If you would prefer to send an email, please do so by contacting [email protected]