SRCL LIMITED

My Surgery Website

Provision of GP Practice Websites for communicating with and collecting data of patients, appointment making, medication ordering, online consultation, digital triage and signposting along with advertising the services of the practice.

Features

• Responsive NHS approved design for all devices
• Clinical system online services integration
• Syndicated NHS health & wellbeing centre
• NHS GP Website benchmarking tool
• WCAG 2.1 (AA) compliance
• Easy to update, anytime, anywhere
• Centralised group management
• Smart online forms
• Designed to active signpost patients to relevant services
• Patient digital triage

Benefits

• Reduces the footfall at the practice
• Increases access for patient
• Patients are signposted to relevant services
• Enables social prescribing model of care
• Simple to use
• Automatically updated to comply with latest legislation
• NHS design compliant

£350 to £900 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.twells@stericycle.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

171023549099712

Contact

Michael Twells
07595033735
michael.twells@stericycle.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: There are no constraints on using the My Surgery Website. It fully supports all web browsers (incl. IE11 and above) and mobile devices. Maintenance windows are outside of core hours.
• System requirements:
  • Internet access
  • Up to date browser

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Support queries are monitored Monday to Thursday 9.00AM to 5.00PM and Friday 9:00AM to 4:30PM (excluding bank holidays).; ; Support tickets are instantly acknowledged and customers issues a unique reference ID. A support engineer will contact the customer within 24 hours if they need further information, with resolutions confirmed or resolution time agreed within 48 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Support queries are monitored Monday to Thursday 9.00AM to 5.00PM and Friday 9:00AM to 4:30PM (excluding bank holidays).; ; Support tickets are instantly acknowledged and customers issued a unique reference ID. Tickets are allocated on a first come first served basis by a department of technical support engineers.; ; The service has two support levels;; ; Basic: Reporting and investigation of service level issues e.g. bugs in software, included in the annual price for the service.; ; Enhanced: Completely managed service e.g support engineers will make any change to the service a customer requires using the services editorial suite of tools (an additional annual fee of £100 per annum applies).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers are fully supported in the set up and configuration of the service. During the sales process the customers are asked to pick a base template for their website or request a bespoke layout and for any additional requirements. The base template is populated with relevant customer specific information (as provided by the customer) and any additional configurations made to meet the customer requirements. Our support team liaise with the customer, refining the website until the customer is happy with the service and give approval to publish the website.; ; Online training can be arranged as required, however our system is designed with intuitiveness and user-friendliness in mind. Full documentation for system configuration and workflows is provided in online help guides.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Users have full access to their data when they are in contract with us and will work with them to retain access once the contract has ended.
• End-of-contract process: The customer subscription, training, documentation, support (if applicable) and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew they are required to give 90 days notice. On the subscription end date or date requested their domain will be transferred to their new provider, all data is archived and then securely deleted after a predefined period.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: My Surgery Website comes with inbuilt responsive designs so it is optimised for mobile devices and desktops. The mobile version will include all the features of a desktop version but will re-size content including media like videos and fix them according to the size of mobile device.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service can be accessed via a web browser interface. Supported browsers are Microsoft Edge, Firefox, Chrome, Safari and Opera. The service has been designed to also be used on mobile devices.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Platform has been tested using multiple accessibility compliance tools such as aXe.
• API: No
• Customisation available: Yes
• Description of customisation: The user can choose from multiple design templates as a starting point, and from there they have access to tools to customise their website as much as they like.; ; The user can customise their own website or ask our support team to do it for them if they have purchased the relevant level of support.

Scaling

• Independence of resources: We have over a 50% resource buffer on our platform to cover anomalous spikes in use. We monitor the systems for average use, and have the capacity for growth if and when needed.

Analytics

• Service usage metrics: Yes
• Metrics types: The customer can add their own google analytics or google tag manager code to their website and track their website usage.

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Software Encryption
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Form and Survey results can be exported as PDF files
• Data export formats: Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • DOC
  • DOCX
  • PDF
  • JPEG
  • JPG
  • PNG
  • TIFF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: 99.9% up time guarantee
• Approach to resilience: Available on Request
• Outage reporting: If there was an unplanned service outage we would contact affected customers via an email alert and help centre notifications. Affected customers would also see in application information alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Management portal is limited to internal access via our private network/VPN Tunnel, additionally requiring specific user group permissions, and still requiring a username and password.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Wordplay
• PCI DSS accreditation date: 07/10/2021
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: DSP Toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Our security governance is subject to best practice and leading industry standards but not officially accredited
• Information security policies and processes: Our security policies are independent and in-house but ensure:; ; Authorised access is enforced,; All sensitive data is encrypted and verified,; All access is recorded and audited,; All data is transferred securely; All security incidence are reported and investigated, any remedial actions are taken.; ; All incidents are reported to the VP of Data Protection, who reports in to the VP Regional General Counsel Compliance Officer, who then reports in to the company board.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Software changes are subject to a standard requirements definition process and reviewed by senior functional and security design resource before being approved for development. Once developed, changes are assigned to a specific release, with this release passing through a defined 'path to live' - escalating from development to test environment before being placed in a stage environment for final checks. New changes, once developed are reviewed by a security test specialist and also subject to ongoing vulnerability scanning and penetration testing.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to several security information outlets to help remain agile in response to emerging threats. Our third party host also keeps all clients informed of identified threats and remediation. We do standard patching on a monthly basis and have procedure in place for "emergency patching" if necessary.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Have third party threat solution that does regular scanning of the system and we receive alerts if a threat is found. We would respond immediately to any realised threat.
• Incident management type: Supplier-defined controls
• Incident management approach: User are able to report any incidents through normal customer service channels, and we will follow our triage process - escalating to relevant mangers etc where necessary. Any reports will be distributed to relevant parties.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  As a major supplier to the NHS we are committed to reducing cost but also to reducing our impact on the environment. We are continuously developing solutions and assessing the marketplace to identify opportunities to reduce the impact of our services on the environment. FPM has reduced its carbon emissions by migrating our infrastructure resulting in the need to less servers. All FPM solutions are designed to help NHS organisations reduce their carbon footprint, from online consultation via their website or online policies and procedures reducing the need for paper copies which feed in the NHS paperless agenda. FPM has also shifted the majority of the training business online to reduce travel of trainers and participates to attend the training.

  Covid-19 recovery

  As frontline service providers for the NHS, both FPM and Stericycle were deeply engaged in the NHS’ response to the COVID 19 pandemic. Both organisations adapted their services and support to ensure that their NHS customers were able to continue to deliver services during that period of unparalleled pressure. The learnings and enhancements made to the whole Stericycle business as a result of the pandemic have resulted in a more robust and resilient structure that will mitigate the risks of any future pandemic.

  Tackling economic inequality

  We are committed to ensuring that we support all our staff and their families with pay packages and associated benefits packages that ensure that they never experience economic inequality. All FPM staff are paid well above the real living wage and we are committed to ensuring that this remains in place and will do so for the duration of the framework. ; ; Additionally, we are committed to supporting the local economies in which we operate. We utilise local SME businesses to provide ancillary support services such as facilities management and courier services.; ; We are fully compliant with requirements to identify and tackle Modern Slavery in our business and in our supply chain. We conduct detailed due diligence on all suppliers and will, where possible, provide support and guidance for our SME suppliers in identifying and tackling Modern Slavery in their supply chains.; ; On a number of Stericycle’s NHS contracts we run projects to support job seekers in their endeavours. Our highly skilled recruitment team work with the Trust and local employment and/or disability groups to deliver CV writing and interview preparation courses. The courses are designed to build confidence for candidates and to help them build job seeking skills.

  Equal opportunity

  We are committed to driving and delivering equal opportunities across all businesses and areas of operations. As part of a global PLC, headed by Cindy Millar, FPM is required to adhere to and promote the employee Code of Conduct that details our corporate commitments to diversity and equality. Across the whole business, there are established committees working to promote the voices and successes of all communities that make up the Stericycle family.; ; To ensure we are promoting wider equal opportunities, part of all due diligence of our suppliers is that they agree to adhere to our Supplier Code of Conduct which requires them to have documented equality and diversity policies.

  Wellbeing

  Across the whole Stericycle business in the UK we have implemented a wellbeing enhancement programme that incorporates mental health support initiatives, fair work practices and financial support initiatives.; ; At every Stericycle facility we have sought volunteers to become mental health champions. Volunteers go through 25 hours of paid-for training with an external provider to help them identify and support colleagues who may be experiencing mental health difficulties. To date we have trained 13 champions across our business and also can provide this facility to our customer base as part of our Social Value commitments.; ; Across many areas of our business we offer preferred shift patterns and, where appropriate, home or remote working to support wellbeing. These initiatives are well received and have resulted in better outcomes for both employees and the business.; ; To support employees that may experience unexpected financial difficulty we have instituted a programme called SteriCares that can provide short-term, immediate financial support to struggling colleagues and their families. The programme is funded through salary sacrifice from colleagues across our whole business. To date, the fund has generated over £20,000 in donations in the UK and has been used to support any colleagues that need it. Although not in massive demand it provides an extra level of comfort and support for our personnel.; ; As part of a wider organisation, Stericycle, that is committed to good corporate citizenship, we have access to significant resources that develop programmes across our NHS customer base to deliver against the social value objectives. We will utilise the skills and knowledge developed across our business to tailor or develop specific programmes for our new customers that deliver actual social value to their communities.

Pricing

• Price: £350 to £900 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.twells@stericycle.com. Tell them what format you need. It will help if you say what assistive technology you use.