IRIS SOFTWARE LIMITED

IRIS Looked After Call

Monitoring school attendance, attainment and PEPs of Looked After Children on behalf of UK Virtual Schools. Reduce absenteeism and increase attainment to realise potential. Safeguard children and their data on behalf of Virtual Schools and local authorities. Secure transfer and storage of sensitive data pertaining to students in the UK.

Features

• Daily attendance, termly assessment, PEP data collection from educational settings.
• Secure real time reporting with remote access for authorised users.
• Dynamic integration with school's MIS and manual calling.
• Electronic storage of all data within audit trail.
• Secure data transfer between multiple systems.
• Integrated secure communications.
• Automatic data extraction from multiple sources.
• Automatic electronic alerts to designated stakeholders.
• Webhosted for maximum secure access.
• Interoperable with multiple platforms.

Benefits

• Anytime, anywhere access on multiple devices and unlimited users.
• No requirement for additional hardware by the user.
• Brings together useful data from variety of sources.
• Access levels set by users' role for additional security.
• Flexible solutions to fit all statutory requirements.
• Multiple options for training and support.
• Real time reporting enables immediate interventions.
• Removes manual process, saves precious time.
• Complies with current data protection legislation.
• Can operate as a Management Information System for Virtual Schools.

£1.82 a unit a week

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BidTeam@iris.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

178099279925618

Contact

Bid Team
0344 225 1525
BidTeam@iris.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements: Modern up to date web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Any new ticket is responded to within 10 minutes to confirm the ticket has been created and advising the user of the ticket reference number.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our support KPIs are: 90% of inbound calls answered within 30 seconds. 88% of tickets resolved within 48 working hours (tickets worked in order of priority), 92% ticket satisfaction.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Once contracted, we will ask for an extract of your data to include as a minimum: student name, DOB, UPN, school URN, gender, care status and year group. This data is uploaded into the portal, and introductory letters are sent to the placements to explain and reassure them that we are working on your behalf, and will be collecting attendance and assessment data. We will establish the preferred data collection method for each setting: - Manual Calling – up to 3 times daily for AM and PM session marks - Automatic data extraction – directly from the school MIS - Self-serve portal – schools upload marks as required LAC supports onsite training at the beginning of every contract and online/telephone support throughout the period of the contract. Once the authority sign DPA with us, the service can commence. Schools must sign local authority DSA in order to share data. All schools receive a manual phone call to explain who we are, on who’s behalf we are calling and the authority we have to collect the data. We are happy to assist any school with downloading the automatic data extraction tool, self serve portal or any other part of service collection.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: If a customer decides not to renew their contact a written instruction is required 30 days before contract end date. Customers are supported through the process of exporting any required data from the system via Global Export reporting which provides data in CSV format.
• End-of-contract process: The purchaser can retrieve data collected by the service by downloading a 'Global Export' from within the Looked After Call portal. Full support is available to help in this process. From the date of contract expiry or cancellation, a 7 day cooling off period will begin and data collection services cease. 60 days after contact expiry the data will be permanently removed from databases and document stores in line with GDPR regulations. It will take an additional 30 days for data to be completely removed from rolling system backups.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Service is optimised for desktop and tablet devices. It is possible to use on a mobile phone but due to the nature of reporting available, some scrolling may be required.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: The User Profile section allows users to configure settings:; - enable/disable 2 Factor Authentication (2FA); - subscribe/unsubscribe to a series of alerts which trigger if certain events occur (eg. Child is excluded or a PEP is completed)

Scaling

• Independence of resources: The service is architected to be highly available and to scale depending on user demand. Monitoring systems alert the operational team to any potential issues which allow them to proactively maintain a responsive service to end users.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported by authorised users when logged into the web application.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: All external connections to our systems are encrypted over SSL using and RSA 2048 bits DigiCert SHA2 Extended Validation certificate. All data held by Iris Looked After Call is encrypted whilst in transit.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The Looked After Call portal is available to authorised users 24/7/365. We achieve 99.9% up time. Performance and availability of our service is monitored carefully by internal operations team and via automated external systems. Should performance degradation issues be identified, it triggers an investigation process headed by the internal Operations team to determine actions to rectify. To demonstrate how we guard against cyber threats and our commitment to cyber security, please see our Cyber Essentials certification. All systems are annually penetration tested by an external accreditation service. We target 97% collection rate on all available attendance marks. Specific KPIs within the tender SLA will identify the target criteria and failure recovery. To date we have never failed to comply with a client SLA or had early termination of contract due to non-compliance of a SLA.
• Approach to resilience: The service is architected to be highly available and to scale depending on user demand. Monitoring systems alert the Operational team to any potential issues which allow them to proactively maintain a responsive service to end users
• Outage reporting: In the event of a system outage or where significant performance degradation occurs, registered users will be kept updated via email.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Design and implementation of User authentication is guided by best practice. Access to customer data within the system is controlled by LA Administrative users. New users are required to have an email address which is their username. The registration email contains a time restricted link which allows the user to set their password and confirm their registration. Password complexity meets OWASP recommendations Whenever users password are changed, a confirmation email is sent to the users registered email address. Registered users are allowed to make support requests via email. 2-factor authentication can be enabled or disabled at user level.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: IRIS Software Group operates an information security management system containing 25 policies which align with ISO 27001 and provide detailed documentation on how the group manage IT governance and security. We follow & implement the NCSC guidance relating to the 14 Cloud Security Principles.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our processes are aligned with ISO 27001. Infrastructure changes are planned and documented in advance including contingency plans. These records are retained for a minimum of 12 months. Any planned or unplanned maintenance that will require downtime will be disclosed to active users of the application in advance by email (At least 7 days notice would be sought). Wherever possible maintenance will be undertaken outside of normal usage hours.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The DevOps team utilise as suite of tooling within DataDog with monitoring agents to ensure vulnerabilities are identified quickly. Monthly patching is spread over the second week from patch Tuesday. All servers encompassing services are split over several days to ensure no single service is affected. Patch windows of 1am-4am are in place. Critical patches are handled within this policy but on an escalation process if needed to make systems safe within days/hours rather than the regular patching schedule.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Logging on critical systems has mandatory requirements for successful/failed authentication attempts. On all other systems there is mandatory logging of security relevant information. Logging facilities/Log information are protected from unauthorised access/tampering. Logs are centrally-stored and aggregated, log analytic tools used to detect anomalies. ; ; Logs are timestamp archived and securely stored (Azure). A full history of system administrator/system operator activities on critical equipment and activities is recorded, including configuration management and operational changes. Where changes are not automatically logged our change management procedures record the change reason and details of the change. Information is kept a minimum of 12 months.
• Incident management type: Supplier-defined controls
• Incident management approach: IRIS has a comprehensive set of data management procedures including procedures for the reporting and investigation procedure for personal data incidents, including:; -definition of personal data breach; -report incidents to the Group Data Protection Officer (DPO); -DPO will provide the CIO with an initial summary of the known facts, detailing: (1) what appears to have happened (2) immediate steps being taken to contain/investigate the issue and who by, (3) initial assessment of risk to individuals (4) whether the incident, once confirmed as a breach, is likely to require a report to the Information Commissioner’s Office, to customers/any individuals affected.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  We are committed to ensuring equal opportunities at IRIS. Our CEO, Elona Mortimer-Zhika, celebrates diversity in our workplace and expects the culture and environment of IRIS to be based on mutual respect and free from discrimination. We are committed to delivering a competitive and fair employment environment. We put equality, diversity, and inclusion at the forefront of our decisions, monitor progress, take action to continually improve, and be transparent with our findings. We have a zero-tolerance approach to discrimination based on protected characteristics and any allegations of discrimination will be dealt with in line with our Disciplinary policies. We have several wellbeing groups, including Unique which provides support for physical or mental health conditions or neurodivergent people. We provide a variety of training schemes to all employees, regardless of any protected characteristic, and encourage progression through our organisation.; ; We are passionate about gender equality and are committed to building a diverse workforce. We have continued to invest in our range of programmes to support gender equality and support the women of IRIS so they can reach their full potential. These initiatives ensure that we continue to focus on making IRIS a great place to work, enable our people to flourish, improving gender pay equality and providing equal opportunity for all. IRIS Groups championing of women in leadership has been recognised as a Great Place to Work for Women. The executive team comprises of three female leaders and 11 male leaders. ; Our Modern Slavery Policy sets out the ways in which we identify and manage the risks of modern slavery as a business, including risk assessment, risk mitigation and staff training. IRIS reviews all material suppliers and assesses whether any risks of slavery or human trafficking arise.

  Wellbeing

  We are committed to engaging, supporting and empowering our workforce. We create an environment where they feel part of a team; from regular global company updates to social evenings and charity events. We’re a UK Best Workplaces™ for Wellbeing. We have over 40 Mental Health First Aiders, have a weekly workplace support group and offer a free Employee Assistance Programme and bereavement counselling. We have several wellbeing groups and celebrate diversity. We offer colleagues a cycle scheme, private medical insurance and reduced gym memberships. We hold company fitness challenges and provide free fitness sessions. We’re proud to be a Real Living Wage employer, provide UK cost of living support, offer a tech and car scheme and give access to money coaches, workplace ISAs and pension, life assurance and critical illness cover. We seek our employees feedback on benefits that matter to them.; We give our employees three ‘Giving Back’ days a year on top of their annual holiday entitlement to support local community and national charitable cause. Employees are encouraged to actively give their time and skills to fundraise for a charity of their choice and volunteer on community projects, including being a school governor, charity trustee, reading with school children through the Benchmark scheme, mentoring in schools and running money management courses, both externally in conjunction with charities and schools, as well as internally with IRIS employees.

Pricing

• Price: £1.82 a unit a week
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at BidTeam@iris.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.