SRCL LIMITED

My Surgery Website

Provision of GP Practice Websites for communicating with and collecting data of patients, appointment making, medication ordering, online consultation, digital triage and signposting along with advertising the services of the practice.

Features

• Responsive web design for all devices
• Clinical system online services integration
• Syndicated NHS health & wellbeing centre
• Easy to update, anytime, anywhere
• WCAG 2.1 (AA) compliance
• Centralised group management
• User Way technology built-in
• Smart online forms
• Designed to active signpost patients to relevant services
• Patient digital triage

Benefits

• Reduces the footfall at the practice
• Increases access for patient
• Patients are signposted to relevant services
• Enables social prescribing model of care
• Simple to use
• Automatically updated to comply with latest legislation

£525 to £1,375 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.twells@stericycle.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

256919609858293

Contact

Michael Twells
07595033735
michael.twells@stericycle.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: There are no constraints on using the My Surgery Website. It fully supports all web browsers (incl. IE11 and above) and mobile devices. Maintenance windows are outside of core hours.
• System requirements:
  • Internet access
  • Up to date browser

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Support queries are monitored Monday to Thursday 9.00AM to 5.00PM and Friday 9:00AM to 4:30PM (excluding bank holidays).; ; Support tickets are instantly acknowledged and customers issues a unique reference ID. A support engineer will contact the customer within 24 hours if they need further information, with resolutions confirmed or resolution time agreed within 48 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Support queries are monitored Monday to Thursday 9.00AM to 5.00PM and Friday 9:00AM to 4:30PM (excluding bank holidays).; ; Support tickets are instantly acknowledged and customers issued a unique reference ID. Tickets are allocated on a first come first served basis by a department of technical support engineers.; ; The service has two support levels;; ; Basic: Reporting and investigation of service level issues e.g. bugs in software, included in the annual price for the service.; ; Enhanced: Completely managed service e.g support engineers will make any change to the service a customer requires using the services editorial suite of tools (an additional annual fee of £100 per annum applies).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers are fully supported in the set up and configuration of the service. During the sales process the customers are asked to pick a base template for their website or request a bespoke layout and for any additional requirements. The base template is populated with relevant customer specific information (as provided by the customer) and any additional configurations made to meet the customer requirements. Our support team liaise with the customer, refining the website until the customer is happy with the service and give approval to publish the website.; ; Online training can be arranged as required, however our system is designed with intuitiveness and user-friendliness in mind. Full documentation for system configuration and workflows is provided in online help guides.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Users have full access to their data when they are in contract with us and will work with them to retain access once the contract has ended.
• End-of-contract process: The customer subscription, training, documentation, support (if applicable) and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew they are required to give 90 days notice. On the subscription end date or date requested their domain will be transferred to their new provider, all data is archived and then securely deleted after a predefined period.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: My Surgery Website comes with inbuilt responsive designs so it is optimised for mobile devices and desktops. The mobile version will include all the features of a desktop version but will re-size content including media like videos and fix them according to the size of mobile device.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service can be accessed via a web browser interface. Supported browsers are Internet Explorer 11, Microsoft Edge, Firefox, Chrome, Safari and Opera. The service has been designed to also be used on mobile devices.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Platform has been tested using multiple accessibility compliance tools such as aXe.
• API: No
• Customisation available: Yes
• Description of customisation: The user can choose from multiple design templates as a starting point, and from there they have access to tools to customise their website as much as they like.; ; The user can customise their own website or ask our support team to do it for them if they have purchased the relevant level of support.

Scaling

• Independence of resources: We have over a 50% resource buffer on our platform to cover anomalous spikes in use. We monitor the systems for average use, and have the capacity for growth if and when needed.

Analytics

• Service usage metrics: Yes
• Metrics types: The customer can add their own google analytics or google tag manager code to their website and track their website usage.

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Software Encryption
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Form and Survey results can be exported as PDF files
• Data export formats: Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • DOC
  • DOCX
  • PDF
  • JPEG
  • JPG
  • PNG
  • TIFF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: 99.9% up time guarantee
• Approach to resilience: Available on Request
• Outage reporting: If there was an unplanned service outage we would contact affected customers via an email alert and help centre notifications. Affected customers would also see in application information alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Management portal is limited to internal access via our private network/VPN Tunnel, additionally requiring specific user group permissions, and still requiring a username and password.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Wordplay
• PCI DSS accreditation date: 07/10/2021
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: DSP Toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Our security governance is subject to best practice and leading industry standards but not officially accredited
• Information security policies and processes: Our security policies are independent and in-house but ensure:; ; Authorised access is enforced,; All sensitive data is encrypted and verified,; All access is recorded and audited,; All data is transferred securely; All security incidence are reported and investigated, any remedial actions are taken.; ; All incidents are reported to the VP of Data Protection, who reports in to the VP Regional General Counsel Compliance Officer, who then reports in to the company board.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Software changes are subject to a standard requirements definition process and reviewed by senior functional and security design resource before being approved for development. Once developed, changes are assigned to a specific release, with this release passing through a defined 'path to live' - escalating from development to test environment before being placed in a stage environment for final checks. New changes, once developed are reviewed by a security test specialist and also subject to ongoing vulnerability scanning and penetration testing.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to several security information outlets to help remain agile in response to emerging threats. Our third party host also keeps all clients informed of identified threats and remediation. We do standard patching on a monthly basis and have procedure in place for "emergency patching" if necessary.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Have third party threat solution that does regular scanning of the system and we receive alerts if a threat is found. We would respond immediately to any realised threat.
• Incident management type: Supplier-defined controls
• Incident management approach: User are able to report any incidents through normal customer service channels, and we will follow our triage process - escalating to relevant mangers etc where necessary. Any reports will be distributed to relevant parties.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Internally, we have continued efforts to minimise the environmental; footprint of our operations and conserve resources. We have numerous programs in place or under evaluation to minimise our use of natural resources and reduce the impact of climate change.; ; We are working with our hosting partner Rackspace to reduce our environmental impact and encourage them to reduce their to fight climate change. Through the delivery of cloud services to our customers, Rackspace Technology is contributing to an overall reduction of energy consumption. In addition, by moving companies to shared resources and facilities, cloud adoption helps to reduce the number of duplicate, energy-hungry data centres across an enterprise. Customers who decide to move their data to the cloud with Rackspace Technology have a variety of options to help them further reduce their carbon footprint. The sustainability and financial benefits from cloud migration vary, depending on which cloud a customer selects, the level of cloud optimisation, and whether the customer uses any sustainability innovations powered by the cloud.

Pricing

• Price: £525 to £1,375 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michael.twells@stericycle.com. Tell them what format you need. It will help if you say what assistive technology you use.