Neighbourhood Direct Ltd

GP Fusion

GP Fusion is an online platform for the delivery of GP Practice Websites which are designed to reduce the clinical/admin pressure on Practices and improve access to services for Patients.

The system also includes facilities for shared information management across Practice Groups and intranet features such as internal document management.

Features

• Responsive design ensures sites adapt correctly for mobile devices
• Easy integration with online clinical systems and consultation services
• Enhanced facilities for shared information management across Practice Groups
• Large collection of easily activated pre-built forms, including Patient Registration
• Custom form and survey creation
• Easy to self-edit content, with full documentation and support
• Optionally, we will manage your content for no additional cost
• Site content checked for layout, copyright & accessibility issues periodically
• Fully compliant with accessibility, GDPR and security legislation
• Secure information sharing between Practice and Patient

Benefits

• Improves access to information and services for Patients
• Reduces the clinical/admin pressure on Practices
• Facilitates the use of online clinical systems and consultation services
• Reduced need for telephone calls and Practice visits by Patients
• Comprehensive data on service usage is available
• End-to-end encryption ensures Patient data is handled securely
• Practice Group staff can manage information shared across multiple sites
• Useful resources shareable privately within the Practice or Practice Group
• Managed content option reduces website management time for Practice Staff

£382.80 to £646.80 an instance a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at webadmin@opg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

433105910625023

Contact

Katy Morson
01253608013
webadmin@opg.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: System updates are outside core office hours and typically result in approximately 10-15 minutes of downtime per month.; ; Sites on the system will work in all modern web browsers. Very old web browsers which only support TLS 1.0/1.1 protocols are not supported, for security reasons, as required by Microsoft.
• System requirements: Modern, supported web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support requests are taken via dedicated telephone number or email address by our Web Administration Team. Most requests are completed within 4 hours of receipt, often immediately.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Support requests are taken via a dedicated telephone number or email address by members of our Web Administration Team. Most requests are completed within 4 hours of receipt, often immediately. Our average response time on calls is just 3 seconds.; ; Although sites on the system are designed to be fully manageable by the Practice, we are always happy to make any and all website changes on a Practice's behalf. This covers anything from minor text tweaks and document uploads through to major custom layout changes and custom form creation. There is no extra charge for this service.; ; All documents submitted to us as content are checked for accessibility issues which will be corrected before upload. If the issues are beyond correction, we either recreate the document in an accessible form or replace the document with a link to an official (i.e. gov.uk/nhs.uk) page hosting the content. Each site is checked for layout, copyright & accessibility issues periodically.; ; Our offices are staffed 8.30am to 5.00pm, Monday to Friday, except public holidays. During holiday periods (eg Christmas) incoming requests are remotely monitored and actioned.; 24/7 monitoring alerts support staff to any availability issues out of hours.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Initially a demonstration site is created, using content on an existing website for the Practice and/or other content supplied by the Practice. We then work with the Practice to adjust the demonstration site to suit their requirements for content, look, features, third-party integrations etc. Once the site is how the Practice would like it, the go live process is initiated.; ; Full documentation is provided and telephone/video-based support/training is available on demand during office hours.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Website content and uploaded files can all be downloaded in one zip file through the admin area available to the Practice.
• End-of-contract process: Either party may withdraw from the arrangement at any time giving three months' notice in writing.; There are no additional fees at contract-end.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All websites on the platform are responsive so they adjust automatically for best usability on the device being used to access them. Adjustments include image scaling or hiding and menus condensing to mobile-style 'hamburger' menus when viewed on small mobile devices.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The public service interfaces of GP Fusion are the GP Practice Websites used by Patients. Each site has a private administration area which is logged into by nominated Practice staff for the purposes of editing content or collecting secure form submissions. Different levels of access are allocated to Practice staff users depending on what access is required.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We use various tools to test for website accessibility issues as well as manual checks and act on recommendations in commissioned third-party assessments.; We routinely run checks for accessibility (as well as copyright & layout) issues in content added directly by Practices.; ; All documents submitted for us to add to sites are checked and accessibility issues identified are corrected by our team before upload. If the issues are beyond correction we either create a new and accessible document for the content, add the content directly to a page on the website(s) or replace the document with a link to an official (gov.uk or nhs.uk) page hosting the content.
• API: No
• Customisation available: Yes
• Description of customisation: The look and content of sites on the platform can be extensively customised.; There are a range of templates which the Practice can switch between at any time by simply choosing a different one within the admin area.; Pages can be added, removed or edited by the Practice.; A library of standard patient interaction forms can be activated or deactivated at any time by the Practice.; There is also a custom form builder to allow easy creation of an unlimited number of additional forms.; A range of widgets can be added in each page to include formatted contact lists, staff, maps, pages from third party websites (eg NHS pages), and custom HTML code.; Third-party online services such as Accurx, eConsult, Patient Access, DoctorLink, Patient Services (INPS) etc can be incorporated easily.

Scaling

• Independence of resources: Bandwidth is scalable and usage currently runs at under half that available. Server resources can handle at least double the peak traffic with no noticeable delay in responses.

Analytics

• Service usage metrics: Yes
• Metrics types: Full, anonymised usage statistics are available.; This includes visitor numbers, individual page traffic, bounce rate, session duration, device types used and traffic source (eg search engine, direct traffic, social media etc).; There is also a running total of the number of forms submitted in time periods up to 12 months available in the dashboard.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
• Other data at rest protection approach: Data encrypted in storage and only accessible by the Practice
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Website content (web pages & media files) can be exported by a single click in the admin area. This downloads a .zip file containing the pages, as html files, and the media files in their original respective formats.; ; Patient-submitted data is stored in an encrypted state on the server until either the Practice has fully processed it or the set expiry period has passed. This data can be printed out by the Practice from the secure admin area if a hard copy is required.
• Data export formats: Other
• Other data export formats:
  • HTML
  • PDF
  • GIF
  • JPEG
  • Text File
  • PNG
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • PDF
  • HTML
  • GIF
  • JPEG
  • PNG
  • Text file

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Availability 99.9%; Excluding any scheduled maintenance
• Approach to resilience: Available on request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Access to the admin panel is restricted to named users and password protected. Role-based access control levels are used to restrict users to operations they have been given the permission to perform. The system supports 2FA using email for administrator access.; Accounts can be locked down to specific IP addresses if required.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Description of management access authentication: Restricting access by IP and 2FA using email

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • DSP Toolkit (for Oldroyd Publishing Group Ltd)
  • Cyber Essentials
  • PCI DSS (for Oldroyd Publishing Group Ltd)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: * DSP Toolkit (for Oldroyd Publishing Group Ltd, of which Neighbourhood Direct Ltd is a member); ; * Cyber Essentials; ; * ISO 27001 standard applies to the data centre only
• Information security policies and processes: We have company policies in place on data security, data protection, network security and passwords. We review data security and access arrangements at least annually, using electronic reports, physical checks and discussions with staff.; ; Our staff undergo mandatory annual data security training & testing, and have refreshers on our company policies and their responsibilities in relation to confidentiality.; ; Digital access to data is controlled using the principle of 'Least Privilege'. ; ; In line with the (UK)GDPR we protect data at "a level of security that is appropriate to the risks presented by the processing activity". We do not retain personally identifiable data any longer than is necessary and any sensitive data is securely encrypted both in transit and in storage.; ; Robust physical access controls are in place at our head office and at the hosting data centre.; ; We have a data breach procedure with a clear escalation path.; ; The Data Security and Protection Toolkit assessment for Oldroyd Publishing Group Ltd (of which Neighbourhood Direct Ltd is a member) contains details of our policies and processes.; ; Key staff members who could potentially handle sensitive data are BS7858 security screened.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Input on the system is received from Practices, service users (patients) and internal team members.; All bugs, new feature requests and enhancement requests are logged as issues, given a priority level and allocated to specific team members where appropriate.; Outstanding issues are reviewed periodically and priorities changed where required.; Changes made by the development team are tested in a development environment before being released live.; At all stages of the change management cycle, potential negative side-effects of changes and impact on security are taken into consideration.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Server patching is automatically managed by our hosting provider.; System software is assessed and replaced/upgraded when necessary.; Third-party services are used for regular vulnerability scanning.; The server is pro-actively monitored by our hosting provider in terms of security, with full virus scanning, and sits behind a dedicated firewall which is also pro-actively managed and updated by the hosting provider.; Security news sources and system supplier alerts are monitored to give early warning of any developing threats.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our hosting provider proactively monitors the server and alerts us about planned updates and downtime.; We monitor the system using third party services to alert us instantly of service interruptions, 24/7.
• Incident management type: Supplier-defined controls
• Incident management approach: We have Data Security Policies which outline how we prevent data security breaches and how we will react to them if they occur.; The Data Security Breach Procedure covers how to complete a breach report, using a Data Security Incident Report form. It also covers how the report is then escalated and investigated, potentially as far as the Information Commissioner's Office, depending on the nature of the potential breach and result of the initial investigation.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  Equality, Inclusion & Diversity Policy included within employee handbook.; Career opportunities section of company website includes equal opportunities statement.; Company works with local organisations when recruiting to provide opportunities for individuals that require additional support when seeking and taking employment.

  Wellbeing

  Supporting Positive Mental Health Policy, Alcohol & Substance Abuse Policy and Positive Work Environment Policy included within employee handbook.; Free access to Employee Assistance Programme for all employees.; Fundraising events to support local community organisations.

Pricing

• Price: £382.80 to £646.80 an instance a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Demonstration sites are populated with Practice-supplied content and access is given to Practice contacts for the purpose of testing out the system. There is no set time limit on demonstration sites.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at webadmin@opg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.