MacLaren West LTD

UK Food Surveillance System Service

A Cloud based service which manages the details and results of food and animal feed samples submitted for analysis and/or examination by Official Control Laboratories (OCLs) on behalf of Local Authorities and other partners.

Features

• Validated Data collection
• Seamless transfer of Food/Animal Feed Sampling data to Laboratories
• Flexible reporting
• Interoperability with Local Authority systems
• Return of Test results to Local Authority
• Collection of Sampling/Test data for national analysis
• Web portal to view and manage sampling data/activity

Benefits

• Collect standard/valid data through API
• Instant upload of sampling data to laboratory eliminating data entry
• Collect data nationally for further analysis/reporting
• Seamless transfer between systems
• Robust time proven solution
• Compatible with common Local Authority Management Systems
• Compatible with major Laboratory Management Systems
• Easy access to data through a modern reporting portal

£800 to £800 a unit a day

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at john@maclarenwest.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

538239780816090

Contact

John Anderson
07515396842
john@maclarenwest.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Maintenance is occasionally carried out, but this is performed out of normal working hours (evenings and weekends). Such maintenance is brief and has little or no effect on the service.
• System requirements:
  • A internet connection is required to access the services API
  • HTTPS and TSL1.2 is required on connected clients.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: During business hours: Urgent queries are responded to within 2 hours, normal queries are responded to within 48 hours.; ; Support is not normally provided out of hours (such as evenings and at weekends), but can be provided under special prior arrangement.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: • Major – within 24 hours of receipt of call. Such as Operational failure of the service within the agreed operational hours. Provision of data reports to users to support urgent and time bound queries; • Moderate – within 5 working days of receipt of call. Assistance to users using the system and data mapping/other functions.; • Minor – within 10 working days of receipt of call. Such as: Tracking samples for a local authority to compare with local records; tracking historic data at labs.; ; All support is included in the cost of the service. Users have access to technical staff at all stages of the support process.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide comprehensive documentation. Onsite and/or online training can be arranged on request for new or existing users.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data will be provided as full database backup file for each database included in the service. Help will be given to ensure that backups are restored and accessible if requested.
• End-of-contract process: We have a full transition guide which will be provided to the client on notice that the contract will expire and not be renewed. We will engage with any future supplier to implement the process detailed in the transition guide upon request.; ; We will provide all data to the client and ensure that it is accessible.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The service is an API and can be used from any device where a client has been developed to interface with it. Client software on mobile devices may not support some features of the API due to limitations in features of the device.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: Users can submit sample data and query data. The API is for authorised users only. Sampling data can be submitted to laboratories through the API and results for completed analysis are returned through the API. ; ; Users can manage data such as Premises data, sampling templates, surveys and local lookup lists through a client connected to the API
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: The resources allocated to the service are sized to meet reasonable usage of the system. Usage is monitored closely and additional resources will be added if required. The service is built to minimise the impact users of the system have on resources.

Analytics

• Service usage metrics: Yes
• Metrics types: All data transfers between clients and the cloud service are logged. Statistics and details of data flow are provided on request, including usage by Sampling organisations (LAs and Port Health Authorities, etc), by country or region, etc.; ; Further data on performance of Laboratories in analysing and returning results is available.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Exports can be requested through support. Exports are provided in CSV or Excel files. We work closely with users to provide data export to meet their specific needs.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • XML
  • JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We guarantee service uptime of 99.9% or greater: (excluding scheduled downtime).; ; We have no explicit refund policy, but are keen to engage with users and work with them to resolve any harm done as a result unplanned downtime.
• Approach to resilience: Our service is hosted within Microsofts Azure cloud infrastructure. There is redundancy built into both the network infrastructure and the hardware that the service runs on. The system is designed to scale appropriately to user needs. ; ; The service is designed to be robust and also can be rebuilt within a period of 3 hours. All data is backed up and can be restored with minimal risk of data loss. ; ; Further information is available on request.
• Outage reporting: The service is monitored continuously for an independent source and any outages are reported in real time to support staff through an API and via email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are protected by two factor authentication and limited to authorised users only.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We comply with ISO/IEC 27001 and are working towards certification.
• Information security policies and processes: MacLaren West follows security standards as advised by the Open Group Architecture Framework. ; • Authentication: Authentication is applied on all systems under our control. ; • Authorisation: Role base authorization is used to manage user access to resources, ; • Audit: All critical systems include comprehensive auditing. Audits are run regularly, the results of which are reviewed for compliance to company standards. ; • Assurance: We maintain automated test suites which we use to verify that all required security policies remain in place. We run automated audit reports on all infrastructure and take action to apply security and performance suggestions from these audits.; • Asset Protection: All data is encrypted at rest and in transit. All data is protected with authentication and authorization rules.; • Administration: All systems have configurable security policies which can be updated based on specified requirements. This includes adding, updating or removing users and roles. ; • Risk Management: We are a risk adverse organization. Our highest priority is the security and integrity of data held on behalf of our clients and all reasonable precautions are taken to protect it.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: A suite of automated tests are run against all of the services APIs before a release is authorised. These tests include compressive coverage of services security.; ; As well as the automated tests, a full code review it performed with a focus on security issues.; ; Once a build has pass all tests and the code review is completed, the build is deployed to a staging environment where final user tests are performed. Once these tests are passed and reviewed, the build is moved into production. ; ; All builds are versioned and changes documented.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The service is accessible through a protected API by authorised users. Data transferred through the API is encrypted and transferred over a TLS 1.2 connection. These measures limit vulnerability but do not eliminate it,; ; We do comprehensive testing of the whole API before release of a new build of the service. ; ; In the case of a serious threat that risked the exposure of data, we apply a patch within 24 hours, possibly sooner.; ; Potential threat information is gathered from our own testing and features of the Azure cloud infrastructure which performs continuous monitoring of traffic to and from the service.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The Azure environment we use monitors our service and databases constantly and reports any threats or advisory actions. We review these reports weekly and implement recommended changes. ; ; The service itself monitors usage by authorise parties. We review usage data weekly for any activity that is out of the ordinary. We work with clients to understand or rectify possible issues.; ; We alert clients of any attempted attacks against the service with details of how the issue was handled.
• Incident management type: Supplier-defined controls
• Incident management approach: We have processes for common events such as service errors, authorisation issues and security issues with our services and Azure platform.; ; The first steps on each process requires the allocation of an incident manager, an assessment of the risk associated by a vulnerability, initiation of any immediate action required to secure the effected service(s) and when a full remediation can by deployed. Disclosure of the incident will be emailed to a predefined list of stakeholders. An advisory notice will also be emailed out if required. After a full remediation an incident, reports will be supplied to the appropriate notification list.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Our service replaces a manual process that traditionally consumes a lot of paper. We have worked with our users to develop processes that fully eliminates this waste.; ; The data captured by UKFSS is used to target future sampling, further reducing wasteful activity. We are actively implementing features within the service to help further refine the sample planning and targeting, such as allowing users to see general activity across the country to better inform their planning.; ; Within the company we embrace any effort to reduce our carbon impact. • We offer a Cycle to work scheme to reduce the impact of local travel. • We support remote working and working from home for all members of staff. • We have eliminated the use of on-premises servers in preference to more energy efficient cloud-based solutions. • In choosing the equipment we use, we prioritise features such as sustainability, energy efficiency and the use of harmful or hard to recycle substances in manufacturing processes and the equipment itself. • We use equipment that has a long useful life. We work with partners that are also committed to reducing their negative impact on the planet. We chose Microsoft Azure, who take their commitment to the environment seriously, as our cloud partner. By partnering with Microsoft, by 2025 our cloud services will use 100% renewable energy, they will be Water positive by 2030 and be Zero-waste certified by 2030.

Pricing

• Price: £800 to £800 a unit a day
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at john@maclarenwest.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.