WorkInConfidence: Anonymous Speak Up & Case Management

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No
System requirements: Staff have internet access (PC, tablet or phone)

Browser access (Edge, Chrome, Safari, Firefox, Opera)

User support

Email or online ticketing support: Email or online ticketing
Support response times: Initial response usually within 1 business hour but always within one business day (9-5 business days).
Weekends and holidays usually picked up within 24 hrs.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
Web chat accessibility testing: The web chat widget is Level one (A) compliant and satisfies some Level two (AA) requirements. Testing has been done on the plug in.
Onsite support: Yes, at extra cost
Support levels: We provide a single level of support for all clients which includes phone, email and online chat support.

The cost of support is included within the user licence fee with the only additional costs being any site visits requested by the client.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: When a new client starts using WorkInConfidence they are allocated an account manager who works with them through the on-boarding process to ensure a successful launch. This includes providing materials to guide them through the pre-launch process, online administration training, and marketing collateral. The client also gets access to our comprehensive online support area with resources for administrators, managers and users. The account manager then works with the client regularly post-launch to ensure that they continue to get the best out of WorkInConfidence.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: For anonymous conversation and case management, clients (appropriate manager) can download PDF copies of dialogues including any manager notes and case details.
For case management and anonymous conversation core key details of cases can be downloaded as .csv.
System use metrics and reports can also be downloaded as PDF or csv.
End-of-contract process: If any organisation ceases to be a client of WorkInConfidence, we will remove all of its data and that of its staff/users within three months of their ceasing to be a client. Alternatively, the client may choose to have a paid 12 months run off period after which the data would be deleted three months post that.
Clients can access data per above.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Yes the service is mobile optimised. When accessed from a mobile device (smartphone or tablet) the pages reformat to fit the size of the device in question. Core functionality is the same.
Service interface: No
User support accessibility: WCAG 2.1 AA or EN 301 549
API: No
Customisation available: Yes
Description of customisation: WorkInConfidence is highly customisable putting the client in control of how they use it. Client's (own) administrators can easily control settings and administer the system through their own interface.
System wide configuration includes:
Tailoring of messaging on landing pages and inside the system:
Which of the facets – anonymous speak up, open case logging, surveys and forums - staff have access to:
Who has admin and management rights:
Which publicity routes are accessed:
Which of four available registration routes staff can utilise (work mail, any mail and registration code, no mail or bulk upload).
Anonymous speak up configuration includes: Which topics and which management responders are on the system, and whether particular topics are directed to suggested manager most suitable to handle them
Whether anonymous dialogue is entirely 1:1 with a manager or shared with the primary admin or other managers at the end; format of reporting; periods for reminders, periods of suspension (for anti-misuse).
Case Management allows creation of your own fields, templates for notes and reports.
Format of reports.

Scaling

Independence of resources: The WorkInConfidence service is automatically monitored to ensure that there is always sufficient capacity to meet the needs of all clients. Any potential issues are highlighted and additional capacity can be added within 30 minutes.

Analytics

Service usage metrics: Yes
Metrics types: Administrators/Reports Access can access 1. number of conversations raised by category and manager 2. conversations raised by “pick list” - this is bespoke to each client but a pick list could be location or grade 3. conversations open by manager, showing when the last message was responded to 4. ratings by manager on how timely and useful was the response 5. Shared learnings / outcomes. 6. closure rates and average response times by manager. Admins can apply filters to reports and save them as a new report. Clients can request bespoke reports within the limits of the system from support.
Reporting types: Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Encryption of all physical media

Other
Other data at rest protection approach: All personal identifiable information and dialogues are encrypted.
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Data export approach
Conversations and management reports may be downloaded via the user interface in pdf format. Given the sensitive nature of data wholesale export is not possible .
For case management key details of cases can be downloaded as .csv.
Reports can be exported via pdf or .csv.
Data export formats: CSV

Other
Other data export formats: PDF

Csv
Data import formats: CSV

Other
Other data import formats: XLS

XLSX

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We aim to be available at least 99.5% of the time, apart from reasonable scheduled maintenance (either outside normal business hours or up to 1 day per quarter). Historically we have exceeded 99.9% availability. If we exceed this downtime, clients are entitled to 7 days free for each day we have been down as long as they request it within 28 days of the outage.
Approach to resilience: WorkInConfidence is hosted on Amazon's AWS infrastructure used by many large organisations. We chose to partner with Amazon because of their work in this area. More details are available from the AWS website or directly from WorkInConfidence.
Outage reporting: There is a public dashboard at: https://status.workinconfidence.com/

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Username or password
Access restrictions in management interfaces and support channels: Access restrictions in management interfaces and support channels
The administration areas of all clients instances of WorkInConfidence are protected via username and password. The system insists on strong passwords of at least eight characters with upper and lower case letters and numbers. Users of the system have the ability to set up Multi Factor Authentication. We recommend this for Admin Users and Managers. Users can choose to mandate MFA for either all users or Manager/admin users.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials

IASME Governance standard

NHS Digital Toolkit

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: IASME Governance standard
Information security policies and processes: WorkInConfidence has:
1. Clarity on what is collected, what purposes and how stored. This is clearly documented in Privacy policies and a further internal policy;
2. Technical measures to guard security and privacy. The CTO is in charge of this, and has close oversight of all aspects of the build and operations of the Company’s services. This is discussed regularly with the CEO and also in every board report there is an update, also highlighting any areas of security risk;
3. Organisational measures. All staff are required to be aware of the organisation’s security policies and processes, and are trained and are regularly updated on these. Any third parties working with us have to sign up to and adhere to these.
Any security risk is required to be notified to the CEO and COO immediately.
To support each of these the Company and has clearly documented policies and procedures, a log of who has been trained and when last updated. These include User Privacy Policy, Password Policy, Mobile Device Policy, Retention Policy, Incident Response Policy, Confidential Data Policy.
The above are reviewed and updated at least semi-annually and any key changes highlighted to the Board.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All components of the service are under configuration control (source control via git) and all changes are reviewed and tested with a view on security before being applied to the live service.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Potential threat information comes from a variety of sources such as our hosting provider for hardware and OS information, the providers of the development language and framework we use. These and other sources are used to determine the priority and the speed with which any are implement. For OS related patches these are typically applied weekly and for framework changes at the next major release unless it is considered a security risk in which case it would be hot-fixed.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Many steps are taken to ensure that the service cannot be compromised but we actively monitor the logs for unusual activity or activity from outside of known parameters. If an anomaly is detected it is flagged up via both email and instant notification to support staff. This is then investigated immediately to see if there has been an issue and steps taken accordingly.
Incident management type: Supplier-defined controls
Incident management approach: Incidents flagged up during routine monitoring will be dealt with through company policy. User can report incidents either through our website or via our dedicated email address: security@workinconfidence.com.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Social Value

Equal opportunity
Wellbeing

Equal opportunity

As part of ensuring equal opportunities, it is critical that organisations understand the problems different parts of the workforce face, whether and how those vary by different group and whether all groups feel treated fairly and have access to equal opportunities.

However, it can be hard for relevant groups to express their views. The WorkInConfidence platform enables people to give feedback in a safe and trusted way.

Staff have their identities protected – whether using the Anonymous Speak Up or survey aspects of the platform. At the same time, organisations and their management can get a clearer picture on whether different groups are equally engaged, treated with equal respect, feel they have equal opportunities and equally affected by issues around wellness.

By helping create understanding and giving equality of voice, WorkInConfidence provides a powerful boost to ensuring equal opportunities.

Wellbeing

WorkInConfidence is designed to deliver more respectful, more engaged organisations. There is a major problem with staff who have problems in areas like respect, bullying, harassment and poor behaviours often feeling unable to raise them. These problems contribute in turn to hugely diminished wellbeing for both those who experience the problems and colleagues who witness them. Repeatedly, however, staff feel unable to raise problems through fear of repercussions, lack of psychological safety and belief that nothing will happen. WorkInConfidence is designed to enable staff to raise problems of concerns without fear giving organisations better opportunities to tackle them. At the same time as giving staff the safety to raise problems, the case management facility in the platform ensures that cases can be properly recorded and tracked to satisfactory conclusion. Clear central reporting gives organisations a more joined up picture of problems, how they are dealt with and what learnings have been made and shared to minimise problems going forward. Alongside this the surveys help organisations to understand whether they are in the right place with Wellbeing so remedial measures can be taken if they are not.

Pricing

Price: £0.05 to £0.92 a user a month
Discount for educational organisations: Yes
Free trial available: No

WorkInConfidence: Anonymous Speak Up & Case Management

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

WorkInConfidence: Anonymous Speak Up & Case Management

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents