OCLC (UK) Ltd

WorldShare Management Services

OCLC’s WorldShare® Management Services provide cloud-based library management and discovery applications in an integrated suite, offering librarians a comprehensive and cost-effective way to manage library workflows efficiently, and improve access to library collections and services.

Features

  • An integrated suite of cloud-based applications
  • Offers both discovery and management applications in a single suite
  • Draws on WorldCat for the data that powers its applications
  • Provides unified acquisitions for both physical and electronic collections
  • Data security, data backups and preservation are provided for you
  • All interfaces are optimised for mobile devices
  • Allows unprecedented opportunities for sharing routine workflow tasks
  • Provides what you require to create and share applications collectively

Benefits

  • Greater efficiencies in library management workflows are delivered
  • No additional costs in having to acquire a discovery tool
  • Build better student experience and focus more resources on innovation
  • All of your acquisitions functions are available in one system
  • Draw on WorldCat® to power your workflows
  • Reduced IT maintenance meaning more time for strategic IT initiatives
  • Less need to spend time and money on security issues
  • Quick and efficient execution of work, saves time and money

Pricing

£10,000.00 to £95,000.00 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.evans@oclc.org. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

6 3 2 7 1 9 2 1 4 1 6 8 3 1 4

Contact

OCLC (UK) Ltd Andrew Evans
Telephone: 01142677500
Email: andrew.evans@oclc.org

Service scope

Software add-on or extension
No
Cloud deployment model
Hybrid cloud
Service constraints
OCLC will notify Institution promptly of any factor, occurrence, or event coming to its attention likely to affect OCLC's ability to meet the Uptime Commitment, or that is likely to cause any material interruption or disruption in the Hosted Services.
Maintenance may occur any Sunday during a 4 hour window and may occasionally be extended. Notice of scheduled maintenance will generally occur 3 days prior to scheduled downtime. In the event emergency maintenance is required, OCLC will make commercially reasonable efforts to notify Institution in advance.
System requirements
Not Applicable

User support

Email or online ticketing support
Email or online ticketing
Support response times
An email response is given immediately to acknowledge receipt of a question and Support assign a call number used to track the query. All customers receive the same level of support. The UK Support Desk opens during UK business hours (Mon – Fri, 09:00 -17:30 and excluding public holidays). Outside of these hours customers can report system issues to our global, Service Operation Centre, which operates 24/7. They deal with critical calls, typically focusing on system availability issues. Lower priority critical calls can be registered via the online ticketing system and will be picked up when the support desk re-opens.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support work to the following SLAs: * Level 1 Definition: An outage or an almost total loss of functionality, SLA Response time 2hrs - SLA for time to fix / provide workaround 24 hours/ * Level 2 Definition: A significant proportion of the system loses functionality, SLA Response time 4hrs - SLA for time to fix / provide workaround 7 days/ * Level 3 Definition: The system does not operate in accordance with the product description, but the Library is still able to use significant elements of the system, SLA Response time 4hrs - SLA for time to fix / provide workaround 20 days. All customers receive the same level of support and support costs are included in the fee for providing and maintaining software. OCLC provides a Technical Services/Cloud support contact person.
Support available to third parties
No

Onboarding and offboarding

Getting started
You will be assigned a designated, PRINCE2 qualified project manager to guide you through the entire implementation process. From the start, they will liaise closely with your key contact to maintain a detailed implementation plan with agreed milestones and timescales. They will arrange and conduct regular project meetings and reports, review and sign-off of key work stages, and maintain a log of any issues arising that require resolution.

The project manager will draw up a Project Initiation Document (PID) in consultation with you and this serves as a jointly owned project document. A full training programme will also be agreed with you as part of this planning process. A session for each module is generally covered. Additionally, the System Administrator will be offered System Configuration training so that proficiency is acquired within the project time-scale. Tailored training sessions are usually delivered online but some onsite training can be requested. Online sessions are recorded allowing you to extend training to absent staff, or use the playback facility for refresher sessions.

Beyond implementation, OCLC customers are well supported by other trainings and documentation on the OCLC WorldShare Community Centre. These are extensive, freely available on a self service basis, and continually updated.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
WMS allows for the migration of data on any change of supplier when the contract ends. Customers may extract data themselves. The following are typical formats for the various categories of data:
- Bibliographic data for print and electronic resources (MARC, MARC XML, Dublin Core, MODS or UNIMARC)
- User data (CSV format, tab-delimited)
- Circulation data (tab delimited or XML via an API)
- Acquisitions (various, or XML via an API)
- License information (various, or XML via an API)
- Collections data, print or subscribed titles (MARC)
End-of-contract process
In accordance with our General Terms and Conditions, either party may terminate the agreement without cause at the end of the initial term or any successive subscription year with at least 30 days prior notice. Notice to terminate shall be in writing, unless the agreement was concluded electronically, in which case the agreement may be cancelled electronically.

OCLC grants customers access to the Bibliographic Data and the Customer Data for 90 days after the end of the Agreement to export it in accordance with the applicable Terms and Conditions. OCLC for their part shall destroy the Internal Data or delete it from the OCLC Systems not more than 90 days after the end of the agreement.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile and the desktop services are the same, accessed via the same URL, with no separate mobile 'app'. The mobile version has a responsive design and automatically renders the screen to fit the device you are working on, meaning no awkward scrolling but instead, a clean looking, easy to use interface.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
WorldCat Discovery is accessible and usable on any device providing a rich feature set that facilitates the user journey. Features include automatic device detection - the user interface resizes, reformats and intelligently displays on the screen size are available.

The WMS staff interface has user friendly, easy-to-apply, customisable features. Staff can include or exclude elements from the screen layouts during a session.

WMS and WorldCat Discovery configure automatically to the most appropriate user view on desktop, tablet, phone or other mobile device. No add-ons or mobile apps are required and no separate configuration is required.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
WorldCat Discovery uses standard HTML and follows the design principles of the WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications) specification to make the discovery interface more accessible for adaptive technologies. Both WMS and WorldCat Discovery are compatible with assistive technology, such as screen magnifiers and screen readers. If a device and its browser also support such software, then text to speech functionality can be enabled by the user.

OCLC has successfully tested the following screen readers with WMS and WorldCat Discovery:
• JAWS from Freedom Scientific
• Read&Write from Texthelp Systems
• ZoomText from Ai Squared.
API
Yes
What users can and can't do using the API
OCLC offers approximately 25 APIs covering all aspects of WMS. Every WMS library has access to all APIs at no additional cost. A complete listing of APIs with documentation can be found at: https://www.oclc.org/developer/develop/web-services.en.html.

The pre-requisites for working with our APIs are detailed here:
https://www.oclc.org/developer/develop/worldshare-platform/support/prerequisites.en.html
At the application level, API users are required to be authenticated and then must submit a request for a developer WSkey. In addition, some OCLC web services perform verification at the user level (using either, principalID and principalIDNS values, or an Access Token).
We have a GitHub Repository to record changes, and user-created code libraries for handy shortcuts.

Our goal is to make APIs and Web services as broadly accessible as possible. However, given that data is linked to institutional, rather than individual criteria, eligibility rules vary for each Web service area. Please refer to the particular documentation for each service, which describes any specifics.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Intuitive and responsive design for end-users means minimal customisations by individuals are necessary. Options exist for switching language, formats for exporting or sharing references, creating and maintaining personal lists.
By contrast, several customisable elements exist in the user interface governed by library staff:
Visually, the search interface may be branded with Institution’s logo, strapline and colour. You can also choose whether to show enriched content such as dust jackets and Google previews.
Functionally, you may add custom quick links, embed the search box elsewhere (and create custom tabs to guide users), specify a default search scope, operate separate policies for branches, manage the order of your database listing, switch on an A-Z list of e-journals /e-books, and control the display of fulfilment options based on local policies.
Major customisations in the staff interface include:
granular role based permissions so staff only need to see modules and access functions which are central to their role, specific alerts for key events such as license renewals, a gear box to select preferred individual default settings, such as viewing text or MARC code cataloguing fields.
Customisations are controlled via the Admin or Configuration module, accessible to staff members with the role of ‘super-user’.

Scaling

Independence of resources
Our Webscale services are highly scalable, and can support any number of simultaneous users without negatively affecting system performance. Performance will be monitored to ensure that response time meets quality standards that have been set.
WMS achieves scale and robustness through horizontal partitioning. A partition is defined by the subset of institutions it serves.
For scale, we deploy multiple copies of each service, with each instance serving one or more partitions. As more institutions come online and load increases, we add partitions and deploy additional service instances across additional hardware. Therefore, each service, partition and institution is scaled independently.

Analytics

Service usage metrics
Yes
Metrics types
We offer 100 inclusive, ready-to-use reports which do not require any additional software. Many modules enable staff to immediately generate and download relevant, real-time metrics, such as: Budget Summary (Acquisitions), Hold Shelf Lists (Circulation), Requests for non-stock items (Inter-Library Loans), or COUNTER statistics for e-resources (Licences). Mixed presentation formats are used, typically tables and pie-charts.
In addition, the Analytics module provides access to data we have transferred to warehouse. The currency of these is variable due to our data normalisation processes (currently 1 month behind for cataloguing and 1 day behind for all other metrics).
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
Physical security within the data centre allows only authorised staff to have access to the servers. This includes biometric mechanisms for staff identification. Logical access control allows only authorised staff or users to have appropriate access to data. Identity management data is encrypted at rest. Data is encrypted at rest using AES-256 encryption.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Customers will be granted access to the relevant secure file areas to extract and export their data to their chosen destination. This does not require OCLC intervention. Please refer to the preceding answer for format options.
Data export formats
  • CSV
  • Other
Other data export formats
  • MARC
  • MARC XML
Data import formats
  • CSV
  • Other
Other data import formats
  • MARC
  • MARC XML

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Other
Other protection within supplier network
While we do not encrypt traffic within a data centre, all traffic between data centres is encrypted using Legacy SSL and TLS (1.2). Robust perimeter controls ensure that no unencrypted private traffic flows across the internet. We employ state of the art Intrusion Detection Systems and user enterprise-grade anti virus protection on our Windows servers. Since our public APIs are exposed to the internet, client traffic to and from those APIs is encrypted.

Availability and resilience

Guaranteed availability
Our SLA states an Uptime Commitment of 99.5%. All software applications are monitored 24x7x365 and alerts are captured in both log files and a centralised internal dashboard which is proactively managed by IT specialists. Customers may choose to sign up for global system alerts and associated updates about resolution.

With regard to the LMS performance, we aim for 95% of transactions to complete within three seconds across 10 minute reporting windows during office hours (measured from system ingress point to system egress point, thus excluding network transit time beyond OCLC data centres).

UK Helpdesk available 09:00 - 17:30 Monday–Friday. High priority calls are answered via the global support desks, available 24/7. The UK Support team is made up of nine analysts. Response times relate to the urgency rating of a call: Critical – 2hrs response with a fix or work-around within 4 hrs (average resolution achieved 1hr, 55 mins) ; High – 4 hrs response with a fix or work-around within 7 days (average resolution achieved 6 hrs) ; Medium – 4 hrs response with a fix or work-around within 20 days (average resolution achieved 9 days).
We have no case of refunding for failure to meet these standards.
Approach to resilience
Information on how our service is designed to be resilient is available on request.
Outage reporting
Customers may sign up for global system alerts and any associated resolution updates. This can be via email or RSS feed.

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
A customer institution may choose identity federation with their existing IDP or we may provide an IDP (and thus username/password). OCLC will consider joining a regional identity federation to support authentication. We support existing IDPs running SAML2 SP initiated Web Browser SSO profile[1], Central Authentication System (CAS, version 2 & 3), and LDAP. OpenID Connect is planned.

[1] often referred to as shibboleth; see Section 4.1 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf and https://en.wikipedia.org/wiki/Shibboleth_Single_Sign-on_architecture
Access restrictions in management interfaces and support channels
Customers authenticate to the management interface with their own or OCLC’s IDP. Customer administrators assign roles that authorise access to protected interfaces as needed by individual staff.

OCLC support staff use an OCLC IDP to be authenticated and roles to be authorised to access protected interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
02/04/2020
What the ISO/IEC 27001 doesn’t cover
Control A.18.1.5 has been declared not applicable because OCLC does not create, manage, or export cryptographic controlled items.
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
05/04/2022
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
Note Applicable
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • ISO/IEC 27018:2019
  • ISO/IEC 27701:2019, SOC Type II

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO/IEC 27018:2019, ISO/IEC 27701:2019, SOC Type II
Information security policies and processes
The Head of Global Security is responsible for implementing the Information Security Policy, and this position reports to the Chief Information Officer (CIO). The CIO reports to the Chief Executive Officer (CEO). Our policies follow the ISO 27001:2013 standard, and we will be happy to review them with you on request. Yearly ISO 27001 audits ensure that we comply with our policies, and internal security staff routinely engages with other staff to ensure policies are considered and addressed during development and deployment.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Non-trivial changes are reviewed for potential security impact. Otherwise, the change management process implements the controls recommended in ISO 27001. Specifically, we implement strict segregation of duties by allowing only select staff to deploy changes, and only after the changes are reviewed by the Change Review Board. The CRB is made up of a diverse team tasked with ensuring changes are appropriate and correctly implemented. Software changes are versioned and can be rapidly rolled back. All changes are tracked through a central change management system subject to management oversight.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We conduct vulnerability scans monthly to identify potential threats. A team consisting of security and support staff review each vulnerability for its severity and potential impact on the business. We deploy patches as needed based on our analysis, and we have a process for handling emergency/critical patches. We use vulnerability scans, vendor security bulletins, and trusted news sources to keep informed of potential threats. We also rely on the Common Vulnerability Enumeration and follow the principles of the Common Vulnerability Scoring System.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use an industry-leading IDS to monitor incoming and outgoing traffic. We closely monitor system performance for early indication of security issues. We preserve audit logs for at least six months and use those logs for diagnostic and forensic purposes. OCLC maintains a robust Incident Response process, and we conduct annual training on that process.
Incident management type
Supplier-defined controls
Incident management approach
Users can report events through the website or by calling the OCLC service desk. Operations has a full runbook detailing how to respond to common events. OCLC also maintains a full escalation matrix that defines critical staff to involve for each product and service. Should an incident require it, OCLC has a time-tested Computer Incident Response Procedure that is reviewed annually by the Director of Global Security. This procedure defines the team and the individual roles to handle an incident. We maintain a website for customers to monitor overall system health.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Covid-19 recovery

Covid-19 recovery

As a company, OCLC were able to transition staff to homeworking successfully for two years, without the need to reduce headcount. Staff were supported remotely during this time with ongoing communications and provisions to allow for them to continue working successfully. Staff have come to appreciate the flexibility we have found in our remote workplace over the last two years and OCLC are now in the process of returning to the office in a hybrid model, allowing for flexibility and the ability to quickly send our staff to work fully remote if needed.
All OCLC offices follow local legislation and guidelines regarding health and safety measures, and appropriate measures have been taken to ensure offices are safe for return. We are adopting a hybrid format that balances the need for flexibility, in-person engagement, and dedicated workspaces and technology that allow us to give our best to the customers who rely on OCLC’s products and services to serve their communities. This approach allows us to maintain and foster OCLC’s collaborative culture.
Consistent, in-person engagement allows important aspects of a healthy workplace to thrive, including mentoring, diversity and inclusion, problem-solving, creativity, and relationship-building.
In addition, the REALM research project www.oclc.org/realm conducted by OCLC, the Institute of Museum and Library Services, and Battelle, was set up to produce and distribute science-based COVID-19 information that can aid local decision making regarding operations of archives, libraries, and museums.
The project has:
Collected and summarised research related to the COVID-19 virus that may be applicable to the collections, operations, and facilities of archives, libraries, and museums.
Completed and published a laboratory study on how the COVID-19 virus interacts with materials commonly handled by staff and public in those facilities.
Produced toolkit resources that support operational and other decision making, specific to cultural heritage institutions.
Equal opportunity

Equal opportunity

OCLC is an equal opportunity employer. Employment practices are based on ability and performance, including hiring, promotions, training and development, compensation, and disciplinary actions. OCLC does not discriminate on the basis of race, colour, religion, national origin, sex, age, marital status, non-disqualifying physical or mental disability, veteran status, sexual orientation, political affiliation, and/or any other lawfully protected classification in the state, country, or province in which the employee is employed. Reasonable accommodation is provided in accordance with the law to advance employment opportunities for qualified individuals with physical or mental disabilities and disabled veterans.
Our diverse workforce is a tremendous asset. Valuing each associate as a unique and talented individual leads to a more productive and fulfilling work environment. Inclusion at OCLC is defined as “an active strategic process that values and leverages similarities and differences in order to accomplish a common goal.”
The Inclusion Initiative has the following primary aims:
To cultivate a corporate culture that promotes, understands the value of, and knows how to leverage a wide array of perspectives in the conviction that inclusive thinking will improve solutions for libraries and the diversity of people they serve.
To promote understanding of social and cultural contexts so that OCLC can operate effectively in the markets it serves.
To promote a work environment where every person within OCLC can feel significant, valued, and influential, thereby building broad commitment and ownership for the work of the cooperative. OCLC is committed to advancing equity, diversity, and inclusion https://www.oclc.org/en/about/diversity-and-advancing-racial-equity.html
Our organization has a strong sense of public purpose and we commit to evaluating and calibrating our practices and policies. One initiative is Reimagine Descriptive Workflows https://www.oclc.org/research/areas/community-catalysts/reimagine-descriptive-workflows.html
The report Reimagine Descriptive Workflows: A Community-informed Agenda for Reparative and Inclusive Descriptive Practice, synthesizes the findings from research and ongoing operational work.
Wellbeing

Wellbeing

OCLC offers valuable benefits to protect the health and the wellbeing of employees and their families. OCLC promotes and encourages a healthy lifestyle, helping employees to live happier and healthier and aims to support staff to improve their health and make positive changes.

Some of the initiatives offered at OCLC UK include private medical insurance, flu vaccinations, eye care vouchers, a cycle to work scheme, as well an employee assistance program which gives employees and their family members access to expert guidance and specialist support on any kind of issue – from everyday matters to more serious wellbeing problems. This includes guidance on family relationships, dealing with conflict and debt management, as well as online tools such videos and podcasts on staying healthy.

Regular initiatives within the office such as yoga sessions, fresh fruit, and massages are also made available to staff.

OCLC UK also has its own Mental Health First Aider based at the Sheffield office who regularly promotes and communicates wellbeing advice. They are a point of contact if an employee or someone they are concerned about are experiencing a mental health issue or emotional distress and can give employees initial support and signpost them to appropriate help if required.

In recognition of our international teamwork and collaborative culture, we also encourage a flexible working environment and will endeavour to support our people, where possible, in alternative working patterns to support a healthy work life balance. This also aligns with our new hybrid working model, allowing employees to work from both the office and home flexibly.

Pricing

Price
£10,000.00 to £95,000.00 a unit a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Upon request, OCLC may grant a temporary password to a demo version of WMS. This permits exploration of the various modules using existing test data.
A sandbox environment is provided for developers working with Platform APIs. This can be used to test applications before taking them into production.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.evans@oclc.org. Tell them what format you need. It will help if you say what assistive technology you use.