Atlantic Data

Disclosures Manager - Disclosure and Barring Service (DBS) services

Atlantic Data's Disclosures service provides organizations with an online platform for processing, administering, and managing criminal record checks. This service connects directly to the DBS through its eBulk service. Disclosures Manager is highly configurable with a comprehensive suite of management tools to assist organisations to manage and oversee these checks.

Features

• Comprehensive, online criminal record check system
• Secure user access
• Electronic record of applicant's identity check
• Internal user and applicant dashboard to track DBS applications
• Comprehensive management reports covering the entire process
• Administrator functions and user-management
• Flexible charging arrangements, including online billing
• Comprehensive validation to ensure completeness and accuracy of DBS applications
• Fast turnaround between submission and final result
• Configuration options available, including API integration

Benefits

• Advanced technical capability in processing DBS criminal record applications
• Minimises application intervention
• Available in other languages
• Eligibility and Entitlement controls
• in Screen Support Guidance for users
• Supplementary background screening optional
• Enhanced security
• API Integration
• Disclosure Scotland and DBS services approved

£3.00 to £7.50 a transaction

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud-enquiries@atlanticdata.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

733292166000655

Contact

Client Services team
0333 320 7300
gcloud-enquiries@atlanticdata.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Digital Identity and Right-to-Work Services; Other Background Screening Services
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements: Service is accessible via any internet-enabled PC or device

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Questions can be submitted via telephone, email or a built-in secure messaging facility.; ; An initial response to e-mails and messages is provided same working day. If the matter cannot be dealt with on the first contact, a priority approach is adopted whereby the most critical of technical issues are dealt with as a high priority.; ; The majority of queries relate to DBS processes such as new applicant data not matching previous application data held on record by the DBS.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: WCAG2.1AA compliance by testing against assistive technologies, such as JAWS Screen Reader and Zoom Text Screen Magnification software.
• Onsite support: No
• Support levels: Support for users of the Disclosures system is via a helpdesk and/or client relationship management team. Both of these support services are available 9am to 5pm. Each of these teams offer a level of technical support and are able to resolve the vast majority of technical issues. Specialist technical support is available via a priority-based ticketing system, which the helpdesk support advisers and relationship management team have access to.; ; Customers qualify for a dedicated account manager as primary contact for support. These customers are provided a unique email address and contact point.; ; Support is included in annual account maintenance fees.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Client User On-boarding is a pre-planned phase within all new client user start-ups or launches. Disclosures and Disclosures Manager is intuitive and is provided with short 3 step training and initiation program of videos. Onsite training is available. The service Quick Start Guide and video tutorials have proved highly successful and meet most organisations training requirements. ; ; The Quick Start Guide is an online training module which takes users through the key functions of the system upon registration. Video tutorials provide more in-depth training on how to use key functionality within the system.; ; An additional Inline help service is available to users throughout the Disclosures system. This aspect provides additional support to users about important key considerations such as name history or middle names.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Certain Disclosures reports allows users to extract data at the end of the contract using the API feature. Otherwise this can be managed by Atlantic Data on behalf of its customers.
• End-of-contract process: The off-boarding process is largely straightforward. Atlantic Data will work with the organisation to establish a project requirement and timetable to agree any required actions as part of the transition.; ; If a clients require Atlantic Data to consult or liaise with a new supplier at the end of the contract period, its reasonable costs of doing so would also be agreed with the customer in advance.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Disclosures Manager works on mobile devices with no difference in functionality.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Disclosures is accessible using an internet connection. Authorised users use their login credential together with Dual Factor Authentication security. Senior Client Administrators are able to set Access role rights and permissions i.e. initiating new DBS checks, I.D. check, to access management information and reports relevant to their area of responsibility.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: One of Atlantic Data's key clients is a national disability charity, providing support and services to blind and partially sighted people across the UK, through the provision of guide dogs, mobility and other rehabilitation services. This national charity provided vital assistance to oversee Disclosures' WCAG2.1AA compliance, and by testing against assistive technologies, such as JAWS Screen Reader and Zoom Text Screen Magnification software.
• API: Yes
• What users can and can't do using the API: Disclosures offers API Integration. The API allows users to carry out a range of activities with 3rd party systems e.g.:; - initiating a DBS application invitation; - updating shared information; - DBS application status information; - cancellation applications; ; Atlantic Data is also able to deliver alternative integration solutions, using most technical methods - SFTPS, SQL access and SOAP and REST API's.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The Disclosures Manager service, can be configured to suit the customers' requirements. Customisable aspects are varied, but include:; - job role descriptions specific to the organisation's requirements; - combinations and levels of DBS checks to suit the customer's needs; - users configured within a structure of departments, branches and divisions to reflect the customer's own corporate structure, or physical network of offices.; - an application/information flow which suits the customer's own business processes; - a variety of I.D. check options, including outsourcing to 3rd parties, such as the Post Office; - tailored reports and export data, such as financial information; - corporate branding; - integration with customers' own/third party systems

Scaling

• Independence of resources: Atlantic Data is an IT services organisation with a full technical and IT capability. Atlantic Data supports it own IT server network and infrastructure with a full DR capability. Each client is maintained on their own dedicated virtual instance within Atlantic's cloud service. using Tier one connectivity Atlantic has a proven record on 99% uptime. Dynamic load and resource management enables our IT division to maintain a highly scalable resource centre.; ; This level of infrastructure enables clients and service users to receive consistent high levels of service accessibly.

Analytics

• Service usage metrics: Yes
• Metrics types: Disclosures has a suite of management reports which allow users to track applications, as well as obtain useful MI regarding the organisations Disclosure applications.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The export of data can be achieved in a number of ways. Typically through an API . Bespoke versions of Disclosures contain a customised export facility with fields of data specifically agreed with the customer.; ; Otherwise this can be managed by Atlantic Data on behalf of its customers.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Atlantic Data makes a service level commitment to its clients which guarantees that its online and support services will be available to users between 9am and 5pm. In practice though, the online aspects of the Disclosures system are available 24 hours a day 7 days a week. Disclosures users benefit from a system which boasts in excess of 99% uptime.
• Approach to resilience: As an ISO 27001-certified organisation for IT security management systems, Atlantic Data implements robust measures to ensure resilience. Such measures include SLAs, disaster recovery and business continuity planning, and historic performance demonstrates an uptime in excess of 99%.; ; Further information about the resilience of Atlantic Data's systems are available on request.
• Outage reporting: Atlantic Data maintains a log management service policy. As a part of internal framework authorised systems administrators review the audit trail logs daily. These logs capture and store reports in a centralised log analyser, which proactively triggers alerts on suspicious activity and authentication failures. Root cause analysis processes and procedures address potential security threats and incidents that may occur and appropriate corrective action is taken to address and prevent further occurrences.; ; Where necessary, outages are reported to affected customers via a combination of system messages, public dashboard, email alerts and personal client relationship contact.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Atlantic Data maintains an access control policy, which details the segregation of duties and ensures the confidentiality and integrity of data by restricting access only to authorised personnel.; ; User access is granted only after a formal authorisation process. Most Disclosures systems adopt a role-based access principle. All access is provided by creating unique user credentials which helps in audit trails.; The service is configured with multiple levels of privileges based on the roles, which ensures the confidentiality of the data by segregation of duties. ; ; Support services are provided by utilising registered user passwords.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institution
• ISO/IEC 27001 accreditation date: 28/01/2022 (01/02/2007 was the orginal accreditation)
• What the ISO/IEC 27001 doesn’t cover: The certification covers business process outsourcing services, software development and support, client administration, customer support, DBS umbrella body services, compliance with UK data protection legislation, eBulk services, hosting and web services, support functions such as legal, IT, administration and facilities.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Self-certificated
• PCI DSS accreditation date: 3 April 2020
• What the PCI DSS doesn’t cover: Current Attestation is for PCI level 4
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: ISO 27001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Atlantic Data is ISO 27001-certified. Some of the security measures in place are as follows:-; clear desk and clear screen policy, restricted physical access within the premises to authorised personnel, shred/disposal of sensitive data policies, password policy, physical and environmental controls (e.g. biometric access doors and RFID), encryption of data in transit and at rest, firewall policy, visitor management processes and an annual IT health check.; ; In addition to the above, Atlantic Data has an internal security forum, with representation at board level, to review regular updates on security on a periodic basis and monitor compliance with policies and process.; ; Compliance with policies and processes is also ensured through rigorous training, internal and external audits.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Changes to Atlantic Data's Disclosures systems invariably stem from one of three main sources 1. Changes initiated by a change in process by the DBS; 2. changes requested by the client; 3. changes/modifications/upgrades to the system initiated by Atlantic Data.; ; In any of these cases, Atlantic Data follows a strict change management process as part of its ISO controls. This includes robust tracking and monitoring of all change requests. Before being deployed to a live environment, any changes are tested in a staging environment for QA and assessed for risks, such as any potential impact on security.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Atlantic Data has an Internal Security Forum which regularly reviews updates on security. All systems and the environments they are hosted on are regularly reviewed. Independent IT health checks are conducted and appropriate fixes are applied. The workstation environment is also patched regularly to address vulnerabilities.; ; The IT perimeter is secured using the EAL4+-compliant UTM which acts as the IPS system. The production systems are configured using iptables, firewall, TCP wrappers and application firewalls. All these systems report to a centralised log analyser, which records an audit trail of any incident and triggers alerts on suspicious activity to authorised personnel.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Atlantic Data carries out protective monitoring via a centralised log analyser. This allows authorised systems administrators to review logs on a daily basis. The analyser proactively triggers alerts on any suspicious activity or authentication failures. A root cause analysis process ensures that in the event of any security incidents appropriate and timely corrective action is taken to correct that instances and prevent any future occurrence. Incidents are address immediately.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Atlantic Data's disaster recovery plan and business continuity plans define the processes necessary for the effective restoration/recovery of critical functions. The plans detail strategies for business recovery, plans in the event of communication failure, testing, key employee contact lists, and vendors' emergency contacts. The RTO for IT infrastructure, data and client support is 24 hours.; ; A back-up site is isolated from Atlantic Data's primary location on a TIER 4 datacentre with the same level of security controls and resilience as the primary. The DR site is a mirror of the production set up and capable of the shortest of RPO.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Other
• Other public sector networks: The Disclosures and Barring Service's e-Bulk network

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Wherever possible Atlantic Data will employ an approach that aims to deliver additional environmental benefits in the performance of the contract, including working towards net zero greenhouse gas emissions, influencing staff, suppliers, customers and communities through the delivery of the contract to support environmental protection and improvement.

  Covid-19 recovery

  Wherever possible Atlantic Data will endeavour to adopt activities that, in the delivery of the contract create employment, re-training and other return to work opportunities for those left unemployed by COVID-19; to support people and communities to manage and recover from the impacts of COVID-19, including those worst affected or who are shielding. Where it can, Atlantic Data will also support organisations and businesses to manage and recover from the impacts of COVID-19. It will also support the physical and mental health of people affected by COVID-19, including reducing the demand on health and care services, improve workplace conditions that support the COVID-19 recovery effort including effective social distancing, and sustainable travel solutions.

  Tackling economic inequality

  Wherever possible Atlantic Data will endeavour to adopt activities that, in the delivery of the contract: - Create opportunities for entrepreneurship and help new, small organisations to grow, supporting economic growth and business creation. - Create employment opportunities particularly for those who face barriers to employment and/or who are located in deprived areas. - Create employment and training opportunities, particularly for people in industries with known skills shortages or in high growth sectors. - Support educational attainment relevant to the contract, including training schemes that address skills gaps and result in recognised qualifications. - Influence staff, suppliers, customers and communities through the delivery of the contract to support employment and skills opportunities in high growth sectors.

  Equal opportunity

  In its effort to reduce the disability employment gap Atlantic Data will endeavour wherever possible to adopt activities that: - Demonstrate action to increase the representation of disabled people in the contract workforce. - Support disabled people in developing new skills relevant to the contract, including through training schemes. - Influence staff, suppliers, customers and communities through the delivery of the contract to support disabled people. In order to help tackle workforce inequality, Atlantic Data will carry out activities that: - Demonstrate action to identify and tackle inequality in employment, skills and pay in the contract workforce. - Support in-work progression to help people, including those from disadvantaged or minority groups, to move into higher paid work by developing new skills relevant to the contract. - Demonstrate action to identify and manage the risks of modern slavery in the delivery of the contract, including in the supply chain.

  Wellbeing

  In delivering the service Atlantic Data will endeavour to carry out activities that: - Demonstrate action to support the health and wellbeing, including physical and mental health, in the contract workforce. - Influence staff, suppliers, customers and communities through the delivery of the contract to support health and wellbeing, including physical and mental health.

Pricing

• Price: £3.00 to £7.50 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud-enquiries@atlanticdata.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.