SARD JV

ESR Wrapper API

The ESR Wrapper API allows for connection to the NHS's Electronic Staff Record system.

Through the ESR Wrapper API, ESR data can be accessed through a user interface which is aesthetically pleasing and easy to use. This allows the user to find the information they require.

Features

• Access staff information easily and efficiently
• Multi-level data security (only access to the data needed)
• Easy-to-navigate user interface, developed with the user in mind
• Community-driven and open-source that will continue to grow

Benefits

• Allows an NHS Trust to maintain staff data quality
• Creates a single point of truth for staff records
• Allows for wider workforce system integration
• Group staff by cost centre for financial planning
• Compare cost centres to clinical teams

£5,000 to £100,000 an instance a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris@sardjv.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

863940737297231

Contact

Chris Giles
07840 454821
chris@sardjv.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: ESR Wrapper API is part of our wider workforce management platform. It connects to Medical Job Planning, AHP Job Planning, Medical Revalidation & Appraisal, eRostering, eLeave, Multi-source Feedback /MSF and Capacity and Demand Management
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: No
• System requirements:
  • Internet connection
  • Modern web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Less than 10 seconds when initiated via our chat support system. Within 24 hours (typically less) when outside core chat support hours. Full details of response times are within our SLA.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: Our chat support software supplier ensures WCAG 2.1 AA; https://help.snapengage.com/ada-web-accessibility-for-visitor-chat/
• Onsite support: Onsite support
• Support levels: All clients are provided with an account manager who will liaise with you to answer queries and feature requests. These are then processed as part of our technical triage process.; ; Chat support are able to escalate queries to the on-call software engineer if appropriate.; ; There are no additional costs for our support services.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide onsite and online training to system administrators. We provide chat support to system administrators and we have an account manager that will guide new users through the implementation plan.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • Other
• Other documentation formats:
  • Video guides
  • Webinar recordings
• End-of-contract data extraction: We are able to extract the data as a series of zip files or database backups. We can also provide access to the API for offboarding.
• End-of-contract process: There are no additional costs for offboarding.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There are no differences between our mobile and desktop services. The majority of the system is easier to use on a desktop device due to the nature of the service.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: All of our systems have a freely accessible RESTful API built on Swagger Open API specification standards.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: The UI for the service interface has been tested against WCAG 2.1 AA
• API: Yes
• What users can and can't do using the API: There is a simplistic web based user interface that allows the API administrator to easily navigate the data but the application's primary role is API-first
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: This is an open-source application and therefore clients are able to extend the software, make suggestions for improvements or even contribute to the source code themselves. The API administrator can create API tokens that are scoped to the level required by the consuming application.

Scaling

• Independence of resources: The system is load balanced over multiple web servers that have significant redundancy and contingency built in.

Analytics

• Service usage metrics: Yes
• Metrics types: We can provide ticketing, support and service information for all our end users. There are compliance reports that will show user system engagement.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: They can export data in multiple formats: zip files, CSV, JSON exports or migration when they're moving to another client.
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats: Other
• Other data import formats: The system connects to NHS BSA's FTP servers

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Our service level agreement has an uptime of 99.9%. Please refer to the Service Level Agreement for more detail.
• Approach to resilience: The system consists of multiple application and database servers behind a load balancer. This ensures zero downtime deployments and downtime is not expected within a year, even for maintenance with the exception of large scale database upgrades. These typically take less than an hour.; Further information is available upon request.
• Outage reporting: There's an email notification, announcements on Twitter and our website in the event of an unexpected outage. We have service monitoring software that constantly monitors the health of our services.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Full details are available in our ISMS - available on request
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 05/02/2024
• What the ISO/IEC 27001 doesn’t cover: Our certification covers the design, development, sale and support of IT solutions and software for medical revalidation, nurse revalidation, job planning, appraisals and workforce to the healthcare sector in the UK. The scope covers all data held or processed under the authority of SARDJV Ltd. pursuant to all process and services involved in this operational aim. Physical work locations other than the head office, including employees' homes, are excluded from the scope in terms of physical security as these areas are beyond the company's control to secure. The ISMS does cover the information security aspects of the operational processes conducted at these locations. Information that is not relevant to the operational processes of SARD JV Ltd is also excluded from the scope. While the services provided by off-site data storage facilities are within the scope, the physical boundaries of these facilities are not.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have a full Information Security Management System accredited to ISO27001 that lists all of our policies. The full ISMS is available upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change management is included as part of our full ISMS accredited to the ISO27001 standard. All system changes must be authorised by the CTO who must first assess justification for business and potential negative security impacts. Changes must be deployed and tested according to change control and secure development procedures and are tracked on technical project manager software. We operate an agile environment of continual monitoring.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Full details are available in our ISMS - available on request
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Full details are available in our ISMS - available on request
• Incident management type: Supplier-defined controls
• Incident management approach: Full details are available in our ISMS - available on request

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Climate change is an undeniable challenge of our times. We are fully committed to reducing our carbon footprint through: 1. Providing hybrid or remote working options to all employees to reduce commuter travel. 2. Maintaining regional workspaces to reduce commuting distance for local employees. 3. Ensuring that all meetings that would otherwise require travel, are conducted online wherever possible. 4. Using technological solutions to work towards a paper-free office environment. 5. Reducing single-use plastics in our operations and promoting the recyclability of products used. 6. Implementing energy-efficient technologies and practices to further decrease our energy consumption where possible.

  Covid-19 recovery

  The Covid-19 pandemic affected us all, and as we navigate this new reality, we are dedicated to supporting individuals impacted by COVID-19 in the following ways: 1. Creating work opportunities for those disproportionately affected by the pandemic where available. 2. Allowing our staff to continue to work from home if they feel they are vulnerable to COVID-19 and/or are still uncomfortable with an in person return. 3. Providing health and wellness resources to support mental and physical well-being during the ongoing recovery period. 4. Offering flexible scheduling and other accommodations to meet the diverse needs of our workforce as they adjust to post-pandemic life.

  Tackling economic inequality

  Economic stability is intertwined with societal well-being. We are determined to: 1. Regular pay-scale assessments and employee feedback. 2. We pay at least the London Living Wage across our sites whether in and out of London. 3. Advocate for policies that support flexible working and facilitate better work-life balance. 4. Providing training and advancement opportunities to enable career growth and economic mobility for all employees. 5. Partnering with community organisations to support local economic development and increase employment opportunities.

  Equal opportunity

  We staunchly believe in promoting diversity and ensuring equal opportunity for all. 1. We offer opportunities for training and skills development throughout the organisation, including areas of employee interest that may not be directly linked to their current role. 2. We regularly review pay scales to ensure equality and fairness regardless of demographic. 3. Implementing inclusive hiring practices to broaden representation within our workforce.

  Wellbeing

  The wellbeing of our employees and stakeholders is paramount. 1. Regular well-being assessments, feedback sessions and appraisals with all staff. 2. Hosting and promoting programmes that support both physical and mental health for our staff. 3. Facilitating volunteer hours for our staff in health-focused charities and initiatives. 4. Providing access to professional mental health support and resources, including counselling and stress management workshops if requested. 5. Encouraging a culture of work-life balance with flexible work hours and the option for remote work wherever feasible.

Pricing

• Price: £5,000 to £100,000 an instance a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris@sardjv.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.