SH:24 C.I.C.

SH:24 Digital Sexual & Reproductive Health Service - Online STI Testing

SH:24 is a not-for-profit CIC committed to delivering the highest quality, user-centred digital SRH services in partnership with the NHS and public health. CQC-rated 'Outstanding' our service includes fully-accessible web-portal (ordering, support information and decision-support tools) and cloud-based EPR 'Admin', integrated with industry-leading and resilient laboratory and pharmacy partners.

Features

• Holistic and responsive service design, tailored to local population needs
• Rapid service mobilisation and clinic onboarding within two-four weeks
• CQC-rated 'Outstanding' clinical and safeguarding pathways
• 'Talk to us by text' enables rapid and convenient user-support
• Personalised support and realtime tools to help you manage demand
• Multi-channel user support at every service interaction
• Dedicated multidisciplinary team working to continually improve the service
• Added resilience through integration with multiple laboratories and pharmacies
• Continuously improving services in response to feedback from all users
• Commitment to validating innovative services through robust academic evaluation

Benefits

• Provide the most cost-effective targeting of your priority groups
• Modify your service-offer and targeting for free and at pace
• Manage demand easily with realtime data, supported by bespoke analysis
• Co-designed clinical support to maximise resources and continuity of care
• Provide holistic and quality online information and decision-support tools
• Support service-users to self-manage through optional Personal Health Records
• Interoperable EPR will integrate with your clinic-based EPR system
• Rapid turnaround times for kit dispatch, pathology and prescribing
• Strong partnership working to refine service provision through data insights

£5.25 to £175.00 a transaction

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sh24.info@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

909500956892427

Contact

Graham Pomery
020 3318 7609
sh24.info@nhs.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Hybrid cloud
• Service constraints: None
• System requirements: Internet-access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a multidisciplinary team (clinical, customer service and business support) that supports service-users, clinic partners and commissioners, 8 hours a day, 7 days per week, via email, text or phone. We respond to all queries within 24 hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: SH:24 provides the same level of unrivalled support to all service-users at every service interaction, clinic partners and commissioners. This includes a dedicated contract manager who provides personalised support, monitoring and reporting on service delivery performance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Before launch, we bring together Customer stakeholders in a strategy and service design session to explore and define the service offer.; ; For anyone accessing our Electronic Patient Record (Admin) we then provide full onboarding training including briefings and small group sessions tailored around:; 1. the service-user journey.; 2. utilising/navigating the platform.; 3. online/clinic service integration.; ; Staff with Admin access are provided with a digital handbook and access to videos which demonstrate how to access and manage client records.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We provide Customers with access to their disaggregated dataset throughout and on completion of the contract. ; ; SH:24’s data warehouse (supported by software called Databricks) facilitates timely access to download this dataset on demand. ; ; We also offer Customers alternatives to this such as encrypted file transfer via secure public sector (NHS) email or secure transmission via an S6 bucket to the Customer's data warehouse at pre-agreed intervals. ; ; The dataset includes all pseudo-anonymised individual information covering orders, results (including cut-off indexes), demographics and risk-assessment / triage responses. Backing data is usually provided in XLS and CSV format. Datasets can contain the full range of all non-PID data fields collected, or be tailored to provide only the data required.
• End-of-contract process: We work with the Customer to: ; 1. agree dates to remove access to our order platform and our Electronic Patient Record (Admin). ; 2. provide a final invoice for our service; 3. provide a final data transfer and agree the data retention period.; ; We will always process test kits returned after these dates at no additional cost to the Customer.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: No
• Customisation available: Yes
• Description of customisation: Customers determine the type services offered and who is eligible for each. Customers determine what STI tests are offered to users based on their responses to the online risk assessment, this includes the option for service-users to opt-in and/or opt-out of any recommended tests. Clinical management and communication of results can be customised depending on the Customer's preference. Configuration is flexible and can be modified at any point throughout the delivery period.

Scaling

• Independence of resources: User data is hosted in Amazon Web Services’ (AWS) ISO27001 accredited secure data centre environment. Our cloud servers are located in AWS’s facility in London and leverage multi-availability-zone deployments (built to be independent and physically separated from one another). ; ; We utilise a self-healing orchestration platform to ensure that our applications are always available. This also allows us to easily scale resources to meet unexpected demand.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide the following metrics:; 1. activity against targets and affordability limits; 2. activity uptake in key demographics such as age, gender and ethnicity and in key populations; 3. activity and positivity mapped by LSOA ; 4. performance metrics against agreed KPIs and channels (online and user-activated test kit sites) such as positivity, return rate; 5. bespoke analysis on changes in service usage and outcomes
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Our electronic patient record (EPR), Admin, provides real-time data for Customers and their staff, including clinicians, service managers and commissioners – appropriate access is determined by need.; ; We also provide Customers with detailed monthly reports of performance against agreed KPIs.; ; Customers have access to their disaggregated dataset throughout the contract. SH:24’s data warehouse (supported by software called Databricks) facilitates timely access to download this dataset on demand. ; ; We also offer alternatives to this such as encrypted file transfer via secure public sector (NHS) email or secure transmission via an S6 bucket to the Customer's data warehouse at pre-agreed intervals.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We guarantee 24/7 availability. ; ; SH:24 services are designed using high-availability, fault tolerant patterns. Our website is decoupled from the CRS so that maintenance can be performed without any impact on service-users. ; ; We utilise a self-healing orchestration platform to ensure that our applications are always available. This also allows us to easily scale resources to meet unexpected demand.; ; All of our underlying infrastructure is hosted across multiple AWS availability-zones to ensure physical redundancy of resources.
• Approach to resilience: Available on request
• Outage reporting: Maintenance pages provide information about how to get in contact in case of backend failure. Outages also reported on social media and delivered via email to all relevant parties including our customers.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Admin users’ access is restricted to specific information according to clearance level and function of role. Permissions are based upon a strictly need-to-know / data minimisation basis. Access is managed centrally by SH:24’s Risk and Compliance Team. The management of access rights is subject to regular compliance checks to ensure that users are complying with their duty to use their access rights in an appropriate manner.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • NHS Digital's DSP Toolkit
  • NHS Digital's DCB 0129 and 0160 compliant

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: SH:24 fully integrates data protection into processing activities, business practices, and service development throughout the development lifecycle – from the initial design stage through to live optimisation. As part of its agile and design-led approach (strongly influenced by Government Digital Services approach), SH:24 has; consistently practiced data protection by design and default, providing a strong foundation for the legal requirement codified in Article 25 of the UK/EU GDPR and the Data Protection Act (2018).
• Information security policies and processes: We have board-level oversight of the implementation of our information security policies and procedures. The Senior Information Risk Owner (Operations Director) reports to the IG lead (CEO) on a fortnightly basis regarding information risk and on a monthly basis to SH:24’s Directors’ Group and quality, information governance and risk management meeting.; ; SH:24’s approach to information security is underpinned by comprehensive policies, procedures and supporting guidance to support staff compliance. Some have been listed below (full list available on request):; ; • Access Control Guidance and Procedure; • Records Management and Retention Policy; • Information Handling Guidance and Procedure; • Use of Mobile Computing Devices Guidance and Procedure.; ; All SH:24 staff are required to complete the NHS Digital Data Security Training and sign a confidentiality code of conduct that makes it a disciplinary offence to breach information security policies and procedures.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a structured change control process is in place to manage changes to our ICT system. It is fully embedded within our development process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Regular audits of our system security including penetration testing are conducted by an accredited third-party. This occurs every 12 months and when new code is deployed. No vulnerabilities have ever been identified. ; ; Urgent security patches are automated and deployed daily. Non-urgent updates are deployed as soon as convenient; we regularly deploy at least 10 times in a month.; ; Any security issue which is not addressed by the automated update process is considered the highest priority for the team, with other work paused until it has been addressed.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Available on request
• Incident management type: Supplier-defined controls
• Incident management approach: We maintain a Data Breach Register of all breaches and near misses occurring within the organisation. This register of breaches and the resulting actions taken inform our policies and procedures. ; ; We use the Health and Social Care Information Centre Breach Assessment Grid and the ICO guidelines to assess whether an incident is reportable. We inform, where appropriate, the Information Commissioner, Department of Health and other regulators via the Data Security and Protection Toolkit and ICO reporting tool. We then inform the Data subjects and escalate our report to other relevant parties as appropriate.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Travel by staff and patients accounts for 10% of NHS carbon emissions. Digital services reduce these emissions and SH:24 works to maximise this impact in the way it delivers services.; ; Despite being a low-emitting organisation, we recognise that the development, delivery and use of our services results in greenhouse gas emissions. We have a pivotal role in influencing environmental protection and improvement. Our ‘sustainable’ value makes this part of our culture, supporting our purpose, vision and mission.; ; We are actively working on assessing, forecasting and reducing our environmental impact and the impact of our suppliers, customers, stakeholders, and communities. We are taking active steps to become NetZero by 2035.; ; We have a cross-functional team, chaired by our CEO, who holds responsibility and oversight for ensuring an environmental stewardship framework runs throughout our organisation.; ; Key areas of active focus:; ; eco-design of digital technologies, ; sustainable packaging and,; sustainable office/home-working culture.; ; We chose to co-locate at Keele University Science and Innovation Park due to their ambition to be carbon neutral by 2030 and their groundbreaking research into climate change and renewable technologies. SH:24 occupies three sites on campus and receives around 50% of our annual electricity directly from renewable energy sources. We will influence and contribute towards:; ; Delivering a truly biodiverse ‘green campus’,; Development of a community sustainability hub.

  Covid-19 recovery

  SH:24’s cloud-based design has in-built resilience which we have utilised to support our partners in mitigating against the impact of COVID-19. ; ; This includes: remote working, partnerships with industry-leading technology, pathology and pharmacy providers with dedicated capacity; temporary staffing pools; back-up kit fulfilment centres with greater than 12 weeks of primed test kits. ; ; Our services can also be added temporarily to support local clinic services during clinic closures.

  Tackling economic inequality

  We are a registered Real Living Wage employer and all employees, regardless of their role or location, receive salaries above that of the London Living Wage. ; ; As a not-for-profit CIC, we want to ensure those we work with share our values. We ensure that the suppliers and subcontractors we engage deliver social value as well as quality services and value for money. We undertake to be responsible in our practices by utilising procurement processes that are open and transparent. ; ; We are conscious of creating employment opportunities that stimulate economic and social progression in regions with high unemployment. Our logistics centre, on the Keele University campus in Staffordshire employs locally, and our relationship with the university enables us to recruit interns and FTE staff. We support the local economy, using businesses in Stoke for locally sourced products within our supply chain. ; ; We are proud to be in Staffordshire, immersing ourselves in community events and employment initiatives (apprenticeships, internships, and the government-backed Kickstarter scheme). We took part in the Midlands Engine events, presenting our model and belief in the region’s prosperity.

  Equal opportunity

  We have an Equality and Equal Opportunities Policy, reviewed annually which describes how we monitor the make-up of the workforce with a view to encouraging equality and diversity, and how we support individual needs. ; ; We include an EDI statement on our job adverts which describes how we invest in our staff and foster a positive, diverse and inclusive company culture. ; ; To support employee career progression, we advertise all job roles internally and externally, and give all internal candidates a face to face interview. We promote cross-functional team working and a leader-leader model which supports initiative and growth. ; ; We have a Diversity and Inclusion working group which aims to educate and equip the organisation, and its staff, with the knowledge and tools needed to be more mindful of current barriers, history and structural factors that lead to racial/ethnic disparities.; ; We take modern slavery seriously and have worked with an external modern slavery consultant to identify areas in our service delivery that may be at risk. Although no areas were identified at high risk we have an action plan that can be made available on request

  Wellbeing

  Aligned to our mission, our organisational culture has been built around delivering fair, supportive and equitable working standards and practices to all. ; ; Our values, underpinned by our social mission, were crafted by our employees (not imposed by management) and are therefore truly celebrated and embraced: ; ; Respect, ; Acceptance, ; Empathy, ; Reflection and Initiative, ; Conscience and Creativity, ; Drive and Enthusiasm. ; ; We recognise that ‘work’ is a big part of someone’s life, so we support employees by offering holistic benefits packages that support our employees’ mental and physical health, and wellness. ; ; We encourage flexible and remote working (when possible) to enable us to support our employees’ personal situations, regardless of where they live across the UK.; ; We ensure all employees are offered one-to-one pastoral support from their line manager, personalised professional development plans and complete exit interviews to understand how we can improve.

Pricing

• Price: £5.25 to £175.00 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sh24.info@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.