iNGAGE - Locum Workforce Direct Engagement Service
iNGAGE is a suite of cloud and physical based services, supported by a number of systems that allow NHS Trusts to Directly Engage their temporary Workforce. The service allows Trusts greater transparency and control over their Flexible workforce and allows them to deliver considerable savings and rate reductions.
- Dedicated service/platforms facilitating seamless direct/non-direct-engagement of locum workforce
- Dedicated recruitment, on-boarding and time-sheeting and reporting portals
- Implementation, change management, business process re-engineering
- Account managers responsible for compliance, performance, account & supplier management
- End-to-end recruitment, on-boarding, time-sheeting and self-bill administration
- Full management report suite supported by bespoke reporting tools
- Digital contract management and engagement support services
- Completely bespoke service with automated controls and digitised processes
- 24/7 service with dedicated account staff and specialist consultants
- Integrated with current processes and systems delivering a seamless service
- Large-scale savings, rate reductions, cost management & efficiency gains
- Automated & streamlined processes delivering enhanced controls and reduced administration
- Increased transparency & compliance allowing effective planning and reduced risk
- Greater visibility empowering better performance management of suppliers
- Processes tailored to Trust staffing, workforce and staffbank needs
- Allows flexibility to adapt to changing demand and market conditions
- Understanding of the staffing/workforce market allowing for seamless implementation
- Improved financial processes including self bill invoicing, reporting and accruals
- Single System and service provider covering all staff groups
- Direct engagement of Doctors and Allied Health staff
£1 to £25 per unit per hour
ICS Ingage Limited
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Our service can function as an extension of the client's systems and processes, e.g. Master Vendor system, accounts payable and payroll systems|
|Cloud deployment model||Private cloud|
|Service constraints||Our service operates in line with a pre-planned comprehensive maintenance schedule. Constraints include software access via approved browsers only, which is subject to quarterly updates without notification|
|Email or online ticketing support||Email or online ticketing|
|Support response times||We acknowledge within 2 working hours, resolve low-level issues within 24 working hours, medium-level issues in 48 working hours and technical issues within 14 working days.|
|User can manage status and priority of support tickets||No|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Onsite support|
|Support levels||Each customer has an account manager and a dedicated team on-site throughout the lifecycle of the programme. They will deal with all first-line support queries and the day-to-day management and running of the services. They are supported by a dedicated technical team for the escalation of any second-line queries.|
|Support available to third parties||No|
Onboarding and offboarding
We provide a high level of support -
During implementation we deploy a dedicated implementation team, who will deliver full scoping, design, configuration and deployment of the services and all associated technology and systems. Thereafter we can provide onsite support, and an account manager. Throughout the lifecycle of the programme we provide dedicated onsite and online training, support and analytics to ensure the service is being used correctly and efficiently.
All of the above is supported by dedicated resource libraries, online FAQs, video and webinars.
|End-of-contract data extraction||We discuss exit planning from the start of the service so that we can establish expectations and agree processes. We can export data in a standard csv format via secure email. Alternative formats and processes may be available and can be discussed during contract negotiations. With respect to the retention of data, it is for customer to determine what retention periods it wishes to establish.|
From the receipt of a notification of intent to terminate we arrange a review meeting, which is followed by a resolution meeting and if needed an exit meeting in which a full exit plan is agreed and then executed.
Exit plan will be conducted over a 12 week period and will ensure full delivery during this process, with agreed milestones and deliverables agreed for all stages.
After 12 weeks any additional service or support will be provided at charge agreed during the exit plan.
On termination of services, the exit plan shall consist of the following:
(a) We will provide Customer with a copy of Customer’s data from, in a manner reasonably requested by Customer (e.g. CSV, HTML, or Excel); and
(b) Access to personnel as required to assist in transfer of Customer Data.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The software has been enhanced to optimise use on a mobile interface. There is a dedicated mobile-enabled microsite. This ensures quick and seamless actions to complete tasks, actions, items and approval chains. Each mobile interface is customisable for each customer. This is supported by dedicated apps for functional input and for approval, commonly used for budget approval and time/expense management.|
|What users can and can't do using the API||
The Account Manager works with clients to set up service and relevant API during implementation.
Any changes to the API are logged with the Account Manager, who works with systems engineers to facilitate changes wherever possible.
Data within our system may be imported or exported through HTTPS either via the user interface or using our bespoke Integrator.
The bespoke Integrator, a light-weight Java-based integration tool, can be used to integrate to third-party applications. Several pre-built connectors exist currently for the following applications: JD Edwards; Oracle; PeopleSoft; and SAP; along with various other applications, including HRMS; project management, time collection, e-Procurement solutions; and other legacy applications.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
Every implementation of our service is unique. Our service is fully bespoke - users can agree to customise any aspect, including: services, processes, configuration, goals, objectives.
Users can customise user interface, home page layout, reporting work flow, user access, approval hierarchy, organisational structure, corporate calendar, cost centres, performance indicators, thresholds, dashboards, system variables, onboarding, offboarding, custom fields, task codes, classifications, rate groups, rate schedules, classifications.
Customisation is available via in-technology customisation buttons and/or via our onsite system administrator.
Basic customisation can be accessed by all users, and during implementation dedicated system administrators would be agreed for more technical configuration/ customisation items. All of this is agreed by user role permissions, as agreed in implementation.
|Independence of resources||
We give each client a client-specific environment, enabling separation and no impact by demand of other users. Each client receives its own dedicated team, support-networks and account manager, further ensuring they receive a quality service at all times.
As a software-as-a-service, SAP Fieldglass automatically and transparently handles scaling and redundancy based on SLAs governing performance and availability. It monitors application-servers, database-servers, bandwidth, and infrastructure for average and maximum utilisation with Orion.
Current utilisation averages c20% across all components with a goal of scaling component vertically or horizontally (depending on specific component) upon reaching 60% threshold, including web-servers, database-servers, and storage.
|Service usage metrics||Yes|
We provide fully bespoke metrics, configured and designed during implementation with client input.
The system provides:
-Analytical tools aid workforce management and planning
–Integrated reporting throughout the process allowing budgetary/spend controls and oversight
–Supplier management; dedicated supplier dashboards
Supported by a suite of MI including:
–Direct engagement uptake reports
–Payment files including breakdowns of VAT payable
–Multiple other bespoke reports
The tool facilitates tracking/reporting of:
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Other|
|Other data at rest protection approach||SSAE 18 / ISAE 3402 Type 2 SOC1 since 2005. And finally, we offer a Type 2 SOC2 for all five principles.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
We offer seamless exports in multiple formats, bespoke reporting suite, a dedicated analytics tool; data manipulation will be carried out in the system, or externally via raw exports. In addition we can facilitate bespoke data reporting and export requests via our account manager who will facilitate in line with performance indicators as standard.
In addition, clients have the ability to directly export any list or chart views likewise any analytical or statistical data in any of the following modules which can be exported with ease: PMO dashboard, visuliser, rota management tool, shift management tool, reporting accountancy.
|Data export formats||
|Other data export formats|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
We aim to provide a service accessible 24/7, excluding emergency maintenance windows (if taken during hours of 5am-8am GMT) weekly maintenance windows, and extended maintenance windows
We would offer clients a KPI of 98% availability
Service credits would be agreed during contract negotiations
|Approach to resilience||We do not wish this information to be public. Details of our datacentre setup and service design for resilience are available on request.|
We communicate any issues clearly and quickly. Our onsite staff ensure reporting. We use email notifications to ensure ongoing communication throughout any outage.
In our experience, our system has had no unplanned outages, just planned maintenance.
Identity and authentication
|User authentication needed||Yes|
|User authentication||2-factor authentication|
|Access restrictions in management interfaces and support channels||The system is fully configerable and we have the ability to provide 'chinese walls' and restricted access in multiple ways including but not limited: 1: user role permissions, 2: cost centres, 3: sites, regions and location. We can manage access via our account management team or train clients' own staff as system administrators and allow them access to manage access rights of others. Additionally, supervisors can be given access to manage the rights of their teams. All of the above is scoped during implementation and delivered inlive with pre-agreed business rules that form part of agreed KPIs.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||QMS International|
|ISO/IEC 27001 accreditation date||12/06/2013|
|What the ISO/IEC 27001 doesn’t cover||
To our understanding nothing is not covered, but for the avoidance of doubt our technology delivers "associated services" as addressed below:
"The approved information security management systems apply to the following:-
THE PROVISION OF SPECIALIST STAFF ON A PERMANENT, TEMPORARY OR CONTRACT BASIS, THE SUPPLY OF ASSOCIATED SERVICES AND THE PROVISION OF COMMUNITY AND COMPLEX CARE"
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||10/11/2016|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||All parts of our technology solution are covered|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our robust suite of policies underpin our ISO27001, IG Toolkit and Cyberessentials accreditation. Our Information Security Management System has processes for all governance and security aspects, including staff training, data protection and retention, data transfer, hardware and access procedures.
Senior Managers (e.g. HR, IT, Operations) form our Information Governance committee, which reports to the Board, ensuring a whole-group and multi-role focus, and reviews performance and procedures.
Procedures for suspected/ actual information security incident (including near miss) mandate how each staff member should report, and what action is needed. We record all incidents on Datix to ensure a consistent approach to collecting information, and mandatory steps ensure escalation to appropriate managers, and undertaking investigations within agreed timescales. Our Clinical Director and Caldicott Guardian reports to ICO/ relevant third parties. Information Governance committee reviews incidents to verify actions were appropriate actions and lessons are learned.
To ensure policies are followed, all staff undertake training on Information Governance during induction, ensuring a baseline of knowledge. Responsibility for Information Governance is included in staff code of conduct. This is reinforced by system protocols (e.g. mandatory password resets to approved complexity level). ISMS and documentation are available on intranet, not hard copy, ensuring version control.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The technology we use and its supporting infrastructure are governed by strict change control policies and procedures throughout thier lifetime. These controls are audited by a SSAE 16 audit to validate the operating effectiveness. Changes are assigned a risk category and are tested thoroughly by following a formal testing methodology.
The technology we use has procedures, processes, and technology such as VM templates, GPO, and DSC to deal with OS configuration management. The application follows strict life cycle management as well as source control management to ensure builds are properly processed and deployed.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
The technology we use follows a Risk Based Vulnerability Assessment Method, with internal and external weekly vulnerability scans. Vulnerabilities are rated on criteria, e.g. internally/externally facing, age, ease of exploitation, etc. The rating determines remediation.
Two departments address vulnerabilities: the security team scans for internal, external, credentialed and non-credentialed vulnerabilities and delivers a list of vulnerabilities with a defined risk level. The IT team patches systems based on vendors' patch cycles throughout their lifetime. Once the security team communicates vulnerabilities, the IT team works to remediate, testing in the staging infrastructure when possible, and deploying during the next suitable window.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||All devices and servers on the network log to an enterprise SIEM tool. The security team monitors this tool to ensure activity does not exceed the expected baseline. The application uses the LOG4J framework for logging system exceptions and issues. These system logs are reviewed by the Quality Assurance team to ensure silent failures and other problems are forwarded to the development team for resolution. The system audit trail provides customers the ability to monitor all actions in their company instance including failed login attempts and other actions taken by their users.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
SAP Fieldglass’s mature and tested incident response process is based on NIST standards and ensures that data breach notifications are make within the 72-hour period as stipulated by GDPR.
Please note that SAP Fieldglass already comply with the SOC 2 Privacy Principle, which address the most common privacy requirements. In addition, SAP Fieldglass added the ISO 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII Processors to our ISO 27001 security program (ISMS), as well as the Cloud Security Alliance STAR certification.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£1 to £25 per unit per hour|
|Discount for educational organisations||No|
|Free trial available||No|