Hanlon (SR) Case Management
Modular CRM to track client interventions addressing barriers to progression and helping jobseekers into employment, education and training. Employer engagement and vacancy management. Management of business support, grants, and loans. Community benefit, social value and Section106 monitoring. Manage student work experience programmes. Programme funding management. Programme performance reporting and analysis.
- Web enabled, multi-provider employability tracking system
- Customer registration and e-signature. ESF and GDPR compliant
- Customer assessment, profiling and progression analysis
- Customer referral, intervention tracking and outcomes analysis
- Virtual labour market. Employer engagement, vacancy management and skills matching
- Business enquiries tracking and impact analysis
- Real-time, flexible reporting using embedded pivot grids. Statutory reporting
- Public facing portal, Employability and business development Content Management System
- Community benefit and Section 106 tracking and reporting
- On-line student work experience management
- Connects customers, businesses, service providers to everyone's mutual benefit
- Co-ordinate customer services across multiple providers saving time and money.
- Single customer registration reduces frustration and potential errors
- Holistic customer record enables providers to work more collaboratively
- Achieves positive customer outcomes more quickly through safe data sharing
- Bulk email, messaging, mail-merge and SMS for easy contact management.
- Single, shared business record reduces unnecessary, repeated contact
- Centralised, real-time reporting. Quick, easy and comprehensive
- Flexible, simple reporting meets statutory requirements saving time and effort
- Highly configurable data framework fits any programme, value for money
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Response within 1 hour during office hours. Response at weekends is next working day unless special arrangements are agreed.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
All customers can access the following support functions:
activation of user licences;
access to a helpdesk via email and phone for advice and problem resolution;
remote, on-line support and user training;
help with data management, including bulk data updates and development of ad-hoc reports as and when required;
regular site visits to check on system usage, share best practice, discuss issues and deliver refresher training if necessary;
development and release of new software builds containing enhancements and modifications to meet the requirements of new and existing programmes. We aim to release at least four new software builds per year.
We do not set a limit on the number of helpdesk calls or emails per customer.
All of the above is included in the annual hosting, support and maintenance charge which is based on 17.5% of the system and software module charges.
Service Level Agreements are available covering our response framework and fault resolution.
|Support available to third parties||Yes|
Onboarding and offboarding
We provide any or all of the following, depending on which are most appropriate to meet the requirements of the customer:
online, context sensitive help on the web forms within the application;
digital user manuals, including a quick guide;
onsite train the trainer;
onsite user training based on user roles - there is a training session for each module in the application - each session lasts a maximum of 4 hours and users can select, or be advised, which sessions are most appropriate for them based on their user role;
remote, online training.
|End-of-contract data extraction||
At the outset we agree an exit plan with our customers that includes options for data extraction. These include:
supply of a copy of all data in csv format. The data is structured with master records, for instance client core data, with separate spreadsheets for sub records such as activities and outcomes, linked on the unique master ID, such as Client ID;
continuation of storage of the database on our servers for analysis and reporting purposes only, subject to compliance with GDPR.
Users can select whichever option suits their purposes best. Their decision is generally based upon the length of time beyond the contract end date that they have to report to funders. For ESF programmes, this could be up to 7 years. We have incorporated data redaction facilities into the application to enable extended reporting periods in order to remain compliant with GDPR.
|End-of-contract process||Customers generally purchase the Hanlon service to meet the requirements of a specific funded programme that has an end date. The end date of the contract for the Hanlon service is generally set to coincide with the end date of the programme. At this point the customer may decide that they have no further need of the service and request their data to be returned. However, many customers decide that the service meets the requirements of other programmes that they are running and therefore seek a contract extension with Hanlon so that they can continue to use the service. Many organisations have used the Hanlon service for over 10 years which has proved to be very cost effective for them.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Web pages within the Hanlon application are developed using Bootstrap 4 and are designed to be responsive. The layout of each page adjusts to fit the size of the user's screen. So the same page renders correctly on both PC / laptop monitors and mobile devices, such as tablets and mobile phones|
|Description of service interface||The service interface is configurable depending on the user's role. There is a side panel and breadcrumb navigation control providing access to user role specific modules and records within the application. Tabs are used to navigate to sub elements within
|Accessibility standards||None or don’t know|
|Description of accessibility||
All pages have large, clear headings and descriptions. Users can clearly see what element of a record they are on. The size of text on the system is in line with modern screen resolutions. Level A accessibility has been achieved for all elements with some achieving AA and AAA.
Users can change the system theme CSS which can bring various accessibility improvements, such as changing colours and increasing text size. Also, we will respond to individual user accessibility requests by creating tailored CSS rules for them that help to improve their experience of the system.
|Accessibility testing||We use PowerMapper to test our web pages against the W3C accessibility standard.|
|What users can and can't do using the API||
Users can read data from the system (API v1). Users have read access only and cannot make any changes via the API. Authentication is handled by Hanlon using generated tokens which can be redacted as required.
The API can be used to export client, enterprise and vacancy data to external systems. In development is a facility to manage the importation of data from external systems.
|API documentation formats||Open API (also known as Swagger)|
|API sandbox or test environment||Yes|
|Description of customisation||
Customisation of the application is achieved by configuring settings and content within the system. Options include:
amend the data framework to capture the data users require on activities, interventions, outcomes, demographics, barriers to progression, support needs, aspirations and skills - to name just a few;
design the content and layout of client registration forms and assessments;
design employer and opportunity registration forms;
customise business profile options such as sector, size, accreditations and locations;
create personalised user dashboards;
design the content and layout of user reports.
Administrative tools are available within the web and windows sections of the application. The tools enable users to customise the application as described above.
Users are assigned to system roles. Roles can be created with prescribed functionality. System administration is one of the elements of functionality that can be assigned to specified users.
|Independence of resources||
We have built redundancy into our network to ensure applications are not adversely affected by high usage.
Network monitoring software alerts our support team to high CPU / memory usage.
Also, processor-intensive functionality, such as real-time embedded pivot grid reports, is first queued and then allocated a maximum percentage of server memory rather than being allowed to overload the server.
Long running operations, such as GDPR redactions/deletions are handled by web services.
We closely monitor memory and disc usage and our network can be easily expanded if required.
|Service usage metrics||Yes|
History of user log ins.
Date and user who created records in the database.
Email send logs.
Document send logs.
Record search and loading times.
Report and query processing times.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
There are two methods to export data:
1. Every aspect of data within the system is reportable and all reports are exportable. Users can apply criteria to data for reporting purposes so that only the data they wish to see comes back and they can also create their own report layouts. Each report is exportable in a number of formats, such as .PDF, .DOCX and .XLSX.
2. At no additional cost our support team will create ad hoc data extracts to users' specifications. This option is included in our support service.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||SQL|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
We aim to provide 99.95% service availability. The only exception is planned maintenance scheduled in advance and usually conducted out of normal working hours.
In the unlikely event of us failing to meet the above SLA (in any one month rolling period) the customer will be eligible for a credit. We'll refund 1 day's service fee for every hour that connectivity has been unavailable over the specified SLA, up to a maximum value of one month’s service.
|Approach to resilience||
Our data centre has 20MB fibre optic backbone supplied and managed by GTT Communication and there is a 2MB ADSL backup line.
The data centre contains multiple web servers and SQL servers and clients can be moved on to any of these if required.
There are primary and secondary kit options at every potential point of failure.
There is an onsite backup to removable disc facility. Backups are scheduled to run automatically every evening. They operate on a fortnightly schedule, with the current week's backup discs held in a fire-proof safe onsite and the previous week's discs stored securely offsite by Iron Mountain.
Service outages are reported by email.
We are in the process of making an outage dashboard available externally.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
MS ASP.NET Identity authentication framework is used to manage access to the web application. Active Directory is used for the Windows (RDP) application.
Two factor authentication is available on request.
Password changes require an access sent directly from the system via email.
User based privileges manage user access to certain parts of the application based upon their role.
Security settings are used to manage access to:
specific cohorts of clients, enterprises and vacancies;
specific information on client profiles, interventions and action plans;
documents and document types
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||14/01/2011|
|What the ISO/IEC 27001 doesn’t cover||N/a|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our information security policies are detailed in our ISMS (Information Security Management System) and constitute the main element of our ISO27001 certification, first achieved in 2011 and most recently re-assessed in November 2018.
Policies cover all elements of information security, including: risk framework, all aspects of assets, patch control, usage policies, staff (recruitment, induction, on-going training and leavers), data handling, documents, physical security, business continuity / disaster recovery.
Our system administrator creates a schedule of security compliance checks at the start of each year and produces a report for the operations director each month.
Our information security policies are reviewed each quarter and updated as necessary.
Staff are trained on their information security responsibilities as part of their induction and undergo refresher training regularly thereafter.
Posters are displayed throughout the offices reminding staff of their responsibilities.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Firstly, Team Foundation Server (TFS) is used to manage the cycle of build development, testing and roll out. TFS allows us to assess and document data security risks associated with each new build.
Both new software developments and infrastructure enhancements are subject to risk analysis prior to implementation. The three elements of Confidentiality, Integrity and Availability are assessed. The risk plan assesses likelihood and potential impact for each scenario with options for mitigation, before arriving at a decision on whether to proceed.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Firstly, within our BCM we maintain a risk register with impact assessments.
We also use various tools to monitor our system. ManageEngine network monitoring software is deployed on our servers. This reports any issues to our system administrator.
In addition, application and network penetration testing is carried out regularly by our own team and once per year by an external, fully accredited company.
Virus protection is managed by Windows Defender on the servers and Bitdefender on stand-alone devices.
Security patches are deployed as soon as they are available, or at least once per week.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Monitoring software is deployed on servers and stand-alone machines. An email is automatically sent to the system administrator if potential compromises are identified.
In addition, we perform our own internal tests on a monthly basis. Application testing leading up to the release of a new software build is far more intensive.
External penetration testing is also used to identify potential compromises.
The response to an incident is dependent on its nature, but all would be treated as a priority.
We have a documented Business Continuity Plan, available to staff, that provides guidance on how to deal with incidents.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Some incidents are emailed directly by the application to a Helpdesk folder. Users can also report incidents to our Support folder.
Each incident is logged on our ISMS and assigned a status, priority and a support team member.
Users are notified that the incident has been logged and provided with a resolution date/time.
The operations director checks the incident log daily and ensures deadlines are being met. One of the business KPIs is the response time for incident resolution.
Incident reports are provided on request. We are developing a feature on our web site to allow users to download reports.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£75 per user per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||Users can experience the current system build containing demonstration data for up to four users and for up to four weeks. They have unlimited access to the support / helpdesk during this time.|
|Link to free trial||Www.hanlon2019.hanlonsonline.co.uk|