Release cash savings by reducing agency spend with Messly Locum.
Messly Locum enables hospitals to manage temporary staffing efficiently, safely and cost-effectively by connecting directly with doctors. Hospitals can build a digital staff bank, manage shifts and easily track spending.
Bring your shifts to Messly, already used by 20,000 doctors.
- Shift creation and management
- Staff on-boarding and compliance workflow
- Candidate profiles, CVs and work histories
- Workforce contact management
- Cloud web and mobile based application
- Messaging, notifications, timesheets and alerting
- Locum spend management and spend forecasting
- Real-time analytics and reporting
- Integration with 3rd party software
- Dedicated support team available
- Reduce spend on locum agencies - cash releasing savings
- Significantly improve locum fill rates - enable safer staffing
- Bring shifts to doctors - 20,000 utilising Messly community
- Save staffing manager time - increase efficiency
- Fill shifts with trusted doctors - enable safer staffing
- Reduce cases of consultants 'acting down' - cash releasing savings
- Monitor spending, forecasting and manage exceptions
- Better workforce planning - improve staff morale
- Improve process for flexible working - improve staff morale
- No obligation free trial - risk free
£15 to £25 per unit
- Free trial available
9 2 8 5 2 7 5 8 8 4 3 8 9 6 3
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Bank Builder - Add doctors to your staff bank by accessing top medical talent from our community of UK-based clinicians.|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Weekdays: Within 2 hours. Weekends: Within 24 hours.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), 7 days a week|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||WCAG 2.0 A on all checklist items except: 1.4.1 – Use of Colour: Don’t use presentation that relies solely on colour; 2.1.1 – Keyboard: Accessible by keyboard only|
|Web chat accessibility testing||Basic assistive technology check against WCAG 2.0 A checklist|
|Onsite support||Onsite support|
- Account Manager assigned
- Team on site to run 60 min training with each user, with time available for questions
- Team available for follow-up support and questions to ensure implementation is successful.
- Account Manager as point of contact
- Available through phone and email 9:00-17:00 Monday to Friday. Two Hour response time
- Out-of-hours/weekend support is provided via email ticketing and live chat. Twenty-four hour response time
|Support available to third parties||Yes|
Onboarding and offboarding
We do the following to ensure a rapid, low-risk rollout of Messly Locum across the Trust. We typically complete this within 3-4 weeks, so Trusts can begin realising benefits swiftly.
We carry out an initial review of each Trust's current processes and requirements, with the aim of building a rollout plan and setting a launch date. This includes understanding current processes and engagement levels.
2. Agree targets
We work collaboratively with departments to assess their current performance, taking into consideration the current fill rate, engagement levels and agency use. We set realistic Trust and Messly targets for internal fill rates and make recommendations on how to achieve these.
3. Department onboarding
Messly offers department-by-department, in-person training for all relevant staff. This takes approximately 30 minutes to 1 hour. Our support team is available on an ongoing basis to answer any queries, troubleshoot issues and support adherence to new processes.
A profile is created for each department, and all relevant doctors are invited to the new digital staff bank, allowing them to start booking shifts immediately.
Alongside this, Messly runs a campaign in conjunction with the Trust to inform doctors of the new process, including on-site drop-in events and online outreach.
|End-of-contract data extraction||We are able to provide full data extraction of trust and department level data on request at no cost. Data is provided in CSV format, with one week's notice required.|
Termination can be easily requested by contacting the assigned Account Manager. There are no termination costs.
No uninstallation is required. The end-user’s account will be blocked with immediate effect.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Our platform is built with best practice Responsive Web Design (RWD), enabling access from any internet-connected mobile device. The user interface has been optimised so that product features are identical on both mobile and desktop.|
|Description of service interface||We operate a RESTful Application Programming Interface that enables Messly products to securely communicate with each other, expose data and programmatically connect with external services to augment functionality. The methods we use are performed over HTTP, including GET, POST, PUT and DELETE.|
|Accessibility standards||None or don’t know|
|Description of accessibility||WCAG 2.0 A on all checklist items except: 1.4.1 – Use of Colour: Don’t use presentation that relies solely on colour; 2.1.1 – Keyboard: Accessible by keyboard only|
|Accessibility testing||Basic assistive technology check against WCAG 2.0 A checklist|
|What users can and can't do using the API||
Messly's API is a fully featured RESTful JSON API.
Users can integrate with and use our API by generating an authentication token for their account which is passed along with every request as a header.
With API access set-up, users can then:
- apply for and confirm attendance for shifts.
- apply and join hospital departments.
- set up trust level work eligibility and payroll information.
- add relevant medical information (grade, specialty, work history, exams etc.)
- post department shifts.
- offer to and approve doctors to work shifts.
- invite, remove and accept doctors into your department's approved "locum bank".
|API documentation formats||Other|
|API sandbox or test environment||Yes|
|Description of customisation||
The software has in-built features to enable users to customise their experience, both on setup and through the duration of the contract from within the application.
- User roles and number of users
- Customisation of shift types specific to the department
- Customisation can be done by Messly team, department administrators and managers through in-application settings.
|Independence of resources||We have monitoring tools and have implemented some restrictions on our shared environments to ensure that usage does not affect the performance of individual users. In the case that you do experience any type of performance issues with the server, we are able to migrate your users to a new environment.|
|Service usage metrics||Yes|
Messly can provide reporting on any activity that takes place on the platform, and can tailor reports to your needs.
Standard reports include monthly usage data on:
- Total shifts posted
- Total shifts filled
- Urgent shifts %
- Non-urgent shifts %
- Total spend by grade
- Total spend by urgency
- Current number of shifts posted
- Current number of shifts filled
Data on shifts filled and rates can be provided for payroll purposes.
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||Encryption of all physical media|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Built-in export functionality on rota coordinator, clinicians and central dashboard. By clicking a single button, users are able to export their specific data in CSV format.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
99% uptime SLA for end-users
Pro rata refund for failure to meet uptime, e.g. 0.5% additional downtime would incur a refund of 0.5% of contract value.
|Approach to resilience||Available on request.|
1. Public banner on website homepage
2. Email and SMS alerting to relevant end-users
3. Uptime Robot (for internal monitoring)
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Members of the doctor community must provide a valid GMC number.|
|Access restrictions in management interfaces and support channels||Restriction in management interfaces and support channels is based on secure individual user logins and passwords. End-users are assigned individual roles within the application, which restrict their access to specific interfaces they are not required to interact with.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||SSL Certification|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||IG Toolkit v14.1|
|Information security policies and processes||
* Data Protection Act compliant
* ICO registered with registered data controller
* Fully Caldicott compliant
* Security roles and responsibilities
* Specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process
* Security standards
* Disaster recovery policy
* Incident response policy
* Security awareness, training, and education
* Asset access specifying access rights to categories of assets and how these are managed
* Staff training to ensure adherence to policy, policy waivers and exceptions, and consequences of non-compliance
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
We adopt Agile methodology through the Scrum framework:
- Our product owner creates a prioritised wish list (product backlog).
- During sprint planning, the team pulls a small chunk from the top of that wish list, a sprint backlog, and decides how to implement those pieces.
- The team has a certain amount of time — a sprint (usually two to four weeks) — to complete its work, but it meets each day to assess its progress and monitor changes.
- At the end of the sprint, detailed quality assurance is carried out to ensure components are ready to ship.
|Vulnerability management type||Undisclosed|
|Vulnerability management approach||
Vulnerabilities are assessed at two levels:
1. Server level: These are assessed by our third-party host, who have a dedicated team for assessing potential threats and addressing them, which entails deploying patches, typically within 48 hours.
2. Application level:
Our development team regularly uses vulnerability management software (Qualys) to assess for vulnerabilities. These are run against the OWASP Top 10 Risks and common hacker techniques. Patches are typically deployed within 48 hours.
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||
We use a number of different tools to assess potential compromises:
- Sucuri’s SiteCheck
- Google Webmaster Tools
- Google Safe Browsing diagnostics
- webcheck.me Scanner
If a vulnerability is identified, we follow a rigorous 4-stage process within 24 hours to identify and restore the site as quickly as possible.
1. Application taken offline
2. Assess the damage and apply restoration of data if necessary
3. Work on recovery and preventative solutions
4. Application restored online
|Incident management type||Supplier-defined controls|
|Incident management approach||
We follow a rigorous 8-stage incident management process:
1. Identifying Incidents
Based on compromise testing
2. Logging Incidents
Submitted by end-users via online ticketing system and email
3. Categorising Incidents
Categorisation based on inputted category/subcategory or email topic.
4. Prioritisation of Incidents
Based on impact/urgency/priority metrics
5. Initial Diagnosis of Incidents
Carried out by member of service desk
6. Escalation of Incidents
Tickets escalated based on level of inactivity to prevent incidents from being missed.
7. Investigation and Diagnosis of Incidents
8. Resolution and Recovery of Incidents
Status of incident updated and fed back to end-user with outcome via bespoke email reporting.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£15 to £25 per unit|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||This is agreed with customers on a case-by-case basis.|