Service Level Agreement (SLA) for the SSD Secure File Transfer Service

Transcription

1 Document filename: SFT Service Level Agreement Directorate / Programme Systems and Project Service Delivery N/A Document Reference: DOC Project Manager N/A Status Approved Owner Norman Raphael Version 1.9 Author John Martin Version issue date 24 Mar 2015 Service Level Agreement (SLA) for the SSD Secure File Transfer Service Copyright 2014 Health and Social Care Information Centre

2 Document Management Revision History Version Date Summary of Changes Mar 15 Annual Review and updates to bring in line with v2.1 SLA Guidelines Reviewers This document must be reviewed by the following people: Reviewer name Title / Responsibility Date Version Norman Raphael Head of Service Delivery 1.9 Duncan Larkman Systems Development Team Manager 1.9 Simon Netley Service Assurance Manager 1.9 Robert Hardisty Head of Hosting and Infrastructure 1.9 SFT SRB Members Customer representatives 1.9 Approved by This document must be approved by the following people: Name Title Date Version Norman Raphael Head of Service Delivery 1.9 Samantha Harris SFT SRB Chairman 1.9 Sean Walsh SSD Director 1.9 Glossary of Terms HSCIC SSD HSCIC Health and Social Care Information Centre Systems & Service Delivery Service Provider HSCIC SSD Service Management Service Level Agreement Organisational Level Agreement Customer NHS HSCIC SSD SLA OLA The Systems and Service Delivery directorate of HSCIC The appropriate Service Delivery Manager and the Senior management of the service provider. An agreement between the Service Provider and Customer that documents services and agreed service levels provided to the Customer. An internal agreement covering the delivery of services which support the IT organisation in their delivery of services. The organisation that negotiates this SLA and any associated funding. Page 2 of 30

3 User Third Party Suppliers Complaint Incident Strategic Planning Group SFT Service Review Board SPG SFT SRB Any member of the customer s staff entitled to use the service. Suppliers external to the Service Provider used for the provision of some part of the service. May be internal NHS departments, or external organisations. A statement of unhappiness, expressing discontent about a situation. Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service. The customer group which represents all Trusts in England, Wales and Northern Ireland, or their successors The group that reviews and monitors the SFT service and links to the SPG. Document Control: The controlled copy of this document is maintained in the HSCIC corporate network, (according to the pathname recorded on the CMDB configuration Item) Any copies of this document held outside of that area, in whatever format (e.g. paper, attachment), are considered to have passed out of control and should be checked for currency and validity. Distribution Method: The document will be made available via the HSCIC Web site. Related Documents: These documents will provide additional information. Doc Reference Number Title DOC Secure File Transfer Service - System Level Security Policy (v.1.0, 23/10/2014) Page 3 of 30

4 Contents 1 Parties to this Agreement and Authorisation Parties to this Agreement Authorisation 6 2 Introduction Summary of Agreement Validity and Review of this Agreement Service Support and Service Delivery Processes 7 3 Service Description and Specification Service Description and Scope Service Out of Scope Roles and Responsibilities Service Provider roles and responsibilities SFT Service Review Board roles and responsibilities User Responsibilities Third Party and Dependent Supplier Responsibilities Service Desk Hosting Performance Targets Reporting Data Protection 14 4 Service Continuity and Availability Hours of Service Availability Hours of Support Operation Planned Downtime Service Continuity Backup and Recovery 15 5 Support Arrangements Incident Management Incident Response and Resolution times Incident Resolution Incident Escalation Major Incident 17 Page 4 of 30

5 6 Changes & Releases Change Management IT Infrastructure Enhancements Application Change Requests Release Management 19 7 Capacity Planning and Management 20 8 Security Principles and administration 21 9 Service Cost and Charging Arrangements Additional Service Costs Meetings Communications Complaints Complaint Circumstance Complaint Format Complaint Recipient Complaint Acknowledgement Complaint Resolution Complaint Escalation SLA Escalation and Arbitration Termination of the Service Changes to Agreement 30 Page 5 of 30

6 1 Parties to this Agreement and Authorisation 1.1 Parties to this Agreement This Service Level Agreement consists of the following parties: Primary Care Information System Service Review Board Health & Social Care Information Centre, Systems & Service Delivery 1.2 Authorisation Agreed on behalf of the SFT SRB Sign: Date: Print Name: Samantha Harris, Chairman Service Review Board Agreed on behalf of Systems & Service Delivery Sign: Date: Print Name: Sean Walsh, NHS HSCIC, Systems and Service Delivery Page 6 of 30

7 2 Introduction 2.1 Summary of Agreement This document is the Service Level Agreement between the Secure File Transfer Service Review Board and HSCIC SSD Service Management for the support and delivery of the Secure File Transfer System (SFT). The Agreement defines the standards and levels of service to be provided and the responsibilities of both parties to enable the effective and efficient running of SFT. This Agreement is to be managed and administered by both the SFT Service Review Board and HSCIC SSD Service Management. 2.2 Validity and Review of this Agreement This agreement is valid from 24/03/2015 to 31/03/2016. A structured review will take place annually to evaluate and prove the performance and appropriateness of this agreement. Interim meetings may also be as held to discuss the agreement. Any recommendations for changes (following these meetings) to the contract/sla/ola will be reviewed and agreed and passed to the Service providers Service Delivery Manager 2.3 Service Support and Service Delivery Processes The processes to be used for service management will be in conformance with the requirements of ISO/IEC and will as far as practicable, utilise ITIL best practice. Page 7 of 30

8 3 Service Description and Specification 3.1 Service Description and Scope SSD s Secure File Transfer system is offered on a Service Desk, Application Support and Maintenance and Hosting basis and includes the provision of the following IT Infrastructure and associated technical & service support: - Provision of hardware and Software to permit the operation and monitoring of the Secure File Transfer Service (see 3.2); - Provision of a simple web-based interface enabling users to select a file, recipients and a password prior to uploading a file; - Provision of qualified technical personnel to: - Administer and undertake operational support and development of the service (limited to the infrastructure, SFT application and network within SSD); - Monitor, measure and report on the performance of the service; - Provision of Help Desk service to record unauthorised use of PIN. The following service and configuration items are in scope for the SFT service: - 2 Virtual Server running HP-Unix and Oracle ; - 2 x Application servers running Apache 2 on Centos Linux 6.3 The Service will: - Provide access to the database; - Process files submitted to the SFT application; - Offer only SSL connections using AES 256 bit encryption, negotiating down to AES 128 bit for users with browsers that are unable to handle AES 256 bit encryption; - Access to the database only via the application servers, providing an additional layer of security; - Handle files up to one (1) GigaBytes (GB) in size, with the facility to accommodate larger files following testing and agreement with SSD; - Delete files automatically after three (3) days of them being placed within the SFT system, with the ability for the user to define a deletion date earlier than three (3) days; - Only permit files to be loaded where both the initiator and the intended recipients address are verified as either existing on the NHSmail directory or a defined list Page 8 of 30

9 of mail domains, with the proviso that at least one of the addresses is a NHSmail address; - Only be available over N3; - Be capable of storing a total of two (2) TeraBytes (TB) of user initiated files at any time; - Capable of handling three hundred (300) concurrent users; - Include application backup. N.B. this excludes the customer deposited files; - Have audit facilities to record: Filenames, Date and time of upload, Initiator of upload, intended recipients, Date, time & recipient of each download, Date and time of deletion; - Purge Audit records automatically after 90 days; - Be capable of displaying an Out Of Service message on the landing page in the event that any other part of the service becomes unavailable for longer than 30 minutes for any reason. 3.2 Service Out of Scope The following service and configuration items are out of scope for the SFT service: - Support relating to Issues with submitting, uploading, User s files; - The support for the User s infrastructure, including hardware, network connections cables or printer sharing; - Contacting third party suppliers in respect of hardware which has not been supplied through a Supplier contract; - Resilience of the service, (If there is a hardware failure the service will not be available); Roles and Responsibilities Service Provider roles and responsibilities Party to this Agreement; Assign a Service Delivery Manager for each customer to be responsible for day-today Service delivery; Undertake performance management of this Agreement, including operational reviews, Change Management, Service Review, and Escalation; To provide Help Desk staff to take calls during the service hours; To provide an answer-phone service to record calls outside normal working hours; Page 9 of 30

10 To make Service Delivery staff available to support all product areas during the service hours; To allocate calls with an initial priority via discussion between the Help Desk and the Customer; Second-line support staff to verify the initial priority set at the Help Desk, via discussion between Service Delivery personnel and the customer, and offer an initial assessment of the time it will take to resolve; To deal with calls raised with the Help Desk in line with the priorities and response rates indicated below; To ensure that a call remains open until a satisfactory resolution has been reached in agreement with the customer; In the event that a customer is unavailable and two attempts have been made to contact the caller, Service Delivery staff will close the call. If this is the case a message will be left with someone at the customer's office and an sent to the caller; To provide follow-up communication providing detail of resolution to the problem/issue identified above; To provide staff for the resolution and fixing of software problems; To provide details of any prerequisites for installation work at least 5 working days prior to the work being planned; To ensure that no member of staff makes unauthorised access to a computer or makes unauthorised changes to the programmes/data; To ensure that all staff are fully briefed in their responsibilities under the Data Protection Act 1998 as it relates to the processing of information relating to individual people covering the obtaining, use, storage or disclosure of such information; To ensure that all staff comply with the provisions of the Data Protection Act (1998), including related Caldicott Guardian principles, and the Computer Misuse Act (1990); To ensure that all staff operate under the good practice included in the HSCIC security policy in particular to its provisions relating to Computer Viruses; In the investigation of incidents, advice may be offered on the root cause of the problem should it lie outside of the application software, although the responsibility for fixing this remains with the User; and SFT Service Review Board roles and responsibilities The SFT Service Review Board will represent all Agencies / Area Teams in England, or their successors, and other NHS organisations making use of SFT, including but Page 10 of 30

11 not limited to Contractor Practices, Area Teams, NHS Trusts and Special Health Authorities. The SFT Service Review Board will act collectively in: determining protocols for the operation and use of the 'SFT' service throughout the National Health Service (NHS); commissioning enhancements and modifications to the SFT service and software; monitoring the provision of the 'SFT' service to its users in the NHS; facilitating the provision of the 'SFT' service to the NHS. The detailed responsibilities of the SFT Service Review Board will be to: be Party to this Agreement; In partnership with the Supplier: Act as the Service Management Board for the service; Forecast Service delivery and associated capacity management with the Supplier; Be responsible for the ownership and monitoring of the NHAIS 'SFT ' service, which includes this Service Level Agreement (SLA) Undertake the monitoring of the top-sliced funds agreed with the Technical Infrastructure Group (TIG) and allocated by the Strategic Planning Group for the provision of the 'SFT' service; Agree the content of enhancements to the 'SFT' service; Negotiate with the Strategic Planning Group funding of major developments, where appropriate, and monitor resultant projects; and Represent the views of users of the 'SFT' service as a whole and to disseminate information on 'SFT' activities to representative bodies throughout the NHS User Responsibilities To raise all requests for support services with the Supplier Help Desk by telephone on or via (exeter.helpdesk@hscic.gov.uk); The following information will be requested by the Help Desk: Name of individual; Name of organisation; Organisation code; Telephone number of individual; address of individual; Subject heading (e.g., Open Exeter/Ophthalmic Payments); Details of Incident; and Incident category requested (if applicable). Page 11 of 30

12 To be responsible for any loss or corruption of data or malfunction of the live system, caused by the use of local administrator access by any PCSS/agency staff. The rectification of such loss or corruption falls outside ALL normal support agreements provided by the Supplier; To ensure that the HSCIC SSD Help Desk is notified of any changes to key personnel; To utilise the Change Request process administered by the Supplier to request any software changes - for details refer to: To provide remote access for Service Delivery personnel as and when required for the purposes of working on support calls. In the event that this cannot be/ is not provided, the response and resolution timescales cannot be assured; To ensure that new members of staff receive appropriate and relevant application or systems administration training prior to using any of HSCIC products or services, also to ensure they have been notified of the available user manuals and electronic help files; To ensure that all necessary licensing arrangements are in place for 3 rd party software; To ensure that any intention to withdraw from the support contract is discussed with the Service Delivery Manager, and that a minimum of 6 months notice is provided of this intention Third Party and Dependent Supplier Responsibilities In the context of this Agreement, a Third Party Dependent Supplier is a supplier of IT Infrastructure services to support and deliver to the requirements of this Agreement, working to either the Supplier, or the customer. HSCIC Service Management is not directly responsible or accountable for the delivery of services via third parties e.g., Local IT departments or the training provider. 3.4 Service Desk The Service Desk service will be carried out from HSCIC SSD offices and will undertake call handling, incident escalation, and user communication activities. Users are to report all calls to the Service Desk. Confirmation that a call is logged in accordance with this agreement is the Service Desk reference number. Users should advise the Service Desk of any access constraints, such as restricted times of availability. Page 12 of 30

13 Calls reported by users to other entities, such as local technical support are not supported by this agreement. Exeter Helpdesk: The service desk can be contacted by telephone / using the details below: Tel: or by exeter.helpdesk@hscic.gov.uk 3.5 Hosting The hosting of the primary and standby service is carried out from the Land Registry data centres based in Gloucester and Plymouth. The Data Centres are located at Plymouth and Gloucester land registry sites and are accredited to ISO 27001:2005 standard and have CPNI (Centre for Protection of National Infrastructure) and GSI (Government Secure Intranet) status and accreditation exceeding most NHS related security requirements. 3.6 Performance Targets This Agreement includes a number of performance targets for the provision, delivery and measurement of service performance. Performance targets are to be used positively, as a means of identifying both good service performance, and areas of weakness where management effort and pressure should be applied. The period of calculation of performance targets will be monthly. The method of calculating performance targets will be determined by the process to be measured, e.g., incidents passing through the Help Desk service will be measured from statistics produced by the HP Open View Help Desk application. The Service review process within this Agreement will set out the process for managing and amending performance targets, appropriate to the levels of performance displayed under this Agreement. The following performance targets apply to Incident Management 95% of reported support calls to be responded to within target 90% of reported support calls to be resolved within the target Service Availability will be 98% 3.7 Reporting The following standard reports are provided. The data source is the Supplier s standard incident logging database. Weekly calls report detailing priority, resolution and closure cause. These are available electronically to sites that have requested them. National Response and resolution SLA reports are reported monthly Page 13 of 30

14 Trend information by period - calls by site and calls by product reports are provided in the monthly Support Reports The reports are provided to customers by Service Delivery Managers at customer reviews upon request by the NHAIS Key User. In the event of any non-compliance or issues being identified, corrective actions will be agreed and communicated to the Customer. These include, but are not limited to, actions within the Service Improvement Plan. 3.8 Data Protection The transfer and use of data within SFT in the course of normal operational support of SFT and associated systems is covered by the Data Protection Agreement within this Service Level Agreement. Therefore any support activity which requires the Supplier to exchange service-related data to enable it to deliver the service does not require any further agreement. The transfer mechanism of all data conforms to HSCIC and SSD security policies, and includes encryption of the data whilst in transit. The data is used only for the purpose for which it is requested. If a requirement arises to use the data for purposes additional to those specified in this Service Level Agreement, the Data Controller must provide written agreement for this additional use before it commences. Therefore, a Data Protection Agreement will be required for any non-standard use of Person Identifiable Data. Page 14 of 30

15 4 Service Continuity and Availability 4.1 Hours of Service Availability The service will be available for user access between 09:00 and 17:00 GMT, Monday to Friday, excluding Public Holidays. Please note, the system is generally available outside of these hours, however is not guaranteed. 4.2 Hours of Support Operation Hours of operational support will be 9am to 5pm, Monday to Friday, excluding English Public Holidays Planned Downtime The maximum planned downtime allowed will be no more than 1 day per calendar month and will be scheduled outside the period of 09:00 to 17:00 in order to minimise impact on Users. As part of the planning and scheduling of approved downtime of the Service, the Service Delivery Manager will formulate an appropriate communication and publish this on the login screen of the application at least two days in advance of the planned downtime. The content of this communication, subject to liaison, will include: Nature of downtime explanation of its requirements; Date and time of downtime; Specific functionality of the Service that will be affected, or will be unavailable Actions to be carried out, if appropriate, by Users When the Service will become available for use The communication is to be circulated to all Supplier Service Delivery units, principally the Service desk, to prepare for potential User calls. Notification of downtime to Users is provided through the front page of the SFT system. 4.3 Service Continuity Backup and Recovery The Supplier will provide a secure backup to support the live IT Infrastructure in the event of a major Incident or Disaster. The backup Infrastructure will include all the necessary components to ensure that all processes and targets within the Agreement can be fulfilled on invocation. The Supplier will be responsible for determining when and how the backup and recovery infrastructure will be invoked. Page 15 of 30

16 5 Support Arrangements 5.1 Incident Management Incident Response and Resolution times All incidents will be categorised and allocated a priority with agreement of the user at the time of logging the call. The incident category may be requested or challenged by the user, in which case the incident will be categorised / prioritised according to the wishes of the user. If the support team subsequently believes that a different category or priority should be used, they will negotiate with the user accordingly. All calls are dealt with in order of priority allocation, 1 being the highest order of priority. Incident categorisations, and target response and resolution timescales are as detailed in the below table: Priority Maximum Response Target Maximum Resolution Target Examples 1 2 hours 3 working days Unavailability of the entire system, a key module or major function, causing significant business impact. 2 4 hour 6 working days Impairment of the entire system, a key module or major function, causing limited business impact. 3 2 days 10 working days Issues causing inconvenience, minor disruption or restricting performance. 4 5 days As agreed Non-urgent issues causing slight irritation but where workarounds are available; integrity checkers; cosmetic or general enquiries for information Incident Resolution The closure of an incident record will occur once the user has confirmed satisfactory resolution. If the user cannot be contacted the incident closure shall be dealt with inline with the roles and responsibilities detailed in this agreement Incident Escalation Page 16 of 30

17 Incident Escalation is the process of communicating information on an Incident, or other live operational service issue for the purpose of raising its profile, and requesting senior management attention and/or intervention. If the customer is not happy with the progress of an incident they may: Contact the Help Desk requesting escalation of an incident. Contact the relevant Service Delivery Manager Major Incident When a Major Incident is recognised and is within scope of this agreement a Major Incident Manager shall be assigned who will liaise with support staff, third parties and senior management. The Service Delivery Manager or deputy will liaise with the customer of the service and shall ensure that resources are focused and the situation is effectively managed in a way that minimises disruption to the user. Page 17 of 30

18 6 Changes & Releases 6.1 Change Management Change Management and Control is the process of identifying, assessing, communicating and implementing proactive and reactive change to the IT Infrastructure. It is a business-critical service management process that assures the integrity of the IT Infrastructure, and protects its operation, design and performance, for the benefit of users and this Agreement IT Infrastructure Enhancements Changes to the IT Infrastructure will be categorised and planned according to business need. Changes to the Infrastructure will be made outside of agreed service hours where possible; however urgent changes will require immediate action, hence will result in an interruption in service Application Change Requests Change requests for the application can be raised internally by the Supplier or externally by a User. The change request form is available via: Any changes to the SFT service will be considered by the SFT Service Review Board. SSD will assess the change for impact and cost and advise the SFT Service Review Board accordingly. Priority of approved changes will be mutually agreed between the Service Review Board and the Systems & Operations Manager. The change request system will be updated with the outcome, and the originator informed of the status. The definition of an Emergency Request for Change (erfc) in Systems and Service Delivery is: A Change that must be implemented in order to avoid significant disruption to the system or service or to correct significant usability. Page 18 of 30

19 6.2 Release Management Changes to the IT infrastructure will be released on an on demand basis using either a single or multiple release unit model as agreed with the customer. The release of Changes to the IT Infrastructure shall be planned, tested, packaged, and implemented to a structured plan. All planned releases of hardware and software change will include the following attributes: Checking of live configuration by accessing the Configuration Management databases and definitive software library (as appropriate); Completion of Product Assurance processes, including provision of an environment on the operating system allowing end-to-end testing, where appropriate; Documenting of development activity progress and determination and recording of Issue Logs where appropriate; Creation of a test plan to include the environment required for testing, the process to verify releases are acceptable, and the success criteria; Determination of impact of the release on the live Service configuration, including affected Users ability to use the Service; Assessment of the potential resource requirements and financial commitments to undertake and complete the release; Updates to all documentation will be undertaken. An emergency release is normally implemented immediately as a response to a erfc. Such a release could bypass the standard SSD release assurance processes. E.g., Given the urgency the release, activities such as testing and notification may be limited. Page 19 of 30

20 7 Capacity Planning and Management Capacity Planning and Management is concerned with ensuring the right resources (both physical and human) are in the right place, at the right time, to deliver the Service in support of this Agreement. Capacity of the service is regularly monitored, in terms of supporting an expanding user base, changing business needs and supporting new functionality. Page 20 of 30

21 8 Security Principles and administration The system will be risked assessed on an annual basis and a risk management / security improvement plan will be put in place to address any unacceptable risks. This will be the responsibility of the Business Manager. The SFT service database is encrypted. Any files submitted are sent over N3, which is a virtual private network. This privacy provides an additional layer of security to the password model and connection encryption used on the SFT service. HSCIC staff have no means of decrypting the files handled by the SFT system. A System Level Security Policy (SLSP) is in place for this service the SLSP helps to demonstrate understanding of information governance risks and commitment to address the security and confidentiality needs of a particular system. All HSCIC SSD staff are aware of their responsibilities to fully comply with the provisions of the Data Protection Act (1998), including related Caldicott Guardian principles, and the Computer Misuse Act (1990). For further information and advice regarding legislation, please refer to the 'Important Information' link on the Open Exeter Authentication and Audit system, at Page 21 of 30

22 9 Service Cost and Charging Arrangements Maintenance tasks covering the application and associated infrastructure are based upon two (2) man days per month, chargeable at a daily rate of SSD will use the HSCIC's standard charging process to recover the costs for maintenance of the SFT infrastructure and application. This will be achieved by transfer of funds via HSCIC management accountants Additional Service Costs Where additional service costs are anticipated or likely to be incurred over-and-above the obligations and cost schedule set out in this Agreement, the following process will apply, either reactively or proactively, according to operational circumstances: Customer Identification The nature of the service to be delivered is documented as a request in an appropriate format by the individual Customer and submitted to the Head of Service Delivery, including: Description of service required; Reason for service requirement; Timescales service required within; Benefits of service to be provided; Budgetary parameters and tolerance for service to be provided; Whether service change is permanent or temporary. The Head of Service Delivery will acknowledge the request and confirm the delivery of the service, together with appropriate actual or estimated costs, and timescales. The Parties will decide the outcome of the request, and implement/reject as and where appropriate. Supplier Identification Note: This process is separate to that of implementing an emergency change, where requests for financial assistance form part of the Minor Modifications process. The nature of the service to be delivered is documented as a request in an appropriate format by the Head of Service Delivery and submitted to the SFT Service Review Board, including: IT Infrastructure configuration item affected; Reason/Justification for service requirement; Timescales service to be delivered within; Benefits of service to be provided; Estimated additional service cost; Page 22 of 30

23 Recommendations on permanent or temporary service change; Timescales financial agreement required within. The SFT Service Review Board will acknowledge the request, and confirm satisfaction or otherwise with its outline, together with providing, or otherwise, the necessary financial authorisation. The Parties will decide the timetable for the request to be implemented/rejected as and where appropriate. If the delivery of additional services affects or causes to affect the achievement of Performance Target(s) within this Agreement, prior identification or exclusion of the Target(s) will be discussed and agreed by the Parties. Page 23 of 30

24 10 Meetings The Service Review Meeting will be held between the Supplier and the SFT Service Review Board Chair annually to discuss: - The Service Scope; - The Service Level Agreement; - Business needs. The Service Review Board will be held at agreed intervals to discuss : - Performance; - Achievements; - Issues; - Action Plan. Outcomes of these meetings are documented in the SFT Service Review Board minutes. Page 24 of 30

25 11 Communications Communication channels used to contact the customer (for example, to agree downtime, accept releases) will be through a combination of (as appropriate): Biannual Service Review Board Meetings to the Service Review Board Chair and / or members Alerts through the SFT portal log in screen Page 25 of 30

26 12 Complaints Complaint Circumstance Where a customer or user is not satisfied with the service or support provided by SSD through the usual channels of the SSD Help Desk or escalation to the responsible Service Delivery Manager, he/she has the option of raising a formal complaint Complaint Format Complaints should be written and submitted as an or letter, outlining the situation and the basis of the complaint Complaint Recipient By mail to the NHS HSCIC SSD Head of Service Delivery Norman.Raphael@hscic.gov.uk Or by post to: Norman Raphael Head of Service Delivery Systems and Service Delivery Hexagon House Pynes Hill Exeter Devon EX2 5SE Complaint Acknowledgement An acknowledgement will be returned within 2 working days of receipt of the complaint using the same media as the original complaint (i.e., by or post) Complaint Resolution SSD will seek to resolve the complaint to the satisfaction of the complainant within 20 working days of the receipt of the complaint. Page 26 of 30

27 Complaint Escalation If the complainant is unhappy with the manner in which the complaint has been dealt with or resolution of the complaint they may escalate the issue to the HSCIC SSD Director (Sean Walsh) at the above address or by to: Page 27 of 30

28 13 SLA Escalation and Arbitration The performance of this Agreement will ultimately be administered and governed by the authorised signatories. If it is necessary to escalate any aspect of either party s obligations or performance under this Agreement, an escalation route (as detailed below) is available as means of arbitration, and to achieve a mutually acceptable solution or decision. The escalation route should only be used as a means to highlight or raise the profile of a particular service delivery issue, should all other opportunities fail. At the point where it is agreed between the signatories that decision or solution to a service issue cannot be resolved within normal means, details of the issue should be escalated to their immediate line managers, dependent upon the nature and context of the issue. Liaison should be undertaken with the escalation point to discuss the circumstances surrounding the issue, and aim to achieve a satisfactory conclusion, including consensus on decision, and action plans. Where it is appropriate to escalate an issue external to the supplier, one or both of the signatories will communicate directly, as appropriate. It will be the responsibility of the signatory to achieve and reach a satisfactory conclusion to the issue, and communicate, as appropriate to personnel involved in the delivery of this service. Page 28 of 30

29 14 Termination of the Service If either party wishes to terminate (either early or planned) or transfer the service a minimum of 6 months notice shall be notified to the respective party. If either party wishes to discuss an early end of the service or transfer of the service, they will be required to raise this formally with the NHS HSCIC Service Delivery Manager for discussion at the service review or via an ad-hoc meeting if required earlier. Page 29 of 30

30 15 Changes to Agreement Day-to-day or operational changes to this Agreement can be proposed at any time, in writing, by either Party with a minimum of 1 month s notice. Major changes to this Agreement will be proposed and discussed at the SFT Service Review Board, with a decision made at the time on its approval or rejection. If further analysis is required in order to make a decision, an action will be identified and taken forward for resolution at the next SFT Service Review Board meeting. The content of proposed changes to this Agreement will be as follows: Submitter details, etc; General description of the change, and the area/section of the Agreement affected; Brief benefits of the change; Actions required to effect the change, together with roles and responsibilities; Impact of change on any historic data and information analyses, e.g., change of performance targets, and existing processes and procedures; and The estimated (if possible) financial impact of the change, e.g. on Service cost, or effort to administer the Agreement. For each change proposed it will be necessary to understand if a baseline in service delivery will be necessary, in order to track and measure corresponding change in the performance of the Parties. This may take the form of selected data and information, but each proposal must be agreed by the Parties prior to decisions being made. The process for identifying and agreeing additional Service costs is specified within section (Additional Service Costs). Page 30 of 30