SOAR Security

SOAR Security

SOAR (Scottish Online Appraisal Resource) is encrypted in two ways: the system itself is encrypted, and any files that are uploaded are also separately encrypted.

Files uploaded to SOAR are only accessible to the appraisee (the user themselves).  Files submitted to an appraisal interview are ONLY accessible to the appraiser and appraisee for that appraisal. So for example, if you uploaded files to share with your appraiser this year, and next year you have a new appraiser, he or she will not have access to the files you shared with this year's appraiser.

With regard to security, we strive to ensure our security protocols are kept up-to-date.  Once a year SOAR is subjected to external security testing (as per NES policy), and if there are any weaknesses found we ensure these are fixed ASAP.  We fix any high level issues identified immediately, and fix/address all other issues in the security report before the end of the fiscal year. An example of this is that we added the security questions before we launched SOAR live, as recommended by the test results/report.

Whilst we try our best to ensure SOAR's security is as current as possible, we also need your help with protecting the security of the system.

  • Ensure your password is safe and secure, and not shared with anyone (YOU are expected to login and log your own appraisal information, not your PA, not your Practice manager, etc)
  • You should always make sure you remove any patient identifiable information before you share any documentation with your appraiser.

SOAR Webhosting

SOAR is hosted on an external secure server due to our system requirements. SOAR is hosted by a company called Brightsolid, based in Tayside, whose clients include Fife Council, Lothian Council, Scottish Widows, Standard Life, as well as other NHS Health Boards in Scotland.

Brightsolid specialises in hosting online applications/systems and has consistently provided a high level of quality and secure service to NES.

SOAR External Web Developers

SOAR does not have an in-house development team.  All IT development on SOAR are carried out by external IT companies.  Each project is normally tendered for, and the winning tender is based on expertise, experience, and value for money.

SOAR was initially developed and maintained (via SLA) by Conscia Ltd in 2006/2007.  The system is now (2014/2015) maintained by Tactuum (based in Glasgow), who specialise in mobile and healthcare IT solutions.

What happens if SOAR fails?

Our server on Brightsolid is backed up on a daily and weekly basis.  Daily backups are kept for the last 6 days (Sat/Sun/Mon/Tues/Wed/Thurs); and the weekly backups are taken on a Friday, and kept for 5 weeks.

All backups are stored in a separate building from the server.

Additionally, a copy of the system (not data) is kept / maintained by our external web developers (currently Tactuum, based in Glasgow) on their development server, which could be used on an emergency basis once data is restored.  An archived copy of the system is also kept by NES.

Use of Cookies

Google has a special tool (Google Analytics) which we use to monitor where our website visitors are accessing our resources from (e.g. number of users accessing SOAR from UK, Spain, USA etc; number of times a particular page on the Medical Appraisal Scotland website had been visited etc), and the way this works is that when you visit a page on SOAR or the Medical Appraisal Scotland website, a piece of script (called cookie) is used to gather information on where the user is from.  This information is used on an aggregated basis and is NOT used to identify individual users of the system.

For details on cookies used on the Medical Appraisal Scotland website and SOAR, please visit the section on Cookies.

Restricted Access for different user roles on SOAR

Each user role on SOAR is assigned by an administrator, either locally at Health Board level, or via NES at system admin level.  We ask new users to the system to complete a login request, but they cannot add themselves to SOAR.  This helps us ensure the system is used by the correct people for the correct/intended purpose.

Within each user role, a user can access certain resources and functions. Naturally, they will also be prevented from accessing other information and details on SOAR that do not relate to them.  For example, a Trainee user will not be able to assign an appraiser to an appraisee (this is done by administration teams); similarly, an appraiser will not be able to access information or documentation for users that are not linked to them.

For a full list of roles and access rights for SOAR users, please download and review the PDF document below.

SOAR Permissions Overview | File Size: 106.85 KB | Date Updated: 28/05/2020

Overview of what each user role on SOAR can access.

This page was last updated on: 06/10/2015