NHS DTAC

NHS DTAC was introduced in 2021 by NHSX (now part of NHS England), and is a national baseline criteria for digital health technologies, to be used by healthcare organisations to assess suppliers. You can think of it as a larger framework of multiple smaller risk management frameworks, separated into five sections.

• Clinical Safety: complete your DCB0129 with a registered Clinical Safety Officer as per the Health and Social Care Act, 2012
• Data Protection: become GDPR compliant with the Data Security and Protection Toolkit (DSPT)
• Technical security: complete your UK Cyber Essentials certification
• Interoperability: ensure interoperability with existing NHS systems
• Usability and accessibility: ensure your platform meets the needs of all patients

Yes, the Digital Technology Assessment Criteria (DTAC) is a mandatory requirement for all digital health technologies for procurement by the NHS, and a significant proportion of the DTAC form is made up of legislation.

Yes, even initial pilots require completion of the DTAC form.

No, the NHS, nor other organisations, can issue DTAC certification, but using our platform will ensure all the requirements are met.

Ensuring clinical safety is essential when introducing new digital health technologies. There are two key standards in the NHS: DCB0129 and DCB0160. Although very similar in content, DCB0129 is for the Manufacturer of Health IT Systems, whereas DCB0160 is for the Health Organisation (such as the NHS Trust where the product will be deployed). To comply with such standards, the clinical safety team must complete a Clinical Risk Management Plan, a Hazard Log and a Clinical Safety Case Report. Clinical safety is a continuous process, and it is important to have monitoring post deployment of the system.

Please contact us for additional advice on completing DCB0129, or on Clinical Safety Officers.

Data protection is an important component of DTAC. To comply companies must ensure they are compliant with GDPR by registering with the ICO and appointing a Data Protection Officer and Senior Information Risk Owner. Companies must complete key documentation, including a privacy notice, Information Asset Register and a Record of Processing Activities (also known as an Article 30 register). You must have a valid legal basis under GDPR Article 6 in order to process any personal data, and additional justification under Article 9 if the data includes Special Category Data (such as health data). A Data Protection Impact Assessment must also be completed for any Special Category Data.

For NHS procurement, companies must complete the Digital Security Protection Toolkit, which includes GDPR compliance and Cyber Essentials compliance. This also involves an external penetration test (which we can provide).

Please contact us for any additional advice on Data Protection.

To comply with the technical security aspect of DTAC, a company must complete UK Cyber Essentials, which involves a self assessment of your company’s technical security. For procurement, it is recommended to complete Cyber Essentials Plus, which involves both a self assessment and an External Audit. For NHS procurement, companies must complete the Digital Security Protection Toolkit, which includes GDPR compliance and Cyber Essentials compliance. This also involves an external penetration test (which we can provide).

Contact us for further advice on Technical Security.

To provide a seamless care journey, it is important that relevant technologies in the health and social care system are interoperable, in terms of hardware, software and the data contained within. Those technologies that need to interface within clinical record systems must also be interoperable. Application Programme Interfaces (APIs) should follow the Government Digital Services Open API Best Practices, be documented and freely available and third parties should have reasonable access in order to integrate technologies.

While some NHS trusts may request implementation of interoperability to enable a pilot of your innovation, simply having the strategy with awareness and proof of readiness to integrate is sufficient to pass the DTAC . The key part of this strategy is that it must be clear and understandable for the assessors at the NHS trust.

For more advice on interoperability, please contact us.

Usability and accessibility is about ensuring everyone can access the services they need, regardless of background, identity or circumstances. It is important to make sure people with different physical, mental health, social, cultural or learning needs can use your digital health technology, whether it's for the public or staff. This includes people who do not have access to the internet or lack the skills or confidence to use it. An essential part of this is creating a User Journey Map, while meeting accessibility standards including WCAG2.2 AA and the 2018 accessibility regulations.