DTAC – Digital Technology For the NHS
Digital Technology Assessment Criteria
DTAC is a set of standards that computer programs or digital equipment should pass to be considered for adoption within the UK’s National Health Service (NHS).
The core document for DTAC is a 36-page A4 form. It is not the only paperwork required as some sections require completing additional documentation. These include:
• A clinical risk management template to match the DCB0129 standard
• Clinical safety case report
• Hazard log (all available at)
If a medical device is proposed, it must be registered with the Medicines and Healthcare products Regulatory Agency (MHRA).
If data or information passes through or is stored in the system (and it probably will), then the provisions of the UK GDPR and the NHS’s Data Security and Protection Toolkit Assessment will need to be met. A Data Protection Impact Assessment (DPIA) is also required.
The applying organisation will need a current Cyber Essentials qualification. Cyber Essentials Plus is not necessary.
The developer will need to prove that the product has undergone a penetration test and passed the top 10 vulnerabilities for the previous year as defined by the Open Web Application Security Project (OWASP).
Any APIs must follow Government Digital Services Open API Best Practice.
In addition to the background paperwork above, the product is scored as a percentage according to the NHS service standard. This includes categories such as what the product does and how it meets a need, together with the development process and how it will be supported after release.
All the above is quite a shopping list. It specifically applies to the NHS but could also be relevant when working with other bodies connected to the NHS. It provides a framework for good practice, and any records can be presented again should a product make its way into the NHS through a less direct route. For example, any outsourced work should meet the DTAC standards, and any outsourced body will be more likely to attract NHS-destined work if they can prove that they work to these standards.
Many of the recommendations and requirements are not new, so they will be relatively easy for an existing provider to match. On the other hand, the DTAC increases the workload for any business trying to break into NHS digital supply.
With appropriate planning, the workload from the DTAC can be optimised. If the technical questions cannot be answered, then the product is unlikely to be considered for adoption. The questions do relate to the development process, so getting solutions in place early on will not only fulfil DTAC but also strengthen the process itself. For example, C1.2 requires the name of the Clinical Safety Officer. There must be a suitably qualified person in place to pass DTAC, but the advice from the Clinical Safety Officer will aid the overall product development and should increase some of the scores in the service standard section.
The service standard section is important in the NHS’s decision to adopt a product, but the requirements are more easily overcome as a project progresses. It is also possible that a submission could score 0% in some of these areas and still be adopted as the best design for the job. The technical questions, on the other hand, are of a ‘yes/no’ and ‘prove why’ nature. It is clear what the correct answers should be; getting the proof is harder, and these should be the priority at the beginning of development.
It is not necessary to put all measures in place at the start of planning, but it should be identified how and when they will be addressed. A few are time sensitive. Cyber Essentials is renewed each year, so the DTAC proposal submission needs to take account of the renewal date. The penetration test viability depends on threats within the past year, so again it needs to be relatively recent. For both these cases it is best to have attempted them in the year previous to submission. This gives time to overcome any shortcomings, optimising the chance of success in subsequent submissions. It would be folly to time a penetration test 3 weeks before a planned submission date and then find errors that might take over a month to overcome, test again and pass.
Many of the DTAC questions relate to computer and information security. Kindus are well placed to offer support in these areas. We also work with clients in the medical sector so are well versed in the various standards and processes involved there. We can provide reliable advice and support to achieve success in DTAC.