Digital Technology Assessment Criteria (DTAC) – Smoothing the path to procurement

The task of getting digital tools and apps approved for use within the NHS and social care has long been a challenge for developers and suppliers.

Limited advice from the centre has meant that health and social care organisations have often taken contrasting approaches when it comes to scrutinising health technology as part of a procurement: some have been very light touch whilst others have approached due diligence checks with significantly more rigour. 

There have even been examples of variation within the same organisation with some products being subject to far more detailed reviews than others.  This lack of consistency has led to some suppliers being initially lulled into a false sense of security when their product has been readily adopted by the first few customers, only to suddenly be faced with a slew of complex questions and compliance ‘requirements’ from a more discerning buyer that wishes to hold them to ‘higher’ (or arguably the correct) standards.

I have been on both sides of the fence when trying to deal with this challenge.  

When representing health providers that have been seeking to procure a new digital tool, suppliers would often state with confidence that “we’re already in use across dozens of NHS organisations” and would be quick to provide these impressive credentials.  Eager colleagues would be delighted that the product they had chosen (and in some cases already purchased) was clearly fully compliant.  Surely it wouldn’t have already been adopted by so many others if this wasn’t the case?  Sadly, a few probing questions about data security, clinical safety or regulatory compliance would often highlight one or two rather conspicuous gaps and it would quickly become clear that the supplier’s existing customer base hadn’t undertaken the necessary assurance checks or scrutinised key compliance requirements in a robust manner.  The result would often be a swathe of hasty remedial work by the supplier, painful and costly delays and in the most extreme cases, the loss of confidence in the supplier or a decision to walk away from the deal entirely.

When supporting developers and suppliers, we can be approached when those awkward questions have been raised by a customer. We will quickly support the necessary compliance activities to ensure the expected controls are in place.  Equally frustrating however is when we have worked with a client to ensure all the necessary compliance measures are in place upfront, only to discover the customer doesn’t ask for evidence of the significant assurance activities which have been carried out.  Needless to say though, it is always much better to be fully prepared but not be asked, than to have a procurement go sour due to actual or perceived issues around compliance.

This lack of consistency, driven by a lack of coherent and consistent guidance from the centre, does little for the confidence of the public.  They want to be reassured that the digital tools being used by health and social care providers are safe and effective.  The inability of providers to undertake consistent, high-quality due diligence checks on new digital tools and technology makes it difficult for developers and suppliers to anticipate and respond to the needs of their customers and the wider public.

The road to a common compliance standard – DTAC

In 2017, NHS England and NHS Digital launched their NHS Apps Library as part of their citizen-facing initiative.  This was initially intended to provide a single, centrally approved library of apps for use by patients and citizens.  NHS Digital managed the approval process and ensured that every app was assessed and approved using a set of Digital Assessment Questions.  Initially, this was hailed as a success, but before long the NHS Apps Library began to include clinician-facing apps as well as those intended for use by patients and citizens, seemingly confusing the intended purpose of the Library.  The NHS Apps Library was also subject to a rather unhelpful disclaimer:

“The app developer is solely responsible for their app’s advertisement, compliance and fitness for purpose.”

If NHS Digital weren’t willing to take on some responsibility for the compliance and fitness for purpose of the apps they were assessing, what value did the NHS Apps Library bring in practice, other than acting as another advertising platform for the apps themselves?

This conundrum was not lost on many and with the introduction in late 2019 of NHSX, the joint unit bringing together teams from the Department of Health and Social Care and NHS England and NHS Improvement to drive the digital transformation of care, the need for clarity and consistency in the assessment of digital technology was high on the agenda.  Towards the end of 2020 NHSX announced their new Digital Technology Assessment Criteria.  In true NHS style, this is to be known by the acronym ‘DTAC’.

NHSX summarise the identified need for the DTAC as follows:

“The DTAC was developed in response to developers and those making buying and commissioning decisions looking to NHSX for clear direction on how to build and buy good digital health technologies. We listened to innovators who are seeking to understand what the NHS is looking for when it buys technologies to enable them to build it into their product development ‘by design’. Those buying technologies told us they wanted a proportionate and tangible criteria that was simple to apply and assess against, encompassing all digital health technologies, to ensure that the products they select are safe and built well.

By setting a national baseline, the intention is now to smooth the path between development and procurement so that the NHS and social care may realise the benefits that digital technologies can bring.”

The DTAC is intended to be used as a baseline assessment for digital technology across health and social care nationally and locally.  It will also become the assessment used to support entry to the NHS Apps Library, helping to bring consistent standards to both patient and citizen-facing technology as well as that designed for use by professionals, organisations or institutions.

Preparing for DTAC (Digital Technology Assessment Criteria)

The DTAC assessment criteria are intended to be a ‘one size fits all’ baseline in terms of safety and security and focus on 5 core areas:

  1. Clinical safety (DCB0129): assessed to ensure that baseline clinical safety measures such as a Clinical Risk Management System, Clinical Safety Report and Hazard Log, Clinical Safety Officer (CSO) and MHRA compliance (where applicable) are in place
  2. Data protection: assessed to ensure that data protection and privacy is ‘by design’ and the rights of individuals are protected including registration with the Information Commissioner’s Office (ICO), a named Data Protection Officer (DPO), NHS Data Security and Protection Toolkit (DSPT) submission and a Data Protection Impact Assessment (DPIA)
  3. Technical assurance: assessed to ensure that products are secure and stable including Cyber Essentials certification, Penetration Testing, Multi-Factor Authentication (MFA) and logging, reporting and load testing
  4. Interoperability: assessed to ensure that data is communicated accurately and quickly whilst staying safe and secure. This includes the use of:
    1. Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR) in accordance with Government Digital Services Open Application Programme Interfaces (API) Best Practice
    2. Verified NHS Number as the primary patient identifier
    3. OAuth 2.0/TLS 1.2 for secure interoperability with Electronic Health Records (EHRs)
    4. Compliance with ISO/IEEE 10073 (where applicable).
  5. Usability and accessibility: products are allocated a conformity rating having been benchmarked against good practice and the NHS service standard.

The first 4 criteria operate as the assessed criteria, with the fifth and final criterion used to issue a conformity rating and benchmark products against both the NHS Service Standard and other similar products available in the marketplace.

Interestingly the DTAC criteria align almost directly to the key support services which 8foldGovernance have been providing to its clients for many years.  They not only reflect the key aspects of assurance which in our experience health and social care organisations are most concerned about, they also represent the foundational components which underpin robust and effective suppliers and solutions which bring the most value to patients and the health and social care economy.

Our team are here to help you navigate DTAC successfully and prioritise the right elements at the right time. Please book your free 30-minute consultation with our experts here

Do you meet the statutory requirements under DCB0129?

To ensure that clinical safety is a core practice for your organisation and that the statutory requirements for health IT in the UK (DCB0129) are met, contact us for a no-obligation call. We’ll help you to understand what your obligations are and also what needs to be done to ensure that you are compliant with the mandatory requirements.

Need a named Clinical Safety Officer? (DCB0129)

A key requirement of the DCB0129 standard is that your organisation has a named Clinical Safety Officer (CSO) who is responsible for the application of the entire clinical safety process. The CSO must be a suitably qualified and experienced clinician, with advanced knowledge and understanding of risk management in clinical domains. At 8fold, we have a team of qualified Clinical Safety Officers, ready to offer their expertise to organisations that do not have a CSO in place. To learn more, book your no-obligation consultation here.

Adam Spinks

Adam is a specialist information governance lead and has worked extensively for NHS trusts, CCGs, private healthcare providers and digital health technology companies. He has extensive knowledge of data protection and privacy law, information risk management and data flow mapping, and is expert in the practical application of data protection impact assessments (DPIA) and information sharing agreements (ISA). He is an expert communicator and trusted advisor in the industry.

Published: March 17, 2021

Posted In: DTAC
