Digital Technology Assessment Criteria (DTAC) – Smoothing the path to procurement
The task of getting digital tools and apps approved for use within the NHS and social care has long been a challenge for developers and suppliers.
Limited advice from the centre has meant that health and social care organisations have often taken contrasting approaches when it comes to scrutinising health technology as part of a procurement: some have been very light touch whilst others have approached due diligence checks with significantly more rigour.
There have even been examples of variation within the same organisation with some products being subject to far more detailed reviews than others. This lack of consistency has led to some suppliers being initially lulled into a false sense of security when their product has been readily adopted by the first few customers, only to suddenly be faced with a slew of complex questions and compliance ‘requirements’ from a more discerning buyer that wishes to hold them to ‘higher’ (or arguably the correct) standards.
I have been on both sides of the fence when trying to deal with this challenge.
When representing health providers that have been seeking to procure a new digital tool, suppliers would often state with confidence that “we’re already in use across dozens of NHS organisations” and would be quick to provide these impressive credentials. Eager colleagues would be delighted that the product they had chosen (and in some cases already purchased) was clearly fully compliant. Surely it wouldn’t have already been adopted by so many others if this wasn’t the case? Sadly, a few probing questions about data security, clinical safety or regulatory compliance would often highlight one or two rather conspicuous gaps and it would quickly become clear that the supplier’s existing customer base hadn’t undertaken the necessary assurance checks or scrutinised key compliance requirements in a robust manner. The result would often be a swathe of hasty remedial work by the supplier, painful and costly delays and in the most extreme cases, the loss of confidence in the supplier or a decision to walk away from the deal entirely.
When supporting developers and suppliers, we can be approached when those awkward questions have been raised by a customer. We will quickly support the necessary compliance activities to ensure the expected controls are in place. Equally frustrating however is when we have worked with a client to ensure all the necessary compliance measures are in place upfront, only to discover the customer doesn’t ask for evidence of the significant assurance activities which have been carried out. Needless to say though, it is always much better to be fully prepared but not be asked, than to have a procurement go sour due to actual or perceived issues around compliance.
This lack of consistency, driven by a lack of coherent and consistent guidance from the centre, does little for the confidence of the public. They want to be reassured that the digital tools being used by health and social care providers are safe and effective. The inability of providers to undertake consistent and high quality due diligence checks on new digital tools and technology makes it difficult for developers and suppliers to anticipate and respond to the needs of their customers and the wider public.
The road to a common compliance standard – DTAC
In 2017, NHS England and NHS Digital launched their NHS Apps Library as part of their citizen-facing initiative. This was initially intended to provide a single, centrally approved library of apps for use by patients and citizens. NHS Digital managed the approval process and ensured that every app was assessed and approved using a set of Digital Assessment Questions. Initially, this was hailed as a success, but before long the NHS Apps library began to include clinician facing apps as well as those intended for use by patients and citizens, seemingly confusing the intended purpose of the Library. The NHS Apps Library was also subject to a rather unhelpful disclaimer:
“The app developer is solely responsible for their app’s advertisement, compliance and fitness for purpose.”
If NHS Digital weren’t willing to take on some responsibility for the compliance and fitness for purpose of the apps they were assessing, what value did the NHS Apps Library bring in practice, other than acting as another advertising platform for the apps themselves?
This conundrum was not lost on many and with the introduction in late 2019 of NHSX, the joint unit bringing together teams from the Department of Health and Social Care and NHS England and NHS Improvement to drive the digital transformation of care, the need for clarity and consistency in the assessment of digital technology was high on the agenda. Towards the end of 2020 NHSX announced their new Digital Technology Assessment Criteria. In true NHS style, this is to be known by the acronym ‘DTAC’.
NHSX summarise the identified need for the DTAC as follows:
“The DTAC was developed in response to developers and those making buying and commissioning decisions looking to NHSX for clear direction on how to build and buy good digital health technologies. We listened to innovators who are seeking to understand what the NHS is looking for when it buys technologies to enable them to build it into their product development ‘by design’. Those buying technologies told us they wanted a proportionate and tangible criteria that was simple to apply and assess against, encompassing all digital health technologies, to ensure that the products they select are safe and built well.
By setting a national baseline, the intention is now to smooth the path between development and procurement so that the NHS and social care may realise the benefits that digital technologies can bring.”
The DTAC is intended to be used as a baseline assessment for digital technology across health and social care, nationally and locally. It will also become the assessment used to support entry to the NHS Apps Library, helping to bring consistent standards to both patient and citizen-facing technology and technology designed for use by professionals, organisations or institutions.
Preparing for DTAC (Digital Technology Assessment Criteria)
The DTAC assessment criteria are intended to be a ‘one size fits all’ baseline in terms of safety and security and focus on 5 core areas:
- Clinical safety (DCB0129): assessed to ensure that baseline clinical safety measures such as a Clinical Risk Management System, Clinical Safety Report and Hazard Log, Clinical Safety Officer (CSO) and MHRA compliance (where applicable) are in place
- Data protection: assessed to ensure that data protection and privacy is ‘by design’ and the rights of individuals are protected including registration with the Information Commissioner’s Office (ICO), a named Data Protection Officer (DPO), NHS Data Security and Protection Toolkit (DSPT) submission and a Data Protection Impact Assessment (DPIA)
- Technical assurance: assessed to ensure that products are secure and stable including Cyber Essentials certification, Penetration Testing, Multi-Factor Authentication (MFA) and logging, reporting and load testing
- Interoperability: assessed to ensure that data is communicated accurately and quickly whilst staying safe and secure. This includes the use of:
  - Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR) in accordance with Government Digital Services Open Application Programme Interfaces (API) Best Practice
  - Verified NHS Number as the primary patient identifier
  - OAuth 2.0/TLS 1.2 for secure interoperability with Electronic Health Records (EHRs)
  - Compliance with ISO/IEEE 10073 (where applicable)
- Usability and accessibility: products are allocated a conformity rating having been benchmarked against good practice and the NHS service standard.
The first 4 criteria operate as the assessed criteria, with the fifth and final criterion used to issue a conformity rating and benchmark products against both the NHS Service Standard and other similar products available in the marketplace.
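Two of the interoperability items above (the NHS Number as primary patient identifier, and TLS 1.2 for EHR connections) are concrete enough to show in code. The block below is an added illustration written for this article, not code from NHSX, the DTAC or 8foldGovernance. It applies the Modulus 11 check-digit test to an NHS Number carried on a FHIR Patient resource, and builds a TLS client context that refuses anything older than TLS 1.2. The check-digit test only catches malformed or mistyped numbers; it is not the same as verifying the number against the national demographics record, which is what ‘verified’ means in the DTAC. The sample Patient resource and the NHS Numbers in it are constructed test values, and the identifier system URI is the one NHS FHIR profiles use for the NHS Number.

```python
import json
import ssl
from typing import Optional

# Identifier system URI used in NHS FHIR profiles for the NHS Number.
NHS_NUMBER_SYSTEM = "https://fhir.nhs.uk/Id/nhs-number"

# Constructed sample FHIR Patient resource (test data, not a real person).
SAMPLE_PATIENT = json.loads("""
{
  "resourceType": "Patient",
  "identifier": [
    {"system": "https://fhir.nhs.uk/Id/nhs-number", "value": "943 476 5919"}
  ],
  "name": [{"family": "Example", "given": ["Test"]}]
}
""")


def nhs_number_check_digit_valid(value: str) -> bool:
    """Modulus 11 format check on a 10-digit NHS Number.

    Weights 10 down to 2 are applied to the first nine digits. The check
    digit is 11 minus (weighted sum mod 11); a result of 11 is written as 0,
    and a result of 10 means no valid NHS Number has those nine digits.
    Passing this test says nothing about whether the number is assigned to
    a real patient; that requires tracing against the national record.
    """
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    weighted = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (weighted % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def primary_nhs_number(patient: dict) -> Optional[str]:
    """Return the NHS Number from a FHIR Patient resource, normalised to
    10 digits, or None if there is no NHS Number identifier or it fails
    the check-digit test. Other identifier systems (local hospital numbers
    and so on) are ignored, because the NHS Number is the primary key."""
    if patient.get("resourceType") != "Patient":
        return None
    for ident in patient.get("identifier", []):
        if ident.get("system") == NHS_NUMBER_SYSTEM:
            value = str(ident.get("value", "")).replace(" ", "")
            return value if nhs_number_check_digit_valid(value) else None
    return None


def ehr_client_context() -> ssl.SSLContext:
    """TLS client context for talking to an EHR: certificate verification
    and hostname checking stay on (create_default_context), and the floor
    is raised to TLS 1.2 so older protocol versions cannot be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("NHS Number on sample Patient:", primary_nhs_number(SAMPLE_PATIENT))
    print("Minimum TLS version:", ehr_client_context().minimum_version.name)
```

In a real integration the returned number would then be traced against the national demographics service before being used as the patient key; the context from `ehr_client_context()` is what you would pass to your HTTP client when calling the EHR’s OAuth 2.0 token endpoint and FHIR API.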
Interestingly the DTAC criteria align almost directly to the key support services which 8foldGovernance have been providing to its clients for many years. They not only reflect the key aspects of assurance which in our experience health and social care organisations are most concerned about, they also represent the foundational components which underpin robust and effective suppliers and solutions which bring the most value to patients and the health and social care economy.
Our team are here to help you navigate DTAC successfully and prioritise the right elements at the right time. Please book your free 30-minute consultation with our experts here
Do you meet the statutory requirements under DCB0129?
To ensure that clinical safety is a core practice for your organisation and that the statutory requirements for health IT in the UK (DCB0129) are met, contact us for a no-obligation call. We’ll help you to understand what your obligations are and what needs to be done to ensure that you are compliant with the mandatory requirements.
Need a named Clinical Safety Officer? (DCB0129)
A key requirement of the DCB0129 standard is that your organisation has a named Clinical Safety Officer (CSO) who is responsible for the application of the entire clinical safety process. The CSO must be a suitably qualified and experienced clinician, with advanced knowledge and understanding of risk management in clinical domains. At 8fold, we have a team of qualified Clinical Safety Officers, ready to offer their expertise to organisations that do not have a CSO in place. To learn more, book your no-obligation consultation here.