What NHS organisations expect you to know
The health and care compliance landscape has changed dramatically in the last few decades, and with potentially more change on the horizon, a quick history lesson is useful to help provide some context and understanding of where we are today.
Information Governance (IG) Toolkit – Genesis
I started my career in Information Governance and Data Protection in 2010. Back then, one of my main roles was supporting the NHS trust that I worked for to complete their ‘Information Governance Toolkit’ (as it was known at the time).
At this stage, the IG Toolkit had been in place for around six years and was well established across the NHS. More organisations than ever before had access to NHS patients and/or their information, were providing services directly to the NHS, or had access to NHS Connecting for Health services. The Department of Health needed a way of ensuring all these organisations could demonstrate they were complying with data protection, confidentiality and freedom of information law as well as all the associated NHS policy requirements. The IG Toolkit therefore became the tool which organisations were contractually obliged to use to make annual submissions of evidence to the Department of Health.
GDPR and the National Data Guardian – A new dawn
Fast forward a few years and the world is trying to get to grips with arguably the most comprehensive data protection regime the world has ever seen – the General Data Protection Regulation (GDPR). At this point, the NHS was also undergoing a comprehensive review of Data Security, Consent and Opt-Outs by the National Data Guardian (NDG), who had recommended 10 Data Security Standards that NHS organisations should comply with to appropriately protect patient data. These covered three important domains:
- People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology: Ensure technology is secure and up to date.
Data Security & Protection Toolkit (formerly known as the ‘IG Toolkit’) – the next generation
Against this backdrop emerged the new and improved NHS Data Security and Protection Toolkit (DSPT). As well as a rebrand, transitioning from ‘Information Governance’ to ‘Data Security and Protection’, it focussed more heavily on cyber security than its predecessor. The new DSPT was also positioned more explicitly as the means by which NHS organisations were expected to assess the data security and protection arrangements of the organisations they worked with or alongside, meaning more organisations than ever needed to complete it.
Health & Social Care Act 2012
In parallel, the NHS was making improvements in the area of ‘clinical safety’ and in 2012, we saw the introduction of the Health and Social Care Act 2012, which made it mandatory for NHS organisations to implement a clinical risk management framework. This was fundamentally supported by two information standards:
- DCB0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
- DCB0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.
These standards legally require health organisations to establish a framework to effectively manage the clinical risks associated with the deployment and implementation of health IT systems (i.e. they must adhere to DCB0160). Part of this places a requirement on health organisations to ensure that, as part of any procurement, manufacturers and their health IT systems comply with the DCB0129 standard.
Digital Technology Assessment Criteria (DTAC)
The final piece of the puzzle emerged towards the end of 2020. The NHS recognised that both developers and those involved in the procurement and implementation of health IT systems were struggling to understand the totality of what was expected of them and therefore, were seeking clear direction on how to build and buy good digital health technologies. The problem was that innovators would often have vastly different experiences when engaging with different NHS organisations, not least because they had varying levels of awareness and understanding about compliance. Some NHS organisations were particularly ‘hot’ when it came to data security and protection but were less rigorous when assessing clinical safety. Sometimes it was the other way around and in a few cases, very little due diligence was undertaken at all.
Enter the Digital Technology Assessment Criteria (DTAC). The ‘DTAC’, as it has come to be known, was introduced to remove the confusion about what was mandatory and what was simply ‘desirable’ when it came to digital health technologies within the NHS. It brought together legislation and good practice in key areas and set national baseline criteria for digital health technologies both entering and already used in the NHS and social care. These 5 key areas were:
- Clinical safety;
- Data protection;
- Technical security;
- Interoperability; and
- Usability and accessibility standards.
The DTAC is designed to be used by healthcare organisations to assess suppliers at the point of procurement or as part of a due diligence process, and by developers to understand what is expected to enter the NHS and social care market.
So why the history lesson?
Well, it’s clear that although the DTAC is a relatively recent development, each of its individual components has been around for quite some time – nearly 20 years in the case of data protection and over 10 years in the case of clinical safety. These aren’t new. NHS organisations therefore have a reasonable expectation that these long-standing compliance requirements will be understood and met by the suppliers they work with, and ignorance of them will often be a cause for concern. What’s more, the DTAC has made it easier than ever to know what NHS organisations expect to see. It’s a bit like seeing the exam questions before you have to sit the test!
In our experience, it is best to have all of your compliance in place before you engage with the NHS. We have seen numerous examples of excellent organisations and products failing to get a foothold in the NHS simply because they haven’t done their homework.
Why have your homework assessed when we can do it for you?
Whilst having your DTAC homework reviewed can be useful for some health-tech companies that have the specialist IG skills in-house to complete it, at 8fold we support those companies that don’t have the skills or resources to see this through to completion themselves. Whether that’s completing the DTAC on your behalf, or acting as your named Clinical Safety Officer or named Data Protection Officer (key requirements of the DTAC), this can make all the difference when providing reassurance to NHS organisations that your product is deemed to be clinically safe, secure and compliant.
But, to make this entire process more seamless for both health-tech companies and NHS organisations, we have also launched the UK’s first and only DTAC Portal. The DTAC Portal allows health-tech companies to securely share all their DTAC documents and evidence from one place. It means that NHS organisations can access your DTAC information in real-time, making the procurement process simple and seamless for everyone involved.
Streamline your route to DTAC compliance
Want to know more about how we support health-tech companies with DTAC? Check out our latest case studies, or book a call with a member of our team below.