
A Quick History Lesson in Health & Care Compliance


What NHS organisations expect you to know

The health and care compliance landscape has changed dramatically in the last few decades, and with potentially more change on the horizon, a quick history lesson is useful to help provide some context and understanding of where we are today.

Information Governance (IG) Toolkit – Genesis

I started my career in Information Governance and Data Protection in 2010.  Back then, one of my main roles was supporting the NHS trust that I worked for to complete their ‘Information Governance Toolkit’ (as it was known at the time).

At this stage, the IG Toolkit had been in place for around six years and was well established across the NHS. More organisations than ever before had access to NHS patients and/or their information, were providing services directly to the NHS, or had access to NHS Connecting for Health services.  The Department of Health needed a way of ensuring all these organisations could demonstrate they were complying with data protection, confidentiality and freedom of information law as well as all the associated NHS policy requirements.  The IG Toolkit therefore became the tool which organisations were contractually obliged to use to make annual submissions of evidence to the Department of Health.

 

GDPR and the National Data Guardian – A new dawn

Fast forward a few years and the world is trying to get to grips with arguably the most comprehensive data protection regime the world has ever seen – the General Data Protection Regulation (GDPR). At this point, the NHS was also undergoing a comprehensive review of Data Security, Consent and Opt-Outs by the National Data Guardian (NDG), who had recommended 10 Data Security Standards that NHS organisations should comply with to appropriately protect patient data. These covered three important domains:

  1. People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  2. Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
  3. Technology: Ensure technology is secure and up to date.

 

Data Security & Protection Toolkit (formerly known as the ‘IG Toolkit’) – the next generation

Against this backdrop emerged the new and improved NHS Data Security and Protection Toolkit (DSPT). As well as a rebrand, transitioning from ‘Information Governance’ to ‘Data Security and Protection’, it focussed more heavily on cyber security than its predecessor.  The new DSPT was also positioned more explicitly as the means by which NHS organisations were expected to assess the data security and protection arrangements of the organisations they worked with or alongside, meaning more organisations than ever needed to complete it.

 

Health & Social Care Act 2012

In parallel, the NHS was making improvements in the area of ‘clinical safety’ and in 2012, we saw the introduction of the Health and Social Care Act 2012, which made it mandatory for NHS organisations to implement a clinical risk management framework. This was fundamentally supported by two information standards:

  1. DCB0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
  2. DCB0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

 

These standards legally require health organisations to establish a framework to effectively manage the clinical risks associated with the deployment and implementation of health IT systems (i.e. they must adhere to DCB0160).  Part of this places a requirement on health organisations to ensure that, as part of any procurement, manufacturers and their health IT systems comply with the DCB0129 standard.

 

Digital Technology Assessment Criteria (DTAC)

The final piece of the puzzle emerged towards the end of 2020. The NHS recognised that both developers and those involved in the procurement and implementation of health IT systems were struggling to understand the totality of what was expected of them and were therefore seeking clear direction on how to build and buy good digital health technologies. The problem was that innovators would often have vastly different experiences when engaging with different NHS organisations, not least because they had varying levels of awareness and understanding about compliance. Some NHS organisations were particularly ‘hot’ when it came to data security and protection but were less rigorous when assessing clinical safety. Sometimes it was the other way around and in a few cases, very little due diligence was undertaken at all.

Enter the Digital Technology Assessment Criteria (DTAC). The ‘DTAC’, as it has come to be known, was introduced to remove the confusion about what was mandatory and what was simply ‘desirable’ when it came to digital health technologies within the NHS. It brought together legislation and good practice in key areas and set national baseline criteria for digital health technologies both entering and already used in the NHS and social care. These 5 key areas were:

  1. Clinical safety;
  2. Data protection;
  3. Technical security;
  4. Interoperability; and
  5. Usability and accessibility standards.

 

The DTAC is designed to be used by healthcare organisations to assess suppliers at the point of procurement or as part of a due diligence process, and by developers to understand what is expected to enter the NHS and social care market.

 

So why the history lesson?  

Well, it’s clear that although the DTAC is a relatively recent development, each of its individual components has been around for quite some time – nearly 20 years in the case of data protection and over 10 years in the case of clinical safety. These aren’t new. NHS organisations therefore have a reasonable expectation that these long-standing compliance requirements will be understood and met by the suppliers they work with, and ignorance of these will often be a cause for concern. What’s more, the DTAC has made it easier than ever to know what NHS organisations expect to see. It’s a bit like seeing the exam questions before you have to sit the test!

In our experience, it is best to have all of your compliance in place before you engage with the NHS. We have seen numerous examples of excellent organisations and products failing to get a foothold in the NHS simply because they haven’t done their homework.

 

Why have your homework assessed when we can do it for you?

Whilst having your DTAC homework reviewed can be useful for some health-tech companies that have the specialist IG skills in-house to complete it, at 8fold we support those companies that don’t have the skills or resources to see this through to completion themselves. Whether that’s completing the DTAC on your behalf, or acting as your named Clinical Safety Officer or named Data Protection Officer (key requirements of the DTAC), this can make all the difference when providing reassurance to NHS organisations that your product is deemed to be clinically safe, secure and compliant.

But, to make this entire process more seamless for both health-tech companies and NHS organisations, we have also launched the UK’s first and only DTAC Portal. The DTAC Portal allows health-tech companies to securely share all their DTAC documents and evidence from one place. It means that NHS organisations can access your DTAC information in real-time, making the procurement process simple and seamless for everyone involved.



Adam Spinks


Adam is a specialist information governance lead and has worked extensively for NHS trusts, CCGs, private healthcare providers and digital health technology companies. He has extensive knowledge of data protection and privacy law, information risk management and data flow mapping, and is an expert in the practical application of data protection impact assessments (DPIA) and information sharing agreements (ISA). He is an expert communicator and trusted advisor in the industry.

Published:

  • March 13, 2023

Posted In:

  • Information Governance, Clinical Safety, Data Protection, DCB0129, DCB0160, DSPT, DTAC, GPDPR
