Skip to content
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
  • +44 (0)1273 569172
Book a Call

← Case Studies  

Supporting Collaboration

The KiActiv® Journey to DTAC & DCB0129 Compliance

Kiactiv
Understanding the Problem with Information Governance Information Governance, Information Governance tablet, Security Info Governance

CASE STUDY: KiActiv®

Digital health technology companies that want to become NHS suppliers need to complete the NHS Digital Technology Assessment Criteria (DTAC) for health & social care and self-certify that any product(s) meets this criteria.

The DTAC assessment can be challenging for businesses to navigate alone. There’s no formal certification process, and no external, accredited body to assess the product(s) and offer any stamp of approval. This can make it difficult for digital health tech companies to navigate the DTAC and feel 100% confident about their compliance status.

With NHS England increasingly placing more and more emphasis on the need for digital health companies to be DTAC compliant, KiActiv® approached 8foldGovernance, seeking support to demonstrate their compliance, namely with regards to penetration testing and DCB0129 (clinical risk management).

About KiActiv®

KiActiv® is a digital behaviour change service that remotely supports patients to build physical activity into their everyday routines in a sustainable way, helping to manage and reduce the risk of long-term health conditions.

Operational in the NHS since 2017, KiActiv® collaborated on a research programme with the University of Bath in 2013, which demonstrated that the KiActiv® approach was effective in changing and optimising behaviour to sustainably improve health outcomes over a period of time.

The digital service has since been used across primary, secondary and community care settings to support older patients with multimorbidities, including diabetes, COPD, hypertension, rehabilitation, and more recently, long-covid.

The digital service integrates minute-by-minute physical activity data from a validated wearable device. The online dashboard provides a personalised picture of this information, using proven visualisations that enable people to consider other ways they can optimise their everyday physical activity i.e. through a planned commute, housework, or even having a meal delivered vs cooking at home. This is supplemented by twelve weeks of motivational mentoring to support people to get the best out of the technology, while also teaching vital self-management skills that prove to be effective for their health in the long term.

The digital service is currently active across 10 Integrated Care Boards (ICBs) and systems (ICS) and is free for patients at the point of use.

KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance

The Problem

Becoming DTAC compliant

As a digital health company that values patient safety and compliance, it was important for KiActiv® to find the right advice and guidance from trusted experts in the field of NHS compliance. Tommy Parker, CEO of KiActiv®, approached 8foldGovernance to ensure the highest standards of clinical safety and become DTAC compliant.

“Up until that point it had been a very murky picture in terms of what we needed to do”, said CEO, Tommy Parker. “Whilst there are nice spreadsheets that you can download from NHS England and other companies saying, ‘for X amount of money we’ll tell you whether you’re compliant or not’, it simply wasn’t clear.

“We knew it was going to come so we wanted to get ahead of it – and that’s exactly what 8fold and the DTAC portal has allowed us to do”.

The Strategy

KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance

Penetration testing

To assess the ‘technical security criteria’ of the KiActiv® product, an Owasp Top 10 penetration test was carried out to ensure compliance with section C of the Digital Technology Assessment Criteria. This helps the NHS to establish if the product meets industry best practice security standards and that the data being collected and processed in the application is secure. The Owasp test seeks to identify any vulnerabilities that could be exploited to attack the system or its users, bypass controls, escalate privileges, or extract sensitive data.

KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance

Clinical Safety as-a-Service and Clinical Risk Management (DCB0129)

To ensure that clinical safety and clinical risk management was considered and integrated into every part of the business; from product development, operations to user experience, Karen Whitton, Director of Clinical Risk at 8foldGovernance, supported the team to demonstrate their compliance with DTAC and DCB0129.

“Karen was able to get her head into the detail of what we do – focussing on clinical risks and pulling together all the required documentation. It was pretty seamless,” said Tommy.

He adds: “It’s valuable to have that external look at what we do, both from a clinical risk point of view, but also from a process perspective because she pushed us to do more internally, sharing ideas on how we could implement that thinking into our architecture. That’s been extremely valuable.”

As risks and processes vary from business to business, it’s important to ensure that a clinical risk management system is tailored and appropriate to the individual organisation and its products. To provide the greatest value to KiActiv® for the long term, we established a usable clinical risk management system rather than create a generic and unworkable ‘tick box exercise’ for compliance. To do so involved getting under the bonnet of KiActiv® as an organisation and product by following the user journeys for both service users and mentors. This process helped to uncover any potential pitfalls which may result in clinical harm.

In close collaboration with the KiActiv® team, we worked through all potentially hazardous scenarios to ensure risks were identified and mitigations introduced. Furthermore, we identified any gaps in the internal documentation and the supporting procedures and assisted the team to implement these new recommendations. The KiActiv® team have been extremely positive throughout the process and Karen continues to be regularly involved in the risk management of their product as the designated Clinical Safety Officer.

Karen said: “Ensuring that patients and users receive the highest quality of care is the driving factor behind creating a functional clinical risk management system. This ensures a systematic approach is taken to identify risk in advance of an update or the release of new functionality. It also avoids any potential clinical incidents and the need to roll back features or updates which can be very costly.“

The Results

Since working with 8fold, KiActiv® has been able to demonstrate compliance in all areas of DTAC including; clinical safety, data protection, technical security, interoperability, usability and accessibility.

As well as being assured by a team of registered clinical risk and compliance specialists, the 8fold DTAC Portal allowed KiActiv® to easily share their full DTAC documentation and supporting evidence with their NHS clients, including the information governance team responsible for monitoring compliance. This has made the process of signing up new customers even more seamless. “The Information Governance team typically turns around and says, ‘yes that looks good’ and they sign it off”, says Tommy.

He adds: “Once we ticked everything off, it also enabled us to have more structured conversations with the 8fold team about how to operationalise changes in future and demonstrate our compliance more widely. That was useful to help tie everything up in a neat package, to share and sit behind as something we knew we could rely on.

“Getting that initial sense-check of where we were was really good, and with Karen focussed on how we can mature some of our processes, that builds even better foundations as we scale.”

KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance
KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance

Book your free, no-obligation discovery call with our experts.

Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.

Book your call now
KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance

Book your free, no-obligation discovery call with our experts.

Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.

Book your call now
KiActiv Case Study: KiActiv's Path to DTAC & DCB0129 Compliance KiActiv,DCB0129 Compliance
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept