NHS organisations use the DTAC as a minimum baseline of compliance requirements. The DTAC helps the NHS to assess the compliance and maturity of solutions during or before a formal procurement exercise.
The NHS DTAC applies to all new digital technologies, even where new technologies are being piloted in an NHS organisation. If a developer has multiple products, each one needs to be compliant with the DTAC. Some examples of products in the scope of DTAC include: AI tools designed for clinical decision support, patient-facing digital health technologies, health apps, medtech and devices with an associated app, health IT systems, web-based portals and more.
DTAC provides a consistent, national baseline for compliance for all digital technologies. The NHS often use it as a minimum set of requirements to evaluate a new technology, but may sometimes ask for more information if the product includes Generative AI capabilities or is considered a Medical Device.
The DTAC has five essential criteria against which digital technology proposed for use within the NHS must be assessed: Data Protection, Clinical Safety, Technical Security, Interoperability, and Usability and Accessibility. It’s designed to help innovators maintain focus on high standards and, as such, requires an ongoing commitment to quality and safety throughout the lifetime of the product(s) in question.
Medical Device manufacturers need to comply with the DTAC if they have a software solution which is classed as a Medical Device or there is a software component which enables a piece of Medical Device hardware to connect with third-party systems. They will also need to complete the Pre-Acquisition Questionnaire (PAQ) as part of the procurement process.
DTAC should be reviewed and updated regularly, at least on an annual basis. Different aspects of your DTAC submission will need to be reviewed at different times during the year, so it is expected to be an ongoing commitment to retain compliance with the DTAC framework.
DTAC incorporates considerations for data protection regulations by assessing how digital technologies comply with legal requirements and safeguard user data. There is the expectation with the DTAC for a supplier to be registered with the Information Commissioner's Office (ICO), appoint a Data Protection Officer (DPO), complete the NHS Data Security Protection Toolkit (DSPT) and produce an outline Data Protection Impact Assessment (DPIA) for use with potential NHS customers.
Clinical Safety is one of the 5 sections of the DTAC criteria. As part of a complete DTAC submission, suppliers must evidence that they have completed the necessary documentation to be deemed compliant with DCB0129. Manufacturers of solutions assessed against the DTAC are not required to complete DCB0160 - this is the responsibility of the NHS organisation deploying the technology.
Organisations can effectively adopt DTAC by building a robust process for quality assurance, with dedicated resources appointed to manage each component of the DTAC submission. A high-quality DTAC submission is dependent on a multi-disciplinary approach and a commitment to maintaining documentation to reflect the latest version of the product.
Absolutely. The 8foldGovernance team have significant experience in supporting organisations through the DTAC questionnaire, with experience across each of the 5 domains. They have worked with hundreds of businesses to comply with the DTAC and secure contracts in the NHS.
On this page you’ll find answers to the most common question about the NHS DTAC and what it involves for your organisation.
Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |