Launched in February 2021, The Digital Technology Assessment Criteria (DTAC) for health and social care gives staff, patients and citizens confidence that the digital health tools they use meet NHS clinical safety, data protection, technical security, interoperability, usability and accessibility standards.
It is the national baseline criteria for digital health technologies in the NHS and social care sector, and therefore all health-tech providers must complete and pass the DTAC.
As a developer of health technology products or applications, you should meet the requirements within the NHS DTAC, which include:
| Data Protection |
| – An audit of your data protection framework and privacy, ‘by design’ – You must comply with the UK GDPR, which includes meeting the principles to protect the rights of individuals – Your organisation must be registered with the Information Commissioners Office (ICO) – You should appoint a Data Protection Officer (DPO) – You should publish a NHS Data Security and Protection Toolkit (DSPT) to “Standards Met” – You should complete a Data Protection Impact Assessment (DPIA) |
| Technical Security |
| • Gain and renew (annually) Cyber Essentials certification (ideally to Cyber Essentials Plus standard) • Ensure that an External Penetration Test of your product or application, is conducted at least annually • Provide evidence that you have Multi-Factor Authentication (MFA) in place, along with checks in respect of Load Testing and Logging / Reporting • Carry out a custom cod security review, of your product or application |
Delivery and Project Management
Our tailored package of project management is designed to support and lead health technology providers to a successful assessment, capturing all of the essential criteria found within the DTAC – in respect of Data Protection and Technical Security.
Our expert team can deliver every technical and data protection requirement within the NHS DTAC, providing you with a one-stop service towards a successful assessment.
Through our “hands-on” project leadership and bespoke technical-engagement (underpinned by regular “live” project sessions via video conference), we deliver a turnkey approach to the DTAC that ensures a complete end-to-end service, assurance and renewal process.
Our experienced team works closely with health-tech providers to manage their criteria in meeting and qualifying for The Digital Technology Assessment Criteria.
DTAC Project Management Overview:
| Onboarding | Our consultant will meet with you to discover more about your organisation and product(s), along with setting the scene and explaining how the DTAC project management process will work over the coming weeks. |
| Project Management | DTAC is made up of four core sections, which contains technical questions and assessed sections. Project management is key to a successful outcome, providing our clients with a focused resource – avoiding additional pressure on your team and ensuring a dedicated approach to passing the DTAC. |
| Cyber Essentials | A requirement with DTAC, Cyber Essentials is a UK Government-backed scheme which is designed to protect organisations of any size or sector from 80% of common cyber threats. The Cyber Essentials scheme covers five main technical controls which are designed to protect; your organisation’s devices, internet connection and data, and services. |
| External Penetration Testing | To pass the DTAC, you must evidence that your product has undergone an external penetration test that included the Open Web Application Security Project (OWASP) top 10 vulnerabilities. The penetration testing and summary report must demonstrate there are no vulnerabilities that score 7.0 or above using Common Vulnerability Scoring System (CVSS). |
| GDPR and Information Governance | A GDPR and Information Governance review forms a core element of the DTAC, with a focus on four key areas. 1. Risk and Mitigation 2. Data Protection Impact Assessment (DPIA) 3. Record of Processing Activities (RoPA) 4. Contracts and Third-Party Agreements |
| DPO as a Service (DPOaaS) | In order to pass the DTAC, there are several key aspects of the assessment that relate directly to the persona/role of Data Protection Officer (DPO) As you will likely be processing high volumes of special category data, it is a requirement that a DPO is in place (either appointed internally or as a contracted third party) |
| Code Review | To complete the DTAC, you must carry out a code review. Our team will work with you to evidence that you have carried out automated scanning of code for vulnerabilities, a manual review of the code, string matching, library review, followed user input, selected random portions for review, read all code and checked one functionality at a time. |
| NHS Data Security and Protection Toolkit (DSPT) | The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practicing good data security and that personal information is handled correctly. To pass DTAC, your organisation must confirm that it is compliant with the DSPT Assessment. |
