The DTAC sets out the NHS’s minimum clinical safety, data protection, technical security, interoperability, usability and accessibility standards. IG-Smart Ltd.’s DTAC services enable your organisation to comply with the DTAC by helping it to satisfactorily complete the DTAC’s detailed questionnaire and provide robust evidence in support of its answers.
The DTAC questionnaire is divided into the following non-assessed (non-technical) and assessed (technical) domains:
Non-assessed (non-technical) DTAC requirements:
- Company information: this section requires your organisation to provide basic company and product information.
- Value proposition: this section requires your organisation to set out the intended product uses and benefits and provide user journey examples.
Assessed (technical) DTAC requirements:
We aid your organisation in implementing a strong Clinical Risk Management system and activities compliant with the NHS’s DCB1029 standard. Our Clinical Safety Officer works with stakeholders to conduct Clinical Risk Assessments and create a Clinical Safety Case Report and Hazard Log.
Your organisation must have a named Clinical Safety Officer, who must have undergone proper training and accreditation and be registered with a clinical professional body. Alternatively, you can engage an outsourced Clinical Safety Officer service provider that meets these requirements.
Furthermore, if your organisation’s product(s) are considered a medical device under the UK Medical Devices Regulations 2002, then you will need to provide details of your Medicines and Healthcare products Regulatory Agency (MHRA) registration, together with a Declaration of Conformity and, if applicable, a certificate of conformity issued by a Notified Body / UK Approved Body.
IG-Smart Ltd.’s DTAC services are designed to both enable your organisation to implement DCB1029 and provide you with the optional benefit of having an outsourced Clinical Safety Officer service that is provided by highly experienced and qualified clinicians.
Our Clinical Safety Officers bring their real-world clinical experience to bear when helping our clients to ensure their digital products are safe for use in clinical settings. They follow clinical risk management frameworks and methodologies that have been tried and tested across the NHS and beyond to ensure your organisation’s products have been rigorously assessed as being DTAC and DCB1029 compliant.
DTAC services Data protection
To meet the DTAC’s data protection criteria your organisation will need to:
- Ensure it has registered with the UK Information Commissioner’s Office (ICO), where applicable. You can use the ICO’s registration self-assessment tool to determine whether your organisation needs to register.
- Provide details of a nominated Data Protection Officer (DPO) if your organisation is required to have one. If your organisation (or its products) routinely processes patient identifiable information, then it is likely to require a DPO.
- Comply with the NHS Data Security and Protection Toolkit (NHS DSP Toolkit).
- Conduct and submit a Data Protection Impact Assessment (DPIA). The DPIA should clearly demonstrate that your organisation has taken into account the nature, scope, context and purposes of processing and the sources of any data protection risks, assessed those risks, and treated them in proportion to the threat they may pose.
- Ensure that any data your organisation may process outside of the UK is processed in line with current legislation.
Our DTAC services are designed to enable your organisation to meet all the NHS’s minimum data protection standards for DTAC compliance. This includes providing your organisation with our multi-award-winning outsourced Data Protection Officer services, enabling NHS DSP Toolkit compliance, completing a robust DPIA, and implementing processes to enable compliant international data processing. You simply need to let us know how much or how little data protection advice and support your organisation requires, and we will provide it to you.
DTAC Services Technical Security
To meet the DTAC’s technical security criteria your organisation will need to:
- Be Cyber Essentials or Cyber Essentials Plus certified.
- Provide evidence of external penetration testing of your organisation’s product(s). The penetration test must include a review of Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period, and the assessment report must demonstrate that there are no vulnerabilities that score 7.0 or above using the Common Vulnerability Scoring System (CVSS).
- Confirm that all custom code has been security reviewed.
- Verify all privileged accounts have Multi-Factor Authentication enabled.
- Validate that logging and reporting requirements are clearly defined.
- Guarantee that your organisation’s product(s) have been load-tested.
Our DTAC services enable your organisation to access any Technical Security advice and support it may require to meet the DTAC’s requirements, from our multi-disciplinary team of security experts – through a single point of contact. We are proud winners of Best Cyber Security Consultancy Firm of the year for four consecutive years, since 2019, and have a team of Certified Cyber Security, Cloud Security, and Information Security Professionals, Lead ISO 27001 Auditors and Implementers, and Ethical Hackers.
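The penetration-testing and privileged-account points above are the ones most often found wanting at evidence time, so here is an added self-check (example code, not IG-Smart’s or the DTAC’s own tooling) that evaluates a tester’s findings export against the DTAC thresholds: a test within the previous 12 months, every OWASP Top 10 category reviewed, no open finding scoring CVSS 7.0 or above, and no privileged account without MFA. The report and account record layouts, the `evaluate_pentest_evidence` and `privileged_accounts_without_mfa` names, and the sample data are assumptions constructed for this illustration.

```python
# Added example (not IG-Smart's or the DTAC's own tooling): an evidence self-check for the
# DTAC technical-security criteria. The report and account record layouts are assumptions
# chosen for this illustration; adapt the field names to your tester's export format.
from datetime import date

DTAC_CVSS_THRESHOLD = 7.0      # DTAC: no finding may score 7.0 or above (CVSS v3 "High"/"Critical")
DTAC_MAX_TEST_AGE_DAYS = 365   # DTAC: OWASP Top 10 review within the previous 12 months

# OWASP Top 10 (2021) category identifiers A01..A10 that the report is expected to state it covered.
OWASP_TOP_10_2021 = {f"A{n:02d}" for n in range(1, 11)}


def evaluate_pentest_evidence(report, as_of):
    """Return the reasons the report would not satisfy the DTAC; an empty list means it passes.

    report: {"test_date": "YYYY-MM-DD", "owasp_categories_reviewed": [...],
             "findings": [{"id", "title", "cvss", "open"}, ...]}   (assumed layout)
    as_of:  ISO date of the DTAC submission, e.g. "2024-03-01".
    """
    issues = []

    # 1. Recency: the test must fall within the 12 months before submission.
    age_days = (date.fromisoformat(as_of) - date.fromisoformat(report["test_date"])).days
    if age_days < 0:
        issues.append("test date is after the submission date")
    elif age_days > DTAC_MAX_TEST_AGE_DAYS:
        issues.append(f"test is {age_days} days old; DTAC requires testing within the previous 12 months")

    # 2. Scope: the report must evidence a review of every OWASP Top 10 category.
    missing = sorted(OWASP_TOP_10_2021 - set(report.get("owasp_categories_reviewed", [])))
    if missing:
        issues.append("OWASP Top 10 categories not evidenced: " + ", ".join(missing))

    # 3. Severity: any still-open finding at or above CVSS 7.0 fails the criterion outright.
    for finding in report.get("findings", []):
        if finding["open"] and finding["cvss"] >= DTAC_CVSS_THRESHOLD:
            issues.append(f"open finding {finding['id']} ({finding['title']}) scores CVSS {finding['cvss']}")

    return issues


def privileged_accounts_without_mfa(accounts):
    """Return usernames of privileged accounts lacking MFA (assumed record layout)."""
    return [a["username"] for a in accounts if a["privileged"] and not a["mfa_enabled"]]


# Constructed sample data: one report that meets the thresholds and one that does not.
REPORT_COMPLIANT = {
    "test_date": "2023-09-15",
    "owasp_categories_reviewed": sorted(OWASP_TOP_10_2021),
    "findings": [
        {"id": "F-1", "title": "Verbose server banner", "cvss": 3.1, "open": True},
        {"id": "F-2", "title": "No rate limiting on login", "cvss": 5.3, "open": True},
        {"id": "F-3", "title": "Weak TLS cipher suite", "cvss": 7.4, "open": False},  # fixed and retested
    ],
}
REPORT_NON_COMPLIANT = {
    "test_date": "2022-12-01",                             # older than 12 months at submission
    "owasp_categories_reviewed": sorted(OWASP_TOP_10_2021 - {"A04"}),  # A04 not covered
    "findings": [
        {"id": "F-1", "title": "Injection in search parameter", "cvss": 9.8, "open": True},
    ],
}
ACCOUNTS = [
    {"username": "alice.admin", "privileged": True, "mfa_enabled": True},
    {"username": "svc-backup-admin", "privileged": True, "mfa_enabled": False},
    {"username": "bob.user", "privileged": False, "mfa_enabled": False},
]

if __name__ == "__main__":
    for name, report in (("compliant", REPORT_COMPLIANT), ("non-compliant", REPORT_NON_COMPLIANT)):
        issues = evaluate_pentest_evidence(report, "2024-03-01")
        print(f"{name}: {'PASS' if not issues else 'FAIL'}")
        for issue in issues:
            print("  -", issue)
    print("privileged accounts lacking MFA:", privileged_accounts_without_mfa(ACCOUNTS))
```

Run as a script it prints PASS for the first report and three reasons for the second (stale test, A04 not evidenced, an open CVSS 9.8 finding), plus the one service account without MFA. A finding marked closed is only ignored here because the constructed data assumes a retest confirmed the fix; in a real submission that retest evidence is what the assessor will look for.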
We can also help your organisation to obtain Cyber Essentials and/or Cyber Essentials Plus certification, and through one of our partner organisations complete a penetration test that includes a review of OWASP Top 10 and CVSS vulnerabilities.
If your organisation’s product(s) expose any Application Programming Interfaces (APIs) or integration channels for other consumers, you will need to provide detail and evidence of:
- The APIs, with particular regard to any API connections – setting out the healthcare standards for interoperability that are met (e.g., Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR)).
- Adherence to the Government Digital Service’s Open API Best Practice.
- The documentation and free availability of APIs.
- Reasonable access for third party connectivity.
- The use of the NHS number to identify patient data, and of NHS Login to establish a user’s verified NHS number, unless the product does not identify patient record data or there is a legitimate rationale for not using the NHS number/Login.
- Your product’s capability for read/write operations with electronic health records (EHRs) using industry secure interoperability standards (e.g. OAuth 2.0, TLS 1.2 or greater).
- Your product’s compliance with ISO/IEEE 11073 Personal Health Data (PHD) Standards if it is a wearable or device.
Most developers know enough about the APIs embedded within a product to answer the DTAC’s interoperability questions themselves, with little to no support; where required, we can provide advice on adherence to UK healthcare industry and government best practice standards.
Usability and accessibility
The Usability and accessibility section of the DTAC is scored (see scoring percentages below) in relation to the NHS service standard. The scoring does not contribute to the overall Assessment Criteria of section C.
To fully meet the DTAC Usability and accessibility standards your organisation will essentially need to:
- Engage users in the development of your product/(s) and consider user needs in product development lifecycles – 10%
- Map all key user journeys to ensure the whole user problem is solved (or it is clear to users how it fits into their pathway or journey) – 10%
- Undertake user acceptance testing – 10%
- Ensure Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliance – 20%
- Publish an accessibility statement – 10%
- Operate a multidisciplinary team – 2.5%
- Adopt agile ways of working in product development – 2.5%
- Ensure continuous product improvement – 5%
- Have a benefits case that includes your organisation’s objectives and the benefits it will be measuring – 10%
- Be aligned with the NHS Cloud First strategy and policy – 5%
- Use and contribute to open standards, common components, and patterns – 5%
- Operate a reliable service with Service Level Agreements for all customers, providing customers with reports on support, product performance and availability – 10%