The Digital Technology Assessment Criteria for Health and Social Care (DTAC)

The assessment criteria are made up of five core components. Sections A and B provide the assessors with the context required to understand your product and support your evidence. The core assessment criteria are defined in sections C1 to C4. Section D details the key Usability and Accessibility principles required. Frequently asked questions are available at the end of the document.

The core criteria in Section C will determine the overall success of the assessment of your product or service. The accompanying score provided from Section D will show the level of adherence to the NHS Service Standard.

A. Company Information - Non-assessed section

Information about our company and contact details

A1
Question: Provide the name of your company
Options: Intelligent OH Ltd

A2
Question: Provide the name of your product
Options: Genius

A3
Question: Provide the type of product
Options: Software as a Service

A4
Question: Provide the name and job title of the individual who will be the key contact at your organisation
Options: Tracey Hudson, Managing Director - Operations

A5
Question: Provide the key contact's email address
Options:

A6
Question: Provide the key contact's phone number
Options: I07983 272357

A7
Question: Provide the registered address of your company
Options: 3&4 Pegasus House, Pegasus Court, Olympus Avenue, Warwick, CV34 6LW

A8
Question: In which country is your organisation registered?
Options: England

A9
Question: If you have a Companies House registration in the UK please provide your number
Options: 14323815

A10
Question: If applicable, when was your last assessment from the Care Quality Commission (CQC)?
Options: Not applicable

A11
Question: If applicable, provide your latest CQC report.
Options: Not applicable

B. Value proposition - Non-assessed section

Please set out the context of the clinical, economic or behavioural benefits of your product to support the review of your technology. These criteria will not be scored but will provide the context of the product undergoing assessment.

Where possible, please provide details relating to the specific technology and not generally to your organisation.      

B1
Question: Who is this product intended to be used for?
Options: Workforce, but the software will be managed by a member of the HR or H&S team (outsourced or in-house) who will add employees to the system. Those employees will then log in and self-assess their symptoms.

B2
Question: Provide a clear description of what the product is designed to do and of how it is expected to be used
Options: Genius is designed to produce workplace adjustment recommendation reports automatically via the employee self-assessing using our automated questioning software.

B3
Question: Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated
Options: The intended benefits for users are:
- Instant workplace adjustment reports emailed to the advisor immediately upon completion by the employee
- Reduced cost from usual OH referrals, as no OH practitioner input is required
A proof-of-concept exercise was conducted in 2018 using a semi-manual prototype, which worked very effectively and could be conducted by an HR professional, so there was no requirement for OH to be involved, which significantly reduced the costs of OH referrals.

B4
Question: Please attach one or more user journeys which were used in the development of this product. Where possible please also provide your data flows.
Options:

Supporting Information

Public Health England (PHE) Strategy 2020 to 2025, which focuses on protecting employee health and broadening health and wellbeing activities, which our software does.

Employee (patient) self-service system including person-held health records

Automated & targeted health education & protection during the assessment process

Built-in guidance for employers & advisers

Built-in health education for employees

OH practitioner case management access

Built-in recommendations

Trend reporting linked to ICD, ICF, ICHI, NICE, HSE

Evidence-based recommendations

Accessible to OH practitioners, Advisors & service users 24/7

Real-time advice

Advisor testing of the original assessment process as a proof of concept carried out by a qualified HR team using guided questionnaires

A review of the evidence and migration to the functional assessment model has been conducted

Beta testing of Genius questionnaires has been conducted by OH professionals along with live use.

B4: This question is a context question, and it is expected that existing documentation will be provided. GOV.UK provides guidance on how to make a user journey map and what should be included. Data flows enable the assessor to understand how data moves through a product. This may be included within a Data Protection Impact Assessment. If this is the case, please provide it as a separate attachment for ease of review.

C. Technical questions - Assessed sections

C1 - Clinical Safety

Establishing that your product is clinically safe to use.

You must provide responses and documentation relating to the specific technology product that is subject to assessment.

The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as “product used to provide electronic information for health and social care purposes”. DTAC is designed as the assessment criteria for digital health technologies and the C1 Clinical Safety criteria are intended to be applied to all assessments. If a developer considers that C1 Clinical Safety is not applicable to the product being assessed, a rationale must be submitted, by exception, detailing why DCB0129 does not apply.

The DCB0160 standard applies to the organisation in which the health IT is deployed or used. It is a requirement of the standard (2.5.1) that in the procurement of health IT systems the organisation must ensure that the manufacturer and health IT system comply with DCB0129. The organisation must do so in accordance with the requirements and obligations set out in the DCB0160 standard. This includes personnel having the knowledge, experience and competences appropriate to undertaking the clinical risk management tasks assigned to them, and organisations should ensure that this is the case when assessing this section of the DTAC.

If the Clinical Safety Officer or any other individual has concerns relating to the safety of a medical device, including software and apps, this should be reported to the Medicines and Healthcare products Regulatory Agency (MHRA) using the Yellow Card reporting system: Report a problem with a medicine or medical device - GOV.UK (www.gov.uk).

C1.1
Question: Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129?
Options: Yes
Supporting Information: The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as “product used to provide electronic information for health and social care purposes”. DCB0129 sets out the activities that must and should be undertaken for health IT systems.
Scoring Criteria: To pass, the developer is required to confirm that they have undertaken Clinical Risk Management activities in compliance with DCB0129.

C1.1.1
Question: Please detail your clinical risk management system
Options: Provided here
Supporting Information: An example clinical risk management system template can be downloaded from the NHS Digital website.
Scoring Criteria: To pass, the developer is required to evidence that a clinical risk management system is in place and that it is compliant with the requirements set out in DCB0129. This should include:
● The clinical risk management governance arrangements that are in place
● The clinical risk management activities
● Clinical safety competence and training
● Audits

C1.1.2
Question: Please supply your Clinical Safety Case Report and Hazard log
Options: Clinical Safety Case report is here and Hazard log is here
Supporting Information: Specifically, your DTAC submission should include:
● A summary of the product and its intended use
● A summary of clinical risk management activities
● A summary of hazards identified which you have been unable to mitigate to as low as is reasonably practicable
● The clear identification of hazards which will require user or commissioner action to reach acceptable mitigation (for example, training and business process change)
It should not include the hazard log in the body of the document; this should be supplied separately. Example Clinical Safety Case Report and Hazard Log templates can be downloaded from the NHS Digital website.
Scoring Criteria: To pass, the developer is required to submit a Clinical Safety Case Report and Hazard Log that are compliant with the requirements set out in DCB0129. These should be commensurate with the scale and clinical functionality of the product and address the clinical risk management activities specified within the standard.

The Clinical Safety Case Report should present the arguments and supporting evidence that provide a compelling, comprehensible and valid case that a system is safe for a given application in a given environment at the defined point in the product's lifecycle. It should provide the reader with a summary of all the relevant knowledge that has been acquired relating to the clinical risks associated with the product at that point in the life cycle:
● A clear and concise record of the process that has been applied to determine the clinical safety of the product
● A summary of the outcomes of the assessment procedures applied
● A clear listing of any residual clinical risks that have been identified and the related operational constraints and limitations that are applicable
● A clear listing of any hazards and associated clinical risks that have been transferred, together with any declared risk control measures, that are to be addressed as part of the clinical risk management process in the organisation where the product is being deployed
● A listing of outstanding test issues / defects associated with the product which may have a clinical safety impact.

The Hazard Log should record and communicate the on-going identification and resolution of hazards associated with the product. All foreseeable hazards should be identified, and the risk of such hazards should be reduced to acceptable levels.

A summary should also be provided to the assessor of identified hazards that the developer has been unable to mitigate to as low as is reasonably practicable. It should also clearly identify the hazards which will require user or commissioner action to reach acceptable mitigation.

C1.2
Question: Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details
Options: Lucy Kenyon, Occupational Health Nurse, NMC registration number 80801197E since May 1988
Supporting Information: The CSO must:
● Be a suitably qualified and experienced clinician
● Hold a current registration with an appropriate professional body relevant to their training and experience
● Be knowledgeable in risk management and its application to clinical domains
● Be suitably trained and qualified in risk management or have an understanding of the principles of risk and safety as applied to Health IT
● Have completed appropriate training
The work of the CSO can be undertaken by an outsourced third party.
Scoring Criteria: To pass, the developer must have a named CSO, which can be through an outsourced arrangement. They must be a suitably qualified and experienced clinician and hold a current registration with an appropriate professional body relevant to their training and experience.

C1.3
Question: If your product falls within the UK Medical Devices Regulations 2002, is it registered with the Medicines and Healthcare products Regulatory Agency (MHRA)?
Options: No
Supporting Information: If this question is not applicable, because your product does not fall within the UK Medical Devices Regulations 2002, continue to question C1.4.

C1.4
Question: Do you use or connect to any third-party products?
Options: No
Supporting Information: If no, continue to section C2. DCB0129 contains the requirements in relation to third-party products.

C2 - Data Protection

Establishing that your product collects, stores and uses data (including personally identifiable data) compliantly.

This section applies to the majority of digital health technology products; however, there may be some products that do not process any NHS held patient data or any identifiable data. If this is the case, the Data Protection Officer, or another suitably authorised individual, should authorise this data protection section being omitted from the assessment.

C2.1
Question: If you are required to register with the Information Commissioner, please attach evidence of a current registration. If you are not required to register, please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination.
Options: Provided here
Supporting Information: There are some instances where organisations are not required to register with the Information Commissioner. This includes where no personal information is being processed. The Information Commissioner has a registration self-assessment tool to support this decision making.
Scoring Criteria: To pass, the developer is required to submit evidence that they have a current registration with the Information Commissioner. This can be validated against the Information Commissioner's Register of Fee Payers. Alternatively, if the developer confirms they are not registered with the Information Commissioner because they are not required to do so, then a self-assessment from the Information Commissioner's self-assessment tool should be attached which aligns to the product.

C2.2
Question: Do you have a nominated Data Protection Officer (DPO)?
Options: Yes - Tracey Hudson
Supporting Information: Not all organisations are required to have a Data Protection Officer (DPO). This is determined by the type of organisation and its core activities. The most common reason for organisations providing digital health technologies to have a DPO is that their core activities involve processing health data (a special category). The Information Commissioner has a self-assessment tool to determine whether you must appoint a DPO.
Scoring Criteria: To pass, the developer is required to confirm they have a DPO in place where this is mandated. Where a DPO is in place even though one is not required by the Information Commissioner, this will also constitute a pass. Alternatively, if the developer confirms they do not have a DPO because they are not required to do so, then a self-assessment from the Information Commissioner's self-assessment tool should be attached which confirms this and aligns to the product.

C2.2.1
Question: If you are required to have a nominated Data Protection Officer, please provide their name. If you are not required to have a DPO, please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination.
Options: Tracey Hudson

C2.3
Question: Does your product have access to any personally identifiable data or NHS held patient data?
Options: Yes
Supporting Information: The UK General Data Protection Regulation (GDPR) applies to the processing of personal data. If no, continue to question C2.4.

C2.3.1
Question: Please confirm you are compliant (having standards met or exceeded status) with the annual Data Security and Protection Toolkit Assessment. If you have not completed the current year's assessment and the deadline has not yet passed, please confirm that you intend to complete this ahead of the deadline and that there are no material changes from your previous year's submission that would affect your compliance.
Options: Confirmed compliance
Supporting Information: The Data Security and Protection Toolkit allows organisations to measure performance against the National Data Guardian's 10 data security standards.
Scoring Criteria: To pass, the developer must confirm that they are compliant with the Data Security and Protection Toolkit Assessment. This should be validated against the Data Security and Protection Toolkit database and achieve Standards Met or Exceeded status. Dependent on the date of the assessment versus the opening of the annual assessment period, it may be that a developer has not yet completed the toolkit. The developer is asked to confirm that they will complete the assessment and that they will maintain their compliance versus the previous year.
Will be completed when access authorised.

C2.3.2
Question: Please attach the Data Protection Impact Assessment (DPIA) relating to the product.
Options:
Supporting Information: DPIAs are a key part of the accountability obligations under the UK GDPR, and when done properly help organisations assess and demonstrate how they comply with data protection obligations. The Information Commissioner has provided guidance on how to complete a DPIA and a sample DPIA template.
Scoring Criteria: To pass, the developer must provide a DPIA that is compliant with the requirements set out under the General Data Protection Regulations. It should ensure that risks to the rights and freedoms of natural persons are managed to an acceptable level.

The DPIA should:
● Establish the context, taking into account the nature, scope, context and purposes of processing and the sources of the risk
● Assess the risks, considering the particular likelihood and severity of high risks
● Treat the risks, through mitigation, ensuring the protection of personal data and demonstrating compliance with the GDPR

It should include:
● A description of the envisaged processing operations and the purposes of the processing
● An assessment of the necessity and proportionality of the processing
● An assessment of the risks to the rights and freedoms of data subjects
● The measures envisaged to address the risks and to demonstrate compliance with the GDPR

C2.4
Question: Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed off by your Data Protection Officer (if one is in place) or an accountable officer where exempt in question C2.2.
Options: Confirmed. Tracey Hudson has signed off all risk assessments & mitigations, access controls and system level security policies.
Supporting Information: Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take.
Scoring Criteria: To pass, the developer must confirm that their Data Protection Officer or accountable officer has signed off the risk assessments and mitigations / access controls and system level security policies.

C2.5
Question: Please confirm where you store and process data (including any third-party products your product uses)
Options: UK only
Supporting Information: Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take. From 1 January 2021, the UK GDPR applies in the UK in place of the EU GDPR. The UK GDPR will carry across much of the existing EU GDPR legislation. The Department for Digital, Culture, Media & Sport has published two Keeling Schedules which show the changes to the Data Protection Act 2019 and EU GDPR.
Scoring Criteria: Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take. Due consideration should be given where data is processed outside of the UK. Please note: it is a contractual requirement under the new GP IT Futures (GPITF) framework, as it was in the GP System of Choice (GPSoC) framework, to host all data in England.

C2.5.1
Question: If you store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation
Options: n/a
Supporting Information: The Information Commissioner has published guidance on international data transfers after the UK exit from the EU Implementation Period.
Scoring Criteria: Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take. Due consideration should be given where data is processed outside of the UK; data should only be hosted within the European Economic Area (EEA) or a country deemed adequate by the European Commission. To pass, the developer must demonstrate that the country in which data is processed or stored is compliant with current legislation or the organisation's policy (should this differ).

C3 - Technical Security

Establishing that your product meets industry best practice security standards and that the product is stable.

Dependent on the digital health technology being procured, it is recommended that appropriate contractual arrangements are put in place for problem identification and resolution, incident management and response planning, and disaster recovery.

Please provide details relating to the specific technology and not generally to your organisation.

C3.1
Question: Please attach your Cyber Essentials Certificate
Options:
Supporting Information: Cyber Essentials helps organisations guard against the most common cyber threats. The National Cyber Security Centre (NCSC) has published cyber security guidance for small to medium enterprises (SMEs).
Scoring Criteria: To pass, developers must have a valid Cyber Essentials certificate. Certification lasts for a period of 12 months, so the certificate should be within date. This should be validated against the IASME database. NHS organisations are required to have Cyber Essentials in place (it is now incorporated into the NHS Digital Data Security and Protection Toolkit (DSPT) for NHS Trusts and Foundation Trusts in 2021-22 assessments) and, to mitigate risk within the supply chain, suppliers should hold Cyber Essentials.

C3.2
Question: Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period.
Options:
Supporting Information: The NCSC provides guidance on penetration testing. The OWASP Foundation provides guidance on the OWASP Top 10 vulnerabilities.
Scoring Criteria: To pass, the developer must evidence that the product has undergone an external penetration test that included the OWASP Top 10 vulnerabilities. The penetration testing summary report must demonstrate there are no vulnerabilities that score 7.0 or above using the Common Vulnerability Scoring System (CVSS).

C3.3
Question: Please confirm whether all custom code had a security review.
Options: Yes - internal code review
Supporting Information: The NCSC provides guidance on producing clean and maintainable code.
Scoring Criteria: To pass, the developer must confirm that an internal or an external custom code security review has been undertaken. An external review is preferable; however, an internal code review would meet the baseline requirement.

C3.4
Question: Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA).
Options: Yes
Supporting Information: The NCSC provides guidance on Multi-Factor Authentication.
Scoring Criteria: To pass, the developer must confirm yes that all privileged accounts have MFA.

C3.5
Question: Please confirm whether logging and reporting requirements have been clearly defined.
Options: Yes. Logging and reporting requirements have been clearly defined here.
Supporting Information: The NCSC provides guidance on logging and protective monitoring. To confirm yes to this question, logging (e.g. audit trails of all access) must be in place. It is acknowledged that not all developers will have advanced audit capabilities.
Scoring Criteria: To pass, the developer must confirm yes that logging and reporting requirements have been clearly defined.

C3.6
Question: Please confirm whether the product has been load tested.
Options: Yes - Load testing has been performed, with a plan in place for usage to increase to enable significant scalability.
Supporting Information: Load testing should be performed.
Scoring Criteria: To pass, the developer must confirm yes that load testing has been performed.

C4 - Interoperability Criteria

Establishing how well your product exchanges data with other systems.

To provide a seamless care journey, it is important that relevant technologies in the health and social care system are interoperable, in terms of hardware, software and the data contained within. For example, it is important that data from a patient's ambulatory blood glucose monitor can be downloaded onto an appropriate clinical system without being restricted to one type. Those technologies that need to interface with clinical record systems must also be interoperable. Application Programme Interfaces (APIs) should follow the Government Digital Services Open API Best Practices, be documented and freely available, and third parties should have reasonable access in order to integrate technologies.

Good interoperability reduces expenditure, complexity and delivery times on local system integration projects by standardising technology and interface specifications and simplifying integration. It allows integration to be replicated and scaled up, and opens the market for innovation by defining the standards to develop against upfront.

This section should be tailored to the specific use case of the product and the needs of the buyer; however, it should reflect the standards used within the NHS and social care and the direction of travel.

Please provide details relating to the specific technology and not generally to your organisation.

C4.1
Question: Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers?
Options: No

C4.2
Question: Do you use NHS number to identify patient record data?
Options: No

C4.2.1
Question: If no, please set out the rationale, how your product establishes NHS number and the associated security measures in place
Options: Product does not identify NHS patient record data. National insurance number is used as the unique identifier.

C4.3
Question: Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2)?
Options: No, because the product does not read/write into EHRs

C4.3.2
Question: If no, please state the reasons and mitigations, methodology and security.
Options: Not applicable because the product does not read/write into EHRs.

C4.4
Question: Is your product a wearable device or does it integrate with them?
Options: No.

D. Key principles for success

The core elements defined in this section will form part of the overall review of the product or service and are a key part of ensuring that the product or service is suitable for use. The assessment will set a compliance rating and, where a product or developer is not compliant, highlight areas that the organisation could improve on with regard to following the core principles.

This section will be scored in relation to the NHS Service Standard. This will not contribute to the overall Assessment Criteria as set out in Section C.

D1 - Usability and accessibility - scored section

Establishing that your product has followed best practice.

Please note that not all sections of the NHS Service Standard are included, as some are assessed elsewhere within DTAC, for example clinical safety.

D1.1
Question: Understand users and their needs in the context of health and social care. Do you engage users in the development of the product?
Options: Yes, please see detail here

D1.1.1
Question: If yes or working towards it, how frequently do you consider user needs in your product development and what methods do you use to engage users and understand their needs?
Options: For every development, user needs are considered. Our methods of engaging users are to take a sample of employers, advisors and employees to consult on testing.

D1.2
Question: Work towards solving a whole problem for users. Are all key user journeys mapped to ensure that the whole user problem is solved, or that it is clear to users how it fits into their pathway or journey?
Options: Yes

D1.2.1
Question: If yes or working towards it, please attach the user journeys and/or how the product fits into a user pathway or journey
Options:

D1.3
Question: Make the service simple to use. Do you undertake user acceptance testing to validate usability of the system?
Options: Yes

D1.3.1
Question: If yes, please attach information that demonstrates that user acceptance testing is in place to validate usability
Options: User acceptance testing information can be found here

D1.4
Question: Make sure everyone can use the service. Are you compliant with the international Web Content Accessibility Guidelines (WCAG) 2.1 level AA?
Options: Yes

D1.4.1
Question: Provide a link to your published accessibility statement.
Options: Our accessibility statement is here

D1.5
Question: Create a team that includes multi-disciplinary skills and perspectives. Does your team contain multidisciplinary skills?
Options: Yes

D1.6
Question: Use agile ways of working. Do you use agile ways of working to deliver your product?
Options: Yes

D1.7
Question: Iterate and improve frequently. Do you continuously develop your product?
Options: Yes

D1.8
Question: Define what success looks like and be open about how your service is performing. Do you have a benefits case that includes your objectives and the benefits you will be measuring, and do you have metrics that you are tracking?
Options: Yes. Our benefits case is here.

D1.9
Question: Choose the right tools and technology. Does this product meet the NHS Cloud First Strategy?
Options: Yes

D1.9.1
Question: Does this product meet the NHS Internet First Policy?
Options: Yes

D1.10
Question: Use and contribute to open standards, common components and patterns. Are common components and patterns in use?
Options: Yes

D1.10.1
Question: If yes, which common components and patterns are in use?
Options: SQL database with JavaScript, CSS and HTML in the coding to present web pages to the user.

D1.11
Question: Operate a reliable service. Do you provide a Service Level Agreement to all customers purchasing the product?
Options: Yes

D1.12
Question: Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers?
Options: Yes

D1.12.2
Question: Please provide your average service availability for the past 12 months, as a percentage to two decimal places
Options: 99.90%

© Copyright 2025. Intelligent OH Ltd. All rights reserved.