Digital Technology Assessment Criteria
What is DTAC?
The Digital Technology Assessment Criteria (DTAC) is an NHS England framework used by commissioners, providers, and procurement teams to assess whether a digital health technology meets baseline expectations for safe, secure and effective use across health and adult social care.
DTAC brings together recognised standards, policies, and good practice in one place. It is widely used as part of NHS procurement, due diligence, onboarding, and assurance, particularly for suppliers introducing new digital tools into care pathways.
Why DTAC Matters for Suppliers
A strong DTAC position can help you:
- Shorten NHS due diligence by presenting evidence in a familiar structure
- Reduce delivery risk by addressing clinical safety, IG and security early
- Improve stakeholder confidence (clinical, digital, IG, procurement)
- Accelerate deployment by reducing rework and late-stage blockers
- Strengthen governance for scaling across multiple NHS organisations
DTAC is not just paperwork—done well, it becomes a practical assurance backbone for implementation.
The five DTAC Domains
Domain 1: Clinical Safety
Domain 3: Technical Security
Domain 1: Clinical Safety
What NHS stakeholders expect
Clear clinical risk management aligned to the NHS digital clinical safety standards, including proportionate evidence that hazards are identified, controlled, and monitored throughout the product lifecycle. Typical evidence and artefacts we help you produce
- Clinical Safety Management Plan (CSMP) and governance model
- Hazard Log (with severity/likelihood, controls, residual risk)
- Clinical Safety Case Report (CSCR) / Safety Case narrative
- Clinical risk acceptance and sign-off approach
- Go-live clinical safety readiness pack and live monitoring plan
Relevant standards
DCB0129 (developer/manufacturer responsibilities) and DCB0160 (deploying organisation responsibilities) are the NHS clinical risk management standards widely referenced in digital clinical safety assurance.
Domain 2: Data Protection
Domain 3: Technical Security
Domain 1: Clinical Safety
What NHS stakeholders expect
Privacy-by-design and demonstrable compliance with UK GDPR and Data Protection Act 2018, with clarity on controller/processor roles, lawful basis, retention, and data subject rights.
Typical evidence and artefacts
- Data flow mapping and records of processing (RoPA) support
- DPIA (and DPIA review/remediation plan)
- Data Sharing Agreement / Data Processing Agreement support (as applicable)
- Retention schedule and deletion approach
- Supplier security & privacy policies aligned to procurement expectations
We translate requirements into clear, reviewable evidence that stands up to IG scrutiny.
Domain 3: Technical Security
Domain 3: Technical Security
Domain 3: Technical Security
What NHS stakeholders expect
A robust security posture and clear technical assurance evidence covering risk management, access control, vulnerability management, secure development, incident response, and supplier governance. Typical evidence and artefacts
- Security risk assessment and remediation plan
- Policies: access control, encryption, logging/monitoring, secure configuration
- Vulnerability management and patching process
- Incident response plan and breach notification process
- Technical assurance statements and security architecture overview
DTAC explicitly includes technical assurance/security as a core domain.
Domain 4: Interoperability
Domain 3: Technical Security
What NHS stakeholders expect
Evidence that your product can integrate safely and reliably into NHS environments, supporting standard messaging, APIs, identity, and information flows relevant to your use case.
Typical evidence and artefacts
- Integration approach and interface specifications
- Information standards mapping (where applicable)
- API documentation and environment requirements
- Data quality approach and clinical safety controls around integration
- Implementation plan for NHS deployment (including constraints and dependencies)
We help you present interoperability in a way that is credible to NHS integration teams and aligned to your product maturity.
Domain 5: Usability and Accessibility
What NHS stakeholders expect
Clear evidence that users can operate the system safely and effectively, and that accessibility is addressed so the product is inclusive for diverse users, including those with disabilities.
Typical evidence and artefacts
- Usability testing approach and outputs (scaled to product stage)
- Accessibility statement and supporting evidence
- User guidance, onboarding materials and safe-use considerations
- Risk controls tied to usability findings (linking back to clinical safety)
Usability and accessibility is one of the five Digital Technology Assessment Criteria (DTAC) domains.
How Innovate Health Consulting Supports DTAC
We take a pragmatic, delivery-focused approach: gap assessment → evidence build → stakeholder-ready submission pack.
We work with your product, clinical, security, and leadership teams to create evidence that is accurate, consistent, and implementation-ready, not generic templates.
We can support you whether you are:
- Pre-procurement and preparing for NHS conversations
- Mid-procurement responding to DTAC requests quickly
- Post-procurement preparing for onboarding, go-live and assurance