Section C: Assessment criteria - assessed section
This is section C of the Digital Technology Assessment Criteria (DTAC).
In this section, developers are asked to provide evidence against the following assessment criteria. This will be reviewed by our subject matter experts (SMEs) and it will form the core part of the assessment.
C1 - Clinical safety criteria
C1.1 - Does your product fall within and comply with the mandated scope of DCB0129 and are you supporting deploying organisations with DCB0160?
Response option: Yes/No
Supporting information:
C1.1.1 - Upload completed DCB0129: Risk plan, Clinical Safety Case Report and Hazard Log
Response option: File upload
Supporting information: Clinical Safety Case Report and Hazard Log templates can be found here
C1.2 - Do you have a nominated Clinical Safety Officer (CSO)? Please provide their details.
Response option: Free text
Supporting information: The Clinical Safety Officer must be a clinician, have a current registration with a professional body and be trained in clinical risk management. The work of the CSO can be undertaken by an outsourced third party.
C1.3 - Is your product classified by the MHRA as a medical device? Provide the rationale.
Response option: Free text
Supporting information: Information on medical device regulation
C1.3.1 - Upload certificate and state which class
Response option: File upload
Supporting information: n/a
C1.4 - Are you registered with the Care Quality Commission (CQC)?
Response option: Yes | No | Not applicable
Supporting information: Information on CQC registration
C1.4.1 - When was your last assessment from the CQC?
Response option: Date | Not applicable
Supporting information: n/a
C1.4.2 - Please upload the latest report if applicable
Response option: Upload
Supporting information: n/a
C2 - Data protection criteria
Establishing that your product collects, stores and uses data compliantly
C2.1 - Please provide evidence of your Information Commissioner’s Office (ICO) registration and payment
Response option: Attach file
Supporting guidance: Evidence of payment
C2.2 - Do you have a nominated Data Protection Officer (DPO)? Please provide their details.
Response option: Free text
Supporting guidance: Data Protection Officers
C2.3 - Does your product have access to NHS held patient data or records?
Response option: Yes | No
Supporting guidance: n/a
C2.3.1 - If yes, please confirm that you are compliant with the annual Data Security and Protection Toolkit assessment.
Supporting guidance: Data Security and Protection Toolkit
C2.3.2 - If yes, have you carried out a Data Protection Impact Assessment (DPIA) in relation to processing patient data? Have your risk assessments and mitigations, access controls and system-level security policies been signed off by your Data Protection Officer? Please provide detail.
Response option: Free text
Supporting guidance: Data Protection Impact Assessments
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
C2.4 - Provide detail on where you store and process data
Response option:
1. Within UK only
2. Within EU
3. Outside of EU and where
C2.5 - Is your organisation compliant with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR)? Please provide the following evidence.
Response option: Please provide the following evidence:
- ICO Data Controller checklist
- Documented lawful basis for processing data, including special categories of data
- Data Protection Policy
- Information Security Checklist
- Information Security Policy
- Privacy notice/ policy and how it is visible for users
- DPIA framework / demonstrate use of DPIAs including data flows
- Process / policy for dealing with individuals' rights:
  - The right to be informed
  - The right of access
  - The right of rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - Rights in relation to automated decision making and profiling
- Process for identifying, reporting and managing breaches
- Confirmation that adequate contracts and processing arrangements are in place with all sub processors
Supporting guidance: Resources from the Information Commissioner’s Office
C3 - Technical security criteria
Establishing that your product meets industry best practice security standards.
C3.1 - In order to handle sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification. Please provide your certificate ID.
Response option: Free text | Upload
Supporting guidance: Link to Cyber Essentials self-assessment portal
C3.2 - Please evidence that vulnerability, load and penetration testing has been conducted on your product and the frequency
Response option: Free text | Upload evidence
Supporting guidance: Resources from National Cyber Security Centre
C3.3 - Was the testing outlined in C3.2 conducted internally or by a third party? If by a third party, please state who conducted the assessment.
Response option: Internal | External (company name)
Supporting guidance: n/a
C3.4 - Are you ISO 27001 compliant?
Response option: Yes | No
Supporting guidance: Upload copy of certificate of compliance
C4 - Interoperability criteria
Establishing how well your product exchanges data with other systems.
C4.1 - Does your product expose any Application Programming Interfaces (APIs) or integration channels for other consumers?
Response option: Yes | No | Not Applicable
Supporting guidance: n/a
C4.2 - If your product is reliant on exchanging data with other systems via APIs, do the APIs adhere to the Government Digital Services (GDS) Open API Best Practices?
Response option: Yes | No
Supporting guidance: n/a
C4.3 - Do you use NHS Number to identify patient record data?
Response option: Yes | No
Supporting guidance: n/a
C4.4 - If your product uses NHS Number does it use NHS Login to establish a user's verified NHS Number?
Response option: Yes | No
Supporting guidance: NHS login
C4.5 - If not, state the reasons for not using NHS login and the method used to establish an assured NHS Number.
Response option: Free text
Supporting guidance: n/a
C4.6 - Does your API adopt generally accepted healthcare standards of data interoperability (e.g. HL7 / FHIR)?
Response option: Yes | No
Supporting guidance: n/a
C4.7 - Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2, signed JWTs)?
Response option: Yes | No, Free text
Supporting guidance: n/a
C4.8 - If it does not, state the reasons and the relevant mitigations.
Response option: Free text
Supporting guidance: n/a
C4.9 - Is your product a wearable or device, or does it integrate with them?
Response option: Yes | No
Supporting guidance: n/a
C4.10 - If yes, provide evidence of how it complies with the ISO/IEEE 11073 Personal Health Data (PHD) standards.
Response option: Free text
Supporting guidance: Access the ISO standard. This is a paid-for document.