Transformation Directorate

Section C: Assessment criteria - assessed section

This is section C of the Digital Technology Assessment Criteria (DTAC).

In this section, developers are asked to provide evidence against the following assessment criteria. This will be reviewed by our subject matter experts (SMEs) and it will form the core part of the assessment.

Information:

C1 - Clinical safety criteria

C1.1 - Does your product fall within and comply with the mandated scope of DCB0129 and are you supporting deploying organisations with DCB0160?

Response option: Yes/No

Supporting information: 

C1.1.1 - Upload completed DCB0129: Risk plan, Clinical Safety Case Report and Hazard Log

Response option: File upload

Supporting information: Clinical Safety Case Report and Hazard Log templates can be found here

C1.2 - Do you have a nominated Clinical Safety Officer (CSO)? Please provide their details.

Response option: Free text

Supporting information: The Clinical Safety Officer must be a clinician, have a current registration with a professional body and be trained in clinical risk management. The work of the CSO can be undertaken by an outsourced third party.

C1.3 - Is your product classified by the MHRA as a medical device? Provide the rationale.

Response option: Free text

Supporting information: Information on medical device regulation

C1.3.1 - Upload certificate and state which class

Response option: File upload

Supporting information: n/a

C1.4 - Are you registered with the Care Quality Commission (CQC)?

Response option: Yes | No | Not applicable

Supporting information: Information on CQC registration

C1.4.1 - When was your last assessment from the CQC?

Response option: Date | Not applicable

Supporting information: n/a

C1.4.2 - Please upload the latest report if applicable

Response option: Upload

Supporting information: n/a

Information:

C2 - Data protection criteria

Establishing that your product collects, stores and uses data compliantly

C2.1 - Please provide evidence of your Information Commissioner’s Office (ICO) registration and payment

Response option: Attach file

Supporting guidance: Evidence of payment

C2.2 - Do you have a nominated Data Protection Officer (DPO)? Please provide their details.

Response option: Free text

Supporting guidance: Data Protection Officers

C2.3 - Does your product have access to NHS held patient data or records?

Response option: Yes | No

Supporting guidance: n/a

C2.3.1 - If yes, please confirm that you are compliant with the annual Data Security and Protection Toolkit assessment.

Supporting guidance: Data Security and Protection Toolkit

C2.3.2 - If yes, have you carried out a Data Protection Impact Assessment (DPIA) in relation to processing patient data? Have your risk assessments and mitigations, access controls and system-level security policies been signed off by your Data Protection Officer? Please provide details.

Response option: Free text

Supporting guidance: Data Protection Impact Assessments

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

C2.4 - Provide detail on where you store and process data

Response option:

1. Within UK only
2. Within EU
3. Outside of EU and where

C2.5 - Is your organisation compliant with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR)? Please provide the following evidence.

Response option:

Please provide the following evidence:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

  • Process for identifying, reporting and managing breaches
  • Confirmation that adequate contracts and processing arrangements are in place with all sub-processors

Supporting guidance: Resources from the Information Commissioner’s Office

Information:

C3 - Technical security criteria

Establishing that your product meets industry best practice security standards.

C3.1 - In order to handle sensitive and personal information, or to provide certain technical products and services, you will require Cyber Essentials certification. Please provide your certificate ID.

Response option: Free text | Upload

Supporting guidance: Link to Cyber Essentials self-assessment portal

C3.2 - Please evidence that vulnerability, load and penetration testing has been conducted on your product, and state how frequently it is carried out.

Response option: Free text | Upload evidence

Supporting guidance: Resources from National Cyber Security Centre

C3.3 - Was the testing outlined in C3.2 conducted internally or by a third party? If by a third party, please indicate who conducted the assessment.

Response option: Internal | External, Company Name

Supporting guidance: n/a

C3.4 - Are you ISO 27001 compliant?

Response option: Yes | No

Supporting guidance: Upload copy of certificate of compliance

Information:

C4 - Interoperability criteria

Establishing how well your product exchanges data with other systems.

C4.1 - Does your product expose any Application Programming Interfaces (APIs) or integration channels for other consumers?

Response option: Yes | No | Not Applicable

Supporting guidance: n/a

C4.2 - If your product is reliant on exchanging data with other systems via APIs, do the APIs adhere to the Government Digital Services (GDS) Open API Best Practices?

Response option: Yes | No

Supporting guidance: n/a

C4.3 - Do you use NHS Number to identify patient record data?

Response option: Yes | No

Supporting guidance: n/a

C4.4 - If your product uses NHS Number does it use NHS Login to establish a user's verified NHS Number?

Response option: Yes | No

Supporting guidance: NHS login

C4.5 - State the reasons for not using NHS login and the method used to establish an assured NHS Number.

Response option: Free text

Supporting guidance: n/a

C4.6 - Does your API adopt generally accepted healthcare standards of data interoperability (e.g. HL7 / FHIR)?

Response option: Yes | No

Supporting guidance: n/a

C4.7 - Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2, signed JWTs)?

Response option: Yes | No, Free text

Supporting guidance: n/a

C4.8 - If it does not, state the reasons and the relevant mitigations.

Response option: Free text

Supporting guidance: n/a

C4.9 - Is your product a wearable or device, or does it integrate with them?

Response option: Yes | No

Supporting guidance: n/a

C4.10 - If yes, provide evidence of how it complies with the ISO/IEEE 11073 Personal Health Data (PHD) standards.

Response option: Free text

Supporting guidance: Access the ISO standard. This is a paid-for document.
