Curenium

The DTAC Readiness Checklist: Deploying SaaS in the NHS

Published on:July 9, 20264 min readMustaphaBy:Mustapha
The DTAC Readiness Checklist: Deploying SaaS in the NHS

Deploying digital health software into the National Health Service (NHS) in the United Kingdom requires meeting rigorous assessment standards. The primary framework for this is the Digital Technology Assessment Criteria (DTAC).

Managed by the NHS Transformation Directorate, DTAC ensures that digital tools meet core standards across clinical safety, data protection, technical security, interoperability, and usability. For SaaS startups and enterprise developers alike, passing DTAC is a prerequisite to NHS integration.

Here is a practical, developer-focused checklist to prepare your SaaS platform for DTAC compliance.

1. Clinical Safety (DCB0129)

To satisfy the clinical safety section, you must demonstrate that your software does not introduce unacceptable clinical risks. This is often the most challenging section for external software companies.

  • Appoint a Clinical Safety Officer (CSO): You must have a registered clinician acting as your CSO to oversee the safety assessment. The CSO must hold an active registration with a professional body (e.g., GMC, NMC) and be trained in clinical risk management.
  • Produce a Clinical Safety Case Report (CSCR): This document details your platform's clinical risk assessment, architectural design, and mitigation strategies.
  • Maintain a Hazard Log: Document all potential software hazards, their clinical impact, and how they are controlled. Every code release must trigger a review of the safety hazard log to ensure new features don't introduce regression risks.

2. Data Protection & GDPR Compliance

NHS patient data is protected under the UK GDPR and the Data Protection Act 2018.

  • Perform a DPIA: Complete a detailed Data Protection Impact Assessment (DPIA) to outline how patient data is processed, stored, and secured.
  • Register with the ICO: Your organization must be registered with the Information Commissioner's Office (ICO).
  • Data Protection Officer (DPO): Appoint a dedicated DPO to monitor GDPR compliance.
  • Host Data within the UK/EEA: Ensure all patient data resides within UK-based server infrastructure. Using UK-specific cloud regions (such as AWS London or Azure UK South) is highly recommended.
  • Data Security and Protection Toolkit (DSPT): Complete the NHS DSPT self-assessment annually to demonstrate compliance with the National Data Guardian's standards.

3. Technical Security

DTAC requires verification that your software is secure against modern cyber threats.

  • Cyber Essentials Plus: Obtain Cyber Essentials or Cyber Essentials Plus certification, which validates your organization's perimeter security and endpoint management.
  • Annual Penetration Testing: Provide a recent penetration test report conducted by a CREST-approved third party, along with proof that all high and medium vulnerabilities have been patched. The report must be less than 12 months old.
  • Encrypt All Data: Implement AES-256 encryption for data at rest and TLS 1.3 for data in transit.

4. Interoperability & Usability

Your platform must easily exchange data with NHS systems (such as GP systems or hospital EHRs) and be accessible to all users.

  • FHIR API Compliance: Ensure your APIs conform to HL7 FHIR standards (particularly the UK Core profile) for structured data exchange.
  • WCAG 2.1 AA Accessibility: Your user interface must meet the Web Content Accessibility Guidelines (WCAG) 2.1 at level AA. This requires extensive testing for keyboard navigation, screen reader compatibility, and color contrast.
  • NHS Login Integration: Where applicable, support NHS Login for secure patient authentication.

By prioritizing these four areas early in your development cycle, you can significantly reduce the time it takes to clear the DTAC process. At Plannorium, our products are engineered from the ground up with international compliance frameworks in mind, enabling UK and global health networks to deploy our systems with peace of mind.

Want to explore more technology and compliance topics?

View All Articles