Digital Technology Assessment Criteria (DTAC)
DTAC Assessment Document
This DTAC assessment is based on the template downloaded from the NHS England Transformation Directorate website.
As part of our effort to use modern web standards and publish documents more openly, we have converted the .odt original document into a native web page in our documentation site.
DTAC Document
The assessment criteria is made up of five core components. Sections A and B will provide the assessors the context required to understand your product and support your evidence. The core assessment criteria is defined in section C1-C4. Section D details the key Usability and Accessibility principles required. Further frequently asked questions are available at the end of the document.
The core criteria in Section C will determine the overall success of the assessment of your product or service. The accompanying score provided from Section D will show the level of adherence to the NHS Service Standard.
Section A. Company information
Non-assessed section
Information about your organisation and contact details.
| Code | Question | Response |
|---|---|---|
| A1 | Provide the name of your company | Royal College of Paediatrics and Child Health (RCPCH) |
| A2 | Provide the name of your product | RCPCH Digital Growth Charts |
| A3 | Provide the type of product | Digital Growth Charts Application Programming Interface and related tools and platform |
| A4 | Provide the name and job title of the individual who will be the key contact at your organisation | Richard Burley - Chief Digital Officer |
| A5 | Provide the key contact's email address | richard.burley@rcpch.ac.uk |
| A6 | Provide the key contact's phone number | 020 70926037 |
| A7 | Provide the registered address of your company | 5-11, Theobalds Rd, London WC1X 8SH, United Kingdom |
| A8 | In which country is your organisation registered? | England, Wales and Scotland |
| A9 | If you have a Companies House registration in the UK please provide your number | A Registered Charity in England and Wales (1057744) and in Scotland (SC038299) |
| A10 | If applicable, when was your last assessment from the Care Quality Commission (CQC)? | Not applicable |
| A11 | If applicable, provide your latest CQC report. | N/A |
Section B. Value proposition
Non-assessed section
Please set out the context of the clinical, economic or behavioural benefits of your product to support the review of your technology. This criteria will not be scored but will provide the context of the product undergoing assessment.
Where possible, please provide details relating to the specific technology and not generally to your organisation.
| Code | Question | Options | Response |
|---|---|---|---|
| B1 | Who is this product intended to be used for? | Patients | Diagnostics | Clinical Support | Infrastructure | Workforce | Other |
Diagnostics/Clinical Support This product is used by a range of health care professionals (GPs, paediatricians, nurses, health visitors, midwives, school nurses) to evaluate and record a child's growth. |
| B2 | Provide a clear description of what the product is designed to do and of how it is expected to be used | Free text |
The RCPCH Digital Growth Charts API provides reliable growth calculation for children of all ages capturing sex, DOB, weight, length, head circumference and BMI, for the range of 23 weeks premature to 20 years old for standard charts, and also provides Turner Syndrome and Down Syndrome calculations. The product allows the returned structured data to be displayed in a number of different ways depending on the clinician's needs, and for the data to be saved, charted, and trended within Electronic Patient Record systems. This richly functional solution with features such as automatic gestational age correction, bone age, mid-parental height, event recording, and specialist references is designed to bring high-quality growth parameter calculations to clinicians at the point of care. |
| B3 | Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated | Free text |
|
| B4 |
Please attach one or more user journeys which were used in the development of this product Where possible please also provide your data flows |
Provided | Not available |
User journeys are provided on our documentation website. |
Section C. Technical questions
Assessed sections
C1 - Clinical safety
Establishing that your product is clinically safe to use.
You must provide responses and documentation relating to the specific technology product that is subject to assessment.
The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as “product used to provide electronic information for health and social care purposes”. DTAC is designed as the assessment criteria for digital health technologies and C1 Clinical Safety Criteria is intended to be applied to all assessments. If a developer considers that the C1 Clinical Safety is not applicable to the product being assessed, rationale must be submitted exceptionally detailing why DCB0129 does not apply.
The DCB0160 standard applies to the organisation in which the health IT is deployed or used. It is a requirement of the standard (2.5.1) that in the procurement of health IT systems the organisation must ensure that the manufacturer and health IT system complies with DCB0129. The organisation must do so in accordance with the requirements and obligations set out in the DCB0160 standard. This includes personnel having the knowledge, experience and competences appropriate to undertaking the clinical risk management tasks assigned to them and organisations should ensure that this is the case when assessing this section of the DTAC.
If the Clinical Safety Officer or any other individual has concerns relating to safety of a medical device including software and apps, this should be reported to the Medicines and Healthcare products Regulatory Agency (MHRA) using the Yellow Card reporting system:
Report a problem with a medicine or medical device - GOV.UK (www.gov.uk).
| Code | Question | Options | Supporting information | Response |
|---|---|---|---|---|
| C1.1 | Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? | Yes | No | The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as "a product used to provide electronic information for health and social care purposes". | Yes |
| C1.1.1 | Please detail your clinical risk management system | Provided | No evidence available |
DCB0129 sets out the activities that must and should be undertaken for health IT systems. An example clinical risk management system template can be downloaded from the NHS Digital website. |
Provided. All details of the Clinical Risk Management System in place at RCPCH Digital Growth Charts are held on our public documentation site at |
| C1.1.2 | Please supply your Clinical Safety Case Report and Hazard Log | Provided | No evidence available |
Specifically, your DTAC submission should include:
It should not include the hazard log in the body of the document - this should be supplied separately. Example Clinical Safety Case Report and Hazard Log templates can be downloaded from the NHS Digital website. |
Provided. Clinical Safety Case Report: https://growth.rcpch.ac.uk/safety/csmf/clinical-safety-case-report/ Hazard Log: |
| C1.2 | Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details | Free Text |
The CSO must:
The work of the CSO can be undertaken by an outsourced third party. |
Dr Marcus Baw GMC: 4712729 General Practitioner Software Developer NHS Digital Trained Clinical Safety Officer |
| C1.3 | If your product falls within the UK Medical Devices Regulations 2002, is it registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? | Yes | No | Not applicable |
If this question is not applicable, because your product does not fall within the UK Medical Devices Regulations 2002, continue to question C1.4. If No, but the product falls within the UK Medical Devices Regulations 2002, continue to question C.1.3.2. The MHRA provides guidance on medical devices to place them on the market in Great Britain and Northern Ireland, regulatory requirements for all medical devices to be placed on the UK market, conformity assessment and the UK Conformity Assessed (UKCA) mark, classification of stand-alone medical device software (including apps) and how to tell if your product falls within the UK Medical Devices Regulations 2002. |
Yes, the RCPCH Digital Growth Charts API is registered as a Class I Medical Device with the MHRA. Our GMDN Term is 65712 - Paediatric growth calculation API software |
| C1.3.1 | If yes, please provide your MHRA registration number | Free text |
MHRA Account Number 13251 Digital Growth Charts Device Application reference 2022020401237576 |
|
| C1.3.2 | If the UK Medical Device Regulations 2002 are applicable, please provide your Declaration of Conformity and, if applicable, certificate of conformity issued by a Notified Body / UK Approved Body | Provided | No evidence available |
Medical device manufacturers must ensure that their device complies with the relevant Essential Requirements of the legislation and draw up a Declaration of Conformity to declare this. Class I devices with a measuring function and devices in Class IIa, IIb and III must undergo conformity assessment from an EU Notified Body or UK Approved Body which has been designated for medical devices, and be issued a certificate of conformity (commonly referred to as a “CE certificate” or “UKCA certificate” |
Provided. https://growth.rcpch.ac.uk/safety/medical-device-reg/doc-api/ As a Class I Medical Device there is no requirement for Notified Body / UK Approved Body certificate of conformity. |
| C1.4 | Do you use or connect to any third-party products? | Yes | No |
If no, continue to section C2. DCB0129 contains the requirements in relation to third party products. |
No |
| C1.4.1 | If yes, please attach relevant Clinical Risk Management documentation and conformity certificate | Provided | No evidence available | Not applicable |
C2 - Data protection
Establishing that your product collects, stores and uses data (including personally identifiable data) compliantly.
This section applies to the majority of digital health technology products however there may be some products that do not process any NHS held patient data or any identifiable data. If this is the case, the Data Protection Officer, or other suitably authorised individual should authorise this data protection section being omitted from the assessment.
| Code | Question | Options | Supporting information | Response |
|---|---|---|---|---|
| C2.1 |
If you are required to register with the Information Commissioner, please attach evidence of a current registration. If you are not required to register, please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination. |
Provided | Not provided |
There are some instances where organisations are not required to register with the Information Commissioner. This includes where no personal information is being processed. The Information Commissioner has a registration self-assessment tool to support this decision making. |
Provided. The RCPCH has ICO Registration, registration number: Z5143673 |
| C2.2 | Do you have a nominated Data Protection Officer (DPO)? | Yes | No | We do not need one |
Not all organisations are required to have a Data Protection Officer (DPO). This is determined by the type of organisation and core activities. The most common reason for organisations providing digital health technologies to have a DPO is due to the core activities involving processing health data (being a special category). The Information Commissioner has a self-assessment tool to determine whether you must appoint a DPO. |
Yes. |
| C2.2.1 |
If you are required to have a nominated Data Protection Officer, please provide their name. If you are not required to have a DPO please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination. |
Free text | Provided |
Adele Picken RCPCH Head of Information Governance Tel. 020 7092 6030 |
|
| C2.3 | Does your product have access to any personally identifiable data or NHS held patient data? | Yes | No |
The UK General Data Protection Regulation (GDPR) applies to the processing of personal data. If no, continue to question C2.4 |
No |
| C2.3.1 |
Please confirm you are compliant (having standards met or exceeded status) with the annual Data Security and Protection Toolkit Assessment. If you have not completed the current year's assessment and the deadline has not yet passed, please confirm that you intend to complete this ahead of the deadline and that there are no material changes from your previous years submission that would affect your compliance. |
Confirmed | Unable to confirm | The Data Security and Protection Toolkit allows organisations to measure performance against the National Data Guardian's 10 data security standards. |
Confirmed. Standards Exceeded. |
| C2.3.2 | Please attach the Data Protection Impact Assessment (DPIA) relating to the product. | Provided | Not provided |
DPIAs are a key part of the accountability obligations under the UK GDPR, and when done properly help organisations assess and demonstrate how they comply with data protection obligations. The Information Commissioner has provided guidance on how to complete a DPIA and a sample DPIA template. |
The RCPCH used the ICO DPIA Checklist to determine if a DPIA was required and the outcome was that a DPIA was NOT required on the basis that personally identifiable data is not handled. The information submitted does not identify the individual on its own. RCPCH also does not have access to the information nor stores. RCPCH does not use the information to learn, record or decide anything about the data subject. RCPCH is not data controller of this information. The healthcare organization using the tool, as data controller of the data being provided, may be required to undertake a DPIA but this will depend on their own assessment. We have consulted with our Data Protection Officer on all matters of data protection and have their agreement. |
| C2.4 | Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer (if one is in place) or an accountable officer where exempt in question C2.2. | Confirm | Cannot confirm | Confirm. | |
| C2.5 | Please confirm where you store and process data (including any third-party products your product uses) | UK only | In EU | Outside of EU | Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take. |
UK Only (London, England) |
| C2.5.1 | If you process store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation | Free text |
From 1 January 2021, the UK GDPR applies in the UK in place of the “EU GDPR'. The UK GDPR will carry across much of the existing EU GDPR legislation. The Department for Digital, Culture, Media & Sport has published two Keeling Schedules which show the changes to the Data Protection Act 2019 and EU GDPR. The Information Commissioner has published guidance on international data transfers after the UK exit from the EU Implementation Period. |
Not applicable. All data is processed in the UK. |
C3 - Technical security
Establishing that your product meets industry best practice security standards and that the product is stable.
Dependent on the digital health technology being procured, it is recommended that appropriate contractual arrangements are put in place for problem identification and resolution, incident management and response planning and disaster recovery.
Please provide details relating to the specific technology and not generally to your organisation.
| Code | Question | Options | Supporting information | Response |
|---|---|---|---|---|
| C3.1 | Please attach your Cyber Essentials Certificate | Provided | No evidence available |
Cyber Essentials helps organisations guard against the most common cyber threats. The National Cyber Security Centre (NCSC) have published cyber security guidance for small to medium enterprises (SME's). |
Our Cyber Essentials certificate is published here https://growth.rcpch.ac.uk/technical/security/#cyber-essentials |
| C3.2 | Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period. | Provided | No evidence available | The NCSC provides guidance on penetration testing. The OWASP Foundation provides guidance on the OWASP top 10 vulnerabilities. |
Penetration testing is in the process of being conducted. Evidence from this is to be provided. |
| C3.3 | Please confirm whether all custom code had a security review. | Yes - Internal code review | Yes - External code review | No | No because there is no custom code |
The NCSC provides guidance on producing clean and maintainable code. | Yes - Internal code review |
| C3.4 | Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? | Yes | No | The NCSC provides guidance on Multi-Factor Authentication. | Yes. |
| C3.5 | Please confirm whether logging and reporting requirements have been clearly defined. | Yes | No |
The NCSC provides guidance on logging and protective monitoring. To confirm yes to this question, logging (e.g., audit trails of all access) must be in place. It is acknowledged that not all developers will have advanced audit capabilities. |
Yes. |
| C3.6 | Please confirm whether the product has been load tested | Yes | No | Load testing should be performed. | Yes. |
C4 - Interoperability criteria
Establishing how well your product exchanges data with other systems.
To provide a seamless care journey, it is important that relevant technologies in the health and social care system are interoperable, in terms of hardware, software and the data contained within. For example, it is important that data from a patient's ambulatory blood glucose monitor can be downloaded onto an appropriate clinical system without being restricted to one type. Those technologies that need to interface within clinical record systems must also be interoperable. Application Programme Interfaces (APIs) should follow the Government Digital Services Open API Best Practices, be documented and freely available and third parties should have reasonable access in order to integrate technologies.
Good interoperability reduces expenditure, complexity and delivery times on local system integration projects by standardising technology and interface specifications and simplifying integration. It allows it to be replicated and scaled up and opens the market for innovation by defining the standards to develop upfront.
This section should be tailored to the specific use case of the product and the needs of the buyer however it should reflect the standards used within the NHS and social care and direction of travel.
Please provide details relating to the specific technology and not generally to your organisation.
| Code | Question | Options | Supporting information | Response |
|---|---|---|---|---|
| C4.1 | Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? | Yes | No |
The NHS website developer portal provides guidance on APIs and the NHS. Government Digital Services provide guidance on Open API best practice. |
Yes. |
| C4.1.1 |
If yes, please provide detail and evidence:
If no, please set out why your product does not have APIs. |
Free text |
Our product is entirely designed to be interoperable and our primary offering is a Digital Growth Charts API which is interoperable. Our API and ancillary development toolkits are fully documented at our public documentation site at API documentation is in the international OpenAPI3 documentation standard. Government Digital Services Open API Best Practice is followed throughout. Connection to third parties is our intended business model as we actively encourage connection and full integration, providing both free access at lower levels of usage, and supported enterprise integration support. |
|
| C4.2 | Do you use NHS number to identify patient record data? | Yes | No | No, because product does not identify patient record data | NHS Digital provides guidance on NHS Login for partners and developers. | No, because product does not identify patient record data |
| C4.2.1 |
If yes, please confirm whether it uses NHS Login to establish a user's verified NHS number. If no, please set out the rationale, how your product established NHS number and the associated security measures in place. |
Free text | N/A | |
| C4.3 | Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2) | Yes | No | No, because the product does not read/ write into EHRs | No, because the product does not read/ write into EHRs | |
| C4.3.1 | If yes, please detail the standard | ree text | ||
| C4.3.2 | If no, please state the reasons and mitigations, methodology and security measures. | ree text | ||
| C4.4 | Is your product a wearable or device, or does it integrate with them? | Yes | No | If no, continue to section D. | No |
| C4.4.1 | If yes, provide evidence of how it complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards. | Provided | No evidence available | Access the ISO Standard. This is a paid-for document. |
Section D. Key principles for success
The core elements defined in this section will form part of the overall review of the product or service and is a key part to ensuring that the product or service is suitable for use. The assessment will set a compliance rating and where a product or developer is not compliant highlight areas that the organisation could improve on with regards to following the core principles.
This section will be scored in relation to the NHS service standard. This will not contribute to the overall Assessment Criteria as set out in Section C.
D1 - Usability and accessibility
scored section
Establishing that your product has followed best practice.
Please note that not all sections of the NHS Service Standard are included where they are assessed elsewhere within DTAC, for example clinical safety.
| Code | Question | Options | Supporting information | Weighted score | Scoring criteria |
|---|---|---|---|---|---|
| D1.1 |
Understand users and their needs in context of health and social care Do you engage users in the development of the product? |
Yes | No | Working towards it | NHS Service Standard Point 1 | 0% |
Yes. User needs are continually integrated into the development workflow. The user needs of Paediatricians, nurses and other clinical staff are represented by the Digital Growth Charts Project Board, which is composed of nominated user representatives https://growth.rcpch.ac.uk/about/team/#project-board Additionally we have open Issue reporting which allows anyone, whether user, patient, or parent/carer to report a user need or requirement for consideration by the development team. |
| D1.1.1 | If yes or working towards it, how frequently do you consider user needs in your product development and what methods do you use to engage users and understand their needs? |
text |
User needs are constantly re-evaluated and are a central part of our development workflow. New user needs can be incorporated into our 2-weekly development cycles quite easily and new deployments of improved platform features can be achieved rapidly |
||
| D1.2 |
Work towards solving a whole problem for users Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey? |
Yes | No | Working towards it |
NHS Service Standard Point 2 and Point 3 are often dealt with by teams together. | 0% | User journeys to follow |
| D1.2.1 | If yes or working towards it, please attach the user journeys and/or how the product fits into a user pathway or journey | Provided | No evidence available | |||
| D1.3 |
Make the service simple to use Do you undertake user acceptance testing to validate usability of the system? |
Yes | No | Working towards it |
NHS Service Standard Point 4 | 0% |
No. The product we provide is a toolkit and API which is integrated into EHRs by our customers (the EHR suppliers). Our toolkit does not in itself have users. Those EHR suppliers perform their own UAT on their implementation of our toolkit and API, to validate usability of their system. If a supplier found a usability issue which originated within our toolkit or API they would escalate this back to us for action. |
| D1.3.1 | If yes or working towards it, please attach information that demonstrates that user acceptance testing is in place to validate usability. |
Provided | No evidence available |
N/A | ||
| D1.4 |
Make sure everyone can use the service Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? |
Yes | No | Working towards it |
a href="https://service-manual.nhs.uk/service-standard/5-make-sure-everyone-can-use-the-service">NHS Service Standard Point 5
The Service Manual provides information on WCAG 2.1 level AA. The Government Digital Service provides guidance on accessibility and accessibility statements, including a sample template. |
0% | Yes. |
| D1.4.1 | Provide a link to your published accessibility statement. |
Free text |
0% | https://growth.rcpch.ac.uk/ | |
| D1.5 |
Create a team that includes multi-disciplinary skills and perspectives Does your team contain multidisciplinary skills? |
Yes | No | Working towards it |
a href="https://service-manual.nhs.uk/service-standard/6-create-a-team-that-includes-multidisciplinary-skills-and-perspectives">NHS Service Standard Point 6 | 2.5% | Yes. |
| D1.6 |
Use agile ways of working Do you use agile ways of working to deliver your product? |
Yes | No | Working towards it |
a href="https://service-manual.nhs.uk/service-standard/7-use-agile-ways-of-working">NHS Service Standard Point 7 | 2.5% | Yes. |
| D1.7 |
Iterate and improve frequently Do you continuously develop your product? |
Yes | No | Working towards it |
a href="https://service-manual.nhs.uk/service-standard/8-iterate-and-improve-frequently">NHS Service Standard Point 8 | % | Yes. |
| D1.8 |
Define what success looks like and be open about how your service is performing Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? |
Yes | No| Working towards it |
NHS Service Standard Point 10 | 0% | Yes. |
| D1.9 |
Choose the right tools and technology Does this product meet with NHS Cloud First Strategy? |
Yes | No | No because it is not applicable |
a href="https://service-manual.nhs.uk/service-standard/11-choose-the-right-tools-and-technology">NHS Service Standard Point 11 | % |
Yes. Yes. |
| D1.9.1 | Does this product meet the NHS Internet First Policy? | es | No | No because it is not applicable | |||
| D1.10 |
Use and contribute to open standards, common components and patterns Are common components and patterns in use? |
Yes | No | Working towards it |
NHS Service Standard Point 13 | % |
Yes. |
| D1.10.1 | If yes, which common components and patterns have been used? |
Free text |
Microsoft Azure API Management Platform FastAPI framework React.js Semantic UI Python SNOMED-CT |
||
| D1.11 |
Operate a reliable service Do you provide a Service Level Agreement to all customers purchasing the product? |
es | No | NHS Service Standard Point 14 | 0% |
Yes. |
| D1.12 | Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? | es | No |
Yes. A public uptime monitor is always visible on our documentation site |
||
| D1.12.1 | Please attach a copy of the information provided to customers |
Provided | No evidence available |
Provided (SLA) |
||
| D1.12.2 | Please provide your average service availability for the past 12 months, as a percentage to two decimal places |
Free text |
Last 90 days 99.839% uptime. Information for last 12 months is not yet available. |
Supporting documentation
Please ensure that when providing evidence, documents are clearly labelled with the name of your company, the question number and the date of submission.
Possible documents to be provided are:
-
A11 - CQC Report
-
B4 - User journeys and data flows
-
C1.1.1 - Clinical Risk Management System
-
C1.1.2 - Clinical Safety Case Report
-
C1.1.2 - Hazard Log
-
C1.3.2 - UK Medical Device Regulations 2002 Declaration of Conformity and if applicable Certificate of Conformity
-
C1.4.1 - Clinical Risk Management documentation and Conformity certificate for third party suppliers
-
C2.1 - Information Commissioner's registration or completed Self-assessment Outcome Tool
-
C2.2.1 Completed Information Commissioner's Self-Assessment Outcome Tool
-
C2.3.2 - Data Protection Impact Assessment (DPIA)
-
C3.1 - Cyber Essentials Certification
-
C3.2 - External Penetration Test Summary Report
-
C4.4.1 - If a wearable, evidence of how the product complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards
-
D1.2.1 - User Journeys and/or how the product fits into a user pathway or journey
-
D1.3.1 - Supporting information showing user acceptance testing to validate usability
-
D1.13.2 - Customer Performance Report
Document origin
Based on the OpenDocument version of the Digital Technology Assessment Criteria for Health and Social Care (DTAC), Version 1.0 22 February 2021, last updated 16th April 2021. RCPCH responses are in bold type.