
Digital Technology Assessment Criteria (DTAC)

DTAC Assessment Document

This DTAC assessment is based on the template downloaded from the NHS England Transformation Directorate website.

As part of our effort to use modern web standards and publish documents more openly, we have converted the .odt original document into a native web page in our documentation site.

DTAC Document

The assessment criteria is made up of five core components. Sections A and B will provide the assessors the context required to understand your product and support your evidence. The core assessment criteria is defined in section C1-C4. Section D details the key Usability and Accessibility principles required. Further frequently asked questions are available at the end of the document.

The core criteria in Section C will determine the overall success of the assessment of your product or service. The accompanying score provided from Section D will show the level of adherence to the NHS Service Standard.

Section A. Company information

Non-assessed section

Information about your organisation and contact details.

Code Question Response
A1 Provide the name of your company Royal College of Paediatrics and Child Health (RCPCH)
A2 Provide the name of your product RCPCH Digital Growth Charts
A3 Provide the type of product Digital Growth Charts Application Programming Interface and related tools and platform
A4 Provide the name and job title of the individual who will be the key contact at your organisation Richard Burley - Chief Digital Officer
A5 Provide the key contact's email address
A6 Provide the key contact's phone number 020 70926037
A7 Provide the registered address of your company 5-11, Theobalds Rd, London WC1X 8SH, United Kingdom
A8 In which country is your organisation registered? England, Wales and Scotland
A9 If you have a Companies House registration in the UK please provide your number A Registered Charity in England and Wales (1057744) and in Scotland (SC038299)
A10 If applicable, when was your last assessment from the Care Quality Commission (CQC)? Not applicable
A11 If applicable, provide your latest CQC report. N/A

Section B. Value proposition

Non-assessed section

Please set out the context of the clinical, economic or behavioural benefits of your product to support the review of your technology. This criteria will not be scored but will provide the context of the product undergoing assessment.

Where possible, please provide details relating to the specific technology and not generally to your organisation.

Code Question Options Response
B1 Who is this product intended to be used for? Patients | Diagnostics | Clinical Support | Infrastructure | Workforce | Other

Diagnostics/Clinical Support

This product is used by a range of health care professionals (GPs, paediatricians, nurses, health visitors, midwives, school nurses) to evaluate and record a child's growth.

B2 Provide a clear description of what the product is designed to do and of how it is expected to be used Free text

The RCPCH Digital Growth Charts API provides reliable growth calculation for children of all ages capturing sex, DOB, weight, length, head circumference and BMI, for the range of 23 weeks premature to 20 years old for standard charts, and also provides Turner Syndrome and Down Syndrome calculations.

The product allows the returned structured data to be displayed in a number of different ways depending on the clinician's needs, and for the data to be saved, charted, and trended within Electronic Patient Record systems. This richly functional solution with features such as automatic gestational age correction, bone age, mid-parental height, event recording, and specialist references is designed to bring high-quality growth parameter calculations to clinicians at the point of care.

B3 Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated Free text
  • Produced by a multidisciplinary group of members and other experts from clinical paediatrics, health informatics, statistics and programming, as well as childhood growth and nutrition specialists, health visitors and information governance experts.
  • Access includes RCPCH-created guidelines and advice for health professionals aiming to improve standards of growth measurement and assessment.
  • API returns structured data, and recommended SNOMED-CT clinical terminology.
  • Easy creation of apps and interfaces that will give clinicians accurate data to improve care and give access to their children's growth records online.
  • Access to ongoing maintenance and future development.
  • The ability to receive longitudinal growth data of individual children, which will enable the API to map children's growth pattern, trajectory and thrive lines.
  • Standardised open data format for all growth references, allowing research groups to develop specialist or localised growth charts using third party dataset.
  • Registered with the Medicines and Healthcare Products Regulatory Agency as a UKCA marked Medical Device.
  • Provision of the Clinical Standard Service Level Agreement, i.e., provision of support from 9am to 5pm, Monday to Friday.

Please attach one or more user journeys which were used in the development of this product

Where possible please also provide your data flows

Provided | Not available

User journeys are provided on our documentation website.

Section C. Technical questions

Assessed sections

C1 - Clinical safety

Establishing that your product is clinically safe to use.

You must provide responses and documentation relating to the specific technology product that is subject to assessment.

The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as “product used to provide electronic information for health and social care purposes”. DTAC is designed as the assessment criteria for digital health technologies and C1 Clinical Safety Criteria is intended to be applied to all assessments. If a developer considers that the C1 Clinical Safety is not applicable to the product being assessed, rationale must be submitted exceptionally detailing why DCB0129 does not apply.

The DCB0160 standard applies to the organisation in which the health IT is deployed or used. It is a requirement of the standard (2.5.1) that in the procurement of health IT systems the organisation must ensure that the manufacturer and health IT system complies with DCB0129. The organisation must do so in accordance with the requirements and obligations set out in the DCB0160 standard. This includes personnel having the knowledge, experience and competences appropriate to undertaking the clinical risk management tasks assigned to them and organisations should ensure that this is the case when assessing this section of the DTAC.

If the Clinical Safety Officer or any other individual has concerns relating to safety of a medical device including software and apps, this should be reported to the Medicines and Healthcare products Regulatory Agency (MHRA) using the Yellow Card reporting system:

Report a problem with a medicine or medical device - GOV.UK

Code Question Options Supporting information Response
C1.1 Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes | No The DCB0129 standard applies to organisations that are responsible for the development and maintenance of health IT systems. A health IT system is defined as "a product used to provide electronic information for health and social care purposes". Yes
C1.1.1 Please detail your clinical risk management system Provided | No evidence available

DCB0129 sets out the activities that must and should be undertaken for health IT systems.

An example clinical risk management system template can be downloaded from the NHS Digital website.


All details of the Clinical Risk Management System in place at RCPCH Digital Growth Charts are held on our public documentation site at

C1.1.2 Please supply your Clinical Safety Case Report and Hazard Log Provided | No evidence available

Specifically, your DTAC submission should include:

  • A summary of the product and its intended use

  • A summary of clinical risk management activities

  • A summary of hazards identified which you have been unable to mitigate to as low as it is reasonably practicable

  • The clear identification of hazards which will require user or commissioner action to reach acceptable mitigation (for example, training and business process change)

It should not include the hazard log in the body of the document - this should be supplied separately.

Example Clinical Safety Case Report and Hazard Log templates can be downloaded from the NHS Digital website.


Clinical Safety Case Report:

Hazard Log:

C1.2 Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details Free Text

The CSO must:

  • Be a suitably qualified and experienced clinician

  • Hold a current registration with an appropriate professional body relevant to their training and experience

  • Be knowledgeable in risk management and its application to clinical domains

  • Be suitably trained and qualified in risk management or have an understanding in principles of risk and safety as applied to Health IT

  • Have completed appropriate training

The work of the CSO can be undertaken by an outsourced third party.

Dr Marcus Baw

GMC: 4712729

General Practitioner

Software Developer

NHS Digital Trained Clinical Safety Officer

C1.3 If your product falls within the UK Medical Devices Regulations 2002, is it registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? Yes | No | Not applicable

If this question is not applicable, because your product does not fall within the UK Medical Devices Regulations 2002, continue to question C1.4.

If No, but the product falls within the UK Medical Devices Regulations 2002, continue to question C.1.3.2.

The MHRA provides guidance on medical devices to place them on the market in Great Britain and Northern Ireland, regulatory requirements for all medical devices to be placed on the UK market, conformity assessment and the UK Conformity Assessed (UKCA) mark, classification of stand-alone medical device software (including apps) and how to tell if your product falls within the UK Medical Devices Regulations 2002.

Yes, the RCPCH Digital Growth Charts API is registered as a Class I Medical Device with the MHRA.

Our GMDN Term is 65712 - Paediatric growth calculation API software

C1.3.1 If yes, please provide your MHRA registration number Free text

MHRA Account Number 13251

Digital Growth Charts Device Application reference 2022020401237576

C1.3.2 If the UK Medical Device Regulations 2002 are applicable, please provide your Declaration of Conformity and, if applicable, certificate of conformity issued by a Notified Body / UK Approved Body Provided | No evidence available

Medical device manufacturers must ensure that their device complies with the relevant Essential Requirements of the legislation and draw up a Declaration of Conformity to declare this.

Class I devices with a measuring function and devices in Class IIa, IIb and III must undergo conformity assessment from an EU Notified Body or UK Approved Body which has been designated for medical devices, and be issued a certificate of conformity (commonly referred to as a “CE certificate” or “UKCA certificate”).


As a Class I Medical Device there is no requirement for Notified Body / UK Approved Body certificate of conformity.

C1.4 Do you use or connect to any third-party products? Yes | No

If no, continue to section C2.

DCB0129 contains the requirements in relation to third party products.

C1.4.1 If yes, please attach relevant Clinical Risk Management documentation and conformity certificate Provided | No evidence available Not applicable

C2 - Data protection

Establishing that your product collects, stores and uses data (including personally identifiable data) compliantly.

This section applies to the majority of digital health technology products however there may be some products that do not process any NHS held patient data or any identifiable data. If this is the case, the Data Protection Officer, or other suitably authorised individual should authorise this data protection section being omitted from the assessment.

Code Question Options Supporting information Response

If you are required to register with the Information Commissioner, please attach evidence of a current registration.

If you are not required to register, please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination.

Provided | Not provided

There are some instances where organisations are not required to register with the Information Commissioner. This includes where no personal information is being processed.

The Information Commissioner has a registration self-assessment tool to support this decision making.


The RCPCH has ICO Registration, registration number: Z5143673

C2.2 Do you have a nominated Data Protection Officer (DPO)? Yes | No | We do not need one

Not all organisations are required to have a Data Protection Officer (DPO). This is determined by the type of organisation and core activities. The most common reason for organisations providing digital health technologies to have a DPO is due to the core activities involving processing health data (being a special category).

The Information Commissioner has a self-assessment tool to determine whether you must appoint a DPO.


If you are required to have a nominated Data Protection Officer, please provide their name.

If you are not required to have a DPO please attach a completed self-assessment showing the outcome from the Information Commissioner and your responses which support this determination.

Free text | Provided

Adele Picken

RCPCH Head of Information Governance

Tel. 020 7092 6030

C2.3 Does your product have access to any personally identifiable data or NHS held patient data? Yes | No

The UK General Data Protection Regulation (GDPR) applies to the processing of personal data.

If no, continue to question C2.4


Please confirm you are compliant (having standards met or exceeded status) with the annual Data Security and Protection Toolkit Assessment.

If you have not completed the current year's assessment and the deadline has not yet passed, please confirm that you intend to complete this ahead of the deadline and that there are no material changes from your previous years submission that would affect your compliance.

Confirmed | Unable to confirm The Data Security and Protection Toolkit allows organisations to measure performance against the National Data Guardian's 10 data security standards.


Standards Exceeded.

C2.3.2 Please attach the Data Protection Impact Assessment (DPIA) relating to the product. Provided | Not provided

DPIAs are a key part of the accountability obligations under the UK GDPR, and when done properly help organisations assess and demonstrate how they comply with data protection obligations.

The Information Commissioner has provided guidance on how to complete a DPIA and a sample DPIA template.

The RCPCH used the ICO DPIA Checklist to determine if a DPIA was required and the outcome was that a DPIA was NOT required on the basis that personally identifiable data is not handled.
The information submitted does not identify the individual on its own. RCPCH also does not have access to the information, nor does it store it. RCPCH does not use the information to learn, record or decide anything about the data subject. RCPCH is not data controller of this information. The healthcare organization using the tool, as data controller of the data being provided, may be required to undertake a DPIA but this will depend on their own assessment. We have consulted with our Data Protection Officer on all matters of data protection and have their agreement.
C2.4 Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer (if one is in place) or an accountable officer where exempt in question C2.2. Confirm | Cannot confirm Confirm.
C2.5 Please confirm where you store and process data (including any third-party products your product uses) UK only | In EU | Outside of EU Individual organisations within the Health and Social Care system are accountable for the risk-based decisions that they must take.

UK Only

(London, England)

C2.5.1 If you store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation Free text

From 1 January 2021, the UK GDPR applies in the UK in place of the “EU GDPR”. The UK GDPR will carry across much of the existing EU GDPR legislation. The Department for Digital, Culture, Media & Sport has published two Keeling Schedules which show the changes to the Data Protection Act 2019 and EU GDPR.

The Information Commissioner has published guidance on international data transfers after the UK exit from the EU Implementation Period.

Not applicable. All data is processed in the UK.

C3 - Technical security

Establishing that your product meets industry best practice security standards and that the product is stable.

Dependent on the digital health technology being procured, it is recommended that appropriate contractual arrangements are put in place for problem identification and resolution, incident management and response planning and disaster recovery.

Please provide details relating to the specific technology and not generally to your organisation.

Code Question Options Supporting information Response
C3.1 Please attach your Cyber Essentials Certificate Provided | No evidence available

Cyber Essentials helps organisations guard against the most common cyber threats.

The National Cyber Security Centre (NCSC) have published cyber security guidance for small to medium enterprises (SME's).

Our Cyber Essentials certificate is published here

C3.2 Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period. Provided | No evidence available The NCSC provides guidance on penetration testing. The OWASP Foundation provides guidance on the OWASP top 10 vulnerabilities.

Penetration testing is in the process of being conducted.

Evidence from this is to be provided.

C3.3 Please confirm whether all custom code had a security review. Yes - Internal code review |
Yes - External code review |
No | No because there is no custom code
The NCSC provides guidance on producing clean and maintainable code. Yes - Internal code review
C3.4 Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes | No The NCSC provides guidance on Multi-Factor Authentication. Yes.
C3.5 Please confirm whether logging and reporting requirements have been clearly defined. Yes | No

The NCSC provides guidance on logging and protective monitoring.

To confirm yes to this question, logging (e.g., audit trails of all access) must be in place. It is acknowledged that not all developers will have advanced audit capabilities.

C3.6 Please confirm whether the product has been load tested Yes | No Load testing should be performed. Yes.

C4 - Interoperability criteria

Establishing how well your product exchanges data with other systems.

To provide a seamless care journey, it is important that relevant technologies in the health and social care system are interoperable, in terms of hardware, software and the data contained within. For example, it is important that data from a patient's ambulatory blood glucose monitor can be downloaded onto an appropriate clinical system without being restricted to one type. Those technologies that need to interface within clinical record systems must also be interoperable. Application Programme Interfaces (APIs) should follow the Government Digital Services Open API Best Practices, be documented and freely available and third parties should have reasonable access in order to integrate technologies.

Good interoperability reduces expenditure, complexity and delivery times on local system integration projects by standardising technology and interface specifications and simplifying integration. It allows it to be replicated and scaled up and opens the market for innovation by defining the standards to develop upfront.

This section should be tailored to the specific use case of the product and the needs of the buyer however it should reflect the standards used within the NHS and social care and direction of travel.

Please provide details relating to the specific technology and not generally to your organisation.

Code Question Options Supporting information Response
C4.1 Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes | No

The NHS website developer portal provides guidance on APIs and the NHS.

Government Digital Services provide guidance on Open API best practice.



If yes, please provide detail and evidence:

  • The API's (e.g., what they connect to) set out the healthcare standards of data interoperability e.g. Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR)

  • Confirm that they follow Government Digital Services Open API Best Practice

  • Confirm they are documented and freely available

  • Third parties have reasonable access to connect

If no, please set out why your product does not have APIs.

Free text

Our product is entirely designed to be interoperable and our primary offering is a Digital Growth Charts API which is interoperable.

Our API and ancillary development toolkits are fully documented at our public documentation site at

API documentation is in the international OpenAPI3 documentation standard.

Government Digital Services Open API Best Practice is followed throughout.

Connection to third parties is our intended business model as we actively encourage connection and full integration, providing both free access at lower levels of usage, and supported enterprise integration support.

C4.2 Do you use NHS number to identify patient record data? Yes | No | No, because product does not identify patient record data

NHS Digital provides guidance on NHS Login for partners and developers. No, because product does not identify patient record data

If yes, please confirm whether it uses NHS Login to establish a user's verified NHS number.

If no, please set out the rationale, how your product established NHS number and the associated security measures in place.

Free text

C4.3 Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2) Yes | No | No, because the product does not read/ write into EHRs No, because the product does not read/ write into EHRs

C4.3.1 If yes, please detail the standard Free text

C4.3.2 If no, please state the reasons and mitigations, methodology and security measures. Free text

C4.4 Is your product a wearable or device, or does it integrate with them? Yes | No If no, continue to section D. No
C4.4.1 If yes, provide evidence of how it complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards. Provided | No evidence available Access the ISO Standard. This is a paid-for document.

Section D. Key principles for success

The core elements defined in this section will form part of the overall review of the product or service and is a key part to ensuring that the product or service is suitable for use. The assessment will set a compliance rating and where a product or developer is not compliant highlight areas that the organisation could improve on with regards to following the core principles.

This section will be scored in relation to the NHS service standard. This will not contribute to the overall Assessment Criteria as set out in Section C.

D1 - Usability and accessibility

scored section

Establishing that your product has followed best practice.

Please note that not all sections of the NHS Service Standard are included where they are assessed elsewhere within DTAC, for example clinical safety.

Code Question Options Supporting information Weighted score Scoring criteria

Understand users and their needs in context of health and social care

Do you engage users in the development of the product?

Yes | No | Working towards it

NHS Service Standard Point 1 0%


User needs are continually integrated into the development workflow.

The user needs of Paediatricians, nurses and other clinical staff are represented by the Digital Growth Charts Project Board, which is composed of nominated user representatives

Additionally we have open Issue reporting which allows anyone, whether user, patient, or parent/carer to report a user need or requirement for consideration by the development team.

D1.1.1 If yes or working towards it, how frequently do you consider user needs in your product development and what methods do you use to engage users and understand their needs?


User needs are constantly re-evaluated and are a central part of our development workflow. New user needs can be incorporated into our 2-weekly development cycles quite easily and new deployments of improved platform features can be achieved rapidly


Work towards solving a whole problem for users

Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey?

Yes | No | Working towards it

NHS Service Standard Point 2 and Point 3 are often dealt with by teams together.


User journeys to follow

D1.2.1 If yes or working towards it, please attach the user journeys and/or how the product fits into a user pathway or journey Provided | No evidence available

Make the service simple to use

Do you undertake user acceptance testing to validate usability of the system?

Yes | No | Working towards it

NHS Service Standard Point 4



The product we provide is a toolkit and API which is integrated into EHRs by our customers (the EHR suppliers). Our toolkit does not in itself have users.

Those EHR suppliers perform their own UAT on their implementation of our toolkit and API, to validate usability of their system.

If a supplier found a usability issue which originated within our toolkit or API they would escalate this back to us for action.

D1.3.1 If yes or working towards it, please attach information that demonstrates that user acceptance testing is in place to validate usability.

Provided | No evidence available


Make sure everyone can use the service

Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant?

Yes | No | Working towards it

NHS Service Standard Point 5

The Service Manual provides information on WCAG 2.1 level AA.

The Government Digital Service provides guidance on accessibility and accessibility statements, including a sample template.


D1.4.1 Provide a link to your published accessibility statement.

Free text


Create a team that includes multi-disciplinary skills and perspectives

Does your team contain multidisciplinary skills?

Yes | No | Working towards it

NHS Service Standard Point 6

2.5% Yes.

Use agile ways of working

Do you use agile ways of working to deliver your product?

Yes | No | Working towards it

NHS Service Standard Point 7

2.5% Yes.

Iterate and improve frequently

Do you continuously develop your product?

Yes | No | Working towards it

NHS Service Standard Point 8



Define what success looks like and be open about how your service is performing

Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking?

Yes | No | Working towards it

NHS Service Standard Point 10



Choose the right tools and technology

Does this product meet with NHS Cloud First Strategy?

Yes | No | No because it is not applicable

NHS Service Standard Point 11

NHS Internet First Policy.




D1.9.1 Does this product meet the NHS Internet First Policy? Yes | No | No because it is not applicable


Use and contribute to open standards, common components and patterns

Are common components and patterns in use?

Yes | No | Working towards it

NHS Service Standard Point 13 %


D1.10.1 If yes, which common components and patterns have been used?

Free text

Microsoft Azure API Management Platform

FastAPI framework


Semantic UI




Operate a reliable service

Do you provide a Service Level Agreement to all customers purchasing the product?

Yes | No

NHS Service Standard Point 14 0%


D1.12 Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes | No


A public uptime monitor is always visible on our documentation site

D1.12.1 Please attach a copy of the information provided to customers

Provided | No evidence available

Provided (SLA)

D1.12.2 Please provide your average service availability for the past 12 months, as a percentage to two decimal places

Free text

Last 90 days 99.839% uptime.

Information for last 12 months is not yet available.

Supporting documentation

Please ensure that when providing evidence, documents are clearly labelled with the name of your company, the question number and the date of submission.

Possible documents to be provided are:

  • A11 - CQC Report

  • B4 - User journeys and data flows

  • C1.1.1 - Clinical Risk Management System

  • C1.1.2 - Clinical Safety Case Report

  • C1.1.2 - Hazard Log

  • C1.3.2 - UK Medical Device Regulations 2002 Declaration of Conformity and if applicable Certificate of Conformity

  • C1.4.1 - Clinical Risk Management documentation and Conformity certificate for third party suppliers

  • C2.1 - Information Commissioner's registration or completed Self-assessment Outcome Tool

  • C2.2.1 Completed Information Commissioner's Self-Assessment Outcome Tool

  • C2.3.2 - Data Protection Impact Assessment (DPIA)

  • C3.1 - Cyber Essentials Certification

  • C3.2 - External Penetration Test Summary Report

  • C4.4.1 - If a wearable, evidence of how the product complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards

  • D1.2.1 - User Journeys and/or how the product fits into a user pathway or journey

  • D1.3.1 - Supporting information showing user acceptance testing to validate usability

  • D1.13.2 - Customer Performance Report

Document origin

Based on the OpenDocument version of the Digital Technology Assessment Criteria for Health and Social Care (DTAC), Version 1.0 22 February 2021, last updated 16th April 2021. RCPCH responses are in bold type.