DTAC stands for Digital Technology Assessment Criteria, a framework created by NHS England to evaluate digital health technology products before they can be used in the NHS or adult social care. It sets baseline standards across five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility. If you’re a technology supplier looking to work with the NHS, or a healthcare organization evaluating digital tools, DTAC is the checklist that determines whether a product meets the minimum requirements.
What DTAC Actually Does
DTAC gives NHS commissioners and care providers a standardized way to assess digital health products. Before DTAC, organizations buying health apps, remote monitoring tools, or clinical software had no consistent method for checking whether those products were safe, secure, and fit for purpose. The framework fills that gap with a structured form in which suppliers demonstrate compliance across its five assessment areas, covering the core standards, policies, and best practices required for NHS use.
The framework applies broadly to digital health technologies, sometimes abbreviated as DHTs. That includes patient-facing apps, clinical decision support tools, telehealth platforms, and other software that touches NHS systems or patient data.
The Five Assessment Areas
Clinical Safety
This is arguably the most critical area. Products must comply with two national information standards that govern clinical risk management in health IT. One standard applies to manufacturers, requiring them to assess and manage clinical risks during the design and development of their product. The other applies to the NHS organizations deploying the technology, ensuring they manage risks in how the product is actually used in practice. Compliance with these standards is a legal requirement under the Health and Social Care Act 2012.
Data Protection
DTAC checks that privacy is built into the product from the ground up, not bolted on as an afterthought. Suppliers need to demonstrate they have a registered data protection officer, have completed a Data Protection Impact Assessment, and have clear policies on where data is stored and processed. If the product accesses NHS systems or patient data, the supplier must also complete the Data Security and Protection Toolkit (DSPT), a separate NHS assessment that covers a wider set of data security obligations. DTAC includes questions to help identify when DSPT is necessary and avoids duplicating questions already covered there.
Technical Security
This area evaluates whether the product meets cybersecurity standards. It covers how the technology protects against unauthorized access, data breaches, and other security threats. Suppliers may need to complete and attach additional documentation such as a Pre-Acquisition Questionnaire as part of the assessment.
Interoperability
Health technology rarely works in isolation. DTAC assesses whether a product can exchange data with other NHS systems in a structured, standardized way. This matters because patient information often needs to flow between GP systems, hospital records, and specialist services. Products that lock data into proprietary formats create barriers to coordinated care.
Usability and Accessibility
A clinical tool that’s difficult to use or inaccessible to people with disabilities creates risk. This section evaluates whether the product has been designed with real users in mind, including people with visual, hearing, motor, or cognitive impairments. The NHS serves a diverse population, and digital tools need to work for all of them.
Who Needs to Complete DTAC
DTAC is primarily aimed at two groups. Suppliers of digital health technology complete the assessment form to demonstrate their product meets the required standards. NHS commissioners and care providers use the completed assessment to make informed purchasing decisions. The framework is not a one-time certification that a supplier earns permanently. It’s a due diligence tool used during procurement, meaning it should be revisited when products are updated or contracts renewed.
The assessment process involves filling out the DTAC form, which walks suppliers through each of the five areas with specific questions. Depending on the product and the data it handles, suppliers may be asked to attach supporting documents like a Data Protection Impact Assessment or Pre-Acquisition Questionnaire. Different sections of the form require sign-off from different specialists within the supplier’s organization. The data protection section, for example, needs oversight from a data protection officer and an information governance specialist.
Why DTAC Matters for Patients
The practical effect of DTAC is that it raises the floor for digital health products used in the NHS. Without it, an NHS trust could adopt a patient app that stores sensitive health data insecurely, or a clinical tool that hasn’t been properly tested for safety risks. DTAC doesn’t guarantee a product is excellent, but it ensures certain non-negotiable standards are met before the technology reaches patients or clinicians.
For anyone using an NHS-approved health app or digital service, DTAC is part of the reason that product was vetted for data privacy, security, clinical safety, and basic usability before it reached you. It’s the quality gate sitting between a technology company’s product and the NHS patients who will rely on it.

