DTAC and CSO requirements

Digital Technology Assessment Criteria (DTAC) and Clinical Safety Officer (CSO) requirements

Date published:
Date last updated:
Next review date:

Overview

The Digital Technology Assessment Criteria for Health and Social Care (DTAC) is a framework created by NHS England to ensure that any digital tools used in the NHS meet consistent standards for clinical safety, data protection, technical security, interoperability, and usability.

It was first published in 2021 and applies to all new or updated digital technologies used in health and social care. The DTAC is intended to give patients, clinicians, and organisations confidence that the tools they use are safe and well built.

What practices need to know

  • DTAC brings together several national standards, including the Data Security and Protection Toolkit (DSPT), the Data Protection Impact Assessment (DPIA) process, and the clinical safety standards DCB0129 and DCB0160.
  • The Clinical Safety Officer (CSO) role is part of this framework. A CSO must be a registered clinician who has completed formal training in clinical risk management.
  • The standards were written mainly for large provider organisations and system suppliers. It is not realistic or proportionate for every GP practice to appoint its own CSO.
  • In primary care, DTAC compliance and clinical safety assurance should sit at ICB or regional level, ideally through a shared CSO function.
  • Practices should continue to complete DPIAs when deploying or trialling new digital systems that involve patient data, using the SCW IG templates or their own local process.
  • When adopting ICB-approved or nationally supplied systems, practices can reasonably rely on the ICB’s or supplier’s DTAC assurance, rather than duplicating the process locally.

Why this matters

The DTAC framework and associated standards (DCB0129/0160) are designed to reduce patient safety risks arising from digital technology. Each organisation using digital systems must ensure that safety is considered, but the practical burden for practices should be managed at system level.

LMC View

The LMC supports the principle of digital safety assurance but believes:

  • Practices should not be expected to undertake full DTAC assessments or maintain their own CSO roles.
  • ICBs should coordinate clinical safety assurance, appointing trained CSOs to oversee compliance for primary care deployments.
  • Practices should focus on DPIA completion, staff awareness, and ensuring only assured digital products are adopted.

This is consistent with our advice on AI-enabled ambient scribing technologies, which you can read here.

Further informaton

If your practice is considering implementing new digital tools or software, please contact the SSLMC office before deployment for advice on information governance, DPIA completion, and assurance requirements. We can also help you engage with your ICB to confirm DTAC and clinical safety responsibilities.

Related content