Digital Technology Assessment Criteria (DTAC)

Digital Technology Assessment Criteria (DTAC)

Dafydd Loughran
by Dafydd Loughran, CEO
June 2021

NHSx’s Digital Technology Assessment Criteria for health and social care (DTAC) gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability and usability and accessibility standards. This page outlines Concentric Health’s conformance with the DTAC.

The DTAC is divided into 4 sections:

Company information

  • Company name: Concentric Health Ltd
  • Product name: Concentric
  • Type of product: Software as a Service (SaaS)
  • Key contact: Dr Dafydd Loughran | | +44 1446 773032
  • Registered address: Tramshed Tech, Pendyris Street, Cardiff, CF11 6BH
  • Country of registration: England and Wales
  • Companies house registration number: 10733991
  • CQC assessment: Not applicable

Value proposition

  • Who is this product intended to be used for?

    • Patients and Clinical workforce

  • What is the product designed to do and how is it used?

    • Concentric is a digital consent to treatment (aka econsent) application that is used in place of traditional paper consent forms. Concentric supports clinicians and patients with evidence-based information that can be personalised to the individual. Consent information is made available to patients outside their consultation, including the ability to give consent remotely where appropriate.

  • What are the intended or proven benefits for users?

    • Consent process flexibility - Consent process becomes more flexible and adaptable to the needs of the individual and the system, including access over time, access from anywhere, and remote consent functionality through an intuitive application.
    • Consent information personalisation - Consent information can be easily adapted and personalised to the individual.
    • Integration delivering joined-up care - Integration of the consent process into other systems to deliver joined-up care, including (where available) a main electronic health record (EHR) and patient held record (PHR).
    • Trusted content across all specialties - Standardised, evidence-based information and risk profiles - including COVID-19 risks - across over 1,200 operations, procedures and treatments to support use across the organisation as the default mechanism of consent. Trusted across multiple NHS and private sector organisations.
    • Supporting best practice - Support in meeting best practice consent processes through visibility of process (e.g rate of consent on the day of surgery), and nudges (e.g personalisation of information and documenting personalised notes).
    • Reduced clinical errors - Reduced risk of wrong site surgery and patient identification errors through legible consent PDF’s.
    • Accessible from anywhere - Cloud-based, integrated system meaning that the clinical consent record can be accessed and amended from anywhere without the need for complex paper logistics.
    • Full audit trail, cryptographically secured - Full audit trail maintained and available for each consent episode, including any customisations, when information was shared, when consent was given etc. Advanced cryptography ensures that the audit trail cannot be tampered with and the state of the episode at each stage can be demonstrated.
    • Advanced Electronic Signature - The patient signature recorded within Concentric is classed as an advanced electronic signature by eIDAS UK reglulation and is fully admissible in a court of law.
    • Improved clinician experience and wellbeing - Improved clinician experience of the consent process, including the ability to deal with complex clinical scenarios (e.g combined procedures). Improved clinician wellbeing due to reduced clinical risk associated with the consent process.
    • Saves clinicians time - Reduced consent process administration time due to integration with patient demographics, document storage, and user authentication, an intuitive application and procedure-specific templates.
    • Reduced day-of-surgery cancellations and delays - Increased completion of consent prior to the day of surgery (supported by remote consent) and improved visibility of the consent status within Concentric and the EHR reduces day of surgery delays and cancellations.
    • Reduced medico-legal risk from lost forms - The risk of losing legal consent forms is removed with a digital process.
    • Reduction to near zero use of paper for consent forms and information leaflets - Use of paper, both carbon-copy consent forms and paper information leaflets can be reduced, with paper copies printed only where necessary for a patient without digital access.

  • What are the user journeys when using the product?

    • This page describes the user flow, and the different ways Concentric is used.
    • This page outlines the data flows between clinician, patient, Concentric, and the healthcare organisation’s other systems.

Technical questions

Clinical safety

  • Clinical Safety Officer (CSO) details:

    • Dr Dafydd Loughran | GMC 7265351 | CSO training completed (NHS Digital)

Data protection

  • Are you required to be registered with the Information Commissioner? No

    • As an organisation which is only a data processor, not a data controller, there is no expectation to be registered with the Information Commissioner (ICO).

    • ICO Self-assessment questionnaire:

      • Do you use CCTV for the purposes of crime prevention? No
      • Are you processing personal information? Yes
      • Do you process the information electronically? Yes
      • Is your organisation responsible for deciding how the information is processed? No
    • ICO Self-assessment outcome: No requirement for registration to pay a fee

  • Do you have a nominated Data Protection Officer (DPO)? Yes

  • DPO details: Martyn Loughran | CTO |

  • Does your product have access to any personally identifiable data or NHS held patient data? Yes

  • Please confirm you are compliant with the annual Data Security and Protection Toolkit Assessment. Confirmed (

  • Please attach the Data Protection Impact Assessment (DPIA) relating to the product.

    • Different integrations mean that organisations put in place slightly different DPIA’s based on the data flows occurring within the organisation. This is the template DPIA used.
  • Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer. Confirmed

  • Please confirm where you store and process data: UK Only (for UK healthcare organisations)

Technical security

  • Please attach your Cyber Essentials Certificate: Attached (valid until 28 June 2022)

  • Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12 month period.

    • Summary from Sapphire Web Application Vulnerability Assessment on the 29th October 2020:

      The security application based assessment was conducted against the targeted systems involving both automated scanning and manual testing, in order to identify a range of possible vulnerabilities and any potential misconfiguration of the systems.

      Overall the web application was found to have a good security posture with no serious risk issues identified throughout the duration of the engagement. One high risk vulnerability was identified but this was fixed during the testing window.

      A number of medium and low severity vulnerabilities were also identified referring to the secure configuration of the applications and recommendations have been made within the report in order to improve the security of the application.

  • Please confirm whether all custom code had a security review: Yes, internal code review

  • Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes

  • Please confirm whether logging and reporting requirements have been clearly defined: Yes

  • Please confirm whether the product has been load tested: Yes

Interoperability criteria

  • Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes

    • Please provide detail and evidence: Details relating to our integrations, including FHIR integrations are found within this publically available documentation.
  • Do you use NHS number to identify patient record data? Yes

    • Is this done via NHS Login? No
    • If no, please set out the rationale, how your product establishes NHS number, and the associated security measures in place: Secure integrations are put in place between Concentric and the PAS database for the healthcare organisation, including search by NHS number where available. For patient access, a secure link is shared with the patient and authenticated with the patient’s date of birth. Read more about our authentication
  • Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability?

    • Yes. Industry standard approaches for secure interoperability are preferred, such as FHIR API’s for patient demographics and document storage. Regarding data security in transit, web and API servers only allow requests made using TLS version 1.2 or above, which provides protection against snooping and man in the middle attacks on data. Non-HTTPS requests are denied by API servers.
  • Is your product a wearable or device, or does it integrate with them? No

Usability and accessibility

Understand users and their needs in context of health and social care

  • Do you engage users in the development of the product?

    • User research: Throughout development and live use, user research insights - both patient and clinician - have driven development decisions. Patient and clinician insights from Autumn 2020 user interviews are described in this summary document.

    • Patient feedback: If wished by the healthcare organisation (as the data controller) a digital patient feedback survey is sent to all patients 2 weeks following consent to get their feedback on experience, ease of use, quality of information, and areas for improvement. Approximately 2000 patient feedback responses have been received in the past 12 months (average overall experience = 9/10), and directly input into sprint planning. Patient feedback can also be shared within the application at any time.

    • Clinician feedback: Collected within the application and feedback survey sent out at intervals, asking for feedback on overall experience, preference compared to paper process, perceived quality of consent process compared to paper process, and any areas of improvement.

    • Publications: The Concentric team, alongside academics, have published findings relating to the problems of traditional paper-based consent processes, and early work demonstrating the impact of introducing digital consent. Examples include:

    • Search data and analytics: Real world use of the product is monitored to guide improvements in product, content, and process. Examples include:

      • Consent statistics demostrating use of ‘on the day’ consent, guiding quality improvement programmes.
      • Custom modifications to templates allowing content review based on real-world use.
      • ‘No treatment search results’ allowing addition of missing but required content.

Work towards solving a whole problem for users

  • Are all key user journeys mapped to ensure that the whole user problem is solved or it is clear to users how it fits into their pathway or journey?

    • Concentric has a clear role in the treatment pathway, with consent being a required step prior to undergoing invasive treatment. Clinicans initiate a Concentric episode for patients, and share the information with patients during or following a consultation. A system map was developed during development to ensure consideration of all key user journeys.

Concentric system map

Make the service simple to use

  • Do you undertake user acceptance testing to validate usability of the system? Please describe:

    • Patients are routinely asked at 2 weeks post consent for their feedback on usability of the system. The following are usability testing results from patients at one healthcare organisation over the past 12 months.

Concentric patient usability feedback

  • Quality assurance testing is undertaken on all common browsers prior to each release.
  • Responsive web application with all functionality available across all screen sizes.

Make sure everyone can use the service

  • Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Yes, most recent accessibility audit 4 Aug 2020.


  • Does your team contain multidisciplinary skills? Yes, the Concentric web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.

  • Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.

  • Do you continuously develop your product? Yes, continuous updates are released approximately every 2 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, understand user priorities.

  • Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes, this can be found here.

  • Does this product meet with NHS Cloud First Strategy? Does this product meet the NHS Internet First Policy? Yes. Concentric Health advocates a cloud first approach (all current deployments are cloud deployments).

  • Are common components and patterns in use? Yes, common components such as the Common User Interface patient banner are used, and data patterns such as the FHIR patient demographic lookup. Integration of further common components such as the NHS FHIR PDS and NHS Login are currently in progress.

  • Do you provide a Service Level Agreement to all customers purchasing the product? Yes, a service level agreement of 99.9% uptime or above is offered to all healthcare organisations.

  • Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, uptime reporting is made available to customers. A template report is shown here.

  • Average service availability for past 12 months: >99.95%. Statuspage with latest uptime data available here.