Digital Technology Assessment Criteria (DTAC)

NHS England’s Digital Technology Assessment Criteria for health and social care (DTAC) gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability and usability and accessibility standards. This page outlines Concentric Health’s conformance with the DTAC.

Last updated: 22 May 2026

Value proposition

What is the intended use of the product? Patient Care or Support | Clinical Support.

What is the product designed to do and how is it used? Concentric is a digital consent application which supports the consent process for clinicians, patients, and healthcare organisations. It is designed to support the preparation, sharing, and review of treatment information and the recording and ongoing access to consent records.

Clinicians prepare consent information using configurable templates, then share it with patients in person and/or digitally for remote review, before completing the consent process within the application. A demo video showing the consent workflow is available at our demo page.

Who are the intended users, and what are the benefits for users? The primary users of Concentric are clinical teams responsible for obtaining and reviewing treatment consent, and their patients. Real-world evaluations and peer-reviewed publications, described fully in our digital consent research overview have shown Concentric:

• reduces consent-related medicolegal risk through improving the quality and consistency of consent documentation
• improves shared decision making and patient experience prior to treatment
• improves efficiency by reducing day-of-treatment delays and cancellations
• reduces consent-related financial, carbon, and time costs

What are the data flows between the product and other clinical systems? Our information security page outlines the data flows, including:

• Retrieval of patient demographics
• Sharing of consent information with patients
• Sending metadata and summary PDFs to other clinical systems

Technical questions

Clinical safety

Does the product qualify as Software or Artificial Intelligence as a Medical Device under the UK Medical Devices Regulations 2002? No.

Does the product provide electronic information to influence, support or manage the real time direct care of patients? Yes.

Have you undertaken Clinical Risk Management activities which comply with DCB0129? Yes.

Clinical risk management system: Incorporated within our clinical safety case report.

Clinical Safety Case Report and Hazard Log: Clinical safety case report with linked clinical safety hazard log.

Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details: Dr Dafydd Loughran | Co-founder and CEO | GMC 7265351 | Trained CSO.

Data protection

• Information Commissioner’s Office (ICO) registration: Concentric Health ICO registration.

• Data Security and Protection Toolkit (DSPT) compliance: Compliant DSPT profile.

• Does the product process any personal data? Yes.

• Data Protection Impact Assessment (DPIA) for the product: The data controller is responsible for completion of a DPIA relating to their use of Concentric. A DPIA template is provided to support this process.

• Product transparency information: Our transparency information is outlined in our data processing page, and linked privacy notice.

• Product terms and conditions: The terms and conditions can depend on the contractual mechanism. Our Government Commercial Agency (previously Crown Commercial Service) G Cloud framework operational terms are provided as a representative example.

• Where does the product store and process data? Within and outside the UK. Data storage details are outlined in our information security page, and our data processing page outlines how data is processed, by who, and where.

• State where outside of the UK data may be processed, and how the arrangements are compliant with current legislation: Our use of third-party processors for processing data outside the UK is compliant with UK GDPR and does not involve special category data. Our data processing page details our use of third parties and any cross-border data transfers.

Technical security

Cyber Essentials certificate: Our latest Cyber Essentials certificate can be viewed at the BlockMark registry Concentric Health profile.

Have you signed the Cyber Security Charter for Suppliers to the NHS? Yes.

Interoperability criteria

• Does the product expose any Application Program Interfaces (API) or integration channels? Yes - details relating to our integrations, including FHIR integrations are found within this publicly available integration documentation.

• Do the integrations use appropriate, interoperable, industry standards? Concentric supports established, industry-standard approaches – including HL7 and FHIR – for demographic and document integrations, and OIDC for single-sign on. Our integration page details the relevant integration touchpoints and technical approaches to integration.

• Do the APIs follow GDS Open API Best practice guidance, and are they openly documented and freely available to third parties? If not, on what basis are the APIs documented and made available to third parties? Cannot confirm. Concentric provides documented integration interfaces, as outlined in our integration page. Detailed specification and implementation documentation is provided during the implementation phase to partner organisations and their integration partners. This includes supported standards, data structures and message formats across the supported standards, and recommended integration workflow and architecture patterns. This approach ensures that secure, high reliability integrations are implemented collaboratively, with the appropriate clinical safety, data protection, and operational governance in place.

• Does the product share or receive data from national or local systems for delivering patient care? Yes.

• Is your product capable of using the NHS number to identify patient data when exchanging data? Yes, Concentric uses the NHS number as an identifier for patients where available.

• Does your product integrate with either the NHS Personal Demographics Service or other local systems to establish the patient NHS number? Both national (NHS Personal Demographics Service) and local integration approaches can be used for patient demographics, depending on the healthcare organisation’s preference.

• Do you use NHS login to verify the identity of and authenticate the user? If not, what is the approach to authenticating the user and what data protection measures are in place? No. Patients access their consent information via a unique link with secondary factor verification (DOB). Full details, including data protection measures are outlined in our technical details page.

Usability and accessibility

Understand users and their needs in context of health and social care

• How is the product used, and how does it fit alongside other systems? Our onboarding guides for each organisation, including video guide, describes the various user flows and how Concentric sits alongside other clinical systems in use at the organisation, such as an electronic patient record (EPR) or electronic document management system (EDMS).

• Have you read the Accessible Information Standard and considered how its requirements should be reflected in the design of the product? Confirmed.

Make the service simple to use

• Do you undertake testing with users to validate product usability? Yes. Clinician and patient users are given the opportunity to share feedback directly within their respective applications. Feedback is reviewed to identify usability themes and opportunities for product and operational improvement, informing internal product development and service reviews with healthcare organisations.

Make sure everyone can use the service

• Web or mobile application? Yes.

• Compliant with the Web Content Accessibility Guidelines (WCAG) 2.2, scoring AA or higher? Yes.

• Published accessibility statement: Accessibility statement.

Miscellaneous

• Does your team contain multidisciplinary skills? Yes, the Concentric web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.

• Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.

• Do you continuously develop your product? Yes, continuous updates are released approximately every 4 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy - these are summarised in our release notes. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, and understand user priorities.

• Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes, this can is detailed within our business case template.

• Does this product meet with NHS Cloud First Strategy? Yes. Concentric Health advocates a cloud first approach (all current deployments are cloud deployments).

• Are common components and patterns in use? Yes, common components such as the Common User Interface patient banner are used, and data patterns such as the FHIR patient demographic lookup. Integration with national infrastructure such as NHSmail login and the NHS FHIR PDS API (demographics search) are in place.

• Do you provide a Service Level Agreement to all customers purchasing the product? Yes, our application support and service level agreements (SLAs) page details these across system availability, integration monitoring, and issue resolution.

• Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, uptime reporting is made available to customers via our status page.

• Average service availability for the past 12 months: Over 99.95% availability.