UK NHS Digital Development Guide (2026)

🏥 NHS⚖️ DTAC💊 MHRA🔒 UK GDPR🆓 Free Review
April 202615 min readJames Whitmore, CTO

Direct Answer

Building software for the NHS requires compliance with six frameworks simultaneously: DTAC (Digital Technology Assessment Criteria — all 5 domains), DCB0129 (clinical safety), NHS FHIR R4 (data standards), NHS Login (patient identity), IEC 62304 (if SaMD — Software as a Medical Device), and UK GDPR Article 9 (special category health data). ClickMasters has achieved DTAC approval for 18 NHS products. This guide covers everything you need to build NHS-compliant software.

NHS Digital Compliance Overview — 6 Frameworks

FrameworkWhat It IsWhen It AppliesClickMasters Experience
NHS DTAC (all 5 domains)Digital Technology Assessment Criteria — data flows, security, interoperability, usabilityAll NHS digital products — mandatory pre-procurement assessment18 DTAC-approved products
DCB0129 (Clinical Safety)Clinical risk management — hazard log, clinical safety case, Clinical Safety Officer sign-offAny software used in or affecting clinical careAll 18 DTAC products include DCB0129
NHS FHIR R4 (UK Core)HL7 FHIR R4 with NHS UK Core profiles — interoperability standardAll NHS system integrations (PDS, GP Connect, eRS, EPS)12 NHS FHIR R4 integrations built
IEC 62304 (SaMD)Software lifecycle standard for medical devices — applies to SaMD AI and clinical decision supportIf software is Software as a Medical Device (aids diagnosis/treatment)4 MHRA SaMD registered products
NHS Login (patient identity)NHS identity platform — patient authentication (P5 email, P9 verified NHS number)Patient-facing NHS apps and portals8 NHS Login integrations built
UK GDPR Article 9 (health data)Special category health data — enhanced protections, explicit legal basis requiredAll NHS systems processing patient identifiable dataEvery NHS project — DPIA produced

DTAC 5 Domains — Evidence Requirements

DomainWhat DTAC AssessesEvidence RequiredClickMasters Production
Domain 1: Data FlowsHow personal data flows through the systemMermaid data flow diagram — every data source, processor, destination labelledProduced in Sprint 1, updated per sprint
Domain 2: Data ProtectionUK GDPR compliance — Article 9 safeguards for health dataDPIA, ICO registration, Article 30 ROPA, DSP Toolkit alignmentDPIA template adapted per project
Domain 3: Technical SecurityCode security, network security, penetration testingSemgrep SAST, Trivy, OWASP ZAP, pen test report (CREST for higher assurance)CI/CD artefacts + annual pen test
Domain 4: InteroperabilityNHS FHIR R4 UK Core compliance, NHS API integrationFHIR conformance statement, NHS API onboarding evidence, HAPI validator outputFHIR validation in every CI/CD pipeline
Domain 5: UsabilityWCAG 2.1 AA accessibility, user research evidenceaxe-core report (zero critical violations), NVDA screen reader test, 3+ user research participantsaxe-core in CI/CD + quarterly screen reader test

NHS FHIR R4 UK Core — Most Used APIs and Resources

NHS APIFHIR Resources UsedUK Core ProfileClickMasters Integration
PDS (Patient Demographics)PatientUKCore-PatientNHS number lookup — every patient-facing system
GP Connect (Read)Patient, MedicationStatement, AllergyIntolerance, Condition, AppointmentUKCore profiles for all6-week onboarding — GPSoC clinical assurance required
eRS (Referrals)ServiceRequest, Appointment, HealthcareServiceUKCore-ServiceRequestIAPT, CAMHS, outpatient referrals
EPS (Prescriptions)MedicationRequest, MedicationDispenseUKCore-MedicationRequestPharmacy dispensing systems
NHS Bulk Data ($export)Patient, Encounter, Observation (bulk)UKCore profilesICB population health analytics
NRL (National Record Locator)DocumentReferenceUKCore-DocumentReferenceMental health, maternity records across trusts

Frequently Asked Questions

Common questions about uk nhs digital development guide (2026).

NHS DTAC timeline: (1) evidence preparation (ClickMasters produces DTAC evidence pack across all 5 domains): 4–8 weeks depending on project complexity. (2) NHSX DTAC review (assessor reviews submitted evidence): 4–8 weeks. (3) Clarification questions (assessor may request additional evidence): 2–4 weeks. Total: 10–20 weeks from evidence pack submission to DTAC approval. ClickMasters has achieved DTAC approval on first submission for 14 of 18 projects (78% first-submission success rate — industry average: approximately 40%). Keys to first-submission success: complete data flow diagram (most common rejection cause), WCAG 2.1 AA zero critical violations (most common Domain 5 failure), and CREST penetration test for Domain 3 (required for higher assurance products).

DTAC (Digital Technology Assessment Criteria) and DCB0129 are different NHS frameworks that often apply simultaneously. DTAC: procurement assessment — NHS organisations are required to assess all digital products against DTAC before procurement. Assesses the product across 5 domains (data protection, security, interoperability, usability — not clinical safety specifically). DCB0129 (Clinical Safety Standard): requires clinical software to have a documented clinical risk management process — hazard log, clinical safety case, Clinical Safety Officer sign-off. When both apply: almost all NHS clinical software needs both DTAC AND DCB0129 — DTAC Domain 2 includes some safety-adjacent questions, but DCB0129 is the separate and more rigorous clinical safety framework. ClickMasters produces both simultaneously — DTAC evidence pack and DCB0129 clinical safety case — as part of every NHS clinical project.

About the Author

James Whitmore, CTO NHS digital specialist — 18 DTAC-approved products, 12 NHS FHIR R4 integrations ClickMasters has delivered more NHS-compliant products than any comparable UK software development company of our size. This guide is our team's institutional knowledge made public.

Free NHS DTAC Readiness Assessment ClickMasters...

Free NHS DTAC Readiness Assessment ClickMasters will assess your product against all 5 DTAC domains and identify gaps before you submit. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation