NHS Digital Compliance Overview — 6 Frameworks
| Framework | What It Is | When It Applies | ClickMasters Experience |
|---|---|---|---|
| NHS DTAC (all 5 domains) | Digital Technology Assessment Criteria — data flows, security, interoperability, usability | All NHS digital products — mandatory pre-procurement assessment | 18 DTAC-approved products |
| DCB0129 (Clinical Safety) | Clinical risk management — hazard log, clinical safety case, Clinical Safety Officer sign-off | Any software used in or affecting clinical care | All 18 DTAC products include DCB0129 |
| NHS FHIR R4 (UK Core) | HL7 FHIR R4 with NHS UK Core profiles — interoperability standard | All NHS system integrations (PDS, GP Connect, eRS, EPS) | 12 NHS FHIR R4 integrations built |
| IEC 62304 (SaMD) | Software lifecycle standard for medical devices — applies to SaMD AI and clinical decision support | If software is Software as a Medical Device (aids diagnosis/treatment) | 4 MHRA SaMD registered products |
| NHS Login (patient identity) | NHS identity platform — patient authentication (P5 email, P9 verified NHS number) | Patient-facing NHS apps and portals | 8 NHS Login integrations built |
| UK GDPR Article 9 (health data) | Special category health data — enhanced protections, explicit legal basis required | All NHS systems processing patient identifiable data | Every NHS project — DPIA produced |
DTAC 5 Domains — Evidence Requirements
| Domain | What DTAC Assesses | Evidence Required | ClickMasters Production |
|---|---|---|---|
| Domain 1: Data Flows | How personal data flows through the system | Mermaid data flow diagram — every data source, processor, destination labelled | Produced in Sprint 1, updated per sprint |
| Domain 2: Data Protection | UK GDPR compliance — Article 9 safeguards for health data | DPIA, ICO registration, Article 30 ROPA, DSP Toolkit alignment | DPIA template adapted per project |
| Domain 3: Technical Security | Code security, network security, penetration testing | Semgrep SAST, Trivy, OWASP ZAP, pen test report (CREST for higher assurance) | CI/CD artefacts + annual pen test |
| Domain 4: Interoperability | NHS FHIR R4 UK Core compliance, NHS API integration | FHIR conformance statement, NHS API onboarding evidence, HAPI validator output | FHIR validation in every CI/CD pipeline |
| Domain 5: Usability | WCAG 2.1 AA accessibility, user research evidence | axe-core report (zero critical violations), NVDA screen reader test, 3+ user research participants | axe-core in CI/CD + quarterly screen reader test |
NHS FHIR R4 UK Core — Most Used APIs and Resources
| NHS API | FHIR Resources Used | UK Core Profile | ClickMasters Integration |
|---|---|---|---|
| PDS (Patient Demographics) | Patient | UKCore-Patient | NHS number lookup — every patient-facing system |
| GP Connect (Read) | Patient, MedicationStatement, AllergyIntolerance, Condition, Appointment | UKCore profiles for all | 6-week onboarding — GPSoC clinical assurance required |
| eRS (Referrals) | ServiceRequest, Appointment, HealthcareService | UKCore-ServiceRequest | IAPT, CAMHS, outpatient referrals |
| EPS (Prescriptions) | MedicationRequest, MedicationDispense | UKCore-MedicationRequest | Pharmacy dispensing systems |
| NHS Bulk Data ($export) | Patient, Encounter, Observation (bulk) | UKCore profiles | ICB population health analytics |
| NRL (National Record Locator) | DocumentReference | UKCore-DocumentReference | Mental health, maternity records across trusts |