Data Protection Requirements for DTAC 2026: A Complete Guide for HealthTech Companies
- Joe Stock
- Mar 9
- 3 min read
Updated: Mar 16

As DTAC Version 2 launches in 2026, HealthTech companies preparing for NHS adoption need a clear understanding of what the updated Digital Technology Assessment Criteria requires, especially around data protection, DSPT, ICO registration, and DPIA obligations. With the NHS simplifying DTAC and reducing duplication across frameworks, strong data‑protection compliance is a key way to support procurement and build trust with NHS organisations.
What Is DTAC? (Digital Technology Assessment Criteria)
The Digital Technology Assessment Criteria (DTAC) is the NHS’s baseline framework for evaluating whether digital health technologies are safe, secure and suitable for use across health and social care settings. DTAC covers five key areas:
Data Protection
Clinical Safety
Technical Security
Interoperability
Usability & Accessibility
For HealthTech innovators, DTAC acts as the gateway to NHS adoption, ensuring products meet national expectations around information governance, risk management and responsible data handling.
How Do You Become DTAC “Approved”?
There is no national DTAC certification scheme. Instead, each NHS organisation evaluates DTAC submissions locally, and your approval depends on the clarity and completeness of the evidence you provide.
NHS England has also confirmed it does not endorse third‑party DTAC certification schemes, meaning HealthTech companies should prioritise genuine compliance rather than paid “badge‑based” services.
DTAC 2026 Data Protection Requirements: What HealthTech Companies Must Provide
Data protection is one of the core sections of DTAC. Below is a breakdown of each data protection criterion (C2.1 to C2.2.6) that HealthTech suppliers must evidence.
C2.1 – DSPT Compliance (Data Security and Protection Toolkit)
You must confirm whether you meet the DSPT (Data Security and Protection Toolkit) standard if your product will access NHS systems or process NHS data. The DSPT is an annual self‑assessment against the National Data Guardian's data security standards, mandatory for organisations with access to NHS patient data or systems, and sits alongside DTAC as a core compliance requirement.
C2.2 – Personal Data Processing
You must state clearly whether your product processes personal data, including data relating to deceased individuals (outside the scope of UK GDPR, but still covered by the common law duty of confidentiality). This must also cover any processing carried out by sub‑processors, so that the NHS organisation can see your full data supply chain.
C2.2.1 – ICO Registration
You must provide evidence of your Information Commissioner’s Office (ICO) registration.
C2.2.2 – Data Protection Impact Assessment (DPIA)
You must submit a Data Protection Impact Assessment (DPIA) covering your product or service. Under UK GDPR Article 35 a DPIA is required where processing is likely to result in a high risk to individuals, and processing health data at scale is a standard trigger. The DPIA helps NHS organisations understand your risk‑mitigation measures, your lawful basis for processing (and, for special category data such as health data, the Article 9 condition you rely on), and how you safeguard user or patient data throughout the product lifecycle.
C2.2.3 – Transparency Information
You must include your Privacy Notice or equivalent transparency documentation. This should clearly explain what data you collect, why you collect it, and how you use it.
C2.2.4 – Product Terms and Conditions / EULA
You must supply the relevant Terms & Conditions or End User Licence Agreement (EULA) outlining how user data is processed. If your product does not process personal data, you must explicitly state this and provide justification.
C2.2.5 – Data Storage and Processing Locations
You must confirm where all data, including any third‑party processing, is stored and handled. This is essential for NHS due diligence, as data residency and jurisdictional risk assessments form part of every NHS procurement workflow.
C2.2.6 – Overseas Processing
If any personal data is stored or processed outside the UK, you must name each country and explain how the transfer complies with UK GDPR, for example by relying on:
UK adequacy regulations for the destination country
An International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment
Other appropriate safeguards under Article 46 UK GDPR, such as binding corporate rules
This is especially relevant for cloud‑based HealthTech products and digital therapeutics.
Beyond DTAC: What HealthTech Companies Should Prepare For
While DTAC provides the baseline, many NHS organisations require more robust evidence across information governance, cyber security and clinical safety. Completing the DTAC data protection requirements also does not, by itself, make you "GDPR compliant". HealthTech teams should ensure they have:
A comprehensive, documented data‑protection programme
Strong technical security controls
A clear data‑flow map and information governance programme
Up‑to‑date DPIAs, Records of Processing Activities (RoPAs) and sub‑processor lists
A Data Protection Officer where required by law
For early‑stage or scaling HealthTech companies, preparing this evidence proactively can significantly accelerate NHS procurement discussions and reduce administrative friction.
How Iniver Supports HealthTech With DTAC and Data Protection
At Iniver, we support HealthTech companies to implement and manage data‑protection programmes that not only satisfy DTAC and DSPT, but also improve trust, transparency and NHS adoption speed. Whether you need help with your DPIA, an outsourced Data Protection Officer, DTAC Version 2 questions, or broader data‑protection strategy, we can help you become NHS‑ready with clarity and confidence.
Read more about how we support HealthTech organisations here
