Digital Technology Assessment Criteria (DTAC)
NHS England’s Digital Technology Assessment Criteria for health and social care (DTAC) gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability and usability and accessibility standards. This page outlines Concentric Health’s conformance with the DTAC.
Last updated: 13 June 2025
Company information
- Company name: Concentric Health Ltd
- Product name: Concentric
- Type of product: Software as a Service (SaaS)
- Key contact: Dr Dafydd Loughran | Co-founder and CEO | Contact via our contact form
- Registered address: Concentric Health, Sbarc Spark, Maindy Road, Cardiff, CF24 4HQ
- Country of registration: England and Wales
- Companies House registration number: 10733991
- CQC assessment: Not applicable
Value proposition
Who is this product intended to be used for? Patients and clinical workforce.
What is the product designed to do and how is it used? Concentric is a digital consent to treatment (aka econsent) application that is used in place of traditional paper consent forms. Concentric supports clinicians and patients with evidence-based information that can be personalised to the individual. Consent information is made available to patients outside their consultation, including the ability to give consent remotely where appropriate.
What are the intended or proven benefits for users? At a high level, the benefits for digital consent are outlined on our ‘Why switch to digital consent?’ page, with further detail within the benefits case in the template business case.
What are the user journeys when using the product? Our onboarding guide, including video guide, describes the various user flows.
Technical questions
Clinical safety
Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes.
Please supply your clinical risk management plan: Incorporated within our clinical safety case report.
Please supply your Clinical Safety Case Report and Hazard Log: Clinical safety case report with linked clinical safety hazard log.
Clinical Safety Officer (CSO) details: Dr Dafydd Loughran | Co-founder and CEO | GMC 7265351 | CSO training completed (NHS Digital) and refresher training completed annually.
Is the product registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? Not applicable, outside of the scope of the UK Medical Devices Regulations 2002.
Do you use or connect to any third party products? If yes please detail relevant Clinical risk management documentation. Yes. Our data processing page details the third-party products used. The clinical risks associated with each are considered as part of our clinical safety case report.
Data protection
Are you required to be registered with the Information Commissioner? Yes - Concentric Health ICO registration.
Do you have a nominated Data Protection Officer (DPO)? Yes - Dr Dafydd Loughran | Co-founder and CEO | Biennial DPO- and Caldicott Guardian-related CPD undertaken.
Does your product have access to any personally identifiable data or NHS held patient data? Yes, data flows are outlined within our information security page.
Please confirm you are compliant with the annual Data Security and Protection Toolkit Assessment. Yes, you can view our latest assessment on the DSPT website.
Please attach the Data Protection Impact Assessment (DPIA) relating to the product. Different integrations mean that organisations put in place slightly different DPIAs based on the data flows occurring within the organisation. We have a DPIA template that is used by deploying organisations.
Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer. Yes, details regarding access controls are within our information security page.
Please confirm where you store and process data: Data storage details are outlined in our information security page, and our data processing page outlines how data is processed, by whom, and where.
Technical security
Do you maintain Cyber Essentials Plus certification, and undertake annual external penetration testing? Yes, our policy is that both are undertaken between October and December of each year.
Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12 month period.
Executive summary from Pen Test Partners Web Application Security Assessment conducted between the 25th November and 2nd December 2024:
Introduction
Concentric Health Ltd (Concentric) engaged Pen Test Partners to perform a security assessment of the Concentric web application. The purpose of the engagement was to provide visibility of security risks and to understand how to remediate any findings identified to improve resilience against attempted compromise. Testing was conducted in line with internally developed methodologies based on relevant industry standards and the Open Web Application Security Project (OWASP) web application security guidelines.
Key Findings
The application was resilient to most common web attacks, and thus no critical-, high-, or medium-risk issues were identified during the assessment. Only one low-risk vulnerability was found.
Conclusion
Security best practices were observed to be followed throughout the web application, including the implementation of the WebSocket. Although the identified issue does not present an immediate or direct security threat, addressing it would enhance Concentric’s resilience against potential attacks and mitigate the risk of any reputational damage by reducing further its attack surface. This proactive approach will help maintain the high security standards Concentric currently adheres to.
Please confirm whether all custom code had a security review: Yes, internal code review
Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes
Please confirm whether logging and reporting requirements have been clearly defined: Yes
Please confirm whether the product has been load tested: Yes
Interoperability criteria
Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes - details relating to our integrations, including FHIR integrations are found within this publicly available integration documentation.
Do you use NHS number to identify patient record data? Yes
- Is this done via NHS Login? No
- If no, please set out the rationale, how your product establishes NHS number, and the associated security measures in place: Secure integrations are put in place between Concentric and the PAS database for the healthcare organisation, including search by NHS number where available. For patient access, a secure link is shared with the patient and authenticated with the patient’s date of birth. Read more about our authentication approach.
Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability? Yes. Industry standard approaches for secure interoperability are preferred, such as FHIR APIs for patient demographics and document storage. Regarding data security in transit, web and API servers only allow requests made using TLS version 1.2 or above, which provides protection against snooping and man in the middle attacks on data. Non-HTTPS requests are denied by API servers.
Is your product a wearable or device, or does it integrate with them? No
Usability and accessibility
Understand users and their needs in context of health and social care
Do you engage users in the development of the product? Yes, in the following ways:
User research: Throughout development and live use, user research insights - both patient and clinician - have driven development decisions.
Patient feedback: If wished by the healthcare organisation (as the data controller) a patient feedback survey is sent digitally to patients following consent to get their feedback on the digital consent experience, ease of use, quality of information, and areas for improvement. Over 200,000 patient feedback responses have been received since 2020 (average overall experience = 4.65/5). Patient feedback can also be shared within the application at any time.
Clinician feedback: Collected within the application and feedback survey sent out at intervals, asking for feedback on overall experience and areas for improvement.
Publications: Our research overview page outlines the published research evidence the Concentric Health team have led or been a part of, regarding the implementation of digital consent across a healthcare organisation. It details findings from multiple studies demonstrating impact on documentation quality, error rates, patient experience, shared decision-making, and cost implications compared to traditional paper-based consent methods.
Search data and analytics: Real world use of the product is monitored to guide improvements in product, content, and process. Analytics data shared with deploying organisations is outlined in our admin application guide.
Work towards solving a whole problem for users
- Are all key user journeys mapped to ensure that the whole user problem is solved or it is clear to users how it fits into their pathway or journey? Concentric has a clear role in the treatment pathway, with consent being a required step prior to undergoing invasive treatment. Clinicians initiate a Concentric episode for patients, and share the information with patients during or following a consultation. A system map was developed during development to ensure consideration of all key user journeys.
Make the service simple to use
- Do you undertake user acceptance testing to validate usability of the system? Patients are routinely asked post-consent for their feedback on the usability of the system. Quality assurance testing is undertaken on common browsers prior to each release (see our browser support policy for details). Concentric is a responsive web application with all functionality available across all screen sizes.
Make sure everyone can use the service
- Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Yes, most recent accessibility audit 4 Aug 2020. Published accessibility statement.
Miscellaneous
Does your team contain multidisciplinary skills? Yes, the Concentric web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.
Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.
Do you continuously develop your product? Yes, continuous updates are released approximately every 4 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy - these are summarised in our release notes. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, and understand user priorities.
Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes, this is detailed within our business case template.
Does this product meet with NHS Cloud First Strategy? Yes. Concentric Health advocates a cloud first approach (all current deployments are cloud deployments).
Are common components and patterns in use? Yes, common components such as the Common User Interface patient banner are used, and data patterns such as the FHIR patient demographic lookup. Integration with national infrastructure such as NHSmail login and the NHS FHIR PDS API (demographics search) are in place.
Do you provide a Service Level Agreement to all customers purchasing the product? Yes, our application support and service level agreements (SLAs) page details these across system availability, integration monitoring, and issue resolution.
Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, uptime reporting is made available to customers, following our system performance report template.
Average service availability for past 12 months: >99.95%. Status page with latest uptime data available at our statuspage.