Is AI Safe and Compliant in NHS Primary Care? DCB0129, DTAC, DSPT & UKCA Explained

Short answer

AI and automation can be used safely in NHS primary care when the supplier meets the recognised UK standards: the DSP Toolkit for data security, DCB0129 for clinical risk management (legally mandatory for Health IT manufacturers), UKCA marking where the software is a medical device, and DTAC as the overarching NHS assurance framework buyers apply. Practices should ask any AI vendor to evidence these before deploying anything that touches patient data.

Why this matters

Healthcare AI carries real risk if it’s poorly governed — wrong codes, mis-filed results, data leaving the UK. The good news is the UK has a clear, well-defined set of standards designed exactly for this. Understanding them turns “is this AI safe?” into a concrete checklist.

The four standards that matter

DTAC — the overarching assurance framework

The Digital Technology Assessment Criteria (DTAC) is NHS England’s baseline framework for assessing digital health products. It covers five domains: clinical safety, data protection, technical security, interoperability, and usability/accessibility. It’s the de facto threshold for selling into NHS organisations and is typically completed by the buying organisation for each deployment, using evidence the supplier provides. DTAC doesn’t replace the other standards; it brings them together.

DCB0129 — clinical risk management (legally mandatory)

DCB0129 is published under section 250 of the Health and Social Care Act 2012, making it a legal duty for manufacturers of Health IT systems. It requires a Clinical Risk Management Plan, a Hazard Log, a Clinical Safety Case Report, and a named Clinical Safety Officer (a registered clinician). Its deployment-side counterpart, DCB0160, applies to the NHS organisation putting the system live.

DSP Toolkit — data security & protection

The NHS Data Security and Protection Toolkit (DSPT) is the annual self-assessment that evidences a supplier handles patient data to NHS standards. A “Standards Met” status maps to DTAC’s data-protection domain; because the assessment is repeated every year, check that the status a supplier shows is for the current toolkit year, not a lapsed one.

UKCA — medical-device marking

If software performs a function that makes it a medical device (for example, software that files clinical results), it must be UKCA-marked under the UK Medical Devices Regulations 2002 and classified by risk. Results-filing software is typically Class I, but the class follows the manufacturer’s stated intended purpose, so ask for the declared class alongside the mark. Administrative automation generally isn’t a medical device, but anything making or supporting a clinical decision usually is.

The buyer’s compliance checklist

Standard                      | What it covers               | Ask for
------------------------------|------------------------------|--------------------------------------------
DSP Toolkit                   | Data security & protection   | Current “Standards Met” status
DCB0129                       | Clinical risk management     | Clinical Safety Case, Hazard Log, named CSO
UKCA (if applicable)          | Medical-device safety        | UKCA mark + device class
DTAC                          | Overall NHS assurance        | Completed/ready DTAC for your deployment
Cyber Essentials / ISO 27001  | Security management          | Current certificates
UK data residency / HSCN      | Where data lives & travels   | UK-only processing; HSCN connection

Two more questions worth asking

  • Generative AI or deterministic rules? For high-stakes tasks like filing results, a deterministic rules engine is more predictable and auditable than generative AI. (ApolloIQ’s Pathology Automation is a rules engine; its document tool uses generative AI only for readable titles.)
  • Is there a human-in-the-loop? Safe systems file only rule-based, in-protocol items and escalate everything else to a clinician.

How ApolloIQ meets these standards

  • DSP Toolkit: “Standards Met”.
  • DCB0129: flagship clinical services governed with a Clinical Safety Case and Hazard Log, ALARP-verified, with a named Clinical Safety Officer.
  • UKCA: Pathology Automation is UKCA-marked as a Class I Software as a Medical Device; ScribeCraft is a Class I medical device under UK MDR 2002.
  • Security: Cyber Essentials and ISO 27001.
  • Data residency: all patient data is processed and stored in UK Azure regions and never leaves the UK; connectivity is over HSCN, and the platform uses a zero-retention architecture.
  • Endorsement: endorsed by Somerset ICB.

ApolloIQ provides the underlying evidence (data protection, clinical safety, security, interoperability) that populates a practice’s or ICB’s DTAC assessment.

Frequently asked questions

Is AI safe to use in NHS general practice?

Yes, when the supplier meets UK standards: the DSP Toolkit for data security, DCB0129 for clinical risk management (with a named Clinical Safety Officer), UKCA marking where the software is a medical device, and DTAC as the overarching NHS assurance framework. Safe systems also keep a human-in-the-loop, escalating anything outside protocol to a clinician.

What is DCB0129?

DCB0129 is the NHS clinical risk management standard for manufacturers of Health IT systems, published under section 250 of the Health and Social Care Act 2012, which makes it legally binding. It requires a Clinical Risk Management Plan, a Hazard Log, a Clinical Safety Case Report and a named Clinical Safety Officer.

What is DTAC?

The Digital Technology Assessment Criteria (DTAC) is NHS England's baseline framework for assessing digital health products across five domains: clinical safety, data protection, technical security, interoperability, and usability/accessibility. It's the de facto procurement threshold for NHS organisations and is usually completed per deployment.

Does healthcare AI need to be a UKCA-marked medical device?

Only if it performs a medical-device function — for example, software that files clinical results. Purely administrative automation generally isn't a medical device, but anything making or supporting a clinical decision usually requires UKCA marking under UK MDR 2002.

Where should NHS patient data be processed?

In the UK. Look for suppliers that process and store data in UK-based infrastructure (such as UK Azure), connect over HSCN, and ideally operate a zero-retention architecture so data isn't held longer than needed.
