Glossary of Terms for NHS Medical Device Compliance
This glossary provides clear, concise definitions of key terms and frameworks that medical device manufacturers—particularly those outside the UK—need to understand when entering the UK market or supplying to the NHS. From regulatory standards to cybersecurity schemes, this page explains it all.

UKCA (UK Conformity Assessed) Marking
A product marking used for goods placed on the market in Great Britain (England, Wales, and Scotland) that indicates compliance with UK legislation. It replaces the CE mark post-Brexit for medical devices and other regulated products.
MHRA (Medicines and Healthcare products Regulatory Agency)
The UK government body responsible for regulating medicines, medical devices, and blood components. All medical devices must be registered with the MHRA to be legally sold in the UK.
DTAC (Digital Technology Assessment Criteria)
A framework developed by NHS England to assess whether digital health technologies meet NHS standards for:
- Clinical safety
- Data protection
- Technical security
- Interoperability
- Usability/accessibility
DSPT (Data Security and Protection Toolkit)
An annual self-assessment tool required by NHS England for any organisation that processes NHS patient data or accesses NHS systems. It ensures compliance with data security and information governance standards.
ISO 13485
An international standard for Quality Management Systems (QMS) specific to the medical devices industry. It demonstrates that your organisation consistently meets regulatory and customer requirements across the device lifecycle.
ISO 27001
An international standard for Information Security Management Systems (ISMS). Although not required by the NHS, it supports strong data protection practices and complements DSPT and DTAC requirements.
Cyber Essentials
A UK government-backed cybersecurity scheme that outlines basic security controls to protect organisations against common cyber threats. A valid Cyber Essentials certificate is required for DTAC and recommended for DSPT.
Cyber Essentials Plus
An enhanced version of Cyber Essentials that involves an independent technical assessment. Often required for high-risk health technologies or sensitive NHS integrations.
DCB0129
A mandatory NHS Digital standard that sets out clinical risk management requirements for the manufacture of health IT systems. Compliance is essential for DTAC clinical safety assurance.
DCB0160
A complementary NHS Digital standard for clinical risk management in the deployment and use of health IT systems. Required by NHS organisations adopting digital technology.
Data Protection Impact Assessment (DPIA)
A structured assessment of how a project or system will affect the privacy of individuals. Required under UK GDPR when personal or health data is processed, and needed as part of DTAC evidence.
GDPR (General Data Protection Regulation) – UK GDPR
The UK version of the EU’s GDPR legislation post-Brexit. It governs the processing of personal data, and is critical for compliance in both DTAC and DSPT.
WCAG (Web Content Accessibility Guidelines) 2.1
A set of guidelines for making web content more accessible to people with disabilities. Compliance is required under the DTAC’s usability and accessibility standards.
FHIR (Fast Healthcare Interoperability Resources)
A data standard developed by HL7 that allows different healthcare systems to share data effectively. NHS interoperability standards often require FHIR compliance.
ORCHA (Organisation for the Review of Care and Health Applications)
An independent body that evaluates health and care apps based on clinical assurance, data privacy, and usability. Accreditation is optional but helps improve NHS trust and adoption.
UK Responsible Person (UKRP)
A person or organisation based in the UK appointed by non-UK manufacturers to act on their behalf in meeting UK medical device regulations, including MHRA registration.
NHS Standard Contract
A contractual framework used by NHS organisations when procuring services or technologies. Suppliers must demonstrate compliance with DSPT, DTAC (where applicable), and data protection policies.
ODS Code (Organisation Data Service Code)
A unique identifier used within NHS systems. Required when registering for DSPT or interacting with NHS procurement systems.
Penetration Testing (Pen Test)
A controlled security assessment simulating cyber-attacks to identify vulnerabilities in systems. Required for DTAC technical security evidence, especially for high-risk technologies.
Clinical Safety Officer (CSO)
A qualified individual responsible for ensuring clinical safety in the development and deployment of digital health systems. Required under DCB0129 and DCB0160 standards.
Need Help Navigating NHS Compliance Frameworks?
Understanding these terms is the first step—implementing them successfully is where JVR Consultancy comes in.
We provide end-to-end support to help your organisation achieve NHS compliance across all relevant frameworks.