the knowledge platform

ai scribe governance (nhs): dtac, dcb0129/0160, mhra — what clinicians need to know

a practical governance map: clinical safety case, procurement checks, dpia basics, and what ‘compliant’ tends to mean in nhs settings.

The Bottom Line

  • In NHS settings, ambient scribing adoption typically expects DTAC-style due diligence plus digital clinical safety assurance.
  • DCB0129 applies to manufacturers; DCB0160 applies to adopting organisations — both matter to your governance story.
  • If a product is (or functions as) a medical device, MHRA/UKCA considerations may apply (supplier should evidence their position).
Most frontline problems are not ‘AI quality’ problems — they’re governance problems: unclear accountability, uncontrolled retention, weak access controls, and missing clinical safety documentation. The goal is not to slow adoption; it’s to avoid preventable risk that later triggers a shutdown.

Two standards you’ll hear repeatedly

Digital clinical safety in England commonly references DCB0129 (manufacturer responsibilities) and DCB0160 (adopter responsibilities). Even if you’re not writing the safety case, you should know what evidence to ask for.
1

Step 1 — Ask for DTAC evidence early

DTAC is used at procurement/due diligence to check baseline standards (e.g., security, clinical safety, interoperability, data protection). Don’t leave this until after a pilot is embedded.
2

Step 2 — Confirm clinical safety documentation

Request the supplier’s DCB0129 artefacts and your organisation’s plan for DCB0160 adoption (clinical safety officer involvement, hazard log approach, go-live controls).
3

Step 3 — Run a DPIA-quality data-flow review

Document: what data is captured, where processed, where stored, retention periods, who can access, and how deletion works. Ensure the ‘audio layer’ is not a blind spot.
4

Step 4 — Clarify medical device status

Ask the vendor how they classify the product and what regulatory evidence supports that. If it’s a medical device, make sure UK regulatory requirements for NHS use are addressed.
5

Step 5 — Define minimum safe operating controls

Examples: mandatory human review, audit logs, role-based access, ‘pause recording’ protocol, incident reporting pathway, and periodic sampling for quality checks.
Practice

Test your knowledge

Apply this concept immediately with a high-yield question block from the iatroX Q-Bank.

Generate Questions
SourceNHS England: DTAC (Digital Technology Assessment Criteria)
Open Link
SourceNHS England (Digital): Clinical risk management standards (DCB0129/DCB0160)
Open Link
SourceNHS England (Digital): DCB0129 standard page
Open Link

Official Sources

NHS England — DTAC
NHS England (Digital) — Clinical risk management standards (DCB0129/DCB0160)
NHS England (Digital) — DCB0129 standard page