What is DCB0160?
The Health and Social Care Act 2012 gave the government powers to set information standards for technology used in healthcare. The standard they set for clinical safety is called DCB0160.
DCB0160 sets out what is required when an organisation—such as a GP practice, Primary Care Network (PCN), federation, or Integrated Care Board (ICB)—uses a digital tool to provide care to patients.
At its core, the purpose of DCB0160 is straightforward: it requires organisations to assess whether the benefits gained from deploying a digital tool are worth the risks.
Who Does DCB0160 Apply To?
DCB0160 applies to deploying organisations—any health or care body that puts a digital health system into live use. This includes:
- GP practices and primary care surgeries
- Primary Care Networks (PCNs)
- Federations and provider collaboratives
- Integrated Care Boards (ICBs)
- NHS trusts and community health services
- Any organisation providing NHS-funded care
If you are introducing, configuring, or operating a digital tool in a clinical setting, DCB0160 applies to you.
Why DCB0160 is Different
DCB0160 places most of the responsibility for safety onto the deploying organisation. This is different to how safety works in other areas of healthcare.
With pharmaceuticals or medical devices, the manufacturer retains significant responsibility for ensuring safety. The product arrives with testing, evidence, and instructions, and the healthcare provider follows those instructions.
With digital health technology, the situation is more complex. How a tool is configured, deployed, and used in your specific setting, and how staff are trained on it, can change the safety profile dramatically. A system that is safe in one practice may be unsafe in another if workflows, training, or governance differ.
That is why DCB0160 says: you, the deploying organisation, are responsible for ensuring the digital tool is safe in your environment.
What You Need to Do Under DCB0160
DCB0160 requires you to follow a structured approach to managing clinical risk. Here is what that means in practice:
1. Identify All the Risks (Called Hazards)
You must identify every potential hazard that could arise from using the digital tool. A hazard is anything that could cause harm to patients, staff, or carers.
Examples include:
- A patient being triaged incorrectly by an automated system
- Clinical information being lost during a system update
- Staff misinterpreting a risk score generated by AI
- Delays in care caused by system downtime
Write down every hazard you can think of. Involve frontline staff, clinicians, and administrators—they often spot risks that would not appear on paper.
2. Identify How to Reduce the Risks (Control Measures)
For each hazard, you must identify control measures to reduce the likelihood or impact of that risk.
Control measures might include:
- Staff training on safe use of the tool
- Regular audits of system outputs
- Backup processes in case the system fails
- Clear escalation routes for unusual cases
- Configuration changes to reduce risk
Once you have identified control measures, you must implement them.
3. Track Incidents and Analyse Them
Things will not always go to plan. You must track any incidents or near misses related to the digital tool, analyse what went wrong, and identify whether your controls need improving.
If a hazard materialises, ask:
- Was the control measure in place?
- Did it work as expected?
- Do we need a stronger or different control?
Use this learning loop to improve your controls so incidents do not happen again.
4. Appoint Someone Qualified to Assess Risk
The person responsible for assessing clinical risk must be able to do the job properly. DCB0160 says this person must be:
- A senior clinician (a doctor, nurse, or other registered healthcare professional)
- Suitably qualified and experienced in clinical risk management
This person is called the Clinical Safety Officer (CSO). Learn more about what a Clinical Safety Officer does.
The CSO has authority to pause or stop the deployment of a digital tool if they judge it to be unsafe.
How DCB0160 Links to Other Standards
DCB0160 does not exist in isolation. It works alongside other standards and frameworks:
DCB0129 (Supplier Obligations)
DCB0129 applies to suppliers (vendors and manufacturers). It requires them to provide their own clinical safety case, hazard log, and evidence of risk management.
When you are procuring a digital tool, ask the supplier for their DCB0129 documentation. This gives you the starting point for your own DCB0160 assessment. Learn more about DCB0129 and what to ask suppliers (coming soon).
Digital Technology Assessment Criteria (DTAC)
DTAC is an NHS England framework that assesses digital health products against standards including clinical safety, data protection, technical security, interoperability, and usability.
Evidence you gather for DCB0160 can often be reused to demonstrate DTAC compliance.
Data Security and Protection Toolkit (DSPT)
DSPT is the annual self-assessment that NHS organisations complete to demonstrate they are handling data securely and lawfully.
Many DCB0160 processes—such as change control, staff training, and incident management—overlap with DSPT requirements. Align them to avoid duplication.
Next Steps: Putting DCB0160 Into Practice
Now that you understand what DCB0160 is and why it places responsibility on your organisation, you are ready to implement it.
The practical work involves:
- Setting up a Clinical Safety Officer role and giving them the authority and time they need
- Building a clinical safety management system with the right documents, processes, and rhythms
- Understanding what to ask suppliers under DCB0129 and how to integrate their evidence into your own risk assessments
These topics are covered in detail in the following guides:
- What is a Clinical Safety Officer? – Learn about the CSO role, qualifications, responsibilities, and how to set one up
- What is a Digital Clinical Safety Management System? (coming soon) – Learn how to build and operate the governance framework, documents, and operational rhythms you need
- A Simple Guide to DCB0129 (coming soon) – Learn what suppliers must provide and what questions to ask before signing contracts
- Why DCB0129 is Not a Substitute for DCB0160 (coming soon) – Understand the difference between vendor and practice responsibilities
Resources to Bookmark
- DCB0160 – Clinical Risk Management Standard (NHS England)
- Health and Social Care Act 2012 (legislation.gov.uk)
- Digital Technology Assessment Criteria (DTAC) (NHS England)
- Data Security and Protection Toolkit (DSPT) (NHS Digital)
Key Takeaways
DCB0160 exists because digital health technology does not arrive in a box with a guarantee of safety. How you configure, deploy, and operate a digital tool, and how you train staff to use it, determines whether it is safe in your environment.
The standard places responsibility on you, the deploying organisation, to assess whether the benefits are worth the risks. You do this by identifying hazards, implementing controls, tracking incidents, and appointing a qualified Clinical Safety Officer to oversee the process.
Understanding DCB0160 is the first step. The next step is building the management system that brings it to life.
