Digital Technology Acceptance Criteria (DTAC)

Company name: Decently Limited

Product name: Melo

Type of product: Software as a Service (SaaS)

Key contact: James Burch | Contact via hello@decently.co.uk

Registered address: Manchester Technology Centre, 103 Oxford Road, Manchester, M1 7ED

Country of registration: UK

Companies house registration number: 13604268

CQC assessment: Not applicable

Who is this product intended to be used for? Patients and clinical workforce.

What is the product designed to do and how is it used? Melo is a digital behavioural assessment & management application that is used in place of traditional paper assessment forms. Melo supports clinicians with evidence-based information that can be used to better understand changes in patient behaviour so that appropriate care planning decisions can be made in a timely and appropriate way. Melo does not seek to replace the clinical decision making already taking place, rather to enhance decision making and improve the efficiency of how behavioural data is collected and shared across multi-disciplinary clinical teams.

What are the intended or proven benefits for users? At a high level, the benefits for digital behavioural assessments are:

• Helps deliver joined-up care - patient data can be efficiently collected, to a high degree of accuracy with minimum burden on busy NHS staff.

• Improved clinical decision support - this data can be presented in such a way, at a patient, ward and hospital level to inform clinical staff of a deeper understanding of their patients. Improving intervention effectiveness, avoiding challenging/dangerous situations and improving working environments.

• Saves clinicians time - this data can be used to save time when clinical staff are assessing a patient or making decisions about a patient (for example, in an MDT meeting).

• Supporting best practice - the data collected within the Melo prototype can be used to build data models that can be used to train AI models to spot trends, with the goal of providing information that will help staff proactively reduce/mitigate challenging behaviour. Data used for building the initial model will be anonymised by decoupling identifiable information. Historic data can be used as a measure to show the improvement a digital system could bring. Historic data can be used to help build and prove AI models are successful.

• Accessible from anywhere - Cloud-based system meaning that the patient assessment data can be securely accessed without the need for complex paper logistics.

• Full audit trail - maintained and available for each behavioural assessment.

• Reduced medico-legal risk from lost forms - the risk of losing assessment forms is removed with a digital process.

• Reduced clinical errors - reduced risk of wrong clinical decision making through removal of handwritten assessment data.

• Reduction to near zero use of paper for behavioural assessments - use of paper, both carbon-copy assessment forms and paper information leaflets can be reduced, with paper copies printed only where necessary for a clinician without digital access.

What are the user journeys when using the product?

• Our User journey document outlines the user flow, and the different ways Melo is used.

• Our Data-flow document outlines the data flows between clinician and Melo.

Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes.

Please supply your clinical risk management plan:

We have a number of processes and policies in place to manage clinical safety risk in live service between releases. They are outlined in the following Risk management policies/documents

• Clinical Risk Management Standard

• Decently Internal Audit Procedure

• Clinical Event & Security Incident Reporting Process

• Decently Clinical Risk and Safety Meeting minutes

• Decently Clinical Risk Mgt Legal Register

• Decently Clinical Change Management Policy

• Decently Document Control Standard

• Decently Information Handling and Classification Standard

All clinical staff using Melo will have received appropriate training in the appropriate and safe use of Melo, including how to report potential problems or ‘bugs’ with the Melo system, and how to access and input data into Melo system in the event of system down-time.

Please supply your Clinical Safety Case Report and Hazard Log:

• Clinical safety case report

• Clinical safety hazard report

Clinical Safety Officer (CSO) details: Dr Stephen Mullin | HCPC - PYL17468 and BPS 85168 | CSO training completed (NHS Digital)

Is the product registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? Not applicable, outside of the scope of the UK Medical Devices Regulations 2002.

Do you use or connect to any third party products? If yes please detail relevant Clinical risk management documentation.

Yes, the following are third-party products used to deliver the Melo product. The clinical risks associated with each are considered as part of our clinical safety case report and clinical safety hazard log.

• Microsoft Azure (cloud hosting).

Are you required to be registered with the Information Commissioner? No - as per ICO self-assessment questionnaire, as an organisation which is only a data processor, not a data controller, there is no expectation to be registered with the Information Commissioner (ICO). However, we have gone above and beyond and registered with the ICO.

• ICO Registration details

Do you have a nominated Data Protection Officer (DPO)? Yes - James Burch | Contact via hello@decently.co.uk

Does your product have access to any personally identifiable data or NHS held patient data? Yes

Please confirm you are compliant with the annual Data Security and Protection Toolkit Assessment. Confirmed - Decently DSPT

Please attach the Data Protection Impact Assessment (DPIA) relating to the product. Different integrations mean that organisations put in place slightly different DPIAs based on the data flows occurring within the organisation. This is the template DPIA provided by Decently:

• Melo DPIA

Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer. Confirmed

Please confirm where you store and process data:

• For UK healthcare organisations Microsoft Azure is used for cloud hosting (storage), within UK-based data-centres.

• Other third-party processing may involve data processing outside of the UK, we ensure that all third-party services we elect to use comply with UK GDPR requirements and have relevant security certifications.

Do you maintain Cyber Essentials certification, and undertake annual external penetration testing? Yes, our policy is that both are undertaken between April and June of each year.

• Cyber Essentials certificate

Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12 month period.

• Executive summary from CybaVerse Web Application Security Assessment conducted between the 8th and 12th April 2024 (together with re-assessment completed on 30th April 2024).

• Introduction Decently Limited required CybaVerse to conduct a web application assessment of the Melo platform. The testing was conducted in line with CybaVerses’ standard methodology which is based on the Open Web Application Security Project (OWASP) web application security guidelines.

• Key Findings During the assessment, no critical or high-risk vulnerabilities were identified in the application. The issues that have been discovered during the test could not be directly exploited to allow an attacker to access sensitive patient data or application functionality, either from an authenticated or unauthenticated perspective. Issues identified during previous assessments of the application have been resolved, indicating that the application is undergoing continual improvement of its security posture. As the application is multi-tenanted, and due to the sensitive data stored surrounding patient’s medical histories, particular focus was given to cross-tenant access. The horizontal access restrictions preventing cross-tenant attacks were found to be well implemented and robust, and no vector to access another organisation’s data was discovered.

• Conclusion The Melo application was found to be well secured from both an authenticated and unauthenticated perspective, with clear implementation of security best practice throughout. Overall the security posture exceeds industry standards and it was evident security had been considered during the design of the application.

Please confirm whether all custom code had a security review: Yes, internal code review. At Decently we follow a security development process to reduce the risk of introducing code that could result in a breach in security. Our security checklist includes OWASP top 10 security considerations and code review. Our lifecycle includes ongoing reviews to improve quality, performance and security of the application.

Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes

Please confirm whether logging and reporting requirements have been clearly defined: Yes, all API calls are recorded and logged. Change to code/endpoints are dated and timestamped and recorded against an individual. Default Microsoft Windows logging is used on laptop devices.

Please confirm whether the product has been load tested: Yes

Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? No - not yet implemented.

Do you use NHS number to identify patient record data? Yes

Is this done via NHS Login? No. The current version requires manual entry of NHS number

Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability? No - not yet. This is in development for further along our product roadmap.

Is your product a wearable or device, or does it integrate with them? No

Do you engage users in the development of the product? Yes, in the following ways:

• User research - throughout development and live use, user research insights - both patient and clinician - have driven development decisions.

• Patient feedback - we periodically run PPI (Patient & Public Involvement) listening sessions to seek the feedback and input of patients, families and carers. We do this in collaboration with the UK Acquired Brain Injury Forum (UKABIF) and also with NIHR Brain Injury Medtech Co-operative.

• Clinician feedback - we reach out to customers on a weekly basis via face to face and online sessions to receive feedback on current usage and inform the design of new features. This allows us to develop the product to ensure usability and customer need. This is typically done by video call and includes the Co-founders, product and a development representative when required. All this information is gathered and stored within in our product tracking tools to determine a roadmap of features.

• Publications - the Melo team, alongside academics, have published findings relating to the problems of traditional paper-based assessment processes, and early work demonstrating the impact of introducing digital assessment. Examples include: INSERT LINK TO POSTERS

• Search data and analytics - real world use of the product is monitored to guide improvements in product, content, and process.

Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey? Yes.

• User journeys

Do you undertake user acceptance testing to validate usability of the system? Yes

• UAT example

Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Yes Melo is fully compliant with the Web Content Accessibility Guidelines version 2.1 AA standard.

We want our users to find Melo as easy to use as possible. For example, that means users should be able to:

• change colours, contrast levels and fonts using browser or device settings

• zoom in up to 400% without the text spilling off the screen

• navigate most of Melo using a keyboard or speech recognition software

• listen to most of Melo using a screen reader (including the most recent versions of JAWS, NVDA and VoiceOver)

• We’ve also made the text on Melo as simple as possible to understand.

Does your team contain multidisciplinary skills? Yes, the Melo web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.

Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.

Do you continuously develop your product? Yes, continuous updates are released approximately every 2-4 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy - these are summarised in our release notes. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, understand user priorities.

Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes.

Does this product meet with NHS Cloud First Strategy? Yes. Decently advocates a cloud first approach (all current deployments are cloud deployments).

Are common components and patterns in use? No - not yet. We will implement this as part of our future interoperability strategy.

Do you provide a Service Level Agreement to all customers purchasing the product? Yes, a service level agreement of 99.9% uptime or above is offered to all healthcare organisations.

Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, currently we do this informally through user and steering group meetings as part of the pilot but we will further develop this as part of a future release to fully satisfy this standard.

Average service availability for past 12 months: Not yet available, 12 months live will be Summer 2024 -however no major issues to date.