Privacy Notice - Minuteful for Wound

Last updated: 10/04/2023

Note to healthcare professionals: If you are using the services on behalf of an organisation that has entered into a contractual relationship with us for these services, those contractual terms will govern your use of the services and supersede the terms and this Privacy Notice in the event of any conflict. In line with UK Data Protection Legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please contact your organisation if you have any questions or queries.

Note to patients: This Privacy Notice is provided to you because you and your care team have agreed that a digital wound assessment is required as part of your treatment. This service is being offered to you by your healthcare provider, who, for the purposes of Data Protection Legislation, is the Data Controller and is responsible for how your personal data is processed. In line with UK Data Protection Legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please contact your healthcare provider if you have any questions or concerns.

Who is Healthy.io?

This document describes how Healthy.io (UK) Limited (“Healthy”, “Healthy.io”, “we”, “our” or “us”), a company registered in the UK,

  • with Companies House registration number 10996079, and
  • registered with the Information Commissioner’s Office (“ICO”) under Data Protection registration reference ZA289700,

uses your personal data to support your trust, hospital, or healthcare organisation (“healthcare provider”) with the Minuteful™ for Wound service.

What is Minuteful™ for Wound and how does the service work?

Healthy.io’s Minuteful™ for Wound digital wound management solution ensures clinicians can capture and assess wounds quickly, accurately and easily utilising a smartphone device and calibration stickers. In addition to a smartphone application, clinicians are also provided with a portal where they can see the scans captured as a time series to track progression of the wound.

The application guides clinicians on how to conduct the wound scan and in-app measurements, which improves the quality and standardisation of the wound assessment. The application also uses deep learning artificial intelligence that converts the scan into 3D images, auto-calculates the wound area and depth measurement, and auto-segments tissue types as a percentage. The clinician then completes a configurable assessment within the app before submitting the data, which is stored in the cloud.

The Minuteful™ for Wound portal supports quality of handover of care enabling teams to review and discuss each patient’s wound progression and enables quicker access to specialist advice by providing a platform that specialists can be invited to, to review and advise on treatment plans. These benefits improve patient outcomes by enabling visualisation of wound progress across teams and specialties leading to a reduction in healing times.

More information on Healthy.io’s Minuteful™ for Wound service can be found on our website: https://healthy.io/eu/services/wound/

Who is the Data Controller?

A ‘Data Controller’ determines the purposes for and the means by which personal data is processed. A Data Processor carries out tasks on behalf of a Data Controller.

For the purposes of this processing, which is to support your healthcare provider in providing you with direct care:

  • Your healthcare provider is the Data Controller and
  • Healthy.io is the Data Processor.

In line with UK Data Protection Legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please refer to your healthcare provider’s Privacy Notice for further information.

Before a clinician can use the Minuteful™ for Wound application, we ensure that a signed Data Processing Agreement (“DPA”) is in place between us and your healthcare provider. A DPA is a legally binding document to be entered into between the Controller and the Processor that regulates the scope and purpose of processing, as well as the relationship between the Controller and the Processor.

What is the purpose and lawful basis for processing my personal data?

Please see below an outline of the personal data processed, purpose and lawful basis for processing.

What personal data items are processed?

  • Patient data processed: NHS Number, first name, last name, date of birth, wound assessment data (scan and assessment date, scan images, scan calculations).
  • Staff data processed: First name, last name, email address, smartphone information (carrier, operating system, device, model, app version, city), app information (IP Address) [1].

Is special category data processed?

Yes. The following special category data (in this case, patient health data) is processed: wound assessment data (scan and assessment date, scan images, scan calculations).

What is the purpose of the processing?

To support the provision of direct care by allowing clinicians to use Healthy.io’s Minuteful™ for Wound digital wound management solution ensuring clinicians can capture and assess wounds quickly, accurately and easily utilising a smartphone device and calibration stickers. In addition to a smartphone application, clinicians are also provided with a portal where they can see the scans captured as a time series to track the progression of a wound.

What is the lawful basis under the UK General Data Protection Regulation (GDPR)?

  • Personal data: Article 6, 1 (e) public task.
  • Special category data: Article 9, 2 (h) Health or social care.

What is the lawful basis under the Data Protection Act 2018?

Schedule 1, Part 1: (2) Health or social care purposes.

How does this personal data sharing comply with the Common Law Duty of Confidentiality (CDLC)?

  • The CDLC is satisfied as Healthy.io’s Minuteful™ for Wound app will be used by clinicians for the purpose of direct care.

  • It should be noted that when personal data is processed and shared for the purpose of direct care, consent is not required.

How do you obtain my personal data and for how long is it retained?

When a staff member uses the Minuteful™ for Wound system, your personal data is held on Healthy.io systems. Only the minimum amount of personal data needed is processed by Healthy.io so the healthcare provider can provide you with direct care. Only Healthy.io staff members in authorised roles will have access to your data.

Data set one

Data items processed for this service

Patient Data: NHS Number, Patient Data: First Name, Patient Data: Last Name, Patient Data: Date of Birth, Address (optional)

How do we obtain your personal data?

These data items are obtained from your electronic patient record and uploaded onto the Minuteful™ for Wound app by the clinician providing you with care.

What happens to your data at the end of the retention period?

Personal data is deleted.

Data set two

Data items processed for this service

Patient Data: wound assessment data, scan and assessment date, scan images, scan calculations

How do we obtain your personal data?

These data items are obtained when a clinician scans your wound using the Minuteful™ for Wound app.

What happens to your data at the end of the retention period?

Personal data is anonymised.

Data set three

Data items processed for this service

Staff Data: First Name, Staff Data: Last Name, Staff Data: Email Address

How do we obtain your personal data?

These data items are obtained when a clinician is registered to use the Minuteful™ for Wound app.

What happens to your data at the end of the retention period?

Personal data is deleted.

Data set four

Data items processed for this service

Staff Data: Smartphone information (carrier, OS, device, model, app version, city)

How do we obtain your personal data?

These data items are obtained by Healthy.io when the clinician uses the Minuteful™ for Wound app.

What happens to your data at the end of the retention period?

Personal data is anonymised.

Data set five

Data items processed for this service

Staff Data: Smartphone information - IP Address

How do we obtain your personal data?

These data items are obtained by Healthy.io when the clinician uses the Minuteful™ for Wound app.

What happens to your data at the end of the retention period?

Personal data is anonymised and retained on a separate database for forensic and information security purposes and deleted after 12 months.

We will retain your personal data for the duration of the contract between your healthcare provider and us. If required by UK law, we will keep your data for the minimum time required under the applicable UK law.

When personal data is no longer required, Healthy.io delete or anonymise data in line with Data Protection Legislation and appropriate industry guidance.

Will you share my personal data with other organisations for purposes other than direct care?

When the Minuteful™ for Wound app is used, the data input into the Minuteful™ for Wound platform is stored on our systems. We will only use your personal data to provide direct care to the patient.

A Sub-processor is a trusted third-party data processor engaged by us who has access to personal data. We use third party Sub-processors to provide elements of services (such as data hosting). We have contracts in place with Sub-processors which ensure appropriate use of your data.

In some circumstances we are legally obliged to share information. If we do need to share personal data with other organisations, this is done in line with the Data Protection Act 2018, the UK GDPR and relevant legislation or court order, and only the minimum amount of information required is shared.

Is my personal data processed outside the UK?

We (or Sub-processors acting on our behalf) may store or process limited data about you in countries outside the UK. Most of the data processing is carried out in the UK or the EEA.

  • Patient personal data is stored in the UK or EEA.
  • Most staff personal data is stored in the UK or EEA. However, in order for us to provide you with our service, a limited amount of personal data may be processed outside the UK and the EEA.

Where data is processed outside of the UK or EEA, we will take the required steps to ensure that your personal data is protected to the standard, and using the data transfer mechanisms, required by UK Data Protection Law.

As a Data Processor acting under the instruction of the healthcare organisation, we cannot use a third party supplier without informing and getting sign off from your healthcare provider. Your healthcare provider will have signed off the use of all of our Sub-processors during the Information Governance review stage of the service before the service went live.

How is my personal data protected?

In order to protect your personal data, we and our Sub-processors use all reasonable industry-standard physical, procedural and electronic security measures (such as access control, secure servers, firewalls, internal policies, encryption, database backup etc.). We cannot and do not guarantee the absolute safety of any Personal Data stored with us or with any third-party.

We are committed to complying with information security industry standards such as:

  • Data Security and Protection Toolkit (DSPT): Reference 8KC08

  • ISO 27001:2013 Information Security Management System (ISMS)

  • ISO 22301:2019 Business Continuity Management System (BCMS)

  • ISO 13485:2016 Medical devices - Quality management systems - Requirements for regulatory purposes

  • Cyber Essentials

You can find more information about our information security practices on the Trust Centre webpage of our website.

What are my data rights, and can I object to you processing my personal data?

Individual rights requests are the responsibility of the healthcare provider where you are receiving care. Any individual rights requests that are made directly to Healthy.io will be reported to your healthcare provider for them to process and confirm actions required to be taken by Healthy.io. This process is in place as we can only act under the instruction of your healthcare provider to process your data.

You have the right to object to processing and opt out of the service. If you would like to object, you can contact your healthcare provider.

Who can I contact if I have any questions or queries?

As we can only act under the instruction of your healthcare provider (or for staff members, your employing organisation) to process your data, if you have any questions or queries about how your data is used, please contact your healthcare provider where you are receiving care.

How can you make a complaint?

As we can only act under the instruction of your healthcare provider to process your data, if you have any questions or queries about how your data is used, please contact your healthcare provider where you are receiving care.

You have a right to make a complaint if you are unhappy about how your personal data is processed.

Please note that the ICO will not normally consider an appeal until you have exhausted your rights of complaint. Please see the ICO website (link below) for further advice.

If you remain dissatisfied, you may wish to contact the ICO:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

  • Telephone: 0303 123 1113

Copyright © 2022, Healthy.io LTD. All rights reserved.

Citations and Footnotes

[1] Smartphone information, including IP address, is processed for operational purposes, including troubleshooting, maintenance, support, and information security purposes.