Portal user agreement

SkinSelfie Portal User Agreement - T&C

The SkinSelfie Portal is owned by Newcastle Upon Tyne Hospitals NHS Trust.

 

Version 1

Date: May 2021

 

  1. Definition of key words

The MySkinSelfie Platform (MSP) is the system comprising the mobile phone app, MySkinSelfie, and the web viewing portal, SkinSelfie Portal (SSP).

MySkinSelfie (MSS) is the app where patients record images of their skin problems. The images are owned by the patients. They give consent for use in medical records when they share access to their image cloud with an MSS digital clinic.

SkinSelfie Portal (SSP) is the website for viewing images that have been shared by patients from their MySkinSelfie (MSS) app account.

User – individual who has been given access to the SkinSelfie Portal by their institution.

Newcastle Upon Tyne Hospitals NHS Trust (NUTH) are the owner of MSS and MSP.

Electronic Medical Record (EPR)

  1. User rights and responsibilities

The user is given access by their institution's MSS administrator. The institution has access to the MSP on an annual basis following payment of the license fee. The MSS administrator can create digital clinics and can add and remove users from the system. NUTH will ensure that the MSP system is functioning correctly and that any errors that arise are sorted promptly.

The Terms and Conditions for using the MSS app are detailed on the website. These are the concern of the individual patient user who agrees to download the app and use it to record images and to share images with a clinic.

The MSP is not a medical records system. The images that are shared to the SSP are the property of the patient. If they give consent for images to be used for medical records, the images can be downloaded into an EPR.

  1. Proper or expected usage of the portal.

The MSP is designed to be used to view patient medical images. The MSP is configured to be accessed via laptop or desktop. The view is not optimally configured for mobile or tablet, as it is not designed to be viewed on these devices, which are generally personal devices. Patient data can be downloaded via the MSP, and this should only be done when using a secure clinic computer. Data should only be downloaded in order for it to be transferred to a secure electronic medical notes platform. Patient images should never be left on a device that is not secure and compliant with all NHS or other institution data security standards.

An admin user can create new digital MSP clinics. An admin user can invite a clinic user and remove a clinic user. An admin user cannot view images. A clinic user can view clinical images.

  1. Intellectual property protection

All IP is the property of NUTH.

  1. Accountability for actions, behaviour, and conduct

All MSP users must follow professional medical, nursing, medical admin and other institution guidelines, including data protection laws, when using the MSP. Each individual is responsible for the ethical and legal handling of patient data.

  1. Payment details for purchases

Following sign up to MSP and contract confirmation, payment will be needed before accounts are created.

  1. Disclaimers and warranties

The MSP is owned by NUTH. The system is maintained under contract with Komodo digital (Newcastle), who have no access to any patient image data. Komodo do have access to the app user database, which includes forename, surname and email. These are the only three items of data required for app sign up. When a patient shares access to their images with a clinic, they follow an in-app consent process and add further data, including DOB and NHS number. This data is all encrypted along with the images and is only visible within the digital clinic that the patient has shared with.

Specific encryption information:

Transfer between Web Server and public Client/Portal: MySkinSelfie protects data in transit using a domain-verified SSL certificate using the algorithm SHA256 with RSA Encryption. The certificate only protects the www.myskinselfie.co.uk and myskinselfie.com domains. No other subdomain is protected. The minimum TLS protocol version is 1.2. This applies to both the Mobile App and the Clinician Portal.

Photo Encryption at rest on Server: Photos are stored in a Microsoft Azure Storage account. Each photo is encrypted using AES256 (FIPS 140-2 compliant) via Azure Storage FileEncryption, with the RSA 2048 key stored in Azure Key Vault. This key is only accessible to the Web Server, for decrypting photos before transfer and encrypting photos before storage.

Cached Photo Encryption at rest on App: Photos transferred from the Web Service and cached in the app are encrypted using the Rijndael symmetric encryption algorithm with a key size of 256 (AES256 compliant).

 

  1. Procedure for account termination

If an account is not renewed, the client will be given 30 days to extract any data from shared images before their account access is removed.

  1. Exclusion or Limitation of Liability

NUTH is not liable for the loss of data following download from the SSP. It is the responsibility of institutions and clinical users.

  1. Notification of modification of terms

30 days' notice will be given of any modification of terms.