Privacy notice

Who are we:

For the purposes of data protection legislation, the data controller is Pioneer Wound Healing & Lymphoedema Care Limited (Pioneer), Wish Tower House, 1c Edward Road, Eastbourne, East Sussex BN23 8AS.

We are registered with the Information Commissioner Office as Data Controller Reg No: ZA840571, ZA101854, ZB387035, ZB387023, ZB387014.

Pioneer specialise in the provision of wound healing and lymphoedema services. Using an evidence-based systematic approach to chronic wound healing, Pioneer provides speciality wound care and lymphoedema services to both NHS and Private Patients.

Pioneer collects and processes information about you in accordance with the Data Protection Act 2018 and the provisions of UK GDPR.

Our commitment to meet the requirements of the Data Protection Act 2018 and the provisions of UK GDPR includes:

  • meeting the guidelines for the collection and processing of personal identifiable information, your information;
  • undertaking regular reviews of our Data Protection Impact Assessment;
  • keeping your information safe;
  • fully respecting your rights.

Please read the following carefully to understand our approach and practices regarding your personal data and how we will treat it. We take any complaints we receive very seriously. If you think our collection or use of your personal data is unfair, misleading or inappropriate, please bring it to our attention and we will be happy to provide any additional data or explanations needed.

You can also contact the Data Commissioner’s Office at ICO, or write to ICO, Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF or telephone 0303 123 1113 for advice or to make a complaint.

Why we collect information about you:

We aim to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.

We require this information to:

  • assess your wound and to arrange consultations.
  • make sure your treatment is safe and effective and the advice we provide is appropriate and relevant to you;
  • facilitate the acquisition of wound care products, supplies or treatments, in support of your care;
  • communicate with you, to send you appointment reminders;
  • to receive payment for the care that we provide to you;
  • work effectively with others providing you with treatment or advice;
  • to properly investigate your concerns if you raise a complaint;
  • to provide feedback to improve the services we offer;
  • to assist law enforcement to deal with criminal activities.
  • in the event of an incident within a 3rd party premises, (such as a satellite clinic), we may require to share your information with that 3rd party to ensure we meet legal obligations in relation to Health & Safety legislation during combined investigations;
  • to provide anonymised statistics in support of business development and service improvements;
  • to provide anonymised information to support reporting for NHS Contracts, including for the purpose of charging for our service;
  • to provide information to regulatory authorities, including Care Quality Commission;;
  • to support internal audits as required by regulatory authorities;
  • to ensure we meet legal obligations;

We may also utilise your information for the training and education of other healthcare professionals to enhance their knowledge and skills. We take the utmost care to hide your identity when using your information in this way.

We may incorporate testimonial comments onto our website and distributed leaflets. This will be done after consultation with you and only with your consent.

What information we collect about you:

We collect a range of data about you, some of which is special category data, meaning it is sensitive information relating to you. We collect:

  • basic details about you, such as name, address, date of birth, mobile/home telephone numbers and email address (if provided);
  • details relating to ethnic origin, cultural / religious beliefs;
  • details of allergies, special needs, hosiery measurements;
  • contact we have had with you such as appointments and home visits;
  • notes and reports about your health, physical and mental condition;
  • details and records about your treatment and care;
  • images of your wound or swelling, to assess and monitor your care;
  • results of investigations such as x-rays and laboratory test results;
  • relevant information from people who care for you and know you well, such as healthcare professionals and relatives;
  • accident, incident reporting;
  • surveillance camera photographic data which we collect to help us keep you and your information safe;
  • in the event that you have a Lasting Power of Attorney in place we will record this.

The legal basis for collecting and processing information about you includes:

We must have a lawful basis for processing your information; this will vary on the circumstances of why we process and how we use your information, but typical examples include:

  • Article 6(1)(a) Consent: you have given clear consent for us to process their personal data for a specific purpose.
  • Article 6(1)(b) Necessary for Contract: the processing of your information is necessary for the Patient Contract that we hold directly with you as a Private Patient or our NHS Contract, as commissioned by the Clinical Commissioning Group, of the healthcare professional who referred you to our service.
  • Article 6(1)(c) Legal Obligations: we collect and process your information to meet our legal obligations for records management, including archiving your information which is held in your patient record. We collect and process your information to meet our legal obligations to Health & Safety Legislation.
  • Article 6(1)(d) Vital Interest: in extreme circumstances, we may share personal information if it is necessity for protecting life and the individual is unable to give consent.
  • Article 6(1)(e) Public Task: to support education and training for local / national healthcare professionals, via journals, publications and education/training events, we may process your information, to present it in a format that is anonymised so that you cannot be identified.
  • Article 6(1)(f) Legitimate Interests: Pioneer may process your information to use for improving the health care service we provide for you. We manage your information to allow us to charge for the care that we provide to you. We also use your information to communicate with you about your booked appointments and about your ongoing treatment plans.

As we process any special categories of information, we must have a further lawful basis from article 9 of the UK GDPR for the processing. This may include:

  • Article 9(2)(a) – In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on Pioneer or the data subject in connection with employment, social security or social protection.
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of our staff and our clients, for example to protect their life or the life of somebody else.
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
  • Article 9(2)(g) – where processing is necessary for reasons of substantial public interest.
  • Article 9(2(h) – where the processing is necessary for any health or social care purposes.

How we keep your information safe:

  • by providing Information Governance Awareness Training annually for all of our staff;
  • by ensuring robust Information Governance Security measures are in place;
  • we undertake regular Information Governance Security Audits;
  • we undertake annual Information Governance Compliance Audit / Training;
  • we adhere to the legislation including the Human Rights Act (1998) and the Common Law Duty of Confidentiality;
  • adherence to the Data Security & Protection Toolkit;
  • by committing to Data Quality supported through training and annual audits;
  • through our commitment to the Records Management Policy;
  • by encrypting our surveillance camera photographic data, and
  • by ensuring our IT suppliers have ISO 27001:2013 and/or Cyber Essentials certification.

We only share your personal information with our trusted partners, our data processors, to process data on our behalf which is necessary to deliver our service. We ask them to demonstrate compliance with our security requirements, adherence to any instructions we give them and compliance with relevant data protection legislation. We have contractual agreements with these organisations which clearly define their obligations about what information they hold and how they use it.


Storing or transferring your data outside the European Economic Area (“EEA”)

We endeavour to store all our data in the UK or within the European Economic Area (EEA). We do not transfer or store your personal data to any third countries.

Some organisations which provide services to us may transfer personal data outside the EEA for processing purposes, but we will only allow them to do so if your data is adequately protected and in line with legal requirements. This includes, for example, ensuring that appropriate safeguards in relation to international transfers of data are included in contracts.

How long do we keep your data:

We only retain your data for as long as we need to. Our data retention policy is our guide to keeping your personal data, but the length of time depends on the purpose of the processing.


When we might share information about you:

Your information is kept secure and only shared on a ‘need to know’ basis. Limited and proportional sharing may occur with:

  • healthcare professionals (such as doctors, nurses, pharmacists, physiotherapists and occupational therapists, for example);
  • 3rd party premises management, for non Pioneer managed sites and then only in the event of an incident or safety concern;
  • suppliers of wound dressings, hosiery, treatments;
  • administrative support staff, including accountants;
  • healthcare students in training;
  • pathology and radiology staff involved in the analysis and reporting of diagnostic tests;
  • staff conducting local clinical audits to evaluate the care provided to you;
  • authorised personnel from visiting regulatory authorities, including the Care Quality Commission, The Health & Safety Executive;
  • Insurance Company(s) associated with company benefits, employers and public liability insurance, medical malpractice cover.

We also share with our trusted partners to help us provide services to you. For example, as a private patient paying for our service, you will be directed, to Stripe, a global leader in card payments, who process secure payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) standards. We do not store or record any of your bank or card details during this process.

We may also share your information with your consent and subject to strict sharing protocols about how it will be used, with:

  • social services;
  • education services;
  • local authorities;
  • translation services should you require this support;
  • voluntary sector providers.

We may also share your information with your consent with others that need to use records about you to:

  • check the quality of treatment or advice we have given you;
  • protect the health of the general public;
  • manage the health service;
  • help investigate any concerns or complaints you or your family have about your health care.

There may be times when we need to share your information without your consent, for example:

  • where there is a risk of harm to you or other people;
  • where we believe that the reasons for sharing are so important that they override our obligation of confidentiality (for example, to support the investigation and prosecution of offenders or to prevent serious crime);
  • where we have been instructed to do so by a Court;
  • where we are legally required to do so;
  • to control infectious diseases such as meningitis, tuberculosis (TB) or measles;
  • if you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object.

The national data opt-out is a service that enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment; patients can change their national data opt-out choice at any time.

To find out more visit: to view the National Data Opt-out Statement or

Pioneer WHLC Ltd Website:

We use reasonable, organisational, technical and administrative measures to protect personal information under our control. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Our website may include links to third-party websites. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.


You can view our full cookies policy at

Your rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

You can enquire as to how to enact any of these rights by contacting us as described below.

We are bound both by law and a strict code of confidentiality. In accordance with NHS guidance, Pioneer has appointed a Caldicott Guardian; a senior member of staff responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.

In addition, we have appointed a Data Protection Officer (DPO) who is responsible for ensuring Pioneer adheres to the Data Protection Act 2018 and the provisions of UK GDPR. The DPO ensures that we are registered with the Information Commissioner’s Office (ICO). The DPO is an independent external party.

How does this affect you:

You can be confident that we are adhering to the regulations and laws that apply to us about how we manage your information. You should know that anyone who receives your information from us also has a legal duty to keep it confidential.

If you wish to discuss the management of your information, discuss your rights under the Data Protection Act 2018 and the provisions of UK GDPR, please contact our Governance Lead:

Sue D’Ancey, Governance Lead
Pioneer Wound Healing & Lymphoedema Care Limited,
Wish Tower House,
1c Edward Road, Eastbourne,
East Sussex
BN23 8AS.
Telephone: 01323 735588

* Data protection legislation means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000(SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes or practice issued by the UK Information Commissioner or such other relevant data protection authority.