The Sexual Health Hub privacy notice
1. Patient privacy notice
We want you to be confident that your information is kept safe and secure and understand how and why we use it to support your care. This privacy policy explains:
Who we are?
Why we collect information about you
How your information will be used
How we keep it safe and confidential
2. How we use your personal data
The following legislation will both be referred as, UK Data Protection Laws:
UK General Data Protection Regulation (UK GDPR)
DPA 18, Data Protection Act 2018
Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or an online identifier.
Special categories of personal data are defined as: Racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.
3. Who are we?
HCRG Care Limited are commissioned to provide integrated sexual health services in Coventry and Warwickshire. HCRG Care group are the data controller’s for any personal information we hold about you.
For more information please visit: digital.thesexualhealthhub.co.uk
HCRG Care Limited is a limited company registered in England and Wales, number 5466033. Registered office: HCRG Care Group, The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX.
HCRG Care Group is partnering with SH:24, Community Interest Company (SH:24 CIC, company number: 08737119); SH:24 are commissioned to provide postal STI testing kits, emergency hormonal contraception and supplementary services on our behalf.
Details on how SH:24 deliver this service and handle, process and store patient data can be found at sh24.org.uk/privacy-policy
4. Who can you contact regarding your personal information we hold?
General Manager Kerrie Beasley
Coventry and Warwickshire Integrated Sexual Health
West Orchard Shopping Centre
Smithford Way
Coventry
CV1 1QX
Tel: 0300 247 0069
Data Protection Officer
Deborah Tonkin
HCRG Care Group LTD
The Heath Business & Technical Park
Runcorn
Cheshire
WA7 4QX
Tel: 01925 302 514
Email: ask.IG@hcrgcaregroup.com
If you are not happy about the way your information is handled, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioners Office (ICO).
The Information Commissioner’s Office
Wycliffe House
Cheshire
SK9 5AF
Helpline: 0303 123 1113 (local rate)
Email: casework@ico.org.uk Website: www.ico.org.uk
5. What are your rights?
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent.
Under the UK Data Protection Laws, you have the following rights. If you have any queries around your rights, please contact the Data Protection Officer details in section 3 or use a link to our privacy portal in section 5.
The right to be informed - As a data controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided by our privacy policy).
The right of access - You are entitled to request a copy of the personal data we hold about you.
The right to rectification - You are entitled to request changes to information if it is inaccurate or incomplete.
The right to erasure - Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.
The right to restrict processing - Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.
The right to restrict processing - Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.
The right to data portability - Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.
The right to object to processing - You have the right to object to our processing of your data where:
Processing is based on legitimate interest.
Processing involves automated decision-making and profiling.
Processing would be for a purpose beyond your care and treatment, e.g. direct marketing and scientific or historic research; you can opt-out to the sharing of this information under the National Data Opt-Out.
Friends and Family Test
Please note that the above rights may not apply in all circumstances.
Keep us updated of any changes
Please let us know if you change your address or contact details etc. so that we can keep your information accurate and up to date.
6. How to request a copy of your records
You can request a copy of your records directly from the Access to Records Team via accesstorecordsteam@hcrgcaregroup.com
The team supports the management of requests with regards to records and/or alterations/concerns. Your request will be directed to the correct service who will process it promptly.
To progress the request, you will need proof of identity as follows:
Driving license or passport or work ID badge or bus pass or a witness to your signature by someone who is over 18 and is not a relative, (preferably by your doctor/solicitor on their headed business paper) as proof of identity.
Bank statement or pay slip or utility bill or a letter on headed paper from a local authority or similar as proof of residence.
If you are a Representative acting on a data subject’s behalf you will need proof of your identity as well as proof that the data subject is freely giving consent to the request, or you have the appropriate legal authority.
If you would like more information about your records, please ask at reception, speak to the person proving your care or contact our Data Protection Officer: David Watkins General Counsel, HCRG Care Group. Email: ask.IG@hcrgcaregroup.com
7. The information we collect and use
We will collect basic ‘personal data’ about you such as your name, date of birth (DOB). We may also ask you for more sensitive data, called ‘special category data’ such as your ethnicity and information about your health and outcomes of needs assessments. This information is held in written form and/or in digital form.
The types of information that will be collected by HCRG Care Group Ltd when you are using our online service are:
Name
Postcode (to receive your test, if requested)
Gender
DOB
Translator
Contact preference details
Learning disability/impairment
Sexual orientation
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation (e.g. information from Hospitals, GP surgeries etc.) These records help to provide you with the best possible healthcare and help us to protect your safety.
In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We may collect information from you, or other trusted parties involved in your care.
We will collect basic ‘personal data’ about you once you register with us such as:
This may include:
Details about you, such as your address, NHS number, next of kin and/or carer information
In addition to the above we may also hold more sensitive personal data, called ‘special category data’ which could include:
Any contact the service has had with you, such as appointments, clinic visits, emergency appointments, etc
Notes and reports about your health and safeguarding
Details about your treatment and care
Results of investigations, such as laboratory tests, x-rays, etc
Relevant information from other health professionals, relatives or those who care for you
8. How we use your information
Your records are used to:
Provide information to make health decisions made by care professional with and for you
To register you on our clinical system and book an appointment
To send appointment reminders with your permission, to the mobile number you supplied
You will also have the option to add your appointment directly in to your mobile calendar at the end of the online booking process
To post home sampling kits with your consent
Make sure your care is safe and effective
To issue treatments or supply contraception
Without your permission we will not:
Inform your GP or healthcare professional about the fact that you had the test or your results
Refer you to other specialist services
Share your information
The only time we may need to discuss your results with a GP or healthcare professional is if we are unable to contact you by your chosen method of communication and your test is positive. This is to help protect your health.
We may also use, or share, your information for the following purposes:
Looking after the health of the public
Making sure that our services can meet patient needs in the future
Preparing statistics on NHS performance and activity
Investigating concerns, complaints, or legal claims
Helping colleagues review the care they provide to make sure it is of the highest standards
Training and educating staff
For research purposes (we will always ask your consent for this)
Invoice validation - invoice validation enables us to identify which local authority or ICB is responsible for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes and uses your NHS number to validate payment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly. For more information see NHS Digital - how we use your information for invoice validation.
Sending SMS results when a patient is tested at our services - We will ask you to update your contact preferences when you book an appointment or visit the service. This is to understand how you wish to be contacted about your results. If you need to update your contact preferences or opt out of receiving SMS messages, please contact your local service. Some of our services have a dedicated results line for you to contact to obtain your results. If this service is available in your area, details will be provided when you take your test.
Recall SMS messages - When you order a postal kit on our website, we will send out your results via SMS text. If you do not wish to be contacted via SMS text, please visit your local service to have a test. If your contact details have changed following completion of your postal order, please contact your local service for support.
Postal testing, SH:24 - In our Coventry and Warwickshire Sexual Health Services, we are partnering with SH:24, Community Interest Company (SH:24 C.I.C., company number: 08737119); SH:24 are commissioned to provide postal STI testing kits, emergency hormonal contraception and supplementary services on our behalf. Details on how SH:24 deliver this service and handle, process and store patient data can be found at sh24.org.uk/privacy-policy
SMS text reminder service - When you book an appointment or visit the service we will also ask if you wish to receive SMS reminders for your appointment. If you wish to change your preferences, you can do so by contacting your local service or by logging into your online account.
The Friends and Family Test (FFT) - NHS organisations including HCRG Care Ltd are required to use the Friends and Family Test (FFT) to capture feedback and submit response data to NHS England each month. Patients can access the data which will then help them make informed choices about their future care. We collect feedback from several different channels, including SMS text messaging, online – via our HCRG Care Group website and paper questionnaires/feedback forms. All personal information collected is processed and stored in accordance with the Data Protection Act 2018/UK GDPR 2016.
Contacting our services via email - If you contact our services via email, this method of communication will not be secure. If you choose to use this method, you are agreeing to share your information in this way.
9. Services we provide
Coventry and Warwickshire
We provide free and confidential sexual health and HIV services in Coventry and Warwickshire. This includes information and advice on all types of contraception and STI testing and treatment. Our service is confidential, non-judgmental and for people of all ages, genders, and orientations.
More information can be found on digital.thesexualhealthhub.co.uk
10. Who we share your information with
We may also share your information for the provision of your care or for another legal obligation with the following organisations and partners:
NHS Trusts/Foundations
South Warwickshire NHS Foundation Trust
GP’s
Integrated Care Boards (NHS)
NHS England (NHSE) and NHS Digital (NHSD)
Local Authorities
Police and Judicial Services
HCRG Care Group Support teams
TDL (The Doctors Laboratory)
British Pregnancy Advisory Service (BPAS)
Brook
SH:24 for online STI testing and emergency hormonal contraception
Pharmacies
Idox Health
Chat Health – SMS messaging application
Accurx – Video consultation platform
When we share your information:
We may share information about you for the following purposes;
To support your health and care arrangements including referrals, pathology, and other results
If it is in your best interests
To manage incidents that you have been involved in
To deal with complaints and investigations
Requests for information from official authorities or your representatives
Your records if the service is transferring to us under contract or if you are moving out of area
The prevention and detection of crime
Funding requests or payments
Legal advice or proceedings
Responding to legal requests and court orders
Public health notifications
Partner notification to protect partners and the public
To gather feedback through the friends and family test
Our partners and other recipients:
We work in partnership with commissioners, other health and care providers such as primary care services, local authorities, NHS trusts, pathology providers etc
Prison service relating to prison healthcare
Local Safeguarding Boards
Regulators
We may use trusted providers to host our IT, archiving, email and texting services and surveys
We may use corporate teams within the HCRG Care Group who provide ‘back office’ support on behalf of services within our group such as communications and marketing, information governance, clinical governance and IMT
11. What is our legal basis for processing your information?
For the Sexual Health services to legally process your information a ‘lawful basis’ needs to be identified. Data protection law recognises the difference between personal data and that of a more sensitive nature known as special categories of data; such as racial or ethnic origin, political opinions, religious beliefs, trade union activities and physical or mental health.
Our legal basis for processing your personal information falls under one of the following legal bases:
Providing and managing health and social cares services to our patient’s service users and clients
Performance of a task carried out in the public interest or in the exercise of official authority
Necessary for a legal obligation such as responding to a request from a coroner
Necessary for reasons in public health such as in the event of an outbreak of a disease
Our legal basis for processing special categories “sensitive” personal information falls under one of the following legal bases:
We need to use the data to provide medical diagnosis, health and social care treatment services to you
Social protection law for safeguarding purposes
12. How long do we keep your information?
We will keep your healthcare records in accordance with the national guidance: Records Management Code of Practice for Health and Social Care 2021, after which records, and confidential information are securely destroyed in line with this code of practice.
13. CCTV
Where there are CCTV systems outside of our premises for the purposes of public and staff safety and crime and prevention and detection, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information.
14. How we keep your information safe
We take the security of your personal data very seriously. We have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:
Training
Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient data; this includes their mandatory annual training in data security and confidentiality to demonstrate they understand and are complying with policies on confidentiality.
Access controls
Any member of staff who has access to personal confidential data will have a username and unique password. This will reduce the risk of unauthorised access to your personal data and all access is auditable.
Technical measures
We complete due diligence and impose contractual obligations on our trusted providers and persons working under our instruction.
We have a duty to:
Maintain full and accurate records of the care we provide to you
Keep records about you confidential and secure
Provide information in a format that is accessible to you
Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.
The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.
The health records we use will be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
Data Protection Act 2018
UK General Data Protection Regulation
Human Rights Act
Common Law Duty of Confidentiality
NHS Codes of Confidentiality and Information Security
Health and Social Care Act 2015
And all applicable legislation
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.
We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
When booking appointments online, HCRG Care Group Ltd. will not share your information (other than for direct care) without your permission unless there are exceptional circumstances, such as where the health and safety of others is at risk, or where we are legally obliged to pass on information. Like all health providers,
We reserve the right to disclose your personal information to comply with applicable laws and government or regulatory bodies’ lawful requests for information
Any other agency receiving information from us is also under a legal duty to keep your information confidential
Without your permission we will not:
inform your GP or healthcare professional about the fact that you have had the test or your results
refer you to other specialist services
share your information
The only time we may need to discuss your results with a GP or healthcare professional is if we are unable to contact you by your chosen method of communication and your test is positive. This is to help protect your health.
15. What if you’re under 16?
Under 16’s have the same rights to confidentiality as anyone else and will not be treated any differently. However, if you are under 13, we are likely to be more worried about you having sex.
16. What if you test positive for a sexually transmitted infection?
Confidentiality is no different if you test positive unless we’re completely unable to contact you to inform you of your infection.
In some instances we may not be able to contact you due to incorrect contact details. It is important that you regularly inform us of any changes to your contact details, especially new mobile phone numbers. We always recommend if you have not received your results within 2 weeks of your test you contact your local clinic.
17. How the NHS and care services use your information
Sexual Health Services are one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
18. Social media and our website
When you contact us through social media such as Facebook and Twitter, we hold your information and reason for contact in our social media management portal to enable us to easily access and manage our engagement with you. This may result in us sharing your information with other parties within the HCRG Care Group e.g. individuals involved in your care, managing your complaint etc.
When you visit our websites we collect standard internet log information and details of visitor behaviours. This is statistical data only which we collect in order to find out the numbers of visitors to the site and the pages visited. The information is collected in such a way that does not identify individuals and we do not make any attempts to identify visitors this way.
Where we do collect personal information on our website, this will be made obvious to you through the relevant pages.
19. Contract end provisions
In the event of the contract with the service and HCRG Care Group Ltd coming to an end, all relevant documentation and records will be transferred to the new provider(s).
The transfer of records will be conducted in accordance with the current UK Data Protection Law.
20. Changes to our privacy notice
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information.
Date privacy notice last updated: March 2024