The Sexual Health Hub privacy notice

1. Patient privacy notice

We want you to be confident that your information is kept safe and secure and understand how and why we use it to support your care. This privacy policy explains:

  • Who we are

  • Why we collect information about you

  • How your information will be used

  • How we keep it safe and confidential

2. How we use your personal data

The following legislation will together be referred to as UK Data Protection Laws:

  • UK General Data Protection Regulation (UK GDPR)

  • DPA 18, Data Protection Act 2018

Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or an online identifier.

Special categories of personal data are defined as: Racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.

3. Who are we?

HCRG Care Limited are commissioned to provide integrated sexual health services in Coventry and Warwickshire. HCRG Care Group are the data controller for any personal information we hold about you.

For more information please visit:

HCRG Care Limited is a limited company registered in England and Wales, number 5466033. Registered office: HCRG Care Group, The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX.

HCRG Care Group is partnering with SH:24, Community Interest Company (SH:24 CIC, company number: 08737119); SH:24 are commissioned to provide postal STI testing kits, emergency hormonal contraception and supplementary services on our behalf.

Details on how SH:24 deliver this service and handle, process and store patient data can be found at

4. Who can you contact regarding your personal information we hold?

General Manager Kerrie Beasley

Coventry and Warwickshire Integrated Sexual Health

West Orchard Shopping Centre
Smithford Way

Tel: 0300 247 0069

Data Protection Officer
Deborah Tonkin
HCRG Care Group LTD
The Heath Business & Technical Park

Tel: 01925 302 514


If you are not happy about the way your information is handled, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO).

The Information Commissioner’s Office
Wycliffe House
Helpline: 0303 123 1113 (local rate)
Email: Website:

5. What are your rights?

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent.

Under the UK Data Protection Laws, you have the following rights. If you have any queries about your rights, please contact the Data Protection Officer using the details in section 3 or use the link to our privacy portal in section 5.

The right to be informed - As a data controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided by our privacy policy).

The right of access - You are entitled to request a copy of the personal data we hold about you.

The right to rectification - You are entitled to request changes to information if it is inaccurate or incomplete.

The right to erasure - Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.

The right to restrict processing - Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.

The right to data portability - Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.

The right to object to processing - You have the right to object to our processing of your data where:

  • Processing is based on legitimate interest.

  • Processing involves automated decision-making and profiling.

  • Processing would be for a purpose beyond your care and treatment, e.g. direct marketing and scientific or historic research; you can opt out of the sharing of this information under the National Data Opt-Out.

  • Friends and Family Test

Please note that the above rights may not apply in all circumstances.

Keep us updated of any changes

Please let us know if you change your address or contact details etc. so that we can keep your information accurate and up to date.

6. How to request a copy of your records

You can request a copy of your records directly from the Access to Records Team via

The team supports the management of requests with regards to records and/or alterations/concerns. Your request will be directed to the correct service who will process it promptly.

To progress the request, you will need proof of identity as follows:

  • Driving licence or passport or work ID badge or bus pass or a witness to your signature by someone who is over 18 and is not a relative (preferably by your doctor/solicitor on their headed business paper) as proof of identity.

  • Bank statement or pay slip or utility bill or a letter on headed paper from a local authority or similar as proof of residence.

If you are a Representative acting on a data subject’s behalf you will need proof of your identity as well as proof that the data subject is freely giving consent to the request, or you have the appropriate legal authority.

If you would like more information about your records, please ask at reception, speak to the person providing your care or contact our Data Protection Officer: David Watkins General Counsel, HCRG Care Group. Email:

7. The information we collect and use

We will collect basic ‘personal data’ about you such as your name, date of birth (DOB). We may also ask you for more sensitive data, called ‘special category data’ such as your ethnicity and information about your health and outcomes of needs assessments. This information is held in written form and/or in digital form.

The types of information that will be collected by HCRG Care Group Ltd when you are using our online service are:

  • Name

  • Postcode (to receive your test, if requested)

  • Gender

  • DOB

  • Translator

  • Contact preference details

  • Learning disability/impairment

  • Sexual orientation

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation (e.g. information from hospitals, GP surgeries etc.). These records help to provide you with the best possible healthcare and help us to protect your safety.

In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We may collect information from you, or other trusted parties involved in your care.

We will collect basic ‘personal data’ about you once you register with us. This may include:

  • Details about you, such as your address, NHS number, next of kin and/or carer information

In addition to the above we may also hold more sensitive personal data, called ‘special category data’ which could include:

  • Any contact the service has had with you, such as appointments, clinic visits, emergency appointments, etc

  • Notes and reports about your health and safeguarding

  • Details about your treatment and care

  • Results of investigations, such as laboratory tests, x-rays, etc

  • Relevant information from other health professionals, relatives or those who care for you

8. How we use your information

Your records are used to:

  • Provide information to support health decisions made by care professionals with and for you

  • To register you on our clinical system and book an appointment

  • To send appointment reminders with your permission, to the mobile number you supplied

  • You will also have the option to add your appointment directly into your mobile calendar at the end of the online booking process

  • To post home sampling kits with your consent

  • Make sure your care is safe and effective

  • To issue treatments or supply contraception

Without your permission we will not:

  • Inform your GP or healthcare professional about the fact that you had the test or your results

  • Refer you to other specialist services

  • Share your information

The only time we may need to discuss your results with a GP or healthcare professional is if we are unable to contact you by your chosen method of communication and your test is positive. This is to help protect your health.

We may also use, or share, your information for the following purposes:

  • Looking after the health of the public

  • Making sure that our services can meet patient needs in the future

  • Preparing statistics on NHS performance and activity

  • Investigating concerns, complaints, or legal claims

  • Helping colleagues review the care they provide to make sure it is of the highest standards

  • Training and educating staff

  • For research purposes (we will always ask your consent for this)

  • Invoice validation - invoice validation enables us to identify which local authority or ICB is responsible for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes and uses your NHS number to validate payment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly. For more information see NHS Digital - how we use your information for invoice validation.

  • Sending SMS results when a patient is tested at our services - We will ask you to update your contact preferences when you book an appointment or visit the service. This is to understand how you wish to be contacted about your results. If you need to update your contact preferences or opt out of receiving SMS messages, please contact your local service. Some of our services have a dedicated results line for you to contact to obtain your results. If this service is available in your area, details will be provided when you take your test.

  • Recall SMS messages - When you order a postal kit on our website, we will send out your results via SMS text. If you do not wish to be contacted via SMS text, please visit your local service to have a test. If your contact details have changed following completion of your postal order, please contact your local service for support.

  • Postal testing, SH:24 - In our Coventry and Warwickshire Sexual Health Services, we are partnering with SH:24, Community Interest Company (SH:24 C.I.C., company number: 08737119); SH:24 are commissioned to provide postal STI testing kits, emergency hormonal contraception and supplementary services on our behalf. Details on how SH:24 deliver this service and handle, process and store patient data can be found at

  • SMS text reminder service - When you book an appointment or visit the service we will also ask if you wish to receive SMS reminders for your appointment. If you wish to change your preferences, you can do so by contacting your local service or by logging into your online account.

  • The Friends and Family Test (FFT) - NHS organisations including HCRG Care Ltd are required to use the Friends and Family Test (FFT) to capture feedback and submit response data to NHS England each month. Patients can access the data which will then help them make informed choices about their future care. We collect feedback from several different channels, including SMS text messaging, online – via our HCRG Care Group website and paper questionnaires/feedback forms. All personal information collected is processed and stored in accordance with the Data Protection Act 2018/UK GDPR 2016.

  • Contacting our services via email - If you contact our services via email, this method of communication will not be secure. If you choose to use this method, you are agreeing to share your information in this way.

9. Services we provide

Coventry and Warwickshire

We provide free and confidential sexual health and HIV services in Coventry and Warwickshire. This includes information and advice on all types of contraception and STI testing and treatment. Our service is confidential, non-judgmental and for people of all ages, genders, and orientations.

More information can be found on

10. Who we share your information with

We may also share your information for the provision of your care or for another legal obligation with the following organisations and partners:

  • NHS Trusts/Foundations

  • South Warwickshire NHS Foundation Trust

  • GPs

  • Integrated Care Boards (NHS)

  • NHS England (NHSE) and NHS Digital (NHSD)

  • Local Authorities

  • Police and Judicial Services

  • HCRG Care Group Support teams

  • TDL (The Doctors Laboratory)

  • British Pregnancy Advisory Service (BPAS)

  • Brook

  • SH:24 for online STI testing and emergency hormonal contraception

  • Pharmacies

  • Idox Health

  • Chat Health – SMS messaging application

  • Accurx – Video consultation platform

When we share your information:

We may share information about you for the following purposes:

  • To support your health and care arrangements including referrals, pathology, and other results

  • If it is in your best interests

  • To manage incidents that you have been involved in

  • To deal with complaints and investigations

  • Requests for information from official authorities or your representatives

  • Your records if the service is transferring to us under contract or if you are moving out of area

  • The prevention and detection of crime

  • Funding requests or payments

  • Legal advice or proceedings

  • Responding to legal requests and court orders

  • Public health notifications

  • Partner notification to protect partners and the public

  • To gather feedback through the friends and family test

Our partners and other recipients:

  • We work in partnership with commissioners, other health and care providers such as primary care services, local authorities, NHS trusts, pathology providers etc

  • Prison service relating to prison healthcare

  • Local Safeguarding Boards

  • Regulators

  • We may use trusted providers to host our IT, archiving, email and texting services and surveys

  • We may use corporate teams within the HCRG Care Group who provide ‘back office’ support on behalf of services within our group such as communications and marketing, information governance, clinical governance and IMT

11. What is our legal basis for processing your information?

For the Sexual Health services to legally process your information a ‘lawful basis’ needs to be identified. Data protection law recognises the difference between personal data and that of a more sensitive nature known as special categories of data; such as racial or ethnic origin, political opinions, religious beliefs, trade union activities and physical or mental health.

Our legal basis for processing your personal information falls under one of the following legal bases:

  • Providing and managing health and social care services to our patients, service users and clients

  • Performance of a task carried out in the public interest or in the exercise of official authority

  • Necessary for a legal obligation such as responding to a request from a coroner

  • Necessary for reasons in public health such as in the event of an outbreak of a disease

Our legal basis for processing special categories “sensitive” personal information falls under one of the following legal bases:

  • We need to use the data to provide medical diagnosis, health and social care treatment services to you

  • Social protection law for safeguarding purposes

12. How long do we keep your information?

We will keep your healthcare records in accordance with the national guidance: Records Management Code of Practice for Health and Social Care 2021, after which records and confidential information are securely destroyed in line with this code of practice.

13. CCTV

Where there are CCTV systems outside of our premises for the purposes of public and staff safety and crime prevention and detection, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information.

14. How we keep your information safe

We take the security of your personal data very seriously. We have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:


Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient data; this includes their mandatory annual training in data security and confidentiality to demonstrate they understand and are complying with policies on confidentiality.

Access controls

Any member of staff who has access to personal confidential data will have a username and unique password. This will reduce the risk of unauthorised access to your personal data and all access is auditable.

Technical measures

We complete due diligence and impose contractual obligations on our trusted providers and persons working under our instruction.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you

  • Keep records about you confidential and secure

  • Provide information in a format that is accessible to you

Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.

The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.

The health records we use will be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018

  • UK General Data Protection Regulation

  • Human Rights Act

  • Common Law Duty of Confidentiality

  • NHS Codes of Confidentiality and Information Security

  • Health and Social Care Act 2015

  • And all applicable legislation

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.

We will not disclose your information to any third party without an appropriate legal basis, unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

When booking appointments online, HCRG Care Group Ltd. will not share your information (other than for direct care) without your permission unless there are exceptional circumstances, such as where the health and safety of others is at risk, or where we are legally obliged to pass on information. Like all health providers,

  • We reserve the right to disclose your personal information to comply with applicable laws and government or regulatory bodies’ lawful requests for information

  • Any other agency receiving information from us is also under a legal duty to keep your information confidential

Without your permission we will not:

  • inform your GP or healthcare professional about the fact that you have had the test or your results

  • refer you to other specialist services

  • share your information

The only time we may need to discuss your results with a GP or healthcare professional is if we are unable to contact you by your chosen method of communication and your test is positive. This is to help protect your health.

15. What if you’re under 16?

Under-16s have the same rights to confidentiality as anyone else and will not be treated any differently. However, if you are under 13, we are likely to be more worried about you having sex.

16. What if you test positive for a sexually transmitted infection?

Confidentiality is no different if you test positive unless we’re completely unable to contact you to inform you of your infection.
In some instances we may not be able to contact you due to incorrect contact details. It is important that you regularly inform us of any changes to your contact details, especially new mobile phone numbers. We always recommend that, if you have not received your results within 2 weeks of your test, you contact your local clinic.

17. How the NHS and care services use your information

Sexual Health Services are one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.

Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided

  • research into the development of new treatments

  • preventing illness and diseases

  • monitoring safety

  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

18. Social media and our website

When you contact us through social media such as Facebook and Twitter, we hold your information and reason for contact in our social media management portal to enable us to easily access and manage our engagement with you. This may result in us sharing your information with other parties within the HCRG Care Group e.g. individuals involved in your care, managing your complaint etc.

When you visit our websites we collect standard internet log information and details of visitor behaviours. This is statistical data only which we collect in order to find out the numbers of visitors to the site and the pages visited. The information is collected in such a way that does not identify individuals and we do not make any attempts to identify visitors this way.

Where we do collect personal information on our website, this will be made obvious to you through the relevant pages.

19. Contract end provisions

In the event of the contract with the service and HCRG Care Group Ltd coming to an end, all relevant documentation and records will be transferred to the new provider(s).

The transfer of records will be conducted in accordance with the current UK Data Protection Law.

20. Changes to our privacy notice

We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information.

Date privacy notice last updated: March 2024