Privacy notice

SH:24 Community Interest Company (SH:24 C.I.C., company number: 08737119) is the data controller and is responsible for your personal data (collectively referred to as ‘SH:24’, ‘we’, ‘us’ or ‘our’ in this Privacy Notice). SH:24 respects your privacy and is committed to protecting your personal data.

This Privacy Notice will tell you how we look after your personal data, and how and why we process any personal data we collect from you.

This Privacy Notice applies to you if you are:

  • a service user of this Website (https://sh24.org.uk)

  • a service user of SH:24 Services

  • an employee, contractor or other associated party contracted by SH:24’s Service Providers; or

  • any other individual with whom SH:24 may conduct commercial operations

This Privacy Notice does not apply to any services offered, or businesses operated by, other companies, legal entities, or individuals. For example, to learn more about how your local NHS Trust processes your Personal Data, you will need to visit the relevant NHS Trust’s Privacy Notice(s).

This Privacy Notice may change from time to time. We will post any changes to this Privacy Notice on the ‘Privacy’ section of our website. We have a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice.

If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact:

  • Data Protection Officer, The DPO Centre Ltd, 50 Liverpool Street, London, EC2M 7PY

  • Email: dpo@sh24.org.uk

  • Telephone: +44 (0)203 797 6340

  • EU Representative: The DPO Centre (Europe) Ltd, Alexandra House, 3 Ballsbridge Park, Dublin, D04 C7H2, Ireland

Information we may collect from you

Personal data, or personal information, means any information about an individual from which that person can be identified, whether directly or indirectly.

It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you. We have grouped the types of data together as follows:

  • identity data includes: first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender or gender identity and ethnicity

  • contact data includes: billing address, delivery address, email address and telephone numbers

  • health data includes: any information about your physical health including your medical history and/or current health status including but not limited to photographs you may provide, sexual history (including sexual orientation – where relevant) and information regarding test results, diagnoses and medications

  • technical data includes: internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our site

  • usage data includes: information about how you use our site, products and services

  • feedback data includes: information relating to your use of our site or services

We use your NHS number to help verify your identity and enable us to offer you the option of sharing your SH:24 record with your GP.

We also collect, use and share aggregated data such as statistical or demographic data, but only where such data is anonymous. Data is considered to be anonymous where you cannot be identified (whether directly or indirectly). For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.

However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data, which will be used in accordance with this Privacy Notice.

We do not collect, use or share any of your personal data for marketing purposes.

Keeping your data secure

We know that data security is important to you and it's therefore important to us. We have put in place appropriate security measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of your personal data.

We also limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, in accordance with this policy, and they’re subject to a duty of confidentiality.

We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We use SMS (text messaging). Most phone handsets provide a preview of incoming SMS on receipt – be aware that this may make your interaction with SH:24 visible to people around you. However, it’s possible to adjust your phone’s settings to prevent SMS previewing – it’s easy to change on most handsets. You may also wish to consider periodically deleting your SMS history with us, just in case you lose your handset.

Where we provide you with an account on our website, we have taken measures to ensure that your data is secure and encrypted at all times, both in transit and at rest.

How we will collect your data

In general, we will collect this data directly from you. Where this is the case, you are under no obligation to provide us with your Personal Data. However, a failure to provide Personal Data may result in us being unable to provide you with our Services. There may be instances where we need to collect data from third parties; for instance, we may use the Personal Demographic Service (PDS) to obtain your NHS Number.

We use different methods to collect data from and about you including through:

Direct interactions

You may give us any of the categories of data identified above by filling in forms on our site or by corresponding with us by phone, email or otherwise. This includes personal data you provide when you:

  • register to use our site

  • make a request for our products or services

  • create an account

  • give us feedback

Automated technologies or interactions

As you interact with our site, we may automatically collect Technical Data about your equipment, browsing actions and patterns.

We collect this personal data by using cookies, and other similar technologies.

We may also receive technical data about you if you visit other websites employing our cookies.

Please see our cookie policy for further details.

No decisions are made about you based solely on automated processing, including profiling, where that decision has a significant or legal effect.

Identity and contact data

From data brokers or aggregators such as Google Analytics (or similar organisations).

Why we will use your data

The lawful bases for processing are set out in Articles 6 and 9 of the UK General Data Protection Regulation (UK GDPR).

We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.

At least one of these must apply whenever we process personal data:

  • consent: you’ve given clear consent for us to process your personal data for a specific purpose. You can let SH:24 know at any time that you would like to withdraw your consent. Your request will be reviewed. Under certain circumstances if you withdraw your consent, we cannot always delete your data. Where this is the case, we'll inform you before you give your consent (for example, during the order journey on our website). For more information, please see the section on your legal rights below.

  • contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract

  • legal obligation: the processing is necessary for us to comply with the law

  • vital interests: the processing is necessary to protect someone’s life

  • public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

  • legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests

We may use your information for the following purposes:

Handling an initial request for a test kit and/or other services provided by SH:24, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24

Lawful basis: In order to take steps so you can enter into a contract with us for the delivery of healthcare.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Handling an initial request for a test kit and/or other services provided by SH:24, where processing of your Personal Data is necessary in the public interest

Lawful basis: In order to perform a task in the public interest.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Handling an initial request for a test kit and/or other services provided by SH:24, where processing of your Personal Data is in SH:24’s legitimate interest

Lawful basis: Our legitimate interests in providing our services.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Processing information about your sexual or medical history, including sensitive photographs for diagnostic purposes, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24

Lawful basis: In order to take steps so you can enter into a contract with us for the delivery of healthcare.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Processing information about your sexual or medical history, including sensitive photographs for diagnostic purposes, where processing of your Personal Data is necessary in the public interest

Lawful basis: In order to perform a task in the public interest.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Processing information about your sexual or medical history, including sensitive photographs for diagnostic purposes, where processing of your Personal Data is in SH:24’s legitimate interest

Lawful basis: Our legitimate interests in providing our services.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Providing healthcare (or health assessment) and related services, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24

Lawful basis: Fulfilling our contract with you for the delivery of healthcare.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Providing healthcare (or health assessment) and related services, where processing of your Personal Data is necessary in the public interest

Lawful basis: In order to perform a task in the public interest.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Providing healthcare (or health assessment) and related services, where processing of your Personal Data is in SH:24’s legitimate interest

Lawful basis: Our legitimate interests in providing our services.

Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.


Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant), where processing of your Personal Data is necessary for the performance of a contract between you and SH:24

Lawful basis: Fulfilling our contract with you for the delivery of healthcare.

Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.


Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant), where processing of your Personal Data is necessary in the public interest

Lawful basis: In order to perform a task in the public interest.

Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.


Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant), where processing of your Personal Data is in SH:24’s legitimate interest

Lawful basis: Our legitimate interests in providing our services.

Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.


Retention of your information where a medical record has been created

Lawful basis: Our legal obligation in retaining medical records according to statutory retention periods.

Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.


Providing you with an account for the purposes of accessing your health data and health assessment results

Lawful basis: Our legitimate interest in providing you with a secure method of accessing your health data.

Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.


Investigating complaints

Lawful basis: Our legitimate interests in improving our services.

Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.


Communicating with you and resolving any queries or complaints that you might have

Lawful basis: Our legitimate interests in providing the SH:24 service.

Additional legal basis for special categories of personal data: In order for us or a third party to establish, exercise or defend our legal rights.


Provision of feedback to help us improve our services

Lawful basis: Our legitimate interests in improving our service.


Clinical research and development

Lawful basis: Our legitimate interests in undertaking research and development.

Additional legal basis for special categories of personal data: Scientific research purposes.


Clinical research and development, where your explicit consent is required

Lawful basis: Your consent.

Additional legal basis for special categories of personal data: Your explicit consent.


Complying with our legal and regulatory requirements

Lawful basis: Compliance with a legal obligation.

Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.


Responding to any legal requests, including Data Subject Requests, Court Orders, requests from the Police or other relevant competent authorities and public bodies

Lawful basis: Compliance with a legal obligation to respond to legal requests, including Data Subject Requests, Court Orders, requests from the Police or other relevant competent authorities and public bodies.

Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.


Establishing, exercising, or defending our legal rights

Lawful basis: Our legitimate interests in establishing, exercising, or defending our legal rights.

Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.


Disclosing your personal data

We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:

  • sub-contractors for the performance of any contract we enter into with them or you (for example, distributors who may deliver test kits) or,

  • service providers acting as processors who provide IT and system administration services

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors who must comply with our instructions. They will hold your Personal Data securely and retain it for the period we instruct.

In addition to the Data Processors indicated above, we may have to share your personal data with third party Data Controllers in order to provide our services to you or otherwise fulfil our legal obligations.

Examples of third parties include:

  • local authorities/public services

  • NHS bodies

  • the Police, and other competent authorities

  • the Courts

  • accredited pharmacies

  • academic institutions for research purposes

We transfer personal data from the UK to the EEA, which the UK government has recognised as adequate for the purposes of the UK implementation of the GDPR. We may also transfer personal data from the UK to non-adequate countries such as the US on the basis of appropriate safeguards, such as approved standard data protection clauses. You can obtain a copy of these safeguards by contacting our Data Protection Officer using the contact details above.

Cookies

Consider whether you want a digital log of your visit to sh24.org.uk to be recorded in your browser.

If you do not want a record to be kept, you can choose to delete your browser history afterwards or view our pages in incognito mode or private browsing, which won’t store your browser history, cookies, or search history after you’ve closed your browsers. However, you are not invisible.

Using incognito mode or private browsing does not hide your browser history from your internet service provider, SH:24 (or your employer if you’re using a company device).

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.

If you disable or refuse cookies, please note that some parts of this site may become inaccessible or not function properly.

Read more about the cookies we use.

Change of purpose

We’ll only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details at the top of this page.

If we need to use your personal data for an unrelated purpose, we’ll notify you and explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How long we will keep your data

We will only retain records in accordance with the minimum periods required by law, NHS directions, including for example, in accordance with the IGA Records Management Code of Practice for Health and Social Care, other applicable orders and guidance, and guidance published by the British Association for Sexual Health and HIV. This means we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data are available in our records management policy which you can request from us by contacting us.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

You have certain rights in respect of your Personal Data. These rights include:

The right to be informed about our collection and use of personal data

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

The right to access your personal data

You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. We would ask for proof of identity and sufficient information about your interactions with us so that we can locate your Personal Data. If you would like to exercise this right, please contact us as set out below.

The right to rectify your personal data

If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.

Please note that there may be circumstances where the data we hold about you cannot be rectified for legal reasons, such as insertions onto your medical record. However, where you indicate to us that the data is inaccurate, or you dispute the accuracy, we will add a clear note to the file to indicate that this is the case.

The right to erasure

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.

There will be occasions where you ask us to delete your data, but we are unable to do so. For example, when we have a legal obligation to process the data about you for a specific period of time. If this is the case, we will reply and let you know. Please note that if you give us information that forms part of your medical record, we will not be able to delete this information (after the order is placed, this will include your answers to the questions that we ask on our website). Additionally, if we have sent out a testing kit to you, we will be unable to delete your data. This is because once a test kit is sent out, we cannot determine whether or not you go ahead and submit the test to a laboratory. If we delete your data at this point and you decide to go ahead with the test, we would have no way of informing you of the results.

The right to restrict processing

You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.

The right to portability

Where we are processing your Personal Data on the lawful bases of consent or contractual obligation, the right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.

The right to object

You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.

Rights related to automated decision-making

You have the right to object to our processing where a decision is made about you solely based upon automated processing and which has significant or legal effects. At SH:24, no decisions are made about you based solely on automated processing, including profiling, where that decision has a significant or legal effect. If you would like to contact us regarding this right, please contact us as set out below.

The right to withdraw consent

Where the lawful basis for processing your Personal Data is your Consent, you can withdraw your consent at any time, and we will no longer process your Personal Data for that purpose going forward. If you would like to exercise this right, please contact us as set out below.

As stated elsewhere in this notice, please note that there may be circumstances where you withdraw your consent, but we will not be able to delete the data that we hold about you. However, if you withdraw your consent, we will provide the next steps to give you the options to remove yourself from any further activity for which you originally gave your consent. The data that we hold will only be kept on file to comply with the legal obligations to which we are subject, such as maintaining your medical record.

The right to object to direct marketing

Where we are processing your Personal Data for the purposes of direct marketing, you can object to this purpose, and we will no longer process your Personal Data for this purpose going forward. If you would like to exercise this right, please contact us as set out below.

The right to complain to the supervisory authority

You can make a complaint to the Information Commissioner’s Office (ICO), or any other supervisory authority, at any time about the way we use your information. You can contact the ICO through their website located here. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

Children’s rights

We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a minor child who has provided us with personal information, you may contact us using the information below to request it be deleted.

More information about your privacy rights

Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you are a Data Subject in the EU, you can find your country’s regulatory body here. If you have any questions about which supervisory authority applies in your jurisdiction, please contact us as set out below.

In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website.

Contact us

If you have any questions about this Privacy Notice, or should you need to raise a complaint concerning your Personal Data, please contact us at dpo@sh24.org.uk.