We update this Policy from time to time so please do review this Policy regularly, and before consenting to future services. Importantly, your information may be shared with third-parties (such as your local NHS Trust) who we partner with to deliver services such as your onward care. We try to ensure this is made clear to you when you use our service and is explained in more detail below.
Information About Our Organisation
SH.UK is operated by Preventx Limited, who is the data controller for the service.
Preventx and its partners make decisions on what data is processed and how this is done.
These decisions are undertaken in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
For all requests regarding the control of your data, please contact our Data Protection Officer:
Meadowhall Business Park
Carbrook Hall Road
The Purposes of Processing
We process your data in order to deliver the SH.UK service to you. You are asked for your consent for us to process your data in order to register with our services, receive test kits, etc.
Lawful Basis for Processing
In order to access our services, we ask for your consent and this is the primary basis on which we process your data.
However, in most cases we process your data in order to provide services for the prevention, diagnosis and treatment of illness in line with the Health and Social Care Act (2012) which are funded via your local authority or NHS Trust.
Additionally, some of the data we collect is processed in the public interest such as to provide mandatory national data to Public Health England.
Due to the complex nature of consent and legal exemption, we are not always able to fulfil deletion ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service.
What Data We Collect
The information that we collect and store relating to you is primarily used to enable us to provide our services to you, which you have explicitly ordered or requested. For example, to request a free sexual health test you will be asked a number of questions, including some personal questions. In some cases, you may opt-out of certain questions.
The information you give will be recorded and includes details such as your name, address, date of birth, contact information (e.g. telephone number).
Special category data may also be collected including items such as ethnicity, gender identity, responses to medical and safeguarding screening questions, medical testing history, details of attendance with health providers that may have provided treatment.
Your data is stored in the UK on secure servers which sit within the NHS network (N3/HSCN) but are firewalled from both the NHS N3/HSCN network and the public internet. All personal data is transferred securely and there is no transfer of personal data to countries outside of the UK or international organisations.
In addition to the above, by accessing our website we also collect some information about your visit such as details of the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data.
Recipients of your Personal Data
In the case of most of our free testing services, your data/record will be accessible by the nominated Patient Management Provider (PMP). Such providers will be responsible for your ongoing care, for example if you require treatment, support or further testing.
A full list of PMPs has not been included as this may change over time and will depend on your geographic location in the UK and the services you wish to use. Instead, we will explicitly and clearly inform you of the PMP with access to your record(s) and responsible for your care before you enrol in a service.
The PMP is usually the funding organisation, or a specialist sexual health service or charity who are partnered with us to manage patients testing via SH.UK, however this can change over time due to new commissioning and service migrations. Both SH.UK and any providers managing results adhere to strict privacy guidelines in order to protect your data, and all information will be treated in strict confidence by the current or future service providers.
The PMP can securely access your full personal record and test results, and in some cases may share your information but must always comply with data protection law.
Sometimes a PMP may share your data with a parent or related organisation, for example an NHS service may share data with other local NHS trusts, where they are party to a Data Protection Impact Assessment (DPIA) and a formal data sharing agreement.
You may wish to contact your PMP for more information on their data protection practices.
Please be advised that we never reveal information about identifiable individuals to other parties outside of our standard pathway (as described above) but we may, on occasion, provide them with aggregate or anonymous statistical information about our visitors.
Other organisations such as the Department of Health (including Public Health England) may receive anonymised and/or aggregate data only.
Why and When we Contact You
Depending on your contact preferences we may notify you by SMS or email:
- Once we have dispatched your self-sampling kit.
- Up to three times if you do not return your test kit promptly.
- When your kit has arrived at the laboratory, and when your results are ready.
- Once in the future to remind you to get tested again unless you’ve opted out.
Where you may require treatment or onward care, or in certain circumstances where our system determines you may need additional support (for example if we believe you may be at risk) our care partners may make direct contact with you.
If our clinical partners really need to contact you regarding treatment or onward care and are unable to do so (i.e. after a number of unsuccessful attempts) they may contact your GP to ensure you can receive the care you need.
Sometimes we have a legal duty to provide personal information to other organisations.
We may also share your personal information when we consider/believe that there is a good reason to do so, which is more important than protecting your privacy. This doesn’t happen often, but in these circumstances, we may share your information:
- to find and stop crime and fraud; or
- if there are serious risks to the public, our staff or to other professionals;
- to protect a child; or
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
For all these reasons, the risk must be serious before we can override your right to privacy.
If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we or our partners will discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to others is serious enough to do so. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why, if we think it is safe to do so.
Duration of Storage
We will only hold your personal information for as long as it is necessary to fulfil our legal duties or business purposes.
In line with national clinical guidelines, your record will be retained for a minimum of 10 years after the last recorded entry. If you are aged 16 or 17 years your record will be retained for a minimum of 10 years after your 18th birthday.
After that point, we may remove personal identifying information (e.g. name, house number, street name, telephone number and email) to provide an anonymised data set which is retained for legal, statistical and research purposes only.
The law gives you a number of rights in relation to what personal information is used by Preventx, and how it is used. These rights allow you to ask us to:
- provide you with a copy of the personal information that we hold about you
- correct personal information about you which you think is inaccurate
- delete personal information about you if you think we no longer should be using it
- stop using your personal information if you think it is wrong, until it is corrected
- transfer your personal information to another provider in a commonly used format
- review automated decision-making processes that have been used to make decisions about you.
The right to withdraw consent and the right to erasure may not apply due to the nature of the services being provided and our basis in law for processing this data. We will consider requests to remove personal identifying information from your record to ensure that the data we do retain is anonymised, while enabling us to meet our statutory requirements.
As outlined above, due to the complex nature of the service we are not always able to fulfil deletion ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service. We are usually able to delete an account where there has been no clinical interaction (e.g. where you have not enrolled in a service and completed a consultation).
You have the right to lodge a complaint with a supervisory authority. For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.
We use automated decision-making to confirm eligibility for the services you may wish to access, for example based on your geographic postcode of residence and age.
We also use automated decision-making, based on clinical input, to determine whether our services are appropriate for your individual circumstance and to determine which type of service is most suitable for you.
If the automated decision-making process determines that you are not suitable for the service, you will be provided with information about accessing care from alternate locations and services.
A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a "device") browser from a website's computer and is stored on your device's memory.
We require cookies to be enabled so we can keep track of your progress through the request procedure. No personal or confidential information is stored in cookies, and most are only active whilst you are visiting the site.
Your sample will be tested in Preventx's specialist laboratory and in accordance with the laboratory's quality system. Standard testing carried out via the SH.UK service is accredited to international standards, and more information can be read in the Preventx Laboratory Services document (https://www.preventx.com/laboratory).
In some cases, we may use non-accredited tests to supplement your screening, however this would only ever be in agreement with doctors or clinicians (for example, specific sample and test combinations may be recommended but may fall outside of accreditation scope).
Please note that some test samples may be retained by the laboratory after testing for internal studies and verification purposes (such as performing equipment validation). Samples used for wider validation or laboratory studies will be anonymised.
Third Party Links
You may find links to third party websites on our website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.