We update this Policy from time to time, so please review this Policy regularly, and before consenting to the use of future services. Importantly, your information may be shared with third parties (such as your local NHS Trust) who we partner with to deliver services such as your onward care. We try to ensure this is made clear to you when you use our service, and this is explained in more detail below.
Our services are not intended for children, and we do not knowingly collect data relating to children. You must be 16 years and over to access and use the services provided via this website.
1. Information About Our Organisation
SH.UK is operated by Preventx Limited, who is the data controller for the service.
Preventx and its partners make decisions on what data is processed and how this is done. These decisions are undertaken in accordance with the current data protection legislation.
Preventx is registered in England and Wales under Company number 06603066 and our registered office is at Meadowhall Business Park, Carbrook Hall Road, Sheffield, South Yorkshire, S9 2EQ.
Preventx is registered with the Information Commissioner’s Office (ICO), which regulates data protection in the UK, and our registration number is Z1828250.
For all requests regarding the control of your data, please contact our Data Protection Officer:
Meadowhall Business Park
Carbrook Hall Road
2. The Purposes of Processing
We process your data in order to deliver the SH.UK service to you. We will only use your personal data for the purposes for which we collected it, as described in section 3 below, such as when you registered to use our services.
3. Lawful Basis for Processing
Consent - You are asked for your consent for us to process your data in order to register with us, enrol onto our services, receive test kits, return samples for testing, provide test results.
Public Interest - The processing of personal data is necessary for us to analyse the samples you return to us and to provide test results to you.
Prevention, diagnosis and treatment - In most cases we process your data in order to provide services for the prevention, diagnosis and treatment of illness in line with the Health and Social Care Act (2012). This service is funded by your local authority or NHS Trust.
4. What Data We Collect
The information that we collect and store relating to you is primarily used to enable us to provide you with services that you have explicitly ordered or requested. For example, to request a free sexual health test you will be asked a number of questions, including some personal questions. In some cases, you may opt-out of certain questions.
Personal Data - The information you give will be recorded and includes details such as your name, address, date of birth, contact information (e.g. telephone number).
Health Data - Special category data may also be collected, including data such as ethnicity, gender identity, responses to medical and safeguarding screening questions, medical testing history, and details of attendance with health providers that may have provided treatment.
Technical Data - This includes your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Preference Data - This includes your preferences on receiving communications from us.
Profile Data - This includes your username and password, orders made by you, feedback and survey responses.
Usage Data - This includes information about how you use our website and services.
Anonymous Data - We also use and share anonymous data such as statistical or demographic data for reporting or research purposes. Anonymous data could be derived from your personal data but is not considered personal data in data protection law as this data will not directly reveal your identity. This includes providing mandatory national anonymised or aggregated data to the UK Health Security Agency and Office for Health Improvement and Disparities.
5. How Your Personal Data is Collected
We use different methods to collect data from and about you including through:
Direct Interactions – when you make contact with us by telephone, email, post, online or otherwise. This includes personal data you provide when you:
- Use our services.
- Create an Account.
- Subscribe to receive communications or publications.
- Request marketing information to be sent to you.
- Complete a survey.
- Give us feedback or contact us.
Automated Interactions – as you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
We require cookies to be enabled so we can keep track of your progress through the request procedure. No personal or confidential information is stored in cookies, and most are only active whilst you are visiting the site.
6. Automated Decision-Making
We use automated decision-making to confirm eligibility for the services you may wish to access, for example based on your geographic postcode of residence and age.
We also use automated decision-making, based on clinical input, to determine whether our services are appropriate for your individual circumstances and to determine which type of service is most suitable for you.
If the automated decision-making process determines that you are not suitable for the service, you will be provided with information about accessing care from alternate locations and services.
7. How we Use your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Your data/record will be accessible by the NHS Trust, Sexual Health Service or Charity (also known as service providers) with whom we are partnered to manage service user testing through our service and who has directed you to our services. Before your online consultation, you will be made aware of your Service Provider, who will have access to your personal data and who will be responsible for your ongoing care, for example if you require treatment, support or further testing. You may also be able to find your local service provider by visiting our website www.sh.uk, which will enable you to check if we offer services in your area.
- To receive, store and analyse your samples.
- To receive, store, review and communicate your test results to you and to provide this through our website.
- To provide you with your test result and where appropriate, relevant follow-up guidance.
- To anonymise your personal data for service improvement, product or quality improvement and / or research, as relevant.
- Other organisations such as the Department of Health (including the UK Health Security Agency and Office for Health Improvement and Disparities (formerly known as Public Health England)) may receive anonymised and/or aggregate data only.
We will never reveal personal information about our service users to other parties not described above but we may, on occasion, provide them with aggregate or anonymous statistical information about our visitors.
8. Recipients of your Personal Data
Both SH.UK and the NHS Trust, Sexual Health Service or Charity managing your results adhere to strict privacy guidelines in order to protect your data and all information will be treated in strict confidence by the current or future service providers.
These service providers can securely access your full personal record and test results, and in some cases may share your information but must always comply with data protection law.
Some of these service providers will transfer your full personal record and test results to their own electronic health record system in order to manage any onward care that you may need.
Sometimes a service provider may share your data with a parent or related organisation, for example an NHS service may share data with other local NHS trusts, where a formal data sharing agreement is in place.
9. Laboratory Testing
Your sample will be tested in Preventx's specialist laboratory and in accordance with the laboratory's quality system. Standard testing carried out via the SH.UK service is accredited to international standards, and more information can be read in the Preventx Laboratory Services document (https://www.preventx.com/laboratory).
In some cases, we may use non-accredited tests to supplement your screening, however this would only ever be in agreement with doctors or clinicians of local sexual health service providers (with whom our services are contracted) (for example, specific sample and test combinations may be recommended but may fall outside of accreditation scope).
Please note that some test samples may be retained by the laboratory after testing. These samples may be used for internal studies, public health initiatives (such as surveillance work with the UK Health Security Agency (UKHSA)) or for verification purposes (such as performing equipment validation). Samples used for these purposes will be anonymised so will always exclude personal data such as your name, date of birth, contact details, address and postcode.
10. Keeping Your Data Secure
We apply technical and organisational security measures to safeguard your personal data from accidental or unlawful destruction, loss, alteration or unauthorised disclosure and all personal data is stored in the UK on secure servers.
The effectiveness of our security controls is assessed and verified at least annually to standards set by the UK National Cyber Security Centre.
11. Why and When we Contact You
Depending on your contact preferences we may notify you by SMS, email, telephone or post:
- Once we have dispatched your self-sampling kit.
- If you do not return your test kit promptly.
- When your kit has arrived at the laboratory, and when your results are ready.
- Once in the future to remind you to get tested again unless you have opted out.
We will send a text message to the mobile number used to register your account to let you know when information in your account has been updated, for instance, when results have been added to your account and are ready for you to view.
Where you may require treatment or onward care, or in certain circumstances where our system determines you may need additional support (for example if we believe you may be at risk) our clinical partners may make direct contact with you.
If we have an urgent need to speak to you regarding your results, we will telephone you using the mobile number registered to your account. If our clinical partners really need to contact you regarding treatment or onward care and are unable to do so (i.e. after a number of unsuccessful attempts) they may contact your GP to ensure you can receive the care you need.
12. Legal Disclosure
Sometimes we have a legal duty to provide personal information to other organisations.
We may also share your personal information where this is allowed under data protection legislation (known as exemptions) and doing so is more important than protecting your privacy. This doesn’t happen often, but in these circumstances, we may share your information:
- to find and stop crime and fraud; or
- if there are serious risks to the public, our staff or to other professionals; or
- to protect a child; or
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
For all these reasons, the risk must be serious before we can override your right to privacy.
If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we or our partners will discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to others is serious enough to do so. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why, if we think it is safe to do so.
13. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
In accordance with the NHS Records Management Code of Practice, your record will be retained for a minimum of 8 years after the last recorded entry. If you are aged 16 or 17 years your record will be retained for a minimum of 10 years after your 18th birthday.
After that point, we will remove personal information (e.g. name, house number, street name, telephone number and email) to provide an anonymised data set which is retained for statistical and research purposes only.
14. Your Rights
The law gives you a number of rights in relation to what personal information is used by Preventx, and how it is used. These rights allow you to ask us to:
Request Access – to your personal data (or "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request Correction - of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request Erasure - of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, where the information we process is used to assist clinicians at your NHS Trust with your care we are not always able to fulfil deletion ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service.
Object to Processing - of your personal data where we are processing it for direct communications purposes.
Request Restriction of Processing - of your personal data where you may need us to hold the data even if we no longer require it as you may need to establish, exercise or defend a legal claim.
Request the Transfer - of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the data to perform a contract with you.
Withdraw Consent at any time - where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. The right to withdraw consent and the right to erasure may not apply due to the nature of the services being provided and our basis in law for processing this data. We will consider requests to remove personal identifying information from your record to ensure that the data we do retain is anonymised, while enabling us to meet our statutory requirements.
As outlined above, we are not always able to fulfil erasure ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service. We are usually able to delete an account where there has been no clinical interaction (e.g. where you have not enrolled in a service and completed a consultation).
If you wish to exercise any of the rights set out above, please contact our data protection officer at [email protected]
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to assist us with our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you are not satisfied with how we are processing your personal data or with the response you have received from us, you have the right to lodge a complaint with the supervisory authority for the UK, which is the Information Commissioner’s Office (ICO).
The ICO contact details are as follows:
Telephone: 0303 123 1113
15. Third Party Links
You may find links to third party websites on our website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
Privacy Notice – last updated February 2023.