Guidance

STI and HIV surveillance systems: legal basis and confidentiality controls

Updated 26 February 2024

Applies to England

The UK Health Security Agency (UKHSA) uses surveillance data to understand the sexual health and wellbeing of the population in England, and to help improve services that prevent, diagnose and treat HIV and STIs.

Sexual health, reproductive health, and HIV services, as well as laboratories in England are required to submit surveillance data to UKHSA, which uses this data to protect and improve the population’s health.

Surveillance data submitted to UKHSA does not include names, addresses or other contact details.

UKHSA only collects the minimum necessary information from people accessing sexual health and HIV services, such as age in years, gender, and unique, non-identifying patient pseudonyms.

De-personalised data, including behavioural, diagnosis or treatment information, is submitted to UKHSA using the CTAD Chlamydia and GUMCAD STI surveillance systems, as well as the HIV and AIDS Reporting System (HARS).

CTAD, GUMCAD and HARS data is handled securely at UKHSA; use, storage and access is highly restricted and held to the same strict data security and confidentiality standards as those of the NHS; the collected data is stored and processed in the UK only.

UKHSA has a legal basis to collect this data without individuals’ consent under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 for the purposes of communicable disease surveillance and control, such as recognising risks and trends, identifying, monitoring and managing disease outbreaks.

UKHSA staff are bound by law to protect the confidentiality of the information they collect and use.

UKHSA never publishes or shares any information that could be used to identify anyone diagnosed with HIV or STIs.

All data published by UKHSA conforms with our HIV and STI data sharing policy to eliminate the risk of deductive disclosure.

People attending sexual health, reproductive health or HIV services may opt out of having their personal data shared with UKHSA by requesting this from the services they access.

NHS England has published guidance on patient confidentiality at sexual health and HIV services in England.

UKHSA is an executive agency of the Department of Health and Social Care (DHSC); the DHSC is the data controller for the data processed by UKHSA. UKHSA has published a general privacy notice explaining the data it processes to fulfil its remit from the government.