Sexual health and HIV: privacy notice
Updated 26 February 2024
Applies to England
About UKHSA
The UK Health Security Agency (UKHSA) is responsible for planning, preventing and responding to external health threats, and providing intellectual, scientific and operational leadership at national and local level, as well as internationally. It combines many of the health protection activities previously undertaken by Public Health England (PHE) together with all of the activities of the NHS Test and Trace Programme and the Joint Biosecurity Centre (JBC).
UKHSA is an executive agency of the government, sponsored by the Department of Health and Social Care (DHSC). The DHSC is the data controller for the personal information we collect to help fulfil our remit to protect the public’s health. You can find out more about UKHSA and what we do. You can also find out about the data and information we collect in our general privacy notice.
UKHSA’s responsibilities include collecting information on sexually transmitted infections (STIs) and human immunodeficiency virus (HIV). We use this information to help improve the nation’s sexual health and wellbeing, to understand more about people’s access to care and the effectiveness of interventions such as HIV pre-exposure prophylaxis (PrEP) or human papillomavirus (HPV) vaccination, and to monitor outbreaks of STIs and HIV across the nation.
This privacy notice explains the information on STIs and HIV that we collect and use for these purposes. It explains what your rights are if we hold your information, and how you can find out more or raise a concern.
The information collected by sexual health and HIV clinics and laboratories
When you attend a sexual health or HIV clinic or access their services through their website or by phone, they collect a range of personal information to provide you with individual care.
This information comes directly from you and may include:
- demographic information – such as your name, date of birth, gender, ethnicity and contact details (including your address)
- health information – such as details about your general health, your symptoms and your sexual risk factors (such as having sex with a new partner without using a condom)
- treatment information – such as information on the medicines you have been prescribed
Information about changes in your health is collected at regular points by your clinic as you reattend for follow up visits or progress through your treatment.
NHS England has published guidance on patient confidentiality at sexual health and HIV services in England.
The information shared with UKHSA
STIs and HIV can have a serious impact on people’s health and wellbeing and, if left untreated, can present a serious risk to your health and the health of your sex partners.
If you have received STI or HIV testing or care, your sexual health or HIV clinic or their laboratory will report some of your information to UKHSA.
To protect your confidentiality, the information we collect is de-personalised and does not include anything that directly identifies you.
For example, we do not collect your name, address or NHS number. Instead, we use unique, non-identifying codes that allow us to review the information we receive in a way that does not reveal who you are.
How the information is used by us
The de-personalised information we collect is used for the following purposes to:
- measure numbers and trends in STIs and HIV – this may involve linking together information about your sexual health and treatment using unique, non-identifying codes
- measure access to sexual health services – this includes looking at differences by age, gender, ethnicity, geographical location and sexual orientation
- determine the effectiveness of preventative interventions such as PrEP or HPV vaccination
- monitor outbreaks of STIs and HIV
- publish reports on STIs and sexual health services – you can find these reports on the STI annual data tables page and the National Chlamydia Screening Programme data tables page
- publish reports on HIV diagnoses and care
- advise the DHSC and the NHS on further actions to improve the nation’s sexual health and wellbeing, and to reduce the public health impacts of STIs and HIV
The reports we publish and share are based on de-personalised information and do not include anything that can be used to identify individual people.
How we protect your information
The de-personalised information we collect from sexual health and HIV clinics and laboratories is protected by us in a number of ways.
It is sent to us using a secure online data collection service and is held on computer systems that are kept up-to-date and regularly tested to make sure they are protected from viruses and hacking. Our computer systems use robust security protections and encryption measures.
The information we collect can only be seen by UKHSA staff who are trained in the requirements of data protection law and protecting confidentiality. Strict controls are in place to make sure these staff can only see the minimum amount of information they need to do their job.
The information we collect from sexual health and HIV clinics and laboratories is stored in the UK only.
How long we keep your information
We only keep your information for as long as we need it.
Most of the time, we will keep your information in accordance with the time periods specified in the Records Management Code of Practice for Health and Social Care 2021. For example, the Code sets out an 8-year retention period for general medical records.
As one of our purposes for collecting information on STIs and HIV is to recognise trends and monitor the impact of diseases and conditions that have a long natural history, we may need to keep your information for longer.
Our legal basis to use your information
The law on protecting personal information, known as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, allows UKHSA to use the de-personalised information it collects from sexual health and HIV clinics and laboratories.
The sections of the UK GDPR and the Data Protection Act that apply are:
- UK GDPR Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest’
- UK GDPR Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health’
- Data Protection Act 2018 Schedule 1 Part 1 (3) ‘public health’
Your rights over your information
Under data protection law, you have a range of rights over your personal information.
As the information we collect from sexual health and HIV clinics and laboratories is de-personalised, this means we cannot identify you from the information we collect.
Should you wish to exercise any of your rights, such as the right to receive a copy of your personal information, you will need to contact the clinic that provided your care.
You can also opt out of your de-personalised information being collected by UKHSA from your clinic. Please contact the clinic that provided your care for further information.
How to find out more or raise a concern
If you have any questions about the de-personalised data UKHSA collects on STIs and HIV, you can contact us at gumcad@ukhsa.gov.uk
If you have any questions about how UKHSA uses and protects your information, you can contact the Department of Health and Social Care’s Data Protection Officer at data_protectionofficer@dhsc.gov.uk or by writing to:
Office of the Data Protection Officer
Department of Health and Social Care
1st Floor North
39 Victoria Street
London SW1H 0EU
You also have the right to contact the Information Commissioner’s Office (ICO) if you have any concerns about how UKHSA uses and protects your information. You can do so by calling the ICO’s helpline on 0303 123 1113, visiting the ICO’s website or writing to the ICO at:
Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
About this privacy information
The information we collect may change so we may need to revise this notice. If we do, the publication date provided at the top of this notice will change.