What Happens to my information?

Sexual Health Services (Embrace) privacy notice

Embrace is the name of Wolverhampton’s Sexual Health Service, providing confidential and non-judgmental services to residents of Wolverhampton. This includes all types of contraception and emergency contraception, testing and treatment for sexually transmitted infections (STIs), sexual health information and advice, and HIV care. We run clinics from our base at The Fowler Centre for Sexual Health at New Cross Hospital and also at the following community venues as well as outreach venues:
  • West Park Hospital
  • Bilston Health Centre
  • The Way Youth Centre
  • Base 25 
  • As well as a number of remote clinics held within other education and community venues
The following platforms are used to provide our service:
  • Online STI testing kit via our provider: SH UK - PreventX
  • Chat Sexual Health secure text messaging service for Wolverhampton residents of all ages
  • Telephone consultations
  • Face-to-face consultations
  • Video consultations via accuRx
Embrace processes information about you in order to provide health care services and, in so doing, has to comply with the requirements of the General Data Protection Regulations (GDPR).

This Fair Processing Notice informs all of our users why information is collected and held, the ways in which personal information may be used, who Embrace shares information with and how patient confidentiality is maintained. It applies to:
  • Patients
  • Complaints
  • Statistical data submissions and audits

  What information do we collect about you?

At Embrace we collect and process data on a daily basis in order to deliver the best possible care and treatment. We keep a record of your personal information as well as a record of each episode of care as this allows for continuity of care. Records within the service are stored in both paper and electronic format and include information such as:
  • Patient Demographics: e.g. name, address, contact details, date of birth, gender, ethnicity and registered GP practice.
  • Consent: e.g. permission for the service to contact the patient (telephone/letter).
  • Clinical consent: patient consent to undergo a clinical procedure.
  • Investigations: e.g. laboratory test results (paper copies and electronic records).
  • Diagnosis and Treatment: e.g. chronological record of support and treatment received.
  • Record of information shared with other health and social care professionals, e.g. Multi Agency Risk Assessment Conference (MARAC) referrals, homecare delivery system.
  • Details of any sexual partners if provided.

To ensure that our records are kept to a high standard, it is essential that we hold up-to-date and accurate patient information. It is your responsibility to ensure that we, as a service, hold up-to-date contact information for you. You will therefore be asked to review and update any changes to your information at every episode of care to assist with the delivery of quality healthcare.

Records are stored electronically for patients who have accessed our service. Patients are asked for their consent before any information is shared or uploaded onto the Trust electronic patient record system (Clinical Web Portal), which helps to ensure continuity of care across the Trust.

Chat Sexual Health
If you have accessed our texting service and have shared your identity with the clinician replying to your messages, a record will be created (or updated if an existing record is available) on our local electronic patient record system. The transcript of the conversation will be saved on this record. Copies of all conversation transcripts are held on a secure drive within Embrace. If you require services such as an appointment, we will require the demographic information detailed above.

SH UK - PreventX
Our online STI testing platform requires you to input the following personal information to enable the correct test kit to be delivered:
  • Name
  • Date of birth
  • Post code
  • Email address
  • Postal address
  • Mobile number
  • Gender
  • Sexual health and behaviour related information

SH UK - PreventX may collect statistical data about your browsing patterns and actions but does not identify you. Any personal data is held securely.


  How do we use this and what is the legal basis?

Information is collated by Embrace to allow the service to:
  • Provide a good basis for all healthcare decisions by you and care professionals.
  • Provide safe and effective care and treatment.
  • Offer services, referrals or information based on your profile.
  • Provide statistics on performance / audit of services.
  • Investigate complaints, legal claims or incidents.
  • Remind you of your appointment and contact you to notify when results are available.

To enable easier access to Embrace, we have access to a video consultation provider called accuRx. If it is deemed appropriate and the patient consents to a video consultation, we input the patient’s preferred telephone number, which generates a text message with a link to start the consultation. Recording of consultation notes would take place in the same manner as for face-to-face or telephone appointments, via our local electronic patient record system, and there would be no storing of the video consultation by Embrace or accuRx. Full details of accuRx’s security and privacy policy can be found at accuRx - Our Principles

Purpose of using personal data in Embrace and the legal basis of processing personal data
Provision of direct care and related administrative purposes, for example: appointment booking, referrals to hospital or other agencies (with patient consent where required) and patient communication.

GDPR Article 6(1)(e) - for the performance of a task carried out in the public interest or in the exercise of official authority.

GDPR Article 9(2)(h) - medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

For commissioning and healthcare planning purposes, for example: collection of STI testing data.

GDPR Article 6(1)(c) - for compliance with a legal obligation.

GDPR Article 9(2)(h) - medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

For planning, general running purposes and system improvements, for example: Care Quality Commission powers to require information and records.

Lawful basis for regulatory and public health functions

Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

GDPR Article 6(1)(c) - necessary for compliance with a legal obligation

GDPR Article 9(2)(j) - necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices

Lawful basis for safeguarding

GDPR Article 6(1)(e) - for the performance of a task carried out in the public interest or in the exercise of official authority.

GDPR Article 9(2)(b) - is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law.


  Who do we share your information with?

All services within the NHS have a legal duty to keep information about you secure and confidential. We will not disclose your information to third parties without your consent unless there are exceptional circumstances. These may be situations when the health and safety of yourself or others is at risk, or where the law permits information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential. Occasions when we must pass on information include:
  • Where a formal court order has been issued.
  • Where a serious crime has been committed.
The service is required by law to report statistical information to the appropriate authorities for commissioning and planning purposes (under GDPR Article 6(1)(c) and Article 9(2)(h)). Strict security measures are taken to anonymise patient information to ensure individuals cannot be identified outside the service. Statistical reports are shared with:
  • Services within the Royal Wolverhampton NHS Trust (e.g. Patient Advice and Liaison Service)
  • Wolverhampton Public Health Service
  • Wolverhampton Clinical Commissioning Group (CCG)
  • Public Health England
  • NHS England
To support the investigation of any concerns or complaints, information relating to episodes of care or treatment received will be shared with the Trust’s Patient Advice and Liaison Service (PALS). This includes:
  • Date/time of appointment/attendance.
  • Name of healthcare professional seen.
  • Investigations required.
  • Diagnosis.
  • Care/treatment provided, including prescriptions.

All information requests are managed and processed by the Royal Wolverhampton NHS Trust Health Records Service to enable the appropriate and lawful sharing of information and to protect the confidentiality of patient information. Upon receiving a request for information, the service will share all information pertinent to the request with the Health Records Service.

The NHS Trusts National Health Service and Community Care Act 1990 sets out the statutory basis for all health and adult social care providers to share information about a patient for their direct care. The lawful basis (GDPR Article 6 Condition for personal data and GDPR Article 9 Condition for special categories) for processing personal data is detailed within The Royal Wolverhampton NHS Trust’s Privacy Notice.

Chat Sexual Health
A confidentiality statement is sent to each patient at the beginning of a text conversation and full details of the provider’s (Chat Health) privacy notice can be found at Chat Health - Privacy

Please note, although Chat Health’s Privacy Notice states records may be viewable by GPs and other health care professionals, due to this platform being used in a Sexual Health Service, records are not routinely shared or able to be viewed by other departments including GPs unless patient consent has been obtained.


  Who and where do we obtain your information from?

Embrace collects personal information from a number of different sources, including:

  • Directly from yourself when accessing healthcare services, e.g. contacting us via telephone to make an appointment, attending a walk-in, and via email, online STI testing widgets on our website and the Chat Sexual Health text messaging service.
  • From other health and social care organisations following the transfer of patient medical records (HIV services) or referral to service.
  • From other organisations requesting information, e.g. solicitors requesting medical records.

  What rights do I have in relation to my information?

Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Health Records Access Team rwh-tr.healthrecordsaccess@nhs.net in the first instance. All rights should be considered within 30 calendar days from date of receipt, but may be extended if complex.

The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information. See How do I request my information? for details on how to request your information.

Right to Rectification
If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed.

The Right to Erasure
The right to erasure, also known as the ‘right to be forgotten’, introduces a right for you to have personal data erased. Generally this right is not available with health care data. Where this right is available for specific processing you will be notified.

The Right to Restrict Processing
The right to restriction allows you to request the restriction or suppression of your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if:
  • you contest the accuracy of your personal data and the accuracy is being verified by the Trust;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
  • the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.

The Right to Data Portability
The right to data portability allows you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your health care record unless:
  • The processing is based on your consent or in the performance of a contract;
  • When processing is carried out by automated means.

The Right to Object
The right to object to processing means that data should cease to be processed. This right applies only where data is obtained with your consent. In most cases we rely on our legal basis to process your data and not consent and therefore for care purposes this right may not apply. If your data is used for any other reason this right may apply, but would have to be assessed on an individual basis.

Use of profiling
Profiling is automated processing of personal data to evaluate certain things about an individual. The Trust may use profiling techniques for health care planning purposes. An example of this type of processing is the process of risk stratification of patients based on frequency of attendance.

For further enquiries about how your information is used via our online STI testing Saving Lives platform, please email dpo.savinglives@cordillo.com.


  National Data Opt Out: How we use your information for purposes in addition to your individual care

RWT is working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. This is called the National Data Opt Out.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

On this web page you will:
  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is currently compliant with the national data opt-out policy.


  How do I request my information?

You have a right to see or have copies of any information held by the Trust that relates to you free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests.

Subject Access Requests under GDPR rules (post 25 May 18) will be processed within 30 days. However, once our teams have established the volume of records requested there may be a requirement to extend this by up to a further 2 months. We will contact you within 30 days should this be the case.

To request access to health records please complete a Subject Access Request form, link provided below, and forward on to:

Health Records Access Team
Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
Wolverhampton
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 85544/85545/88093

Subject Access Request form (PDF, 171Kb)
Subject Access Request form (Word, 54Kb)


  How long is my information kept for?

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary. All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. For more information please see the Record Management Code for Practice for Health and Social Care 2016, retention schedules.

Contraception and Sexual Health Retention Periods
Basic retention requirement is 8 years unless the patient had an implant or device inserted, in which case it is 10 years. All records must be appraised prior to destruction, taking into consideration any serious long-term conditions (for example HIV) which may extend the retention period to 30 years. Children’s records are held until the child’s 25th birthday (or 26th if the patient was 17 at the conclusion of treatment).


  How to make a complaint

If you have any questions about your care or a complaint, please speak to the health professional with your care in the first instance. If this is not resolved to your satisfaction you can contact the Patient Advice and Liaison Service (PALS).

Data Protection Officer (DPO): Raz Edwards
Email: rwh-tr.IG-Enquiries@nhs.net
Address: New Cross Hospital, Wolverhampton Road, Heath Town, Wolverhampton WV10 0QP

The Data Protection Officer is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016 as well as any policies the Trust has in relation to the protection of personal data. The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

If you have any concerns about how your information is being processed or any of the rights as detailed above, please contact the Trust in the first instance through:

Health Records Access Team
Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
Wolverhampton
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 85544/85545/88093

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Telephone: 0303 123 1113
Website: https://ico.org.uk