Skip to content

Sexual health services privacy notice

We keep this privacy notice under regular review and it was last updated on 11 April 2025.

Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

Who we are

Kent County Council (KCC) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.

Under the Health and Social Care Act 2012 Section 12(c) KCC has a statutory responsibility for public health including Sexual Health (SH).

Under Regulation 6.1 (a) of The Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013, Local Authorities have a statutory obligation to meet the three broad responsibilities of testing and treatment for Sexually Transmitted Infections (STIs), advice on, and reasonable access to a broad range of contraceptive substances and appliances, and general advice and promotion of key messages to enable positive SH outcomes and to prevent ill SH.

As part of its response to this duty, KCC commissions:

NHS and Care Services

We have processes in place for considering requests for data disclosures for purposes beyond direct care which is consistent with the national data opt-out policy. Our organisation is compliant with the national data opt-out policy.

To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out, you can still consent to your data being used for specific purposes.

Personal information we collect and use

Information collected by us

When you present to a sexual health service, and throughout your care, you will be asked a series of questions which the services keep as a record of your treatment. The following personal information may be collected as part of this process:

  • Personal information, for example, your name, address, age and/or date of birth, sex, NHS Number.
  • Contact information, for example, your telephone number, email address, postal address, or contact details for members of your family and support network.

The following ‘special category data’ (personal data which is more sensitive and is treated with care and protection) can also be collected as part of this process:

  • Biometric data, including sexually transmitted infection (STI) status.
  • Health and wellbeing information, for example, information on health conditions, your circumstances, health concerns and personal safety concerns, needs and wishes.
  • Information about your current and or past treatment.
  • Equality monitoring information, such as ethnic origin, gender identity or sexual orientation.

In the instance that you are diagnosed with an STI whilst in contact with our commissioned services, you will be given encouragement and support from a healthcare professional to notify any recent sexual partners about the STI so that they can get tested. This may include collection of personal data of recent sexual partners.

In addition, information on criminal proceedings may also need to be disclosed and shared with services involved in your treatment, care and support. This will only be shared in very narrow circumstances, for example, to ensure yours and others safety.

Our services also keep records of professionals involved with the services, for example for mailing lists or training and administration purposes.

KCC does not receive or process any personally identifiable patient information, this is done by your provider to the extent described in this notice. Our contractual arrangements with our service providers ensure that the grounds on which they may collect, and process data are clear, and there are appropriate arrangements for data security (including a process for dealing with any data breaches) and for the deletion of data when it is no longer required.

Even if KCC does not receive personally identifiable details about you from our providers, KCC is a data controller as we determine the manner and processing of the data on behalf of the providers. In some cases, such as the LARC in Primary Care service, the provider is also a data controller for the patient records, while KCC controls only the records relating to management of the service. In other cases, the controllership may be shared with the provider, such as in the Integrated sexual health service.

Please refer to our providers’ own Privacy Notices via the links below or contact them if you wish to know more.

Data sharing

Some partially identifiable information is shared with the UK Health Security Agency (UKHSA) and the Office for Health Improvement and Disparities (OHID), overseen by the Department of Health and Social Care (DHSC), using the CTAD Chlamydia and GUMCAD STI surveillance systems, as well as the HIV and AIDS Reporting System (HARS) and Sexual and Reproductive Health Activity Dataset (SRHAD).  KCC, OHID and UKHSA never publish any information that could be used to identify individual people. Your data may be shared with other organisations and combined with other datasets for further analyses such as system and service planning, and research. Any shared data will be de-identified (or depersonalised) at source as appropriate, before it is shared elsewhere, to protect confidentiality.

Sexual health and HIV: privacy notice - GOV.UK and UKHSA privacy notice - GOV.UK explain the personal information they collect, how they use it and who it may be shared with. DHSC is the data controller for the personal information UKHSA collects, stores and uses to fulfil their organisational remit.

We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings.

How we use your personal information

The data is used within the local authority, UK Health Security Agency (UKHSA) and the Office for Health Improvement and Disparities (OHID) to:

  • monitor how effective sexual health services are;
  • monitor contractual performance of the commissioned services;
  • plan and develop services that best meet local needs;
  • produce statistics and support research about sexual health and treatment.

Any information that is submitted for national analysis and publication is processed in a way that means individuals cannot be identified.

Reasons we can collect and use your personal data

When we collect your personal data, we rely on the following legal bases:

  • Article 6(1)(a) – the individual has given clear consent for you to process their personal data for a specific purpose.
  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When we collect your ‘special categories of personal data’ (such as health and wellbeing), we rely on the following legal bases:

  • Article (9)(2)(h) - processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services
  • Article (9)(2)(i) – processing is necessary for reasons of public interest in the area of public health
  • Article (9)(2)(j) – processing is necessary for archiving, research and statistics

We rely on the Public Health, health or social care purposes and research conditions from Schedule 1 of the Data Protection Act 2018 when relying on Article(9)(2)(h) or (i) to process your special category data.

We take the following appropriate safeguards in respect of your special category data when relying on the conditions above:

  • ‘Data Protection by Design’ is implemented in all processing of personal data.
  • We maintain a record of our processing in our ‘Record of Processing Activities’.
  • We have a retention schedule which explains how long data is retained and we record any reasons deviating from the periods in it.
  • We adhere to a Data Protection and Information Governance Policy and Framework.

We may share personal information with our legal and professional advisers in the event of a dispute, complaint or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

How long your personal data will be kept

We will only hold your personal information for as long as necessary. To work out how long KCC needs to keep the information for we use our retention schedule (AS6.1.3, AS6.1.4 and AS6.6.4).

How long our providers will hold your personal data will be outlined in their privacy notices.

Your rights

Under the UK GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioners Office.

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.

Your right to withdraw your consent

Where we rely on your consent to process your personal information, you can withdraw your consent to our use of your data at any time. You can do this by contacting public.health@kent.gov.uk.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Contact

Contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.

UK GDPR also gives you right to lodge a complaint with Information Commissioner, who may be contacted via the Information Commissioner's website or call 03031 231113.

Read our corporate privacy statement.