Hep C Website Privacy Policy

Hepctest.nhs.uk is operated by Preventx in partnership with NHS England.

This privacy policy provides an explanation as to what happens to any personal data that you provide to us, or that we collect from you.

We update this privacy policy from time to time so please do review this policy regularly, and before consenting to the use of future services.

Importantly, your information may be shared with third parties (such as the NHS and charities) who we partner with to deliver services such as your onward care. We try to ensure this is made clear to you when you use our service, and this is explained in more detail below.

Our services are not intended for children, and we do not knowingly collect data relating to children. You must be 16 years and over to access and use the services provided via this website.

1. Information About Our Organisation

Hepctest.nhs.uk is operated by Preventx Limited, who is the joint data controller for the service with NHS England.

Preventx and its partners make decisions on what data is processed and how this is done. These decisions are undertaken in accordance with the current data protection legislation.

Preventx is registered in England and Wales under Company number 06603066 and our registered office is at Meadowhall Business Park, Carbrook Hall Road, Sheffield, South Yorkshire, S9 2EQ.

Preventx is registered with the Information Commissioner’s Office (ICO), which regulates data protection in the UK, and our registration number is Z1828250.

For all requests regarding the control of your data, please contact our Data Protection Officer: [email protected]

Preventx Limited

Meadowhall Business Park

Carbrook Hall Road


S9 2QE

2. The Purposes of Processing

We process your data in order to deliver the hepctest.nhs.uk service to you. We will only use your personal data for the purposes for which we collected it, as described in section 3 below, such as when you registered to use our services.

3. Lawful Basis for Processing

Consent - You are asked for your consent for us to process your data in order for us to send you test kits, receive your samples for testing, and provide test results.

Public Interest - The processing of personal data is necessary for us to analyse the samples you return to us and to provide test results to you.

Prevention, diagnosis and treatment - In most cases we process your data in order to provide services for the prevention, diagnosis and treatment of illness in line with the Health and Social Care Act (2012).

4. What Data We Collect

The information that we collect and store relating to you is primarily used to enable us to provide you with services that you have explicitly ordered or requested. In some cases, you may opt-out of certain questions.

Personal Data - The information you give will be recorded and includes details such as your first name, last name, address, post code, date of birth, mobile number, email address, country of birth.

Health Data - Special category data may also be collected, including data such as gender identity, possible transmission route, and test results.

Technical Data - This includes your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Preference Data - This includes your preferences on receiving communications from us.

Usage Data - This includes information about how you use our website and services.

Anonymous Data - We also use and share anonymous data such as statistical or demographic data for reporting or research purposes. Anonymous data could be derived from your personal data but is not considered personal data in data protection law as this data will not directly reveal your identity. This includes providing mandatory national anonymised or aggregated data to NHS England, to the UK Health Security Agency and Office for Health Improvement and Disparities.

5. How Your Personal Data is Collected

We use different methods to collect data from and about you including through:

Direct Interactions – when you make contact with us by telephone, email, post, online or otherwise. This includes personal data you provide when you:

- Use our services.

- Subscribe to receive communications or publications.

- Request marketing information to be sent to you.

- Complete a survey.

- Give us feedback or contact us.

Use of Cookies - a cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a "device") browser from a website's computer and is stored on your device's memory. Read more about how we use cookies in our cookie policy [link].

6. Automated Decision-Making

We use automated decision-making to confirm eligibility for the services you may wish to access, for example based on your geographic postcode of residence and age.

7. How we Use your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

- Preventx will share the following personal data (via secure email exchange) with the partner who will be managing communication and support for any positive test results: Your first name, last name, date of birth, mobile number, positive result details

- To receive, store and analyse your samples.

- To receive, store, review and communicate your test results to you.

- To provide you with your test result and where appropriate, relevant follow-up guidance.

- To anonymise your personal data for service improvement, product or quality improvement and / or research, as relevant.

- We may share anonymised and/or aggregated data with other organisations such as NHS England, the Department of Health (including the UK Health Security Agency and Office for Health Improvement and Disparities (formerly known as Public Health England)).

We will never reveal personal information about our service users to other parties not described above but we may, on occasion, provide them with aggregate or anonymous statistical information about the users of our service and visitors to our service.

8. Recipients of your Personal Data

Both hepctest.nhs.uk and our partner organisation NHS England will manage the ongoing treatment of any positive test results and will adhere to strict privacy guidelines in order to protect your data. All information will be treated in strict confidence by the current or future partner organisations.

For the management of any positive test results our partners will be able to securely access your personal record and test results, and in some cases may share your information if required to do so, but always complying with data protection law.

Sometimes you may require assistance from our partner interpreting service. Where this is necessary, we will ensure that the minimum amount of personal information is shared with the interpreting service in order for you to obtain the support that you need to access the hepctest.nhs.uk service.

9. Laboratory Testing

Your sample will be tested in Preventx's specialist laboratory and in accordance with the laboratory's quality system. Standard testing carried out via this service is accredited to international standards, and more information can be read in the Preventx Laboratory Services document (https://www.preventx.com/laboratory).

Please note that some test samples may be retained by the laboratory after testing. These samples may be used for internal studies, public health initiatives (such as surveillance work with the UK Health Security Agency (UKHSA)) or for verification purposes (such as performing equipment validation). Samples used for these purposes will be anonymised, so they will always exclude personal data such as your name, date of birth, contact details, address and postcode.

10. Keeping Your Data Secure

We apply technical and organisational security measures to safeguard your personal data from accidental or unlawful destruction, loss, alteration or unauthorised disclosure and all personal data is stored in the UK on secure servers.

The effectiveness of our security controls is assessed and verified at least annually to standards set by the UK National Cyber Security Centre.

11. Why and When we Contact You

Depending on your contact preferences we may notify you by SMS, email, or telephone:

- Once we have dispatched your self-sampling kit.

- We will send a message with your results when they are ready.

- If you test positive, an NHS healthcare professional will call you to discuss the result.

- If you do not return your test kit promptly.

- When your kit has arrived at the laboratory.

- Once in the future to remind you to get tested again unless you have opted out.

Where you our clinical partners will make direct contact with you.

12. Legal Disclosure

Sometimes we have a legal duty to provide personal information to other organisations.

We may also share your personal information where this is allowed under data protection legislation (known as exemptions) and where doing so is more important than protecting your privacy. This doesn’t happen often, but in these circumstances, we may share your information:

- to find and stop crime and fraud; or

- if there are serious risks to the public, our staff or to other professionals; or

- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

For all these reasons, the risk must be serious before we can override your right to privacy.

If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we or our partners will discuss this with you and, if possible, get your permission to tell others about your situation before doing so.

We may still share your information if we believe the risk to others is serious enough to do so. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why, if we think it is safe to do so.

13. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In accordance with the NHS Records Management Code of Practice, your record will be retained for a minimum of 8 years after the last recorded entry. If you are aged 16 or 17 years your record will be retained for a minimum of 10 years after your 18th birthday.

After that point, we will remove personal information (e.g. name, house number, street name, telephone number and email) to provide an anonymised data set which is retained for statistical and research purposes only.

14. Your Rights

The law gives you a number of rights in relation to what personal information is used by Preventx, and how it is used. These rights allow you to ask us to:

Request Access – to your personal data (or "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request Correction - of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request Erasure - of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, where the information we process is used to assist clinicians at your NHS Trust with your care we are not always able to fulfil deletion ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service.

Object to Processing - of your personal data where we are processing it for direct communications purposes.

Request Restriction of Processing - of your personal data where you may need us to hold the data even if we no longer require it as you may need to establish, exercise or defend a legal claim.

Request the Transfer - of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the data to perform a contract with you.

Withdraw Consent at any time - where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. The right to withdraw consent and the right to erasure may not apply due to the nature of the services being provided and our basis in law for processing this data. We will consider requests to remove personal identifying information from your record to ensure that the data we do retain is anonymised, while enabling us to meet our statutory requirements.

As outlined above, we are not always able to fulfil erasure ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service. We are usually able to delete an account where there has been no clinical interaction (e.g. where you have not enrolled in a service and completed a consultation).

If you wish to exercise any of the rights set out above, please contact our data protection officer at [email protected]

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to assist us with our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you are not satisfied with how we are processing your personal data or with the response you have received from us, you have the right to lodge a complaint with the supervisory authority for the UK, which is the Information Commissioner’s Office (ICO).

The ICO contact details are as follows:

Telephone: 0303 123 1113

Website: https://ico.org.uk/make-a-complaint/

15. Third Party Links

You may find links to third party websites on our website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

16. Changes to this privacy policy

We will keep this privacy policy under review, and we may update it from time to time, for example to reflect changes that we might make to our services or to reflect changes in the law or best practice.

Any changes we make to this privacy policy in the future will be posted on this page. It was last updated in March 2023. We will notify you of any changes by posting a new version of the document on this page and updating the date. We will also report on such updates in our blog and news channels. We will undertake to inform you by your chosen communication route about all significant changes affecting the processing of personal data and its use by us.