Embrace is the name of Wolverhampton’s Sexual Health Service, providing confidential and non-judgmental services to residents of Wolverhampton. This includes all types of contraception and emergency contraception, testing and treatment for sexually transmitted infections (STIs), sexual health information and advice, and HIV care. We run clinics from our base at The Fowler Centre for Sexual Health at New Cross Hospital and also at the following community venues as well as outreach venues:

  • West Park Hospital
  • Bilston Health Centre
  • Phoenix Health Centre
  • The Way Youth Centre
  • Base 25 

The following platforms are used to provide our service:

  • Online STI testing kit via two providers: Saving Lives (Take a Test) and Quality Education Solutions Ltd (QES)
  • Chat Sexual Health secure text messaging service for Wolverhampton residents of all ages
  • Telephone consultations
  • Face-to-face consultations
  • Video consultations via accuRx

Embrace processes information about you in order to provide health care services and in so doing, has to comply with the requirements under General Data Protection Regulations (GDPR).

This Fair Processing Notice informs all of our users why information is collected and held, the ways in which personal information may be used, who Embrace shares information with and how patient confidentiality is maintained. It applies to:

  • Patients
  • Complaints
  • Statistical data submissions and audits

At Embrace we collect and process data on a daily basis in order to deliver the best possible care and treatment. We keep a record of your personal information as well as a record of each episode of care as this allows for continuity of care. Records within the service are stored in both paper and electronic format and include information such as:

  • Patient Demographics: e.g. name, address, contact details, date of birth, gender, ethnicity and registered GP practice.
  • Consent: e.g. permission for service to contact the patient (telephone/letter)
  • Clinical consent: patient consent to undergo a clinical procedure
  • Investigations, e.g. laboratory test results (paper copies and electronic records).
  • Diagnosis and Treatment, e.g. chronological record of support and treatment received 
  • Record of information shared with other health and social care professionals, e.g. Multi Agency Risk Assessment Conference (MARAC) referrals, homecare delivery system.
  • Details of any sexual partners if provided.

To ensure that our records are kept to a high standard it is essential that we hold up to date and accurate patient information. It is your responsibility to ensure we as a service hold up to date contact information for you. Therefore, you will be asked to review and update any changes to your information at every point of care episode to assist with the delivery of quality healthcare.  

Records are stored electronically for patients who have accessed the service for CaSH (contraception and sexual health) and/or GUM (genitourinary medicine) care. Records for patients who are living with HIV are currently in both paper and electronic format within Embrace. These patients are asked for their consent before any information is shared or uploaded onto the Trust electronic patient record system (Clinical Web Portal), which helps to ensure continuity of care across the Trust.

Chat Sexual Health

If you have accessed our texting service and have shared your identity with the clinician replying to your messages, a record will be created (or updated if an existing record is available) on our local electronic patient record system. The transcript of the conversation will be saved on this record. Copies of all conversation transcripts are held on a secure drive within Embrace. If you require services such as an appointment, we will require the demographic information detailed above.

Saving Lives and QES

Our online STI testing platforms require you to input the following personal information through secure widgets via our website, to enable the correct test kit to be delivered:

  • Name
  • Date of birth
  • Post code
  • Email address
  • Postal address
  • Mobile number
  • Gender
  • Sexual health and behaviour related information

QES may collect statistical data about your browsing patterns and actions but does not identify you. Any personal data is held securely. For further information, please email info@qes-online.com.

Information is collated by Embrace to allow the service to:

  • Provide a good basis for all healthcare decisions by you and care professionals.
  • Provide safe and effective care and treatment.
  • Offer services, referrals or information based on your profile.
  • Provide statistics on performance / audit of services.
  • Investigate complaints, legal claims or incidents. 
  • Remind you of your appointment and contact you to notify when results are available.
  • Provide statistics on performance / audit of services.

To enable easier access to Embrace, we have access to a video consultation provider called accuRx. If it is deemed appropriate and the patient consents to a video consultation, we input the patient’s preferred telephone number which generates a text message with a link to start the consultation. Recording of consultation notes would take place in the same manner as face-to-face or telephone appointments, via our local electronic patient record system and there would be no storing of the video consultation by Embrace or accuRx. Full details of accuRx’s security and privacy policy can be found at accuRx - Our Principles.

Purpose of using personal data in Embrace Legal basis of processing personal data
Provision of direct care and related administrative purposes, for example: appointment booking, referrals to hospital or other agencies (with patient consent where required) and patient communication.

GDPR Article 6(1)(e) - for the performance of a task carried out in the public interest or in the exercise of official authority.

GDPR Article 9(2)(h) - medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

For commissioning and healthcare planning purposes, for example: collection of STI testing data.

GDPR Article 6(1)(c) - for compliance with a legal obligation.

GDPR Article 9(2)(h) -medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

For planning, general running purposes and system improvements, for example: Care Quality Commission powers to require information and records.

Lawful basis for regulatory and public health functions

Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

GDPR Article 6(1)(c) - necessary for compliance with a legal obligation

GDPR Article 9(2)(j) - necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices

Lawful basis for safeguarding

GDPR Article 6(1)(e) - for the performance of a task carried out in the public interest or in the exercise of official authority.

GDPR Article 9(2)(b) - is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’


All services within the NHS have a legal duty to keep information about you secure and confidential. We will not disclose your information to third parties without your consent unless there are exceptional circumstances. These may be situations when the health and safety of yourself or others is at risk, or where the law permits information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.  Occasions when we must pass on information include:

  • Where a formal court order has been issued.
  • Where a serious crime has been committed.

The service is required by law to report statistical information to the appropriate authorities for commissioning and planning purposes (under GDPR Article 6 (1)(c) and Article 9(2)(h). Strict security measures are taken to anonymise patient information to ensure individuals cannot be identified outside the service. Statistical reports are shared with:

  • Within the Royal Wolverhampton NHS Trust – (e.g. Patient Advise Liaison Service)
  • Wolverhampton Public Health Service
  • Wolverhampton Clinical Commissioning Group (CCG)
  • Public Health England
  • NHS England

To support the investigation of any concerns or complaints, information relating to episodes of care or treatment received will be shared with the Trusts Patient Advise and Liaison Service (PALS). This includes:

  • Date/time of appointment/attendance.
  • Name of healthcare professional seen.
  • Investigations required.
  • Diagnosis.
  • Care/treatment provided, including prescriptions.

All information requests are managed and processed by the Royal Wolverhampton NHS Trust Health Records Service to enable the appropriate and lawful sharing of information and to protect the confidentiality of patient information. Upon receiving a request for information, the service will share all information pertinent to the request to the Health Records Service.

The NHS Trusts National Health Service and Community Care Act 1990 sets out the statutory basis for all health and adult social care providers to share information about a patient for their direct care. The lawful basis (GDPR Article 6 Condition for personal data and GDPR Article 9 Condition for special categories) for processing personal data is detailed within The Royal Wolverhampton NHS Trusts Privacy Notice.

Saving Lives terms and Conditions

Once you have inputted your details into the online testing widget, TakeATestUK (Saving Lives’ trading name) will pass your name and address details to their logistics supplier MedDX within an encrypted file so that they can send a testing kit to you. They will not send them any further personal information and they will not pass your name and address on to any other 3rd party.

MedDX will notify TakeATestUK when they dispatch your envelope. They will not keep your details once the address label has been printed and the request form has been inserted into your pack. Further information about Saving Lives’ terms and conditions can be accessed before confirming your kit to be dispatched and via Take a Test UK - Terms and Conditions.

Chat Sexual Health

A confidentiality statement is sent to each patient at the beginning of a text conversation and full details of the provider’s (Chat Health) privacy notice can be found at Chat Health - Privacy.

Please note, although Chat Health’s Privacy Notice states records may be viewable by GPs and other health care professionals, due to this platform being used in a Sexual Health Service, records are not routinely shared or able to be viewed by other departments including GPs unless patient consent has been obtained.

Embrace collects personal information from a number of different sources, including:

  • Directly from yourself when accessing healthcare services, e.g. contacting us via telephone to make an appointment, attending a walk in and via email, online STI testing widgets on our website and the Chat Sexual Health text messaging service
  • From other health and social care organisations following the transfer of patient medical records (HIV services) or referral to service.
  • From other organisations, requesting information e.g. Solicitors requesting medical records

Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Health Records Access Team rwh-tr.healthrecordsaccess@nhs.net in the first instance. All rights should be considered within 30 calendar days from date of receipt, but may be extended if complex.

The Right of Access

You have the right to request a copy of any information held by the Trust as well as any supplementary information. See How do I request my information? for details on how to request your information.

Right to Rectification

If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed. 

The Right to Erasure

The right to erasure is also known as the ‘right to be forgotten’ introduces a right for you to have personal data erased. Generally this right is not available with health care data. Where this right is available for specific processing you will be notified.

The Right to Restrict Processing

The right to restriction allows you to request the restriction or suppression your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if: 

  • you contest the accuracy of your personal data and the accuracy is being verified by the trust; 
  • the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and requests restriction instead; 
  • the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.

The Right to Data Portability

The right to data portability allows you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your health care record unless: 

  • The processing is based on your consent or in the performance of a contract; 
  • When processing is carried out by automated means.

The Right to Object

The right to object to processing means that data should cease to be processed. This right applies only where data is obtained with your consent. In most cases we rely on our legal basis to process your data and not consent and therefore for care purposes this right may not apply. If your data is used for any other reason this right may apply, but would have to be assessed on an individual basis.

Use of profiling

Profiling is automated processing of personal data to evaluate certain things about an individual.  The Trust may use profiling techniques for health care planning purposes.  An example of this type of processing is the process of risk stratification of patients based on frequency of attendance.

For further enquiries about how your information is used via our online STI testing Saving Lives platform, please email dpo.savinglives@cordillo.com.

You have a right to see or have copies of any information held by the Trust that relates to you free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests. 

Subject Access Requests under GDPR rules (post 25th May18) will be processed within 30days. However, once our teams have established the volume of records requested there may be a requirement to extend this up to a further 2 months. We will contact you within 30days should this be the case.

To request access to health records please complete a Subject Access Request form, link provided below and forward on to: 

Health Records Access Team

Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 5544

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary.  All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. For more information please see the Record Management Code for Practice for Health and Social Care 2016, retention schedules.

Contraception and Sexual Health Retention Periods

Basic retention requirement is 8 years unless the patient had an implant or device inserted, in which case it is 10 years. All records must be appraised prior to destruction, taking in to consideration any serious long-term conditions (for example HIV) which may extend the retention period to 30 years. Children’s records are held until the child’s 25th birthday (or 26th if the patient was 17 at the conclusion of treatment).

If you have any questions about how your information and would like to make a complaint, please speak to the health professional with your care in the first instance. If this is not resolved to your satisfaction you can contact:

Data Protection Officer (DPO): Raz Edwards

Email: rwh-tr.IG-Enquiries@nhs.net
Address: New Cross Hospital, Wolverhampton Road, Heath Town, Wolverhampton WV10 0QP

The Data Protection Officer is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trusts compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016 as any policies the Trust has in relation to the protection of personal data. The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. 

If you have any questions about your care or a complaint, please speak to the health professional with your care in the first instance.If this is not resolved to your satisfaction you can contact the Patient Advice and Liaison Service (PALS).

If you have any concerns about how your information is being processed or any of the rights as detailed above, please contact the Trust in the first instance through:

Health Records Access Team

Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 85544/85545/88093

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioners Office

Wycliffe House
Water Lane

Telephone: 0303 123 1113
Website: https://ico.org.uk/

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, and sometimes provide useful information to the owners of the site.

There are some cookies necessary to this site functioning, such as interacting with our accessibility toolbar. These cookies will usually remove themselves when you close your browsing session. More information can be found in the ‘Necessary cookies’ section.

We use some additional cookies, such as Google Analytics, to help us gather information and improve the website. You have the option to deny use of these cookies; more information can be found in the ‘Additional cookies’ section.

You can find more information on managing and deleting cookies on About Cookies.

Necessary cookies

The following cookies are necessary to our site functioning.

Cookie Purpose Expiry
cookieconsent_status Persistently records your option regarding additional cookies. 1 year

Necessary accessibility cookies

The following necessary cookies allow the functions within our accessibility toolbar to work optimally.

Cookie Purpose Expiry
accessibility-controls Records option regarding additional cookies. End of browsing session
saveFontSize Allows the website (CMS) to record if the user’s font size selection. End of browsing session
contrast-mode Allows the website (CMS) to record the user’s contrast mode selection. End of browsing session
googtrans Allows the language of page content to be changed and records the language selected. End of browsing session

Additional cookies

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the using Google Analytics.

You can read Google’s extensive information on data practices in Google Analytics.

You can opt-out of Google Analytics on our website by denying additional cookies or by using the Google Analytics Opt-out Browser Add-on.

Cookie Purpose Expiry
_ga Distinguishes user for Google Analytics. 2 years
_gid Distinguishes user for Google Analytics. 1 day
_gat Throttles request rate for Google Analytics. 1 minute
_ga_{ID} Persists session state for newer versions of Google Analytics. 2 years
_gat_gtag_UA_{ID} Persists session state for older versions of Google Analytics. 1 minute
__utma Distinguishes user and session for Google Analytics. 2 years
__utmb Determines new session or visit for Google Analytics. 30 minutes
__utmc Determines new session or visit for Google Analytics. End of browsing session
__utmz Stores traffic source for Google Analytics. 6 months

Captcha cookies 

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms. 

Cookie Source Path Purpose Expiry
Google (www.google.com /recaptcha Provides risk analysis to Google spam protection.  6 months