
Privacy and confidentiality

Everyone has the right to confidential sexual health advice and services, including young people

This page contains information about privacy and confidentiality when using Brook services. For information about privacy and data protection when using our website, receiving communications or applying for jobs, please view the privacy policy.

Confidentiality at Brook

At Brook we offer a confidential service. This means that we do not talk about your visit to anyone outside Brook without your permission unless you or another person are in serious danger. If you have any worries or questions about confidentiality, don’t hesitate to ask us.

Read general information about your rights when visiting other sexual health services.

At Brook we have a Caldicott Guardian. This is a senior staff member responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. If you need to contact the Caldicott Guardian, please email dataprotection@brook.org.uk.


Brook adheres at all times to data protection legislation, currently DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), which provide the following rights for individuals:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

You can read more about your data rights on the Information Commissioner’s website.  

This statement outlines our policies for ensuring these rights are met and maintained. If you have any concerns or questions relating to your rights regarding personal data, please contact us on dataprotection@brook.org.uk. You can also read more information about accessing your records below.

How we use your information when visiting a Brook service

When you use a Brook service, whether that’s by attending a clinic, accessing an online service (for example, requesting an STI home test kit, treatment or contraception) or participating in education programmes, any information you provide will be given to Brook Young People (which is Brook’s full legal name). This means that Brook is the ‘Data Controller’ for your data and we are responsible for keeping it safe. You can find the contact details for Brook’s Data Protection Officer below.

Our promise of confidentiality relates to the organisation as a whole. To make sure that we provide you with the best care, members of staff have to share information about you with other members of the Brook team.

When Brook works with another health service provider

Brook services often work together with another Health Service provider in a partnership arrangement. Should this be the case in the service you access, the information about you will be shared with them, but your rights to confidentiality remain exactly the same. You can ask your local service for information on any partners that your data will be shared with.

DrDoctor online appointment booking

Brook uses the DrDoctor appointment booking platform to offer online appointment booking for certain services in some locations. 

We have worked closely with DrDoctor to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the DrDoctor platform will only be used for the purposes of booking and managing your appointment. 

More information about how DrDoctor collect, store and manage your data securely is available at my.drdoctor.co.uk/privacy.

SXT online appointment booking

Brook uses the SXT appointment booking platform to offer online appointment booking for certain services in some locations. 

We have worked closely with SXT to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the SXT platform will only be used for the purposes of booking and managing your appointment. SXT remove all data from the platform after an appointment has taken place or when a booking is cancelled. 

More information about how SXT collect, store and manage your data securely is available at sxt.health/privacy_policy.

My Brook

The My Brook portal is available to people living in Dudley and Thurrock who want to access Brook services online. It is not currently available for users of any other Brook service.

My Brook was developed and configured for Brook by Mindwave Ventures Limited (hereafter referred to as Mindwave).

We have worked closely with Mindwave to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the My Brook portal will only be used for the purposes of booking and managing your appointments, managing your test results, or providing you with a requested service, for example, an STI test, contraception or treatment.

The information you provide us through My Brook will be stored on your Brook record and, if you are new to our service, may be used to create a record for you.

Please continue reading to find out more about your Brook record, including:

  • Who can see my Brook record?
  • What information do we collect about you and why?
  • How your records are used
  • How do we store your records
  • Accessing your records

You can read Mindwave’s own Privacy Policy here: mindwaveventures.com/privacy-policy/

My Brook text messages (SMS) and emails

My Brook uses Firetext, also used by the NHS, to send text messages. More information about how Firetext keeps your data safe can be found at firetext.co.uk/privacy/gdpr

My Brook uses SendGrid to send emails. More information about how SendGrid keeps your data safe can be found at sendgrid.com/policies/security

How will we contact you

We will not send test results or contact you at home unless you have given us your permission. That’s why we always ask if we can write to you at home. It’s important that we have some way to contact you so we will always ask if there is another address we can use or some other way to contact you such as email or mobile phone.

We will never leave messages for you with someone else, or on voicemail, unless you have told us that was OK.

We may be able to send you a text with your STI test results. If we can do this at the service you are visiting, we will tell you first. Where we use an external SMS provider, we will make sure they won’t share your phone number or use it for anything else.

Will you contact my doctor?

We won’t tell your family doctor about your visit if you don’t want us to.

You might be asked each time you visit us whether it’s OK for us to contact your doctor. If you don’t want your doctor to know you are a client of Brook, we would encourage you to contact us if your doctor gives you any medicine, just in case it interferes with any contraception we have given you.

Who can see my Brook record?

You can see your records but we won’t show them to anyone else without your permission – even your parents, guardian or carer. 

All our staff are specially trained to keep your confidentiality and they have all agreed to stick to our policies.

Are there any exceptions?

If you or others are at risk of serious harm

If we believe that you, or another person, are at risk of serious harm we may need to talk to other people outside of Brook so that you can get additional support to protect you. We will always discuss this with you first before talking to anyone else.

Violent or criminal behaviour

If a client behaves in a violent, aggressive or anti-social way or commits a crime against another Brook client, a member of staff or against Brook property we may have to call the police and give them the name of the client. We would not give the police any information about the reason for the client’s visit to us.

Required by law

Sometimes we may be required by law to share information about you. This may happen if the police or a court orders us to disclose information.


In some cases people who work for approved organisations who are also legally required to maintain your confidentiality may also have the right to see your records as part of their job. This can happen when an organisation like the Care Quality Commission inspects us to ensure the quality and safety of our services or if an inquiry has been ordered into the serious injury or death of a child or young person.

Female Genital Mutilation (FGM)

In England, if someone aged under 18 tells one of our doctors or nurses that they have experienced Female Genital Mutilation we have to tell the police. We wouldn’t do that without telling you first.

STI treatment

Sometimes we are contacted by STI testing providers to ask if specific people have come to us for treatment. If you have been to us for treatment and the testing provider gets in touch, we would confirm you had been treated. We would not provide any further information.

What information do we collect about you and why?

At Brook we want to provide you with the best quality care. To do this we need to keep records about you and the advice and treatment we have given you. The information in your records will include:

  • basic details about you, such as your name, date of birth and contact details;
  • contacts we have had with you, such as clinic visits;
  • notes about your health;
  • details of the advice and treatment (e.g. contraceptive pills) we have given you;
  • results of tests we have taken;
  • information about any risks to your safety.

We promise that:

  • we will only collect the information we need to provide you with the service you want and to keep you safe;
  • we will keep your information secure and protect it from being lost, damaged, or being seen by people who aren’t allowed to see it;
  • we will keep your information up to date and accurate – this means that you need to give us accurate information and let us know if your information changes;
  • we won’t keep your information for any longer than we need.

Sometimes information about you may be given to us by other organisations. This is the case if you are referred to Brook’s services, for example by another healthcare provider, or a school. Sometimes information may be shared with us by other organisations if they are concerned that you are at risk of harm.

How your records are used

We will use your information to:

  • decide the best advice and treatment to give you;
  • check if you (or anyone else) is in serious danger;
  • assess the type and quality of care you have received.

We may use your information to:

  • investigate your concerns if you need to complain about our services;
  • refer you to another support service (in consultation with you);
  • check the quality of care we provide (this is known as clinical audit and involves us reviewing client records. This is done in such a way that you can’t be individually identified);
  • investigate serious incidents (this is when we notice that something has gone wrong, or nearly went wrong, with the service we provide to you).

We use information you give us to help us to plan our services to make sure we meet the needs of service users and local young people, and also to report on our performance to the organisations who fund us and to the Department of Health. When we do this, we only use your information in a way that means you can’t be individually identified.

Sometimes Brook would like to use your information in other ways, but we will only ever do so after contacting you, and only if you give your consent. This will include:

  • conducting health research and development;
  • communicating publicly about the difference that we make to service users and/or young people. This would never be done in a way that would identify individual people without their explicit permission.

In addition to the staff who work in our clinics and education teams, our managers and our small team of data analysts may have access to your data. Everyone who works at Brook has signed an agreement to keep your information confidential.

How do we store your records?

Paper and electronic records

We store your information in computer systems and in paper records. Paper records are kept in locked cabinets. Electronic records are saved on a secure database.

When we work in partnership with another Health Service provider your electronic record will either be held on a secure database owned by that partner, or the partner will have access to Brook’s database. This is so that the partners can provide you with the best possible care and help to keep you safe. Where information is shared between partners in this way there will always be a contract in place, and both partners are required to keep your information confidential.

Our database of electronic records sits within our IT network. We outsource our IT support services to an external organisation. This company is based within the European Economic Area and they are also required to comply with UK data protection legislation to keep your information safe.

How long do you keep the records?

We follow NHS guidelines for retaining records. This usually means that we keep your records for either 10 years after you last accessed our services or until your 25th birthday, whichever is longer and depending on your age when you first used our services. After that time they are securely destroyed.

Currently there is a national Inquiry into Child Sexual Abuse. Organisations that hold records that may be of use to the Inquiry have been asked not to destroy any records that they have. This means that at the moment, we are required to hold on to your records indefinitely. This will change once the Inquiry tells us that it’s ok to start following standard procedures again.

All staff who have access to your records have been trained to work to the same confidentiality policy where your rights to confidentiality are adhered to.

Accessing your records

Brook is committed to providing a confidential service. The General Data Protection Regulation (GDPR) gives our clients the right to access their personal data and this includes their health records (right to access). Individuals are also entitled to have any mistakes in their record corrected or noted (right to rectification).

Under the GDPR, individuals also have other rights regarding their personal data. These are the right to erasure, right to restrict processing, right to data portability, right to object and rights related to automated decision making. Not all these rights are absolute and some only apply in certain circumstances.

Our clients may request access to their data, or corrections to their data, in person (for example at reception), or in writing by way of email to dataprotection@brook.org.uk.

Under the General Data Protection Regulation there is no obligation to comply with an access request unless enough information is provided to identify the individual. This means we may ask for more information if we need it to confirm your identity or locate the information requested.

Further information and contact

Brook Young People is registered with the Information Commissioner’s Office as a Data Controller (registration number ZA022088).

If you have any questions about the use of your data you can contact Brook’s Data Protection Officer at dataprotection@brook.org.uk or you can write to us at Data Protection Officer, Brook, PO Box 78732, London EC2P 2TA.

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. It would be helpful if you contact Brook’s Data Protection Officer in the first instance so we can try to fix the problem.

If you remain dissatisfied, you may then wish to contact our supervisory authority, the Information Commissioner’s Office (ICO). You can contact the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; 0303 123 1113; www.ico.org.uk/concerns.

We will regularly review this privacy notice. Please check this page for updates.