Everyone has the right to confidential sexual health advice and services, including young people
At Brook we offer a confidential service. This means that we do not talk about your visit to anyone outside Brook without your permission unless you or another person are in serious danger. If you have any worries or questions about confidentiality, don’t hesitate to ask us.
Read general information about your rights when visiting other sexual health services.
At Brook we have a Caldicott Guardian. This is a senior staff member responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. If you need to contact the Caldicott Guardian, please email firstname.lastname@example.org.
Brook adheres at all times to data protection legislation, currently DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), which provide the following rights for individuals:
You can read more about your data rights on the Information Commissioner’s website.
This statement outlines our policies for ensuring these rights are met and maintained. If you have any concerns or questions relating to your rights regarding personal data, please contact us on email@example.com. You can also read more information about accessing your records below.
When you use a Brook service, whether that’s by attending a clinic, accessing an online service (for example, requesting an STI home test kit, treatment or contraception) or participating in education programmes, any information you provide will be given to Brook Young People (which is Brook’s full legal name). This means that Brook is the ‘Data Controller’ for your data and we are responsible for keeping it safe. You can find the contact details for Brook’s Data Protection Officer below.
Our promise of confidentiality relates to the organisation as a whole. To make sure that we provide you with the best care, members of staff have to share information about you with other members of the Brook team.
Brook services often work together with another Health Service provider in a partnership arrangement. Should this be the case in the service you access, the information about you will be shared with them, but your rights to confidentiality remain exactly the same. You can ask your local service for information on any partners that your data will be shared with.
Brook uses the DrDoctor appointment booking platform to offer online appointment booking for certain services in some locations.
We have worked closely with DrDoctor to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the DrDoctor platform will only be used for the purposes of booking and managing your appointment.
More information about how DrDoctor collect, store and manage your data securely is available at my.drdoctor.co.uk/privacy.
Brook uses the SXT appointment booking platform to offer online appointment booking for certain services in some locations.
We have worked closely with SXT to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the SXT platform will only be used for the purposes of booking and managing your appointment. SXT remove all data from the platform after an appointment has taken place or when a booking is cancelled.
More information about how SXT collect, store and manage your data securely is available at sxt.health/privacy_policy.
The My Brook portal is available to people living in Dudley who want to access Brook services online. It is not currently available for users of any other Brook service.
My Brook was developed and configured for Brook by Mindwave Ventures Limited (hereafter referred to as Mindwave) and is a custom version of MAIA, Mindwave’s own patient engagement platform.
We have worked closely with Mindwave to make sure that your personal data is collected, held and managed securely and in line with UK General Data Protection Regulation (UK GDPR). The information you provide through the My Brook portal will only be used for the purposes of booking and managing your appointments, managing your test results, or providing you with a requested service, for example, an STI test, contraception or treatment.
The information you provide us through My Brook will be stored on your Brook record and, if you are new to our service, may be used to create a record for you.
Please continue reading to find out more about your Brook record, including:
More information about MAIA is available at mindwaveventures.com/patient-engagement-portal
My Brook text messages (SMS) and emails
My Brook uses Firetext, also used by the NHS, to send text messages. More information about how Firetext keeps your data safe can be found at firetext.co.uk/privacy/gdpr
My Brook uses SendGrid to send emails. More information about how SendGrid keeps your data safe can be found at sendgrid.com/policies/security
We will not send test results or contact you at home unless you have given us your permission. That’s why we always ask if we can write to you at home. It’s important that we have some way to contact you so we will always ask if there is another address we can use or some other way to contact you such as email or mobile phone.
We will never leave messages for you with someone else, or on voicemail, unless you have told us that was OK.
We may be able to send you a text with your STI test results. If we can do this at the service you are visiting, we will tell you first. Where we use an external SMS provider, we will make sure they won’t share your phone number or use it for anything else.
We won’t tell your family doctor about your visit if you don’t want us to.
You might be asked each time you visit us whether it’s OK for us to contact your doctor. If you don’t want your doctor to know you are a client of Brook we would encourage you to contact us if your doctor gives you any medicine just in case it interferes with any contraception we have given you.
You can see your records but we won’t show them to anyone else without your permission – even your parents, guardian or carer.
All our staff are specially trained to keep your confidentiality and they have all agreed to stick to our policies.
If we believe that you, or another person, are at risk of serious harm we may need to talk to other people outside of Brook so that you can get additional support to protect you. We will always discuss this with you first before talking to anyone else.
If a client behaves in a violent, aggressive or anti-social way or commits a crime against another Brook client, a member of staff or against Brook property we may have to call the police and give them the name of the client. We would not give the police any information about the reason for the client’s visit to us.
Sometimes we may be required by law to share information about you. This may happen if the police or a court orders us to disclose information.
In some cases people who work for approved organisations who are also legally required to maintain your confidentiality may also have the right to see your records as part of their job. This can happen when an organisation like the Care Quality Commission inspects us to ensure the quality and safety of our services or if an inquiry has been ordered into the serious injury or death of a child or young person.
In England, if someone aged under 18 tells one of our doctors or nurses that they have experienced Female Genital Mutilation we have to tell the police. We wouldn’t do that without telling you first.
Sometimes we are contacted by STI testing providers to ask if specific people have come to us for treatment. If you have been to us for treatment and the testing provider gets in touch, we would confirm you had been treated. We would not provide any further information.
At Brook we want to provide you with the best quality care. To do this we need to keep records about you and the advice and treatment we have given you. The information in your records will include:
We promise that:
Sometimes information about you may be given to us by other organisations. This is the case if you are referred to Brook’s services, for example by another healthcare provider, or a school. Sometimes information may be shared with us by other organisations if they are concerned that you are at risk of harm.
We will use your information to:
We may use your information to:
We use information you give us to help us to plan our services to make sure we meet the needs of service users and local young people, and also to report on our performance to the organisations who fund us and to the Department of Health. When we do this, we only use your information in a way that means you can’t be individually identified.
Sometimes Brook would like to use your information in other ways, but we will only ever do so after contacting you, and only if you give your consent. This will include:
In addition to the staff who work in our clinics and education teams, our managers and our small team of data analysts may have access to your data. Everyone who works at Brook has signed an agreement to keep your information confidential.
We store your information in computer systems and in paper records. Paper records are kept in locked cabinets. Electronic records are saved on a secure database.
When we work in partnership with another Health Service provider your electronic record will either be held on a secure database owned by that partner, or the partner will have access to Brook’s database. This is so that the partners can provide you with the best possible care and help to keep you safe. Where information is shared between partners in this way there will always be a contract in place, and both partners are required to keep your information confidential.
Our database of electronic records sits within our IT network. We outsource our IT support services to an external organisation. This company is based within the European Economic Area and they are also required to comply with UK data protection legislation to keep your information safe.
We follow NHS guidelines for retaining records. This usually means that we keep your records for either 10 years after you last accessed our services or until your 25th birthday, whichever is longer and depending on your age when you first used our services. After that time they are securely destroyed.
Currently there is a national Inquiry into Child Sexual Abuse. Organisations that hold records that may be of use to the Inquiry have been asked not to destroy any records that they have. This means that at the moment, we are required to hold on to your records indefinitely. This will change once the Inquiry tells us that it’s ok to start following standard procedures again.
All staff who have access to your records have been trained to work to the same confidentiality policy where your rights to confidentiality are adhered to.
Brook is committed to providing a confidential service. The General Data Protection Regulation (GDPR) gives our clients the right to access their personal data and this includes their health records (right to access). Individuals are also entitled to have any mistakes in their record corrected or noted (right to rectification).
Under the GDPR, individuals also have other rights regarding their personal data. These are the right to erasure, right to restrict processing, right to data portability, right to object and rights related to automated decision making. Not all these rights are absolute and some only apply in certain circumstances.
Our clients may request access to their data, or corrections to their data, in person (for example at reception), or in writing by way of email to firstname.lastname@example.org.
Under the General Data Protection Regulation there is no obligation to comply with an access request unless enough information is provided to identify the individual. This means we may ask for more information if we need it to confirm your identity or locate the information requested.
Brook Young People is registered with the Information Commissioner’s Office as a Data Controller (registration number ZA022088).
If you have any questions about the use of your data you can contact Brook’s Data Protection Officer at email@example.com or you can write to us at Data Protection Officer, Brook, PO Box 78732, London EC2P 2TA.
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. It would be helpful if you contact Brook’s Data Protection Officer in the first instance so we can try to fix the problem.
If you remain dissatisfied, you may then wish to contact our supervisory authority, the Information Commissioner’s Office (ICO). You can contact the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; 0303 123 1113; www.ico.org.uk/concerns.
We will regularly review this privacy notice. Please check this page for updates.