HIV and Sexually Transmitted Infections (STIs) guidance for IG professionals
This guidance provides advice on patient confidentiality and the sharing of information on sexually transmitted infections (STIs) and HIV in England. It explains to patients, health and care professionals and information governance (IG) professionals how this personal information is used, shared and kept confidential.
There is no HIV or STI condition-specific legislation governing the information of people accessing these services. The NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000 have been revoked as of 12 October 2023.
Patient information obtained by STI and HIV services can be lawfully used and shared in the circumstances permitted within the legal framework described below.
UK GDPR
Under UK GDPR, the legal bases for processing HIV/STI information are:
- Article 6 1(e) - public task
- Article 9 2(h) - for individual care
- Article 9 2(i) - for public health protection
References to consent in the guidance do not refer to UK GDPR consent (see the section on common law duty of confidentiality in relation to consent).
Common law duty of confidentiality
For individual care, dedicated HIV and STI clinics will satisfy the common law duty of confidentiality by seeking explicit patient consent prior to sharing confidential patient information outside the service.
Other care settings can rely on implied consent where they are confident that the patient has a reasonable expectation that information relating to their HIV or STIs will be shared. In some circumstances this may be clear, for example when referring a patient for treatment specifically relating to their STI or HIV diagnosis. However, where health and care staff are not confident that the patient would expect information relating to their HIV or STIs to be shared for their care, they must seek explicit consent from the patient before sharing information. This is because patients may expect that this information will not be shared without explicit consent, having been given this expectation through their contact with dedicated sexual health services.
Where a health and care professional has judged that a patient lacks the mental capacity to be able to make the decision whether or not information should be shared, and the information sharing decision must be urgently made, they should make a decision in the patient’s best interests. This must take into account any known wishes or indications around information sharing. The principles of the Mental Capacity Act 2005 should be followed.
Health Service (Control of Patient Information) Regulations 2002
The UK Health Security Agency (UKHSA) has a legal basis to collect the data for the purpose of communicable disease surveillance and control, such as recognising risks and trends, and identifying, monitoring and managing disease outbreaks. The legal basis that permits the data to be pseudonymised and collected without consent is Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.
This legislation allows for confidential patient information about communicable diseases to be shared with relevant public health bodies, such as the UKHSA.
The UKHSA also collects routine pseudonymised STI and HIV surveillance data. This data is used to publish official STI and HIV statistics.
Public interest disclosures
Information may be disclosed where the public interest served by disclosure outweighs the public interest served by respecting the privacy of the individual and the public interest served by maintaining public trust in the confidentiality of the health and care system. An example would be where disclosure is necessary to protect another person from serious harm.
Staff should be routinely encouraged to seek the advice of their organisation’s Caldicott Guardian in this situation.
Legal requirements to disclose
As with any other information, HIV and STI information must be disclosed when there is a legal requirement to do so. This includes where there is a court order. NHS England can require data from health and care organisations where they have been directed to establish an information system.
Organisations can request data held by NHS England. Before agreeing to share any STI and HIV data, NHS England will ensure that the organisation requesting the data has a lawful basis and ethical need for the data, and that they can maintain the security and integrity of the data. Prior to sharing STI and HIV data, NHS England will pseudonymise it to remove any information that could identify an individual patient. Identifiable data will only be used where lawful and absolutely necessary. A robust approval process will be undertaken prior to release, including a data protection impact assessment as appropriate.
Electronic Patient Records
It is best practice that dedicated sexual health services maintain their own patient record systems, separate from other health care services. Services that use Electronic Patient Records (EPRs) should ensure that HIV and STI patient records are not freely available to all those with access to the EPR system. Access to these records should be restricted to those who need to have access (such as staff providing care and support to HIV and STI patients).
Only EPR systems that have gone through a robust IG due diligence process should be used for sexual health and HIV services, as these systems can disable or restrict access to specific information, including information relating to sexual health, in individual records. Due diligence should include conducting a Data Protection Impact Assessment (DPIA) and a Digital Technology Assessment Criteria (DTAC), covering information management, storage and data transfer.
Transparency
Healthcare organisations must provide information to patients about how their information will be used, how it may be accessed by or shared with other organisations and when, if at all, their identifiable information will be used. Where sexual health services are provided within a larger organisation such as a trust, you should ensure that there is a separate section in your privacy notice which sets out clearly how HIV and STI information is used and shared.
Last edited: 14 May 2026 8:46 am