Privacy Notice

University of Hertfordshire – Privacy Notice for the Halo Research Project

Effective date: September 25, 2025

Last updated: September 25, 2025

This privacy notice explains how the University of Hertfordshire Higher Education Corporation (the University) processes your personal data in relation to its study entitled The Halo Randomised Controlled Trial (“the Halo Research Project”), which aims to increase condom use amongst young people aged 16-24 who are accessing STI self-sampling services online.

This Privacy Notice may be updated from time-to-time. You should check this page regularly to ensure that you are happy with any changes. 

The University is the Data Controller in respect of the personal information it collects from you and receives about you from other organisations and is subject to the Data Protection Act 2018 (the DPA) and the UK General Data Protection Regulation (the GDPR). The University is registered with the ICO and our registration number is Z5759523. The University will receive personal information about you from either Preventx Limited (ICO registration no. Z1828250) or the London Corporation (ICO registration no. Z5996206). The university will also share your data with your local trust where required. What data is shared, when, and for what purpose, is set out below.

This privacy notice also outlines your rights in relation to the personal data we hold. Our full Data Protection and Privacy Policy is available at: https://www.herts.ac.uk/__data/assets/pdf_file/0017/233090/IM08-Data-Protection.pdf

Why are you collecting my personal data?

We have developed a website called Halo which aims to increase condom use amongst young people (16-24 years) who are accessing STI self-sampling services online. Your data is being collected for the purposes of a Randomised Controlled Trial (RCT). The primary aim of this is to determine whether the website works. Secondary aims include to determine who engages with it and in what way, how it works, and what the cost savings might be.

What personal data are you collecting?

In order to carry out the Halo Research Project we need to collect some personal data from you, including sensitive personal information which is classed as special category data. Personal data is information which individually or in combination, allows a person to be identified. Special category data is information which may be considered sensitive, such as information relating to your health.

The personal/special category data being collected and/or processed at each stage of the Halo Research Project is as follows:

Advert URL

Preventx research ID (randomly generated code, created for the purposes of this research, provided to the University by Preventx Limited)

Consent to participate in the Halo Research Project (data collected at the start of the study when you are agreeing to statements about what the study involves)

  • Name,
  • Signature
  • Participant ID

Initial Survey Data

  • Preventx ID number or Preventx order number  
  • Participant ID
  • Contact information (email address, mobile phone number, postal address)
  • Demographic data (sexual orientation, Index of Multiple Deprivation quintile (generated using postcode taken from postal address), gender, age, ethnicity)
  • Data about your sex life
    • How often you have sex and the type of partners (exclusive or non-exclusive)
    • Your condom use (e.g. how often use condoms, what you think of them, your confidence in using, how accessible they are to you, any problems experienced)
  • Data about your general and sexual health and well-being, and use of relevant services
  • Safeguarding concerns (where applicable)

Initial freetest.me/SH.UK/SH:L test result

  • Provided to Preventx Limited by the University:
    • Preventx research ID
    • Date of birth
    • Name
    • Telephone number
  • Provided to the University by Preventx Limited:
    • Chlamydia and gonorrhoea test result

Treatment outcome survey

  • Self-reported adherence to treatment of a positive chlamydia or gonorrhoea infection

Website

  • Participant trial ID
  • Use of the website

Follow up survey data (at 3 Months, 6 Months, 12 Months)

  • Data about your sex life
    • How often you have sex and the type of partners (exclusive or non-exclusive)
    • Your condom use (e.g. how often use condoms, what you think of them, your confidence in using, how accessible they are to you, any problems experienced)
  • Data about your general and sexual health and well-being, and use of relevant services
  • Safeguarding concerns (where applicable)
  • Adverse events (where applicable)

Chlamydia and gonorrhoea test results (3M and 12M)

  • Provided to Preventx Limited by the University:
    • Name
    • Contact information (email address, mobile phone number, postal address)
    • Date of birth
    • Sex
  • Provided to the University by Preventx Limited:
    • Kit code
    • Chlamydia and gonorrhoea test result

Where will you collect my information from?

With three exceptions, all the personal data as set out in the section above will be information that you have provided directly to us. The three exceptions are 1) your participant ID (generated by REDCap, a survey database), 2) Preventx Research ID (shared with us by Preventx Limited), and 3) your chlamydia and gonorrhoea test results (shared with us by Preventx Limited).

Preventx Limited[1] is the company that operates freetest.me/SH.UK/SHL.

Initial freetest.me/SH.UK/SH:L test result  

Preventx Limited are the joint data controller for the data they collect and process for the freetest.me and SH.UK services, along with each respective local authority/trust. City of London Corporation is the joint data controller for the data they collect and process for the SHL.UK service, along with each respective local authority/trust, with Preventx operating as a data processor. For the initial test, data will be collected and processed through either freetest.me, SH.UK, or SHL, depending on which service you used to request that test. This will be shared with the University by Preventx on an independent controller to independent controller basis. We have data sharing agreements in place with Preventx Limited, SHL and the relevant local authorities/trusts to make sure that the test result information is shared in a safe and secure way.

Chlamydia and gonorrhoea test results (3M and 12M) and safeguarding concerns

For subsequent STI testing as part of the Halo research project (M3 and M12), your data will be collected and processed through the freetest.me service. The University and Preventx are independent data controllers of this M3 and M12 data. The M3 and M12 results will be copied by the research team to university systems for the purposes of the study; the University will be an independent controller of this copied data for the purposes of the study, with Preventx remaining an independent controller for the purpose of carrying out its business as a remote sexual health testing service. If you test positive for either chlamydia or gonorrhoea at M3 or M12, this data will be shared by the University with a suitable NHS trust so that follow-up treatment and support can be provided. Furthermore, if you are under the age of 18 (or identified as vulnerable in other ways) and reveal information during the study which indicates that you may be at risk of significant harm, this will also be shared with a suitable NHS trust so that they can provide the necessary help and support. This data (test result data and safeguarding concerns) will be shared with a suitable NHS by the University on an independent controller to independent controller basis. The University has data sharing agreements in place with all the relevant NHS trusts to make sure that this data is shared in a safe and secure way.

See Privacy Notices for the three services here: freetest.me, the SH.UK and the SHL.

What is the legal basis for processing my personal data?

Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called the ‘legal basis’ for processing.

In the context of research undertaken under the Halo Research Project, the legal basis for processing is as follows:

  1. processing your personal data is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR); and
  2. processing special categories of your personal data (which is personal data about your health, ethnicity, sexual orientation, etc.) is necessary for scientific research purposes or statistical purposes (Article 9(2)(j) of the GDPR) and is carried out in accordance with the GDPR and DPA and is in the substantial public interest (Section 10 of the DPA and Schedule 1(1)(para 4)).

Details of participants who have received a positive chlamydia or gonorrhoea test result, or anyone under the age of 18 (or identified as vulnerable in other ways) who has revealed information during the Halo Research Project which indicates that they may be at risk of significant harm, will be shared with the relevant NHS Trust in line with existing sharing protocols that govern this data (see ‘If you are sharing my data, who are you sharing it with’ below).

The legal basis for processing special category personal data on positive chlamydia and gonorrhoea test results and passing it to the relevant NHS Trust is that:

  1. it is necessary for the purposes of providing health treatment (Article 9(2)(h) of the GDPR); and
  2. it is necessary for health or social care purposes, in this case treatment (Section 10 of the DPA and Schedule 1(1)(para 2)).

The legal basis for processing special category personal data which indicates that a person aged under 18 (or vulnerable in other ways) may be at risk of significant harm, and passing that to the relevant NHS Trust is that:

  1. it is necessary for reasons of substantial public interest to safeguard the fundamental rights of the data subject (Article 9(2)(j) of the GDPR); and
  2. the processing is necessary for reasons of substantial public interest and it is necessary for the purpose of protecting an individual who is under the age of 18 (or vulnerable in other ways) from physical, mental or emotional harm and protecting their wellbeing and we cannot reasonably be expected to obtain the individual’s consent (Section 10 of the DPA and Schedule 1(2)(para 18)).

If you are sharing my data with others, who are you sharing it with?

Your personal data will only be accessed by the University’s Halo Research Project team and by nominated  individuals and organisations outside of the University who are specifically working on the Halo Research Project. These nominated individuals and organisations will be given access to the information  as outlined below

We will share data we collect about you with other universities who are collaborating with us on the Halo research project (including one university outside of the UK; Maastricht University). This is so that they can support us with data analysis. We will remove your name and contact details before we share this data. Data sharing agreements between us (the University) and each collaborating university are in place to ensure that your data is treated with the utmost care and security. 

We will share positive chlamydia and gonorrhoea test results data with the relevant NHS Trust in line with the existing processes and sharing protocols that govern this data.

We will also share with the relevant NHS Trust and/or local authority your details if you are under the age of 18, or are over the age of 18 and we have reason to believe you are vulnerable in other ways, and have revealed information during the Halo Research Project which indicates that you may be at risk of significant harm. Data sharing agreements between us (the University) and each NHS trust and/or local authority are in place to ensure that your data is treated with the utmost care and security. 

In order to operate the Halo Research Project and provide products and services in connection with it, we use Red Bullet (Halo website maintenance), WP Engine (Halo website hosting provider) and Bird Email (email delivery platform) both sub-processors engaged by Red Bullet, and Twilio (an American cloud communications platform) to carry out tasks on our behalf. These third parties are known as data processors and when we use them, we have contractual terms, policies and procedures to ensure confidentiality is respected. The University remains responsible for your personal information as the Data Controller.

In using Twilio we will be processing data within the USA. We have put measures in place to minimise the amount and sensitivity of the data transferred. The data will be held on Twilio’s system for a maximum of 60 days.

How long will you retain my personal data?

Personal data collected as part of this project will only be held by the University for as long as is necessary to allow for collection and analysis of the data to take place. Data will be deleted or anonymised at the earliest opportunity so it is no longer attributed to you.

Data collected by Preventx Limited through freetest.me/SH.UK/SHL as part of the testing process will be held for different timescales. Further information can be found in the freetest.me privacy policy, the SH.UK privacy policy and the SHL privacy policy.

Data shared with the NHS will also be subject to separate retention times. More information on how the NHS process your data can be found here – https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information

What are my rights and how can I enforce them?

You have certain rights under data protection laws which allow you to say how you wish you data to be processed. There are exemptions from some of these rights where personal data is used for the purposes of research. Further detail on your rights can be found here: https://www.herts.ac.uk/__data/assets/pdf_file/0016/233620/IM08-apxII-Data-Subjects-Rights.pdf

In the first instance, please contact the University’s Data Protection Officer: dataprotection@herts.ac.uk if you would like to discuss any aspect of your rights in relation to your personal data as described in the section ‘Where will you collect my data from

How can I raise concerns about the processing of my personal data?

If you have any feedback or queries, in relation to the processing of your personal data by the University with regards to this project, please contact Halo@herts.ac.uk. If you have any concerns about the processing of this data or wish to request further detail on how we have applied the data protection legislation, please contact the University’s Data Protection Officer: dataprotection@herts.ac.uk.

If you have any feedback or concerns in relation to the processing of your personal data by Preventx Limited, please contact dpo@preventx.com

External advice is available from the Information Commissioner who can be contacted via:

Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. Tel: 0303 123 1113. Website:  http://www.ico.org.uk

You also have the right to raise a complaint with the Information Commissioner who can be contacted using the details above.

[1] Preventx Limited is a company incorporated and registered in England and Wales with company number 06603066whose registered office is at MBP 5 Meadowhall Business Park, Carbrook Hall Road, Sheffield South Yorkshire, England, S9 2EQ.