The Passionate about Sexual Health (PaSH) Partnership) is a collaboration between BHA for Equality, George House Trust and the LGBT Foundation. The PaSH Partnership delivers a comprehensive programme of interventions to meet the changing needs of people newly diagnosed with HIV, living longer term with HIV or at greatest risk of acquiring HIV.

For the purpose of this policy, George House Trust, BHA for Equality and LGBT Foundation (The PaSH Partnership) are Joint Data Controllers. 

The PaSH Partnership is committed to protecting the rights and privacy of service users, staff, and other stakeholders, where personal data is held, in accordance with the General Data Protection Regulation (GDPR).  The Regulation, effective from 25th May 2018, protects the rights and privacy of individuals and gives more control over how data is used and gathered, giving better protection overall of personal data.

In carrying out the work of the PaSH Partnership, personal data is recorded and processed about people who receive advice or support services from us; about those who attend our training courses or activities and events; about visitors to our website and about those who work for us.

We are committed to protecting personal data and being transparent about what information we hold. This Policy has been developed to help set out how personal data will be treated where there is either online or in-person engagement.

It’s important that everyone we work with knows about, and has confidence and trust in, how we record and process their personal data. We are committed to ensuring that we use the information shared with us in accordance with all applicable laws concerning the protection of personal data. 



The Policy applies to staff and covers any person who has provided their personal data to The PaSH Partnership, be they staff, volunteers, service users, or third parties. 




This Policy sets out:

 what information we may collect about individuals;

  • where we collect personal data from;
  • why we collect personal data;
  • the legal basis for processing personal data;
  • who we may share personal data with;
  • how we keep personal data secure; 
  • how long we keep personal data;
  • updating and accessing personal data 
  • data breaches and more information


By signing up to the PaSH Partnership’s campaigns and using our services, the respective Privacy Notice is deemed to be accepted and authorisation given to The PaSH partnership to collect, store and process personal data in the ways set out.  Data processing may include obtaining, recording, retaining, disclosing, destroying, or otherwise using data.


George House Trust is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number Z2788095.

BHA for Equality is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number ZA327535.

LGBT Foundations is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number Z8069952.


Within the context of this Privacy Policy, ‘we’, ‘us’, or ‘our’ refers to The PaSH Partnership.


As The PaSH Partnership’s Lead Organisation, The Data Protection Lead at BHA for Equality is accountable for ensuring that all personal data is processed in compliance with this Policy.

Qurab Ahmed, Data Protection Lead, BHA, 609 Stretford Road, Old Trafford, Manchester, M16 0QA

Email: smt@thebha.org.uk

Telephone: 0845 450 4247




Non-personal information

This type of information does not identify the individual, but it does help us to improve our services. When visitors look around our website, we record things like their IP (internet protocol) address – the unique number of the device being using to access our website, which pages are visited (on our website only), when they were visited, and the type of device being used. This information helps us create a better experience for everyone who uses our website. Examples of the type of information that can be collected using an IP address include the type and version of browser, and the location from which the site is being accessed. This helps us improve how our page templates appear and change content to make it relevant to our website visitors.


Personal information

This means any information that may be used to identify individuals, such as:

  •  full name
  • contact details including postal address, telephone number(s) and email address
  • records of correspondence and engagement with us and any membership held with us
  • information which may have been entered on the SortHIV website
  • occupation or other biographical information
  • other information shared with us
  • details of advice or support received

We sometimes also collect sensitive information about individuals. This includes information about health (which may include HIV status), religion, sexuality and ethnicity.

We will normally only record this data where we have explicit consent, unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance to comply with legal requirements. 


Children and young people.

Protecting children's privacy is paramount.  However, to deliver a service we need to collect and manage personal data about children and young people and aim to manage it in a way which is appropriate to the age of the child.

Information is usually collected when we are working directly with children and young people. Consent from a parent or guardian, if the child is under 16, or consent from the young person, if they are aged 16 or over, is required before collecting personal data.



We collect information in the following ways:


When it is given to us DIRECTLY

We collect personal information for many reasons, for example to provide a service, to communicate information and send information that’s has been requested, and to run campaigns. Depending on how individuals interact with us, we may process data when they: 

  • register on our website for the Step-Up scheme;
  • request a service from us such as an appointment with an Adviser;
  • register for our training courses, events or activities;
  • complete a survey or take part in research; or
  • give personal data to us.

This information may be collected via any paper forms that are completed, telephone conversations, emails, face-to-face interactions, digital forms completed via our website, online surveys, publicly available sources, or communication via social media.


When it is collected at the time of using our WEBSITE

Like most websites, we use cookies to help us make our website better. Cookies mean that a website will remember an individual. They’re small text files that websites transfer to a computer, phone or tablet. They make visits to websites faster and easier, for example by automatically filling in name and address in the text fields.

We use cookies, like most websites, to help us provide the best experience when visiting our site. Some cookies are essential to the smooth running of our website, for example our donations pages rely on them. Other cookies allow us to understand how visitors are interacting with our website, so that we can improve it.




Service users

Where anyone is receiving support from us we will need to process their personal data because of the specific relationship with us. We use a Customer Relationship Management system (CRM) to support our work. This means that we can keep the information provided to see the history and relevant details of our work, and the interactions that have taken place.

When we work either face to face or by phone with service users relevant notes may be taken of the information that is given to us and recorded on our database. Where communication is by email, these will be recorded on our database. This information is used to enable us to provide the most appropriate and relevant support.  It is also used for quality assurance, complaint investigations, to support our policy work, to fulfil our obligations to our funders, and for anonymised statistical reporting.  Individuals are informed of this before any data collection occurs.

We keep service users up to date about our activities, including information sessions. We use a range of methods to keep in touch including our website, email, telephone calls and occasionally by post. We will always gain consent to make contact and request contact preferences.

Individuals can withdraw consent, unsubscribe, or update their contact preferences at any point.




We must have a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data.  The PaSH Partnership processes data on the basis of:

  • a person’s consent, for example, to send a newsletter by email;
  • a contractual relationship, for example, to provide goods or services that have been purchased from us such as room hire 
  • The PaSH Partnership’s legitimate interests; personal data may be legally collected and used if it is necessary for a legitimate interest of the Partnership using the data, if its use is fair and does not adversely impact the rights of the individual concerned. When we use personal information, we will always consider if it is fair and balanced to do so, and if it is within reasonable expectations. We will balance personal rights and our legitimate interests to ensure that we use personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:                           
    • administration and operational management: including responding to solicited enquiries and providing information and services.




Personal data may be shared internally, with The PaSH Partnership’s staff members for purposes including project administration, service delivery, HR, health and safety, insurance and events. 


Personal data will not be shared with a third party – except where:

  •  it is in connection with supporting the CRM system and IT network 
  • a professional adviser may be party to confidential discussions related to an individual
  • we are required to do so by law, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation;
  • it is necessary to protect the vital interests of an individual – i.e. to protect someone’s life, and in line with The PaSH Partnership’s member organisations’ Safeguarding Policies; 
  • we have obtained consent;
  • external auditors, such as quality assurance auditors, need to check records for compliance purposes.  All auditors are bound by The PaSH Partnership’s member organisations’ confidentiality policies.

We will never share or sell personal data to a third-party organisation for marketing, fundraising or campaigning purposes.




The PaSH Partnership takes the security of personal data seriously.  The PaSH Partnership’s member organisations’ internal policies and controls are in place to protect personal data and to prevent loss, accidental destruction, alteration, misuse, disclosure, or unauthorised access.  Where necessary we implement appropriate network access controls, user permissions and encryption to protect data.  For example, using trusted third-party suppliers to provide secure pages on the website for a clinic referral.  


The PaSH Partnership recognises that sending information via the internet is not completely secure, and although we will do our best to protect personal data, we cannot guarantee the security of the data sent to our website on standard pages.  Once information has been received, procedures and security features are in place to try to prevent unauthorised access.




We will only retain personal information for as long as necessary to fulfil the purposes for which it was collected.  The length of time personal data is kept, depends on the reasons for processing it, on the law or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulations, or on any contractual obligation which may be in force, such as with government contracts. For business case data, the data will be anonymised so no individual is identifiable.


Data will be retained in line with the organisations Record Retention Policy. Once the retention period has expired, personal data will confidentially be disposed of or permanently deleted.




Where consent has been given for The PaSH Partnership to use personal data, there is always a right to withdraw consent at any time.  


If changes are made to consent, records will be updated as soon as we possibly can. Email communications will be stopped immediately where unsubscribe is clicked or if communication preferences are updated online.

Requests for updates to contact preferences received by email, given by phone or in person may take up to 30 calendar days to process, including stopping any postal communications.  


Individuals have a right to access their personal data and to have any inaccuracies corrected. There is no fee to pay for accessing personal data. However, if it is believed that the request is unfounded, or excessive, a reasonable charge may be made or a refusal to comply with the request given.  Where an individual wishes to exercise these rights, they may need to prove their identity with two pieces of approved identification. Any request will receive a response within 30 calendar days.


Individuals also have the right to request that personal data is erased; to object to the processing of their personal data and for a restriction on processing their personal data.  Any request will receive a response within 30 calendar days.




Any suspected breaches to this Policy should be reported in the first instance to Qurab Ahmed, Data Protection Lead, BHA for Equality as the person accountable for ensuring compliance with this Policy, who will deal with the enquiry directly or liaise with the Data Protection Officer of the member organisation concerned.


Where an individual believes that a member organisation of the PaSH Partnership has not complied with their data protection rights, they can complain to the Information Commissioner's Office (ICO)