Image shows a padlock over computer code

How we handle your information

We want to outline to you how METRO handles the personal information that we collect and use to work with and support you. Given the area we work in and some of the challenges the people we support encounter every single day we very much respect your privacy and always do what we can comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

Some of details below are things that we must tell you under the GDPR and DPA but there are some additional things in here too to help you get a clear picture of how your information is used within METRO.

The Controller and Processor of your information

For some of the services we provide, METRO acts as a ‘Controller’ of that information. You can get hold of us via the contact details below.

However, there are some services where METRO is the ‘Processor’ acting on behalf on another organisation (the NHS for example).

You can find out who is responsible for your information (including some of our partners) and what role METRO plays in each of our services via each service’s privacy notice in the list at the bottom of this page.

What personal information we collect and what we do with it

We mainly ask for your personal information in order to provide the service you have either asked to receive or have been referred to us to receive. Due to the nature of our services some of this information is deemed ‘special’ under Data Protection laws. Especially if it is related to your sexual, physical or mental health, your sexual orientation, your ethnic background or a previous or current criminal history.

We only ask for this information when it relates to your service or we are legally required to and we will not ask for information that we do not need or will never use.

We will not share this data unless we are legally required to or you have asked us to do so and we will do what we can to protect it. This even includes sharing with other teams within METRO.

Below is a summary of all the different services (purposes) METRO has and an overview as to how under the law we use your information. For precise details you can view your service’s specific privacy notice by following the relevant link at the bottom of this page.

What we do and how the law allows it

Hearing from us

When subscribing to hear about our news and updates we will ask for appropriate contact details that you would like us to use. This is used to send you our newsletter with news about METRO. These details are kept confidential and we only provide you with the subscriptions and communications that you want to receive.

You can unsubscribe at any time. Simply click the unsubscribe link at the bottom of any of the newsletters we send to you, or if you prefer you can email your request to [email protected].

We may also need to send you important notices that may affect you and the services you receive from us. We will ask your contact preferences for these notices but we do not need your consent as they are often for emergency contact or where we need to relay important information to you about your service / appointment. You can update your preferred contact for these notices at any point to ensure we have the best and most appropriate channel of contacting you when we need to.

How long do we keep personal data?

Each service you use will keep your information for a different period of time as each service is different. Each service has outlined how long it keeps your data in each of their privacy notices found at the bottom of this page. The longest period we have is 100 years for HIV treatment related records.

By law we have to keep basic information about those that use our services and their contact details for a minimum of 6 years for tax purposes. This information is not re-used for any other purposes.

Subject to any legal requirements stopping us, we will delete your information where you tell us that you will no longer be using our services.

For the purposes of receiving our news and updates we will keep your information until you unsubscribe.

Third parties

Where some of our services are commissioned by a third party (the NHS for example) we may be required to share some personal or statistical information with them.

Each of our services are different and for some this is a requirement but not for others. Each service will tell you in their privacy notice if they are required to do this or not and what this means for you.

In order to provide you with our services we may work with other organisations in order to deliver that service. For example, in order for us to host and maintain your records on our network we use a company called DHTS who, where necessary, will need to access your personal data to maintain and support it.

METRO will never sell your personal data to any other external organisation or individual.

Protecting your information

METRO will always do what it can to keep your information confidential and secure, both internally and externally. In order to prevent any such unpermitted access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect from you. All of our staff receive training on Data Protection and Information Security.

When you visit our premises, we will outline to you the rules for entering the building and also as you to respect other service user’s privacy while you are here.


Cookies are used on this website. A cookie is a text file that sits on your device designed to tailor website content for you or help a website’s functionality work. Cookies make it easier for you to log on to and use the site during future visits. They also allow us to monitor website traffic and to personalise the content of the site for you. Our system will issue cookies to your computer when you log on to the site. However, you can set your web browser to refuse cookies. Some of the services we use such as Google Analytics, set cookies to allow us to gather anonymous data about your usage of our website. Browsers usually will allow you to refuse cookies but this could have a negative impact on the usability of many websites.

Links to other sites

Our web site contains links to other web sites. We are not responsible for the privacy practices of such other sites. When you leave our site please be sure to read the privacy statements of each and every web site that collects personal data about you. This privacy policy applies solely to information collected by METRO.

Your data abroad

Our current IT infrastructure is based on secure servers within EU (currently the UK). Where we can we avoid using services that are based outside of the EU.

Your rights

You have control over the information you provide to us. You can object or withdraw your consent to the use of your personal data at any time. Though in some cases we may not be able to provide your requested service (e.g. membership or course) where the information processing is an integral part of the service. We will tell you if this is likely to be the case.

Subject to some legal exceptions, you have the right to:

To learn more about these rights please see the ICO website.

Please address any such requests to the METRO Data Protection Lead by emailing [email protected].

If you are concerned about the way we handle your data please contact us via the details below.

However, you can also complain to the Information Commissioner's Office via;

Last updated: August 2018

Get in touch

Any concerns or queries about this privacy policy should be sent to the METRO Data Protection Lead at [email protected].

Privacy notices for specific services

These notices are currently being updated and will be available shortly.

Sexual and reproductive health


Mental health and wellbeing



Core services