Privacy policy

How we use your data across our services

How we handle your information

We want to outline to you how METRO handles the personal information that we collect and use to work with and support you. Given the area we work in and some of the challenges the people we support encounter every single day, we very much respect your privacy and always do what we can to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

Some of the details below are things that we must tell you under the GDPR and DPA, but there are some additional things in here too, to help you get a clear picture of how your information is used within METRO.

The Controller and Processor of your information

For some of the services we provide, METRO acts as a ‘Controller’ of that information. You can get hold of us via the contact details below.

However, there are some services where METRO is the ‘Processor’ acting on behalf of another organisation (the NHS, for example).

You can find out who is responsible for your information (including some of our partners) and what role METRO plays in each of our services via each service’s privacy notice in the list at the bottom of this page.

What personal information we collect and what we do with it

We mainly ask for your personal information in order to provide the service you have either asked to receive or have been referred to us to receive. Due to the nature of our services, some of this information is deemed ‘special’ under Data Protection laws. Especially if it is related to your sexual, physical or mental health, your sexual orientation, your ethnic background or a previous or current criminal history.

We only ask for this information when it relates to your service, or we are legally required to, and we will not ask for information that we do not need or will never use.

We will not share this data unless we are legally required to, or you have asked us to do so, and we will do what we can to protect it. This even includes sharing with other teams within METRO.

Below is a summary of all the different services (purposes) METRO has and an overview as to how under the law we use your information. For precise details you can view your service’s specific privacy notice by following the relevant link at the bottom of this page.

What we do and how the law allows it

  • Provision of sexual and reproductive health services - Clinic and testing services are provided to you and maintained under various legal obligations. For most of the services where we are not offering an ‘in person’ sexual health clinic, we use your data with your consent. However, where you are involved in one of the clinics, we have other legal health obligations that require us to use your information. These are outlined in the privacy notices for each service.
  • Provision of HIV-related support and assessment services - In order to assess your needs for living with HIV we need to collect and use information about you as part of our health & care obligations for that assessment. Other HIV support services are provided to you with your consent. Each service's privacy notice will outline this in more detail and what rights you have over that data.
  • Provision of mental health and wellbeing services - Our counselling services will use your data either with your consent or under our statutory health and care obligations. This will often depend on how you have been referred to the service. For example, if you have voluntarily joined the service rather than being referred by a medical professional then we are likely to use your information with your consent. Each service will outline in its privacy notice if it requires your consent and where it does not.
  • Provision of community support programmes - Where we use your personal data to provide any of our community support programmes, we do so with your consent. What this means, what data we use and why is outlined in the privacy notices for each service.
  • Provision of youth support programmes - Where we use your personal data to provide any of our youth support programmes we do so with your consent. What this means, what data we use and why is outlined in the privacy notices for each service.
  • Safeguarding, child protection and health and safety - For individuals that are within our care, we may need to use your information to ensure we have taken any appropriate actions under either our health and safety obligations or our safeguarding and child protection obligations. Where appropriate for us to do so we will tell you when we are using your information for these reasons and what rights you have over that information.
  • Keeping you informed of our news and events - We will only send you informative and promotional material about what we are getting up to and offer with your consent. When we contact you about important changes to your appointments or services you currently receive, this is not marketing, and therefore we do not need your consent.
  • Hosting and maintenance - We are legally obliged to host and maintain the data you give us to a secure standard. It is also in our own legitimate interests to ensure this data is held securely and maintained to a decent level. The majority of our infrastructure remains in the UK / EU. Any exceptions are outlined in the service's privacy notices.

Hearing from us

When subscribing to hear about our news and updates, we will ask for appropriate contact details that you would like us to use. This is used to send you our newsletter with news about METRO. These details are kept confidential, and we only provide you with the subscriptions and communications that you want to receive.

You can unsubscribe at any time. Simply click the unsubscribe link at the bottom of any of the newsletters we send to you, or if you prefer, you can email your request to hello@metrocharity.org.uk.

We may also need to send you important notices that may affect you and the services you receive from us. We will ask your contact preferences for these notices, but we do not need your consent as they are often for emergency contact or where we need to relay important information to you about your service/appointment. You can update your preferred contact for these notices at any point to ensure we have the best and most appropriate channel of contacting you when we need to.

How long do we keep personal data?

Each service you use will keep your information for a different period of time, as each service is different. Each service has outlined how long it keeps your data in each of their privacy notices found at the bottom of this page. The longest period we have is 100 years for HIV treatment-related records.

By law we have to keep basic information about people who use our services and their contact details for a minimum of 6 years for tax purposes. This information is not re-used for any other purposes.

Subject to any legal requirements stopping us, we will delete your information where you tell us that you will no longer be using our services.

For the purposes of receiving our news and updates, we will keep your information until you unsubscribe.

Third parties

Where some of our services are commissioned by a third party (the NHS, for example) we may be required to share some personal or statistical information with them.

Each of our services are different and for some this is a requirement but not for others. Each service will tell you in their privacy notice if they are required to do this or not and what this means for you.

In order to provide you with our services, we may work with other organisations in order to deliver that service. For example, in order for us to host and maintain your records on our network we use a company called DHTS who, where necessary, will need to access your personal data to maintain and support it.

METRO will never sell your personal data to any other external organisation or individual.

Protecting your information

METRO will always do what it can to keep your information confidential and secure, both internally and externally. In order to prevent any such unpermitted access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect from you. All of our staff receive training on Data Protection and Information Security.

When you visit our premises, we will outline to you the rules for entering the building and also as you to respect other service user’s privacy while you are here.


Cookies are used on this website. A cookie is a text file that sits on your device designed to tailor website content for you or help a website’s functionality work. Cookies make it easier for you to log on to and use the site during future visits. They also allow us to monitor website traffic and personalise the content of the site for you. Our system will issue cookies to your computer when you log on to the site. However, you can set your web browser to refuse cookies. Some of the services we use, such as Google Analytics, set cookies to allow us to gather anonymous data about your usage of our website. Browsers usually will allow you to refuse cookies, but this could have a negative impact on the usability of many websites.

Links to other sites

Our website contains links to other websites. We are not responsible for the privacy practices of such other sites. When you leave our site, please be sure to read the privacy statements of each and every website that collects personal data about you. This privacy policy applies solely to information collected by METRO.

Your data abroad

Our current IT infrastructure is based on secure servers within EU (currently the UK). Where we can we avoid using services that are based outside of the EU.

Your rights

You have control over the information you provide to us. You can object or withdraw your consent to the use of your personal data at any time. Though in some cases we may not be able to provide your requested service (e.g. membership or course) where the information processing is an integral part of the service. We will tell you if this is likely to be the case.

Subject to some legal exceptions, you have the right to:

  • request a copy of the personal information METRO holds about you;
  • to have any inaccuracies corrected;
  • to have your personal data erased;
  • to place a restriction on our processing of your data;
  • to object to processing; and
  • to request your data to be ported (data portability).

To learn more about these rights please see the ICO website.

Please address any such requests to the METRO Data Protection Lead by emailing hello@metrocharity.org.uk.

If you are concerned about the way we handle your data please contact us via the details below.

However, you can also complain to the Information Commissioner's Office via;

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Telephone: 0303 123 1113 (local rate) or 01625 545 745
  • Fax: 01625 524 510

Last updated: August 2018

Get in touch

Any concerns or queries about this privacy policy should be sent to the METRO Data Protection Lead at hello@metrocharity.org.uk.

Privacy notices for specific services

These notices are currently being updated and will be available shortly.

Sexual and reproductive health


  • Hate crime
  • Greenwich Advocacy Partnership
  • Walnut
  • Revive
  • Fifty plus group

Mental health and wellbeing

  • Counselling for young people
  • Drop-ins
  • Counselling for adults
  • Advice and advocacy service


  • Young leaders programme
  • Schools
  • Anti-bullying programme
  • Youth groups
  • Boys and young men
  • Trans youth support


Core services