SH:24 C.I.C.

SH:24 online contraception, sexual and reproductive health service

SH:24 is an online sexual and reproductive health service that works in partnership with local clinics to provide access to oral contraception (OC) and emergency hormonal contraception (EHC). It is supported by remote clinical support, an accredited clinical laboratory, a clinical record system, a pharmacy, comprehensive performance analytics and online tools to support self-management.


  • Seamless user pathway between online and clinic services
  • Track-record on-boarding clinics to an integrated online sexual health service-model
  • Remote clinical support via email, telephone, SMS and webchat
  • Clinically led, user-informed designed risk/safeguarding assessment
  • High visibility using web-analytics, SEO, social media and online signposting
  • CQC registered service compliant with BASHH/FSRH Standards
  • Secure clinic admin portal to manage users and view data
  • Free-access to SH:24's clinically moderated contraception user forum
  • Consultant-led specialist SRH clinical team including nurses and health advisors
  • Integration with GPhC regulated pharmacy provider for dispensing of medicines


  • Evidence of high satisfaction levels with positive service user feedback
  • User co-designed prescription packs with follow-up to confirm adherence
  • Ongoing academic service evaluations informing service innovation
  • Bespoke workflow and user-pathway co-designed with customers
  • Detailed visual analysis of performance metrics on a monthly basis
  • Dedicated data-analyst to provide intelligence and inform service provision
  • Track-record shifting non-complex users online and releasing clinic resource
  • Online algorithm designed to target and support high-risk vulnerable users
  • Added value online tools to support user self-management
  • User safety assured through comprehensive safeguarding and remote support


£18.59 to £35.00 per person

Service documents


G-Cloud 11

Service ID

918100959083879


SH:24 C.I.C.

Blake George

020 7620 2250

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Integration with booking systems, clinical record systems, partner notification tools, pharmacy and laboratory information management systems.
Cloud deployment model
Hybrid cloud
Service constraints
No service constraints
System requirements
Compliance with ICO/DoH/NHS Digital data protection security standards

User support

Email or online ticketing support
Email or online ticketing
Support response times
SH:24 strives to resolve support requests within 1 hour from 9am to 5pm, Monday to Friday, and within 3 hours on weekends.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
Onsite support
Onsite support
Support levels
Clinic/buyer support is available 9am to 5pm - 7 days per week, service-user support is available 9am to 5pm - 7 days per week, and DevOps support for any IT technical issues is available 24/7. All support is provided at no additional cost.
Support available to third parties

Onboarding and offboarding

Getting started
Online and onsite training is provided to plan the overall user journey, set-up users and train how to use the SH:24 Admin Clinical Record System. Alongside this, customised SH:24 handbooks are provided for reference.
Service documentation
Documentation formats
End-of-contract data extraction
Disaggregated and anonymised raw backing data is shared securely through a password-protected .csv file via email. This can be provided on request following completion of the contract.
End-of-contract process
Service user eligibility agreed during the contract is removed and access to the SH:24 back-end is revoked.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
Description of service interface
Service users read about their contraception options and decide they would like remote management. The interface is available 24/7 and assesses users' eligibility for OC or EHC and any risk/safeguarding needs via an online form and/or via telephone. An SH:24 prescriber reviews the risk assessment and relevant diagnostic material via Admin CRS and makes a decision to prescribe or refer to clinic. SH:24's pharmacy provider accesses approved prescriptions via Admin CRS from within the secure HSCN network, before dispensing and dispatch of the medicine by post. Prescriptions issued by 2pm will be dispensed on the same day.
Accessibility standards
WCAG 2.1 A
Accessibility testing
SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
What users can and can't do using the API
A library of APIs exists to perform integration between Laboratory LIMS, Pharmacy, clinical record and booking systems.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
During mobilisation we work with the buyer to co-design the user pathway including triage criteria and referral pathways in order to target high-risk users and reduce inappropriate use. Buyers can elect to cap the number of orders each day based on their affordability limit.


Independence of resources
SH:24's services are designed to scale with IT hardware and resource usage, with system integrity monitored 24/7. SH:24 is supported by interdisciplinary specialists, covering operations, clinical, commercial and service development in order to support the service as it scales and provide contingency during periods of peak demand. We analyse our capacity regularly to ensure our resource planning is robust.


Service usage metrics
Metrics types
Including, but not limited to: orders, prescriptions generated, referrals to clinic, safeguarding cases, user feedback including complaints, heat-map with uptake via LSOA, demographic breakdown of orders (ethnicity, sexuality, age etc). Data is quality assured and buyers are assisted with ongoing and one-off data requests to answer specific questions from our data set.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Disaggregated and anonymised raw backing data is shared securely through a password-protected CSV file via email each month or as required. SH:24 provides a comprehensive, visual performance report and a safeguarding report each month alongside the backing data. Reports are generated by a fully automated system within the HSCN network and data is quality-assured prior to submission. We highlight trends, concerns or improvements with a detailed qualitative analysis.
Data export formats
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
SH:24 is hosted on AWS utilising a cluster service model with an availability of 99.99%.
Approach to resilience
This information can be made available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Prior to access being granted to Admin CRS, training is provided. We use an internal procedure to vet applications. Once training and approval are complete, users sign a Confidentiality Code of Conduct. Once access is granted, each session requires login using 2-factor authentication and a memorable word. Permissions are limited by level and role. The application logs actions performed by users, providing an audit trail. This feature allows review of views, edits and actions performed.
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Data Security and Protection Toolkit
  • Cyber Essentials
  • External audit of data and security measures/protocols

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Data Security and Protection Toolkit, Cyber Essentials, External audit of data and security measures/protocols
Information security policies and processes
SH:24’s approach to data protection and security is shaped by existing and relevant legislation. When designing our service, SH:24 consulted users, clinicians, data protection experts, Trusts and Public Health experts which has also influenced our approach to data protection and security. We are registered with the Information Commissioner's Office and our service has been peer reviewed and approved by SH:24’s partner NHS Trust Information Governance (IG) Boards and Caldicott Guardians. In our last Data Security and Protection Toolkit submission we provided 100% of the mandatory evidence items and confirmed 100% of all assertions.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to the application (front-end and the Admin Portal) are reviewed and approved by our Service Development Director and our DPO in accordance with SH:24’s Change Control Procedure. Prior to deployment of any major updates or changes to the service, renewed penetration testing is undertaken to assess the integrity of the SH:24 application. The management of access rights is subject to regular compliance checks.
Vulnerability management type
Vulnerability management approach
Regular audits of our system security including penetration testing are conducted by an accredited third-party. Weekly code reviews take place together with Quality Assurance inspections and user acceptability testing (UAT), carried out by a combination of internal and external reviewers, before any new or revised features are deployed. No code is deployed without a regression test. Urgent security patches are automated and deployed daily. Non-urgent updates are deployed monthly.
Protective monitoring type
Protective monitoring approach
The operating system and user access are monitored on a daily basis as part of SH:24's daily metrics overseen by our DevOps team. Any unusual activity or failure to meet metrics triggers an alarm and subsequent investigation compliant with ICO guidance. We promptly assess the risk to people's rights and freedoms and, if appropriate, report the breach to the ICO within 72 hours as per GDPR.
Incident management type
Incident management approach
Our Data Breach Policy is updated yearly and sets out how we identify, investigate, manage and report information incidents. SH:24 follows NHS Digital and ICO guidelines to assess whether an incident is reportable on the Data Security and Protection Reporting Tool. If notifiable, the breach is reported separately to the ICO. All incidents and near misses are entered onto our incident management system and our information security and data protection officer ensures key members of staff and any individuals/organisations affected are notified.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
Health and Social Care Network (HSCN)


£18.59 to £35.00 per person
Discount for educational organisations
Free trial available
