Medway Practices Alliance Ltd. is a provider of NHS services of the Medway Federation for General Practice and Primary Care, a network organisation of the NHS GP Practices in Medway.

We regard the fair and lawful treatment of personal data as very important for maintaining confidence between you and us. We also aim to provide you with the highest quality healthcare. To do this, we must keep records about you and the care we provide. We keep records securely in line with the General Data Protection Regulation (GDPR) and our staff are trained to handle personal information correctly in order to protect your privacy.

Personal data: information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Examples include, but are not limited to, name; address; date of birth; NHS number; occupation.

Special category data: is personal data which the GDPR says is more sensitive, and so needs more protection. Examples include, but are not limited to, race; ethnicity; political opinions, religious beliefs; genetic data; biometric data e.g. fingerprint or facial recognition; health data; and sexual orientation.


Our Data Controller and Data Protection Officer’s contact details

Data Controller

Medway Practices Alliance is the controller for the personal information we process, unless otherwise stated. The responsible individual who can be contacted is:

Lynn Johnston
Medway Practices Alliance
Suite 1&2,
Kent Space,
6-8 Revenge Rd,


Data Protection Officer

Medway Practices Alliance’s core activities involve processing 'special categories' of personal data (health information); therefore under Article 37 of the GDPR we have appointed a Data Protection Officer (DPO). Our DPO is:

Natasha Glover-Jones
c/o Medway Practices Alliance
Suite 1&2,
Kent Space,
6-8 Revenge Rd,


The data protection officer is also the main contact should you have any concerns or queries into how we handle your personal information, however in the first instance we would request you contact our head office on 01634 949500.


How do we get information?

We receive information from you when we see you at an appointment; we take records of the consultation and the care we provide you. We also receive information from your GP; when you make an appointment we receive your personal details such as name, date of birth and contact details.

When you are seen at one of our extended access GP clinics, the practitioner consulting you can view your GP record through the electronic patient record system. This is because we have a data sharing agreement with local GPs who have allowed us to have access. The access is limited to the GP or Nurse who is consulting you. Once your consultation is finished, we no longer have your information except details of your appointment; such as name, date of birth, contact number and the date, time and where your appointment was held.

We might also receive information from you if you contact us direct, to raise a complaint or provide a compliment. This information might be your name, date of birth, address, email address, telephone number and NHS number.


Why do we collect information?

We need to collect information so that we are able to provide you with a healthcare service. Without your personal details (e.g. your name), we can’t book you an appointment or provide you with clinical care.

Clinical staff must enter records into the electronic patient record system which captures the treatment and care you receive from us. Details captured may include:

  • Basic details about you such as name, address, date of birth, next of kin, GP practice etc.
  • Contact we have had with you such as appointments or clinic visits;
  • Notes and reports about your health, treatment and care;
  • Relevant information from people who care for you and know you well such as health or social care professionals, relatives or carers.

There may be extreme circumstances where we have to activate our business continuity plan because of, for example, a power cut or our IT systems fail. To ensure we are able to continue delivering care to you, we will record your information on paper records which will then be scanned to your registered GP practice. The paper records will then be securely destroyed.

It is essential that we have accurate and up to date information about you so that we can give you the best possible care. Please check that your personal details are correct whenever you make an appointment with us and let us know of any changes as soon as possible.


Lawful basis for processing

We recognise that consent should not be relied upon for processing personal information unless it is freely given, specific, informed and unambiguous (explicit). We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate.

Where we do not rely on consent, we rely on one or more of the following lawful bases:

For processing personal information under Article 6(1) of the GDPR:

  • 6(1)(c) the processing is necessary to comply with legal obligations to which we are subject
  • Example: if you make a claim against, for example, some care you received from us, we may have to share your personal details with lawyers and/or a court
  • 6(1)(d) the processing is necessary to protect the vital interests of you (protect your life)
  • Example: if we had to phone an ambulance we would have to share your personal details with the paramedics and call handler
  • 6(1)(e) the processing is necessary for us to perform specific tasks in the public interest or for our official functions, and the task or function has a clear basis in law
    Example: in order for us to provide healthcare (a public task), we have to process personal information to enable us to care for you

For processing special category (sensitive) information under Article 9(2) of the GDPR:

  • 9(2)(h) for the purposes of preventative or occupational medicine, for us to provide a medical diagnosis, for the provision of health or social care treatment or management of health or social care systems and services, carried out by, or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. This includes us processing to receive payment for work undertaken as part of a service commissioned with public money.
  • Example: in order for us to provide healthcare (a public task), we have to process special category information about you (like your health diagnosis, or any treatment we provide to you) to enable us to care for you
  • 9(2)(c) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
    Example: if you lost consciousness during a consultation, we would have to ring you an ambulance and disclose any medical conditions to the paramedics which may aide your recovery and treatment. This would be in your best interests.


How we use your personal information

When you make an appointment at one of our extended access GP clinics, you give the staff member at your registered GP surgery permission to give us your name, date of birth, and contact details.

The practitioner consulting you is the only staff member in MPA who is able to view your record when you have an appointment with us. Our reception staff are only able to see the date and time of your appointment, and your name (to be able to mark you in on arrival).

Once your consultation is completed, your practitioner will create a record of your consultation, detailing a diagnosis or the treatment that you received. This record is then saved automatically to your electronic patient record. MPA do not keep a record of the consultation once the consultation is saved by the practitioner, we can no longer access it.

If, as a result of your consultation, the practitioner would like to refer you to a secondary service (for example to the hospital to see a specialist consultant), we will contact your GP by email and ask them to complete the referral. We do not share any information with any other healthcare provider except your GP; any onward referrals are completed by your GP.

In these cases, we keep emails sent to GPs about you for 1 month then they are deleted. The only information we retain about you will be your name, date of birth, contact number and date/time/whereabouts of your appointment. This is retained in the EMIS clinical system.

To ensure MPA has provided the best care possible, random clinical audits will be undertaken on a small percentage of electronic patient records on a monthly basis. This is carried out by requesting access to the records from the patient’s GP The audits are carried out by our Accountable Officer and Chairman, who has been a GP in Medway for over 30 years. No information that can identify patients is retained after the audit.


When do we share information about you?

In an emergency, we might share information with the ambulance service if you are very poorly during one of our consultations.

If we need to use your personal information for any other reason not covered in this notice, we will aim to discuss this with you. You have the right to ask us not to use your information in this way, but there may be times when we have to share your information without your permission because:

  • the public good is thought to be of greater importance for example:
    • if a serious crime has been committed
    • if there are risks to the public or our staff
    • to protect vulnerable children or adults
  • we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders
  • we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority)


Your data protection rights

The General Data Protection Regulation (GDPR) grants you rights to enable you to have a better understanding and more control over your personal information:

The right to be informed

Medway Practices Alliance has a duty to let you know how we are using your information. You are informed of this via our privacy notice, our staff, website, posters and leaflets.

The right to access

You have the right to request a copy of the information we hold about you. Because we currently do not keep any records about you (our records are kept via your electronic patient record), we are unable to provide records under a “subject access request”. If you’d like to request a copy of a consultation you had with us, please contact your GP surgery to make the request.

The right to rectification

You can request data found to be factually inaccurate or incorrect be corrected.

The right to restriction of some processing

You have the right to restrict the processing of your data if:

  • You are contesting the accuracy of the data – processing will be restricted to allow us to verify the accuracy
  • Where you request us to retain your information outside of the normal destruction date e.g. if you are pursuing a claim
  • If you object to us processing your data, however, as it is necessary for us to process your data to provide clinical or social care you can request that your data is not shared outside of Medway Practices Alliance for purposes beyond your direct care. However, the request will be reviewed on a case by case basis as we still have a legal obligation to share data in certain circumstances.

If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.

The right to object

You have the right to object to processing for direct marketing and for scientific/historical research/statistical purposes. You must be able to demonstrate grounds relating to your situation for the processing to stop, however if the processing is necessary performance of a task carried out for reasons of public interest, we will be unable to comply with your request. MPA do not process your personal information for direct marketing/scientific/research purposes.


Your right to complain

We would request that in the first instance you talk or write to us or our Data Protection Officer, at or via telephone 01634 949500.

You have the right to make direct complaints to the ICO; however they will not usually respond to your complaint unless you have complained to us and you have attached our response letter.

Complaints can be addressed to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113


Privacy notice review

This privacy notice will be reviewed every 6 months or sooner if there is a change in data protection legislation or we change the way in which we handle information.

Last reviewed: March 2022.



Website Privacy Policy

We are committed to protecting the privacy of all individuals using this website.

This policy explains how we use any personal information we collect from you through this website.


Collection of personal information

You can access most of the pages on our website without giving us your personal information. However, you may choose to provide us with your personal information on some pages of the website by completing an on-line form.

By submitting your personal information, you consent to our use of the information as set out in this privacy policy.


Use of personal information

We shall use any personal information you give to us, in accordance with this policy, and with any additional statements appearing on forms used for submitting your personal information. We shall not disclose your personal information to any third parties without obtaining your prior consent unless we are required by law to do so. In particular:

We shall use your personal information to administer, and may respond to, your request.

We shall securely store the information you supply together with any response we may provide.

If you contact us regarding the website we may use your details to reply to you. If you make a comment or complaint about other aspects of the service we may use your details to investigate your comments.


Website privacy

This website uses https to ensure data is encrypted in transmission. This encryption, known as TLS encryption protocol, allows us to protect your privacy. You can usually verify that the page is encrypted by seeing a small lock symbol in the upper left corner of your browser and the website address is prefixed with https://.


Data storage

All data obtained by us is held and used in compliance with the Data Protection Act 2018.


Cookie Policy

Read our Cookie Policy



This website contains links to other sites. We are not responsible for the privacy practices of third parties that run any other websites. Please refer to their own privacy policies for more information.


Access to your personal information

You have a right under the Data Protection Act 2018 to ask us to provide you with the information we hold about you and to have any inaccuracies corrected. If you would like to access a copy of your information, please contact the Practice Manager at your own surgery as MPA does not hold any personal data.

Contact UsWebsite Accessibility


Check out our current vacancies and sign up to our future opportunities mailings. Never miss out on the perfect job.

MPA Patient Reference Group

Would you like to join the Medway Practices Alliance Patient Reference Group?

Patient Survey

How likely are you to recommend Medway Practices Alliance to friends and family if they needed similar care or treatment? Please spend 2 minutes to take the Friends and Family Test.


The NHS website. Take control of your health and wellbeing. Get medical advice, information about healthcare services and support for a healthy life.

Information Websites

Top of Page