Medway Practices Alliance Ltd. is a provider of NHS services of the Medway Federation for General Practice and Primary Care, a network organisation of the NHS GP Practices in Medway.
We regard the fair and lawful treatment of personal data as very important for maintaining confidence between you and us. We also aim to provide you with the highest quality healthcare. To do this, we must keep records about you and the care we provide. We keep records securely in line with the General Data Protection Regulation (GDPR) and our staff are trained to handle personal information correctly in order to protect your privacy.
Personal data: information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Examples include, but are not limited to, name; address; date of birth; NHS number; occupation.
Special category data: personal data which the GDPR says is more sensitive, and so needs more protection. Examples include, but are not limited to, race; ethnicity; political opinions; religious beliefs; genetic data; biometric data, e.g. fingerprint or facial recognition; health data; and sexual orientation.
Medway Practices Alliance is the controller for the personal information we process, unless otherwise stated. The responsible individual who can be contacted is:
Medway Practices Alliance
6-8 Revenge Rd,
Medway Practices Alliance’s core activities involve processing 'special categories' of personal data (health information); therefore under Article 37 of the GDPR we have appointed a Data Protection Officer (DPO). Our DPO is:
c/o Medway Practices Alliance
6-8 Revenge Rd,
The Data Protection Officer is also the main contact should you have any concerns or queries about how we handle your personal information. However, in the first instance we would request that you contact our head office on 01634 949500.
We receive information from you when we see you at an appointment; we take records of the consultation and the care we provide you. We also receive information from your GP; when you make an appointment we receive your personal details such as name, date of birth and contact details.
When you are seen at one of our extended access GP clinics, the practitioner consulting you can view your GP record through the electronic patient record system. This is because we have a data sharing agreement with local GPs who have allowed us to have access. The access is limited to the GP or Nurse who is consulting you. Once your consultation is finished, we no longer have your information except details of your appointment, such as name, date of birth, contact number and the date, time and where your appointment was held.
We might also receive information from you if you contact us direct, to raise a complaint or provide a compliment. This information might be your name, date of birth, address, email address, telephone number and NHS number.
We need to collect information so that we are able to provide you with a healthcare service. Without your personal details (e.g. your name), we can’t book you an appointment or provide you with clinical care.
Clinical staff must enter records into the electronic patient record system which captures the treatment and care you receive from us. Details captured may include:
There may be extreme circumstances where we have to activate our business continuity plan, for example because of a power cut or a failure of our IT systems. To ensure we are able to continue delivering care to you, we will record your information on paper records which will then be scanned to your registered GP practice. The paper records will then be securely destroyed.
It is essential that we have accurate and up to date information about you so that we can give you the best possible care. Please check that your personal details are correct whenever you make an appointment with us and let us know of any changes as soon as possible.
We recognise that consent should not be relied upon for processing personal information unless it is freely given, specific, informed and unambiguous (explicit). We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate.
Where we do not rely on consent, we rely on one or more of the following lawful bases:
For processing personal information under Article 6(1) of the GDPR:
For processing special category (sensitive) information under Article 9(2) of the GDPR:
When you make an appointment at one of our extended access GP clinics, you give the staff member at your registered GP surgery permission to give us your name, date of birth, and contact details.
The practitioner consulting you is the only staff member in MPA who is able to view your record when you have an appointment with us. Our reception staff are only able to see the date and time of your appointment, and your name (to be able to mark you in on arrival).
Once your consultation is completed, your practitioner will create a record of your consultation, detailing a diagnosis or the treatment that you received. This record is then saved automatically to your electronic patient record. MPA do not keep a record of the consultation: once the consultation is saved by the practitioner, we can no longer access it.
If, as a result of your consultation, the practitioner would like to refer you to a secondary service (for example to the hospital to see a specialist consultant), we will contact your GP by email and ask them to complete the referral. We do not share any information with any other healthcare provider except your GP; any onward referrals are completed by your GP.
In these cases, we keep emails sent to GPs about you for 1 month, after which they are deleted. The only information we retain about you will be your name, date of birth, contact number and date/time/whereabouts of your appointment. This is retained in the EMIS clinical system.
To ensure MPA has provided the best care possible, random clinical audits will be undertaken on a small percentage of electronic patient records on a monthly basis. This is carried out by requesting access to the records from the patient’s GP. The audits are carried out by our Accountable Officer and Chairman, who has been a GP in Medway for over 30 years. No information that can identify patients is retained after the audit.
In an emergency, we might share information with the ambulance service if you are very poorly during one of our consultations.
If we need to use your personal information for any other reason not covered in this notice, we will aim to discuss this with you. You have the right to ask us not to use your information in this way, but there may be times when we have to share your information without your permission because:
The General Data Protection Regulation (GDPR) grants you rights to enable you to have a better understanding and more control over your personal information:
The right to be informed
Medway Practices Alliance has a duty to let you know how we are using your information. You are informed of this via our privacy notice, our staff, website, posters and leaflets.
The right to access
You have the right to request a copy of the information we hold about you. Because we currently do not keep any records about you (our records are kept via your electronic patient record), we are unable to provide records under a “subject access request”. If you’d like to request a copy of a consultation you had with us, please contact your GP surgery to make the request.
The right to rectification
You can request data found to be factually inaccurate or incorrect be corrected.
The right to restriction of some processing
You have the right to restrict the processing of your data if:
If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
The right to object
You have the right to object to processing for direct marketing and for scientific/historical research/statistical purposes. You must be able to demonstrate grounds relating to your situation for the processing to stop; however, if the processing is necessary for the performance of a task carried out for reasons of public interest, we will be unable to comply with your request. MPA do not process your personal information for direct marketing/scientific/research purposes.
We would request that in the first instance you talk or write to us or our Data Protection Officer, at email@example.com or via telephone 01634 949500.
You have the right to make direct complaints to the ICO; however, they will not usually respond to your complaint unless you have complained to us and you have attached our response letter.
Complaints can be addressed to:
Information Commissioner’s Office
Telephone: 0303 123 1113
This privacy notice will be reviewed every 6 months or sooner if there is a change in data protection legislation or we change the way in which we handle information.
Last reviewed: March 2022.
We are committed to protecting the privacy of all individuals using this website.
This policy explains how we use any personal information we collect from you through this website.
You can access most of the pages on our website without giving us your personal information. However, you may choose to provide us with your personal information on some pages of the website by completing an on-line form.
We shall use any personal information you give to us, in accordance with this policy, and with any additional statements appearing on forms used for submitting your personal information. We shall not disclose your personal information to any third parties without obtaining your prior consent unless we are required by law to do so. In particular:
We shall use your personal information to administer, and may respond to, your request.
We shall securely store the information you supply together with any response we may provide.
If you contact us regarding the website we may use your details to reply to you. If you make a comment or complaint about other aspects of the service we may use your details to investigate your comments.
This website uses HTTPS to ensure data is encrypted in transmission. This encryption, known as the TLS encryption protocol, allows us to protect your privacy. You can usually verify that the page is encrypted by checking for a small lock symbol in the upper left corner of your browser and that the website address is prefixed with https://.
All data obtained by us is held and used in compliance with the Data Protection Act 2018.
This website contains links to other sites. We are not responsible for the privacy practices of third parties that run any other websites. Please refer to their own privacy policies for more information.
You have a right under the Data Protection Act 2018 to ask us to provide you with the information we hold about you and to have any inaccuracies corrected. If you would like to access a copy of your information, please contact the Practice Manager at your own surgery as MPA does not hold any personal data.