Privacy Policy

How medicalcentreuk.org/ Handles Personal Information — UK GDPR, Data Protection Act 2018, PECR

This Privacy Policy explains what personal information we collect, why, how long we keep it, who we share it with, and your rights under the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It is written in plain English and is intended to satisfy our transparency obligations under Articles 13 and 14 UK GDPR.

Effective date: 1 January 2026
Last reviewed: April 2026
Data controller: medicalcentreuk.org/ Editorial

⚠ We do not hold any patient health record

medicalcentreuk.org/ is a directory and editorial publisher. We do not hold, process, or store any patient health record. Patient records are held by your registered NHS practice (or your private provider) and by NHS Digital / NHS England Digital. For access to your own NHS record, use the NHS App or submit a Subject Access Request to your practice. We do not need, want, or collect your medical history.

1. Scope and Data Controller

This policy applies to medicalcentreuk.org/. The data controller for the limited personal data we process is medicalcentreuk.org/ Editorial, contactable at info@medicalcentreuk.org.

This policy does not apply to NHS practices, NHS England, NHS Wales, NHS Scotland, HSC Northern Ireland, the CQC, HIW, HIS, RQIA, the GMC, NMC, GPhC, GDC, HCPC, MHRA, NICE, the ICO, the DHSC, or any other third party we link to. Each of those bodies is its own data controller, with its own privacy notice and lawful bases.

2. Information We Collect

| Category | Examples | Source |
| Identifiers | IP address, device ID, browser user agent | Automatic when you visit |
| Usage data | Pages viewed, time on page, referrer, internal search queries (non-clinical) | Automatic |
| Contact information | Email address, name (if provided), message content | You — only if you email us |
| Cookies and similar | See Cookie Policy | Automatic; managed via banner and settings |
| Approximate location | City / region inferred from IP | Automatic |

What we do NOT collect

We do not collect your name, NHS number, date of birth, address, telephone, GP practice details, medical history, symptoms, diagnoses, prescriptions, test results, mental health information, sexual health information, or any other special-category data under UK GDPR Article 9. We do not request or process special-category health data through normal site use. If you accidentally include health information in an email to us, we delete it on receipt and ask you to take any clinical question to your GP, NHS 111, or in an emergency 999.

3. Why We Collect It

  • To operate the site — load pages, remember your cookie preferences, protect against form-submission abuse
  • To understand which directory pages are useful — aggregated, anonymised analytics
  • To respond to you — when you email us a correction, accessibility issue, data-rights request, or other enquiry
  • To display non-personalised or personalised advertising — depending on your consent
  • To detect and prevent abuse — fraud, scraping, attacks
  • To comply with law — for example, retaining contact records for response to lawful requests from the ICO, the police, or the courts

4. Lawful Bases Under UK GDPR Article 6

| Processing | Lawful basis |
| Site operation (server logs, security) | Article 6(1)(f) — legitimate interests (operating a safe website) |
| Strictly necessary cookies | Article 6(1)(f) — legitimate interests; PECR regulation 6(4) exemption |
| Functional, analytics, advertising cookies | Article 6(1)(a) — consent; PECR regulation 6 |
| Responding to your email | Article 6(1)(b) — performance of a contract / pre-contractual steps; or Article 6(1)(f) — legitimate interests |
| Compliance with legal requests | Article 6(1)(c) — legal obligation |

We do not process special-category data (UK GDPR Article 9) in the ordinary operation of the site.

5. Who We Share With

  • Service providers (processors under Article 28) — hosting, CDN / security (Cloudflare), analytics (Google Analytics 4), advertising (Google AdSense), email — all under written contracts that limit them to processing data on our instructions
  • Authorities — only when required by law, valid legal process, or to protect rights and safety
  • Successors — in a merger, acquisition, or sale of the publication, in which case we will require the successor to honour this policy

We do not sell personal information. We do not share personal data with the NHS, with NHS practices, with health insurers, or with any health-related body — the only data the NHS holds about you is what you have provided to them directly.

6. International Transfers

Some of our service providers (Cloudflare, Google) process data outside the United Kingdom, including in the United States and the European Economic Area. Where personal data is transferred outside the UK, we rely on:

  • UK adequacy regulations for transfers to countries the UK Government has decided provide an adequate level of protection (including the EEA)
  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum for transfers to other countries
  • The UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) for transfers to certified US recipients

7. How Long We Keep Information

| Category | Retention |
| Web server and security logs | 30 days |
| Aggregated GA4 analytics | 14 months |
| Email correspondence | 24 months from last interaction |
| Cookie-consent records | 12 months from the choice |
| Data-rights request audit trail | 3 years (limitation period for ICO actions) |

8. Your Rights Under UK GDPR

  • Right of access (Article 15) — a copy of the personal data we hold about you
  • Right to rectification (Article 16) — correct inaccurate information
  • Right to erasure (Article 17, “right to be forgotten”) — delete your data in the circumstances Article 17 sets out
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format
  • Right to object (Article 21) — including to direct marketing
  • Rights related to automated decision-making (Article 22) — we do not carry out automated decision-making producing legal effects, but you have the right not to be subject to it
  • Right to withdraw consent at any time where consent is the lawful basis
  • Right to complain to the ICO — see Section 12

9. How to Exercise Your Rights

Email info@medicalcentreuk.org with subject line “Data rights request.” Include the right you are exercising and enough information to identify you in our limited records (typically the email address you previously used). We will respond within one month as required by UK GDPR Article 12, with a possible two-month extension for complex requests.

Authorised representatives. You may use an authorised representative to submit a request. We may verify both your identity and the representative’s authority.

10. Children

The site is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe a child has provided personal data to us, contact us with subject line “Child data request” and we will delete it.

Under UK GDPR Article 8 and the Data Protection Act 2018, the digital age of consent in the UK is 13. Where a service relies on consent and is offered directly to a child, parental consent is required below that age.

11. Security

We use technical and organisational measures appropriate to the limited categories of personal information we process — HTTPS in transit, encryption at rest where applicable, access controls, vendor due diligence, and breach response procedures. No security measure is perfect; we cannot guarantee that personal information will never be exposed by a security incident. Under UK GDPR Article 33, we will report notifiable breaches to the ICO within 72 hours and (where required by Article 34) notify affected individuals without undue delay.

12. Complaints to the Information Commissioner’s Office

If you are not satisfied with how we have handled your personal data or a data-rights request, you have the right to complain to the Information Commissioner’s Office (ICO), the UK data protection regulator:

  • Online: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You may also have rights to bring a claim in the courts of England and Wales (or Scotland, or Northern Ireland) under sections 167 and 168 of the Data Protection Act 2018 for breach of UK GDPR.

13. Changes to This Policy

We update this policy when our practices change or when applicable laws change. The “Last reviewed” date at the top reflects the current version. Material changes are flagged on the site for 30 days.

14. Contact

For any privacy question or rights request, email info@medicalcentreuk.org.
