Last updated: July 2026
MedLink Solutions Ltd ("MedLink") provides secure digital healthcare software used by healthcare organisations to support the delivery of patient care.
Our services may be used for:
This Privacy Notice explains how MedLink processes personal information when:
Most patients use MedLink because their healthcare organisation has chosen to use our software. In these situations, your healthcare organisation remains responsible for your personal information and MedLink processes it on their behalf.
For the purposes of this Privacy Notice:
Healthcare organisation means the GP practice, NHS organisation or other healthcare provider using MedLink to deliver healthcare services.
Data Controller means the organisation that decides why and how personal information is processed.
Data Processor means an organisation that processes personal information on behalf of a Data Controller.
The way your personal information is processed depends on how you interact with MedLink.
In most cases, MedLink provides software to healthcare organisations and processes personal information on their behalf. In these situations, the healthcare organisation remains responsible for your personal information as the Data Controller, and MedLink acts as the Data Processor.
In some situations, MedLink processes personal information for its own business purposes, such as managing user accounts, responding to enquiries and operating our website. In these situations, MedLink acts as the Data Controller.
The table below explains the different roles.
| If you are… | Who is the Data Controller? | MedLink's role |
|---|---|---|
| A patient using MedLink because your healthcare organisation has invited you to do so | Your healthcare organisation | Data Processor |
| A patient receiving communications sent through MedLink on behalf of your healthcare organisation | Your healthcare organisation | Data Processor |
| A healthcare professional using MedLink to deliver healthcare services | Your healthcare organisation | Data Processor |
| A healthcare professional using a MedLink account for authentication, account management, support or administration | MedLink Solutions Ltd | Data Controller |
| Someone visiting the MedLink website | MedLink Solutions Ltd | Data Controller |
| Someone contacting MedLink directly | MedLink Solutions Ltd | Data Controller |
Most people use MedLink because their GP practice or another healthcare organisation has chosen to use our software to support the delivery of healthcare services.
MedLink may be used to support a wide range of healthcare activities, including:
Your healthcare organisation decides which patients should be invited to use MedLink and how invitations are sent. Depending on the services available, invitations may be sent using the NHS App, SMS, email, telephone or letter.
MedLink sends invitations and communications on behalf of the healthcare organisation in accordance with their instructions.
MedLink does not decide who receives invitations, what services are offered, or what care is provided.
The information requested depends on the service being provided. This may include:
Much of this information is classified as Special Category Data under the UK GDPR because it relates to your health.
Information you submit through MedLink is made available to your healthcare organisation for review by appropriate members of the healthcare team.
Where relevant to the healthcare service being provided, information submitted through MedLink will normally become part of your healthcare record.
MedLink does not make decisions about your healthcare, diagnosis or treatment. Clinical decisions remain the responsibility of appropriately qualified healthcare professionals.
Your healthcare organisation remains the Data Controller for personal information processed as part of your healthcare.
MedLink Solutions Ltd acts as a Data Processor and processes your information only on behalf of, and in accordance with the instructions of, your healthcare organisation and our contractual obligations with them.
If you have questions about how your healthcare organisation uses your personal information or wish to exercise your rights in relation to your healthcare record, you should normally contact that organisation directly.
The NHS National Data Opt-out allows patients to opt out of their confidential patient information being used for purposes beyond their individual care, such as research and planning.
MedLink is used by healthcare organisations to support the delivery of direct care. The National Data Opt-out does not apply to the processing of personal information through MedLink for these direct care purposes.
Healthcare professionals and other authorised users may have a MedLink account to access and manage MedLink services on behalf of their healthcare organisation.
When you use MedLink to access or process patient information on behalf of your healthcare organisation, your healthcare organisation remains the Data Controller and MedLink acts as the Data Processor.
However, MedLink Solutions Ltd acts as the Data Controller for personal information that we process to create, maintain and secure your MedLink account.
This may include:
We process this information to:
We process this information under one or more lawful bases, including Article 6(1)(b) (performance of a contract), Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests) of the UK GDPR, as appropriate.
When you visit the MedLink website or contact us directly, MedLink Solutions Ltd acts as the Data Controller for the personal information processed in connection with those activities.
When you visit our website, we may automatically collect limited technical information, including:
We use this information to:
Where cookies or similar technologies are used, further information, including how to manage your preferences, is available in our Cookie Policy.
If you contact us by email, telephone, our website or other means, we may process information including:
We use this information to:
Where you are contacting us on behalf of a healthcare organisation, we may also process information necessary to investigate and resolve technical or operational issues affecting the services we provide.
The personal information we process depends on how MedLink is being used.
When MedLink is used by a healthcare organisation to support your care, we may process information including:
Much of this information is classified as Special Category Data under the UK GDPR because it relates to your health.
When healthcare professionals or other authorised users use MedLink, we may process information including:
When you visit our website, we may process information including:
Where organisations enquire about or use our services, we may process information relating to:
The lawful basis for processing your personal information depends on how you interact with MedLink and whether MedLink is acting as a Data Processor or a Data Controller.
When MedLink is used by a healthcare organisation to provide healthcare services, the healthcare organisation determines the lawful basis for processing your personal information as the Data Controller.
For organisations providing NHS-funded direct care, this will commonly include:
UK GDPR Article 6
UK GDPR Article 9
In some circumstances, other lawful bases may apply depending on the healthcare organisation providing your care and the purpose for which your personal information is being processed.
Where MedLink processes personal information for its own business purposes, such as operating user accounts, providing support, responding to enquiries or operating our website, we rely on one or more of the following lawful bases:
Where we process Special Category Data in our capacity as a Data Controller, we will do so only where an appropriate condition under Article 9 of the UK GDPR also applies.
We do not sell your personal information or use patient identifiable information for advertising or marketing purposes.
Who we share your information with depends on how MedLink is being used.
When MedLink is providing services on behalf of a healthcare organisation, information may be shared with:
Information submitted through MedLink will normally become part of your healthcare record where relevant to the healthcare service being provided.
Where MedLink is acting as a Data Controller (for example, in relation to website enquiries or user account management), we may share information with:
We only share personal information where there is a lawful basis to do so and where appropriate contractual, technical and organisational safeguards are in place.
Like most providers of cloud-based software, MedLink uses carefully selected third-party service providers ("sub-processors") to help deliver our services.
Examples include providers of secure cloud infrastructure, email delivery, messaging, monitoring and other technical services necessary for the operation of MedLink.
All sub-processors are subject to appropriate contractual obligations, including requirements relating to confidentiality, information security and data protection.
Where MedLink acts as a Data Processor, the appointment and management of sub-processors is carried out in accordance with our contractual obligations to the healthcare organisations that use our services.
A current list of our approved sub-processors, together with details of the services they provide, is available on our Sub-processor List.
MedLink is designed so that access to patient information is limited to authorised personnel and only where this is necessary to provide or support our services.
MedLink staff do not routinely access patient information as part of their day-to-day duties.
Where possible, technical support is provided without accessing patient identifiable information. We encourage healthcare organisations not to send patient identifiable information when reporting issues unless it is necessary to investigate or resolve the problem.
Where a healthcare organisation asks MedLink to investigate a technical or operational issue that requires access to patient information, or provides patient identifiable information to assist with that investigation, we limit access to the minimum information necessary.
Where access to patient information is required:
Any access to patient information is carried out in accordance with our contractual obligations as a Data Processor and the instructions of the healthcare organisation responsible for the patient's care.
Where personal information is transferred outside the United Kingdom, MedLink ensures that appropriate safeguards are in place in accordance with UK data protection legislation.
Depending on the circumstances, these safeguards may include:
Where possible, healthcare data is stored and processed within the United Kingdom.
We assess our suppliers and any international data transfers to ensure that appropriate technical, organisational and contractual safeguards are maintained.
Protecting personal information is fundamental to the design, development and operation of MedLink.
We maintain technical and organisational measures designed to protect the confidentiality, integrity and availability of the information we process. Access to systems and personal information is granted in accordance with the principle of least privilege, ensuring that individuals have access only to the information and systems necessary to perform their role.
Our security measures include:
We regularly review and update our security controls to reflect changes in technology, security threats and regulatory requirements.
MedLink maintains Cyber Essentials Plus certification and completes the NHS Data Security and Protection Toolkit annually as part of our commitment to maintaining appropriate security standards.
We retain personal information only for as long as it is necessary to fulfil the purposes for which it was collected and to meet our legal, contractual and regulatory obligations.
When MedLink processes personal information on behalf of a healthcare organisation, retention is determined by the purpose of the processing and our contractual obligations with that healthcare organisation.
For patient information submitted through MedLink:
Once information has been incorporated into the patient's healthcare record, its retention is determined by the healthcare organisation in accordance with applicable NHS records management requirements.
Where MedLink acts as a Data Controller, we retain personal information only for as long as necessary for the purpose for which it was collected, including to:
Retention periods vary depending on the type of information being processed.
MedLink supports healthcare organisations by facilitating communication with patients, collecting information and presenting it to authorised healthcare professionals.
MedLink does not make automated decisions about your healthcare, diagnosis or treatment.
Information submitted through MedLink is reviewed by the healthcare organisation responsible for your care. Any clinical decisions remain the responsibility of appropriately qualified healthcare professionals.
Where MedLink supports administrative processes, such as identifying patients for invitation, sending communications or facilitating appointment booking, the criteria for those processes are determined by the healthcare organisation using MedLink.
Under the UK GDPR, you may have rights in relation to your personal information, including the right to:
If your request relates to your healthcare record or information processed by MedLink on behalf of your healthcare organisation, you should normally contact your healthcare organisation directly, as they are responsible for responding to your request.
If your request relates to information processed directly by MedLink, such as your MedLink user account, a website enquiry or correspondence with us, you may contact us directly using the contact details at the end of this Privacy Notice.
We will respond to requests in accordance with applicable data protection legislation.
If you have questions or concerns about how MedLink has processed your personal information, please contact us in the first instance using the contact details below.
If your concern relates to the way your healthcare organisation uses your personal information, or to information contained within your healthcare record, you should normally contact your healthcare organisation directly, as they are responsible for your healthcare information.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
We may update this Privacy Notice from time to time to reflect changes to our services, legal requirements or the way we process personal information.
The latest version will always be published on our website. The "Last updated" date at the top of this Privacy Notice indicates when it was most recently revised.
If you have any questions about this Privacy Notice or how MedLink processes personal information, please contact:
MedLink Solutions Ltd
Email: privacy@medlinksolutions.co.uk
Website: https://medlink.co.uk
Registered Office:
4th Floor Radius House
51 Clarendon Road
Watford
Hertfordshire
WD17 1HP
ICO Registration: ZA520573