MedLink
Home Recall Monitoring CVD Risk Reviews Our Team Testimonials Contact
← Back to Home

MedLink Privacy Notice

Last updated: July 2026

Contents

  1. Who we are
  2. Definitions
  3. When MedLink acts as a Data Processor or Data Controller
  4. Using MedLink through your healthcare organisation
  5. Healthcare professionals using MedLink
  6. Visiting our website and contacting MedLink
  7. Personal information we process
  8. Lawful basis for processing
  9. Who we share information with
  10. Sub-processors
  11. Access to patient information
  12. International transfers
  13. Security
  14. Data retention
  15. Automated decision-making
  16. Your rights
  17. Complaints
  18. Changes to this Privacy Notice
  19. Contact us

Who we are

MedLink Solutions Ltd ("MedLink") provides secure digital healthcare software used by healthcare organisations to support the delivery of patient care.

Our services may be used for:

  • Online health questionnaires and reviews
  • Long-term condition management
  • Medication monitoring
  • Collection of home readings and test results
  • Appointment booking and invitations
  • Patient communications and healthcare reminders
  • Other healthcare services provided by your healthcare organisation

This Privacy Notice explains how MedLink processes personal information when:

  • you use MedLink through a healthcare organisation;
  • you are a healthcare professional using MedLink;
  • you visit our website; or
  • you contact MedLink directly.

Most patients use MedLink because their healthcare organisation has chosen to use our software. In these situations, your healthcare organisation remains responsible for your personal information and MedLink processes it on their behalf.

Definitions

For the purposes of this Privacy Notice:

Healthcare organisation means the GP practice, NHS organisation or other healthcare provider using MedLink to deliver healthcare services.

Data Controller means the organisation that decides why and how personal information is processed.

Data Processor means an organisation that processes personal information on behalf of a Data Controller.

When MedLink acts as a Data Processor or Data Controller

The way your personal information is processed depends on how you interact with MedLink.

In most cases, MedLink provides software to healthcare organisations and processes personal information on their behalf. In these situations, the healthcare organisation remains responsible for your personal information as the Data Controller, and MedLink acts as the Data Processor.

In some situations, MedLink processes personal information for its own business purposes, such as managing user accounts, responding to enquiries and operating our website. In these situations, MedLink acts as the Data Controller.

The table below explains the different roles.

If you are… Who is the Data Controller? MedLink's role
A patient using MedLink because your healthcare organisation has invited you to do so Your healthcare organisation Data Processor
A patient receiving communications sent through MedLink on behalf of your healthcare organisation Your healthcare organisation Data Processor
A healthcare professional using MedLink to deliver healthcare services Your healthcare organisation Data Processor
A healthcare professional using a MedLink account for authentication, account management, support or administration MedLink Solutions Ltd Data Controller
Someone visiting the MedLink website MedLink Solutions Ltd Data Controller
Someone contacting MedLink directly MedLink Solutions Ltd Data Controller

Using MedLink through your healthcare organisation

Most people use MedLink because their GP practice or another healthcare organisation has chosen to use our software to support the delivery of healthcare services.

MedLink may be used to support a wide range of healthcare activities, including:

  • Online health questionnaires and reviews
  • Long-term condition management
  • Medication monitoring
  • Collection of home readings and test results
  • Appointment booking and invitations
  • Patient communications and healthcare reminders
  • Other healthcare services provided by your healthcare organisation

Why have I received a MedLink invitation?

Your healthcare organisation decides which patients should be invited to use MedLink and how invitations are sent. Depending on the services available, invitations may be sent using the NHS App, SMS, email, telephone or letter.

MedLink sends invitations and communications on behalf of the healthcare organisation in accordance with their instructions.

MedLink does not decide who receives invitations, what services are offered, or what care is provided.

What information may be collected?

The information requested depends on the service being provided. This may include:

  • Personal details, such as your name, date of birth, NHS number, address and contact details
  • Demographic information, such as age, sex and ethnicity
  • Medical conditions
  • Symptoms
  • Questionnaire responses
  • Home monitoring readings, such as blood pressure, weight or other measurements
  • Blood test and other investigation results
  • Medication information
  • Clinical review information
  • Appointment and communication records
  • Images, documents or other information submitted as part of the healthcare service, where supported
  • Other information relevant to the healthcare service being provided

Much of this information is classified as Special Category Data under the UK GDPR because it relates to your health.

What happens to the information I submit?

Information you submit through MedLink is made available to your healthcare organisation for review by appropriate members of the healthcare team.

Where relevant to the healthcare service being provided, information submitted through MedLink will normally become part of your healthcare record.

MedLink does not make decisions about your healthcare, diagnosis or treatment. Clinical decisions remain the responsibility of appropriately qualified healthcare professionals.

Who is responsible for my information?

Your healthcare organisation remains the Data Controller for personal information processed as part of your healthcare.

MedLink Solutions Ltd acts as a Data Processor and processes your information only on behalf of, and in accordance with the instructions of, your healthcare organisation and our contractual obligations with them.

If you have questions about how your healthcare organisation uses your personal information or wish to exercise your rights in relation to your healthcare record, you should normally contact that organisation directly.

National Data Opt-out

The NHS National Data Opt-out allows patients to opt out of their confidential patient information being used for purposes beyond their individual care, such as research and planning.

MedLink is used by healthcare organisations to support the delivery of direct care. The National Data Opt-out does not apply to the processing of personal information through MedLink for these direct care purposes.

Healthcare professionals using MedLink

Healthcare professionals and other authorised users may have a MedLink account to access and manage MedLink services on behalf of their healthcare organisation.

When you use MedLink to access or process patient information on behalf of your healthcare organisation, your healthcare organisation remains the Data Controller and MedLink acts as the Data Processor.

However, MedLink Solutions Ltd acts as the Data Controller for personal information that we process to create, maintain and secure your MedLink account.

This may include:

  • Your name
  • Work email address
  • Organisation details
  • User account information
  • Authentication and login records
  • Multi-factor authentication information
  • Audit logs
  • Records of support requests and correspondence
  • Service notifications

We process this information to:

  • Create and manage user accounts
  • Authenticate users and protect system security
  • Provide technical support
  • Maintain audit logs and system integrity
  • Communicate important service information
  • Meet legal, regulatory and contractual obligations

We process this information under one or more lawful bases, including Article 6(1)(b) (performance of a contract), Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests) of the UK GDPR, as appropriate.

Visiting our website and contacting MedLink

When you visit the MedLink website or contact us directly, MedLink Solutions Ltd acts as the Data Controller for the personal information processed in connection with those activities.

Visiting our website

When you visit our website, we may automatically collect limited technical information, including:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Date and time of access
  • Pages visited
  • Referring website
  • Website usage information

We use this information to:

  • Operate and secure our website
  • Diagnose technical issues
  • Improve website performance and usability
  • Monitor and protect against malicious activity
  • Understand how our website is used

Where cookies or similar technologies are used, further information, including how to manage your preferences, is available in our Cookie Policy.

Contacting MedLink

If you contact us by email, telephone, our website or other means, we may process information including:

  • Your name
  • Contact details
  • Organisation
  • The content of your enquiry
  • Records of correspondence

We use this information to:

  • Respond to your enquiry
  • Provide customer support
  • Manage sales enquiries
  • Respond to privacy or information governance requests
  • Improve our services
  • Maintain records of communications

Where you are contacting us on behalf of a healthcare organisation, we may also process information necessary to investigate and resolve technical or operational issues affecting the services we provide.

Personal information we process

The personal information we process depends on how MedLink is being used.

Information processed about patients

When MedLink is used by a healthcare organisation to support your care, we may process information including:

  • Personal details, including your name, date of birth, NHS number (where required), address and contact details
  • Demographic information, such as age, sex and ethnicity
  • GP practice or healthcare organisation
  • Medical conditions
  • Symptoms
  • Questionnaire responses
  • Home monitoring readings (such as blood pressure, weight or other measurements)
  • Blood test and other investigation results
  • Medication information
  • Clinical review information
  • Appointment and communication records
  • Images, documents or other information submitted as part of the healthcare service, where supported
  • Other information relevant to the healthcare service being provided

Much of this information is classified as Special Category Data under the UK GDPR because it relates to your health.

Information processed about healthcare professionals

When healthcare professionals or other authorised users use MedLink, we may process information including:

  • Name
  • Work email address
  • Organisation details
  • User account information
  • Authentication and login records
  • Multi-factor authentication information
  • Audit logs
  • Records of support requests and correspondence

Information processed about website visitors

When you visit our website, we may process information including:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Website usage information
  • Cookie and similar technology information, where applicable

Information processed about organisations

Where organisations enquire about or use our services, we may process information relating to:

  • Organisation name
  • Business contact details
  • Billing contacts
  • Contractual contacts
  • Communications relating to the provision of our services

Lawful basis for processing

The lawful basis for processing your personal information depends on how you interact with MedLink and whether MedLink is acting as a Data Processor or a Data Controller.

Where MedLink acts as a Data Processor

When MedLink is used by a healthcare organisation to provide healthcare services, the healthcare organisation determines the lawful basis for processing your personal information as the Data Controller.

For organisations providing NHS-funded direct care, this will commonly include:

UK GDPR Article 6

  • Article 6(1)(e) — Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

UK GDPR Article 9

  • Article 9(2)(h) — Processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.

In some circumstances, other lawful bases may apply depending on the healthcare organisation providing your care and the purpose for which your personal information is being processed.

Where MedLink acts as a Data Controller

Where MedLink processes personal information for its own business purposes, such as operating user accounts, providing support, responding to enquiries or operating our website, we rely on one or more of the following lawful bases:

  • Article 6(1)(b) — Processing necessary for the performance of a contract.
  • Article 6(1)(c) — Processing necessary to comply with a legal obligation.
  • Article 6(1)(f) — Processing necessary for our legitimate interests, provided these are not overridden by your rights and freedoms.

Where we process Special Category Data in our capacity as a Data Controller, we will do so only where an appropriate condition under Article 9 of the UK GDPR also applies.

Who we share information with

We do not sell your personal information or use patient identifiable information for advertising or marketing purposes.

Who we share your information with depends on how MedLink is being used.

Where MedLink acts as a Data Processor

When MedLink is providing services on behalf of a healthcare organisation, information may be shared with:

  • The healthcare organisation responsible for your care
  • Healthcare professionals and authorised staff involved in providing your care
  • Approved technology providers (sub-processors) that help us securely deliver our services
  • Regulators, law enforcement agencies or courts where required by law

Information submitted through MedLink will normally become part of your healthcare record where relevant to the healthcare service being provided.

Where MedLink acts as a Data Controller

Where MedLink is acting as a Data Controller (for example, in relation to website enquiries or user account management), we may share information with:

  • Approved technology providers who support the operation of our services
  • Professional advisers, including legal, financial and insurance advisers where necessary
  • Regulators, law enforcement agencies or courts where required by law
  • Other organisations where necessary to comply with legal or regulatory obligations

We only share personal information where there is a lawful basis to do so and where appropriate contractual, technical and organisational safeguards are in place.

Sub-processors

Like most providers of cloud-based software, MedLink uses carefully selected third-party service providers ("sub-processors") to help deliver our services.

Examples include providers of secure cloud infrastructure, email delivery, messaging, monitoring and other technical services necessary for the operation of MedLink.

All sub-processors are subject to appropriate contractual obligations, including requirements relating to confidentiality, information security and data protection.

Where MedLink acts as a Data Processor, the appointment and management of sub-processors is carried out in accordance with our contractual obligations to the healthcare organisations that use our services.

A current list of our approved sub-processors, together with details of the services they provide, is available on our Sub-processor List.

Access to patient information

MedLink is designed so that access to patient information is limited to authorised personnel and only where this is necessary to provide or support our services.

MedLink staff do not routinely access patient information as part of their day-to-day duties.

Where possible, technical support is provided without accessing patient identifiable information. We encourage healthcare organisations not to send patient identifiable information when reporting issues unless it is necessary to investigate or resolve the problem.

Where a healthcare organisation asks MedLink to investigate a technical or operational issue that requires access to patient information, or provides patient identifiable information to assist with that investigation, we limit access to the minimum information necessary.

Where access to patient information is required:

  • Access is limited to authorised personnel whose role requires it.
  • Where practical, investigations are carried out using anonymised or pseudonymised information rather than patient identifiable information.
  • Access to systems and personal information is granted in accordance with the principle of least privilege, ensuring individuals have access only to the information and systems necessary to perform their role.
  • Only the minimum information necessary to perform the required task is accessed.
  • Access is protected by role-based access controls, strong authentication and audit logging.
  • Staff are subject to contractual confidentiality obligations and receive training in information governance, data protection and cyber security.
  • Access is retained only for as long as necessary to complete the required activity.

Any access to patient information is carried out in accordance with our contractual obligations as a Data Processor and the instructions of the healthcare organisation responsible for the patient's care.

International transfers

Where personal information is transferred outside the United Kingdom, MedLink ensures that appropriate safeguards are in place in accordance with UK data protection legislation.

Depending on the circumstances, these safeguards may include:

  • UK International Data Transfer Agreements (IDTAs)
  • The UK Addendum to the European Commission's Standard Contractual Clauses
  • Adequacy Regulations approved by the UK Government

Where possible, healthcare data is stored and processed within the United Kingdom.

We assess our suppliers and any international data transfers to ensure that appropriate technical, organisational and contractual safeguards are maintained.

Security

Protecting personal information is fundamental to the design, development and operation of MedLink.

We maintain technical and organisational measures designed to protect the confidentiality, integrity and availability of the information we process. Access to systems and personal information is granted in accordance with the principle of least privilege, ensuring that individuals have access only to the information and systems necessary to perform their role.

Our security measures include:

  • Encryption of data in transit and at rest
  • Role-based access controls
  • Strong authentication and multi-factor authentication
  • Audit logging and security monitoring
  • Regular security reviews and vulnerability management
  • Independent penetration testing
  • Business continuity and disaster recovery arrangements
  • Incident management procedures for identifying, investigating and responding to security incidents
  • Staff training in information governance, data protection and cyber security
  • Confidentiality obligations for all staff with access to personal information

We regularly review and update our security controls to reflect changes in technology, security threats and regulatory requirements.

MedLink maintains Cyber Essentials Plus certification and completes the NHS Data Security and Protection Toolkit annually as part of our commitment to maintaining appropriate security standards.

Data retention

We retain personal information only for as long as it is necessary to fulfil the purposes for which it was collected and to meet our legal, contractual and regulatory obligations.

Where MedLink acts as a Data Processor

When MedLink processes personal information on behalf of a healthcare organisation, retention is determined by the purpose of the processing and our contractual obligations with that healthcare organisation.

For patient information submitted through MedLink:

  • Information is made available to the healthcare organisation for review as soon as possible after submission.
  • Patient identifiable information is retained only for the period necessary to support the service and allow the healthcare organisation to manage responses.
  • Patient identifiable information is normally anonymised after two months by removing identifying information from the remaining data.
  • Fully anonymised information may be retained for reporting, service improvement, statistical analysis and research. As this information no longer identifies individuals, it is no longer personal data under UK data protection legislation.

Once information has been incorporated into the patient's healthcare record, its retention is determined by the healthcare organisation in accordance with applicable NHS records management requirements.

Where MedLink acts as a Data Controller

Where MedLink acts as a Data Controller, we retain personal information only for as long as necessary for the purpose for which it was collected, including to:

  • Provide and support our services
  • Manage customer and user accounts
  • Comply with legal and regulatory obligations
  • Resolve disputes and enforce our contractual rights

Retention periods vary depending on the type of information being processed.

Automated decision-making

MedLink supports healthcare organisations by facilitating communication with patients, collecting information and presenting it to authorised healthcare professionals.

MedLink does not make automated decisions about your healthcare, diagnosis or treatment.

Information submitted through MedLink is reviewed by the healthcare organisation responsible for your care. Any clinical decisions remain the responsibility of appropriately qualified healthcare professionals.

Where MedLink supports administrative processes, such as identifying patients for invitation, sending communications or facilitating appointment booking, the criteria for those processes are determined by the healthcare organisation using MedLink.

Your rights

Under the UK GDPR, you may have rights in relation to your personal information, including the right to:

  • Be informed about how your personal information is used
  • Request access to your personal information
  • Request correction of inaccurate or incomplete personal information
  • Request erasure of personal information in certain circumstances
  • Request restriction of processing in certain circumstances
  • Object to certain types of processing
  • Request portability of your personal information where applicable

If MedLink is processing information on behalf of your healthcare organisation

If your request relates to your healthcare record or information processed by MedLink on behalf of your healthcare organisation, you should normally contact your healthcare organisation directly, as they are responsible for responding to your request.

If MedLink is acting as a Data Controller

If your request relates to information processed directly by MedLink, such as your MedLink user account, a website enquiry or correspondence with us, you may contact us directly using the contact details at the end of this Privacy Notice.

We will respond to requests in accordance with applicable data protection legislation.

Complaints

If you have questions or concerns about how MedLink has processed your personal information, please contact us in the first instance using the contact details below.

If your concern relates to the way your healthcare organisation uses your personal information, or to information contained within your healthcare record, you should normally contact your healthcare organisation directly, as they are responsible for your healthcare information.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: https://ico.org.uk
Telephone: 0303 123 1113

Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes to our services, legal requirements or the way we process personal information.

The latest version will always be published on our website. The "Last updated" date at the top of this Privacy Notice indicates when it was most recently revised.

Contact us

If you have any questions about this Privacy Notice or how MedLink processes personal information, please contact:

MedLink Solutions Ltd

Email: privacy@medlinksolutions.co.uk

Website: https://medlink.co.uk

Registered Office:
4th Floor Radius House
51 Clarendon Road
Watford
Hertfordshire
WD17 1HP

ICO Registration: ZA520573

© 2026 MedLink Solutions Ltd | Company number 11897002 | info@medlink.co.uk

Terms & Conditions Privacy Notice Cookie Policy Sub-processors