Privacy policy


Privacy Notice 

How we collect, use and protect your personal data 

Last updated: 05/06/2026  |  Version 2.0 

1. About this notice 

This notice explains how Medmin Limited (Company number 11422551) (“Medmin”, “we”, “us”, “our”) collects, uses, shares and protects personal data. It applies to information we handle through our website at medmin.co.uk, through our work supporting consultants in private practice, and through our marketing and business activities. 

Medmin works with two different audiences whose data we handle in two different ways. We have written this notice so each audience can quickly find the part that applies to them: 

  • Consultants and prospective consultants who use or are considering using our practice management services – see Section 4. 
  • Patients of consultants we support – see Section 5. Your consultant remains in charge of your clinical record; we explain what role we play in handling your information. 
  • Website visitors, enquirers and marketing contacts – see Sections 6 and 7. 

If you are an employee, contractor, job applicant or supplier contact, your data is covered by our separate internal privacy notice – please ask the person you deal with at Medmin for a copy. 

This notice does not cover third-party websites we link to. If you follow a link from our site, please read the privacy notice of the site you arrive at.  

2. How to contact us about privacy 

If you have any questions about this notice, want to exercise your data protection rights, or wish to raise a concern about how we handle personal data, please contact us: 

Email: dpo@medmin.co.uk 

Phone: 0121 716 9044 

Post: 3rd Floor, Trigate House, Hagley Road West, Birmingham, B68 0NP, United Kingdom 

We are registered with the UK Information Commissioner’s Office (ICO) under registration ZA552128. 

If you are not satisfied with how we have handled a privacy concern, you have the right to complain to the ICO at ico.org.uk, by phone on 0303 123 1113, or in writing to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We would always prefer the chance to resolve your concern first, but you can complain to the ICO at any time. 

3. Our role: when we are a controller and when we are a processor 

Under UK data protection law, the organisation that decides why and how personal data is used is called the “controller”. An organisation that handles data only on a controller’s instructions is called a “processor”. Medmin is sometimes a controller and sometimes a processor, depending on the data: 

When we are a controller 

We decide how data is used, and we are directly accountable to the people whose data it is. This is the case for: 

  • Information we collect about consultants who use our services or enquire about them. 
  • Information we collect through our website (enquiries, contact forms, cookies, analytics). 
  • Information about marketing recipients, event attendees and other business contacts. 
  • Our own staff, applicants and supplier contacts (covered by a separate notice). 

When we are a processor 

We handle data only on the instructions of another organisation that is the controller. The most important example is patient data: 

  • When we support a consultant – booking appointments, chasing results, sending letters, raising invoices, taking payments, coordinating with hospitals and insurers – the consultant is the controller of the patient record. Medmin processes that information on the consultant’s behalf, under a written Data Processing Agreement that meets Article 28 of the UK GDPR. 
  • This means a consultant decides what is collected, how long it is kept, who it is shared with, and how patient rights are answered. We support the consultant in delivering on those decisions. 

What this means for patients 

If you are a patient and you want to see your record, correct it, or ask for it to be deleted, the right place to start is your consultant. We will help your consultant respond – but the decision rests with them, not us. Section 5 explains this in more detail. 

4. If you are a consultant client or prospective client 

This section applies if you are a doctor, dentist, surgeon or other clinician using Medmin’s services, or considering using them. 

4.1 What we collect 

  • Identity and professional data: name, GMC or other regulator number, qualifications, specialty, photograph, indemnity provider details. 
  • Contact data: practice address, NHS base, business email and phone numbers. 
  • Practice and financial data: bank details, billing data, invoice and payment records, hospital and insurer codes, performance and revenue reporting. 
  • Onboarding data: information shared during proposal, contracting and set-up – for example, fee schedules, scope of services, KYC and anti-money-laundering checks. Where onboarding also requires hospital practising privileges to be applied for, we may ask for appraisals and other relevant information to support your application. 
  • Communications: emails, calls, recorded calls (where notified), messages and notes from meetings. 
  • Marketing engagement: how you respond to our newsletters, events, surveys and webinars (where you have not opted out). 

4.2 Why we use it and our lawful basis 

What we use it for | Lawful basis 
Providing the practice management services you have engaged us for, or taking pre-contract steps you have asked us to take. | Article 6(1)(b) – performance of a contract 
Verifying your professional standing and meeting our regulatory and money-laundering obligations. | Article 6(1)(c) – legal obligation 
Running our business: billing, accounts, IT security, fraud prevention, and improving our services. | Article 6(1)(f) – legitimate interests 
Marketing our services to you as a business contact, including newsletters and event invitations. | Article 6(1)(f) – legitimate interests, with PECR rules followed and an unsubscribe option in every message 
Recording calls for training, quality and dispute-resolution purposes. | Article 6(1)(f) – legitimate interests; you will be told a call is being recorded 

4.3 Who we share it with 

  • Hospitals, clinics and diagnostic centres where you practise (to coordinate clinics, theatre lists and patient pathways). 
  • Insurers and indemnity providers connected to your practice. 
  • Our partner network (for example, accounting, legal and indemnity services within the Medmin network) – only with your knowledge and where it supports a service you have asked for. 
  • Our sub-processors (Section 8) – IT, billing, CRM, accounting and similar suppliers. 
  • Professional advisers, regulators and authorities where we are required to share information. 

4.4 How long we keep it 

We hold consultant client data for the duration of our relationship with you and afterwards in line with the schedule in Section 10. 

5. If you are a patient of a consultant we support 

This section is for patients whose consultant uses Medmin’s practice management services. 

Your consultant is in charge of your record 

When you are seen by a consultant who uses Medmin, that consultant is the controller of your medical record. Medmin’s role is to handle parts of that information on their instructions – for example, taking your call, booking your appointment, raising an invoice or sending a letter. Decisions about your record (what is kept, who it is shared with, how requests are answered) are taken by your consultant. 

5.1 What we may handle on your consultant’s behalf 

  • Personal details – your name, date of birth, contact details and NHS number. 
  • Health data (a special category under UK GDPR) – referral letters, GP letters, imaging and test results, clinic letters, operation notes, prescriptions and any other clinical correspondence relating to your care with the consultant. 
  • Insurance details – your insurer, membership number, pre-authorisation codes, and information needed to invoice your insurer. 
  • Payment data – for self-pay patients, the information needed to take payment and issue receipts. We do not store full card numbers; payments are taken through a regulated payment processor. 
  • Communications – your emails, calls, voicemails and SMS messages with us, including call recordings where you have been told a call is being recorded. 

5.2 Why we handle it and on what legal basis 

Because Medmin handles your information on your consultant’s instructions, your consultant is responsible for the lawful basis. In practice the bases that apply to private medical care are: 

  • Article 6(1)(b) – performance of your contract with your consultant for private medical treatment. 
  • Article 9(2)(h) – health and social care, where your information is handled by a healthcare professional or by someone working under their authority and a duty of confidentiality (this is the basis we rely on at Medmin when handling your health data on your consultant’s behalf). 
  • Article 6(1)(c) and 9(2)(i) – where your consultant has a legal obligation to share information (for example, statutory notifiable conditions). 
  • Article 6(1)(f) – limited legitimate interests such as fraud prevention and IT security. 

5.3 Who we may share it with 

  • Your consultant and their clinical team. 
  • The hospital, clinic or diagnostic centre where you are seen. 
  • Your GP, any referring clinician, and any clinician or allied health professional to whom your consultant decides to refer you or to send a clinic letter or update. 
  • Your health insurer, where you are using insurance to pay. 
  • Our sub-processors (Section 8) who help us deliver the service to your consultant – for example, the practice management software your consultant uses. 
  • Anyone you have asked us to share with – for example, a family member or carer. 

We never sell or rent patient information, and we do not use it for our own marketing. 

5.4 Children’s information 

Some of the consultants we support are paediatric specialists. Where a consultant treats children, we may handle children’s information on the same basis as adult patients (Article 9(2)(h)). The consultant is responsible for obtaining appropriate parental consent where required and for any decisions about how the child’s record is shared. 

Our website and marketing are not aimed at under-18s, and we do not knowingly collect children’s data through our website. 

5.5 Your rights as a patient 

You have the rights set out in Section 11 (access, correction, erasure, restriction, portability, objection). 

Because your consultant is the controller of your medical record, the quickest route to exercise those rights is normally through your consultant – they can decide what they hold and what is appropriate to share. If you contact Medmin directly with a rights request, we will work with your consultant to respond, and we will tell you who we are forwarding your request to. 

If we hold information about you in our own right (for example, an enquiry you sent to Medmin’s contact form before you were referred to a specific consultant), you can come to us directly – see Section 2. 

5.6 How long we hold your information 

We keep patient information for as long as your consultant instructs us to keep it. Many consultants follow the NHS Records Management Code of Practice retention periods (typically a minimum of 8 years for adult records after the date of last contact, with longer periods for children’s records and for some specialties). For practical detail of the retention period applied to your record, please ask your consultant. Medmin’s own copies are deleted in line with the schedule in Section 10. 

6. If you are a website visitor or enquirer 

6.1 What we collect when you visit medmin.co.uk 

  • Information you submit through forms (for example, the contact form): your name, email address, phone number, the message you send and any context you provide about your practice or interest in our services. 
  • Technical information: IP address, device and browser type, operating system, the pages you visit, time on site, and how you arrived at our site (for example, a search or a referral). 
  • Cookies and similar technologies – please see our separate Cookie Policy at medmin.co.uk/cookie-policy. 

6.2 Why we use it 

  • To respond to enquiries you send us. 
  • To run, secure and improve our website (necessary cookies and security analytics). 
  • To measure how our content performs (analytics cookies, only with your consent). 
  • To follow up if you express interest in our services and have agreed to be contacted. 

6.3 Lawful basis 

  • Strictly necessary cookies and security: Article 6(1)(f) – legitimate interests. 
  • Analytics, marketing and other non-essential cookies: Article 6(1)(a) – your consent, given through our cookie banner. You can change your preferences at any time. 
  • Responding to your enquiry: Article 6(1)(b) – pre-contract steps at your request, or Article 6(1)(f) – legitimate interests. 

6.4 How long we keep it 

  • Visit and analytics data: kept in line with the cookie policy and the relevant tools’ default settings, generally not more than 14 months. 
  • Enquiry data: kept while we are in active conversation with you and for up to 24 months afterwards in case you re-contact us, unless you ask us to delete it sooner or you become a client (in which case Section 4 retention applies). 

7. If you are a marketing recipient or attended a Medmin event 

We send marketing – newsletters, event invitations, webinar follow-ups, occasional service updates – to consultants and other professionals who we believe may be interested in our services. 

7.1 How we contact you 

  • By email or LinkedIn, if you are a professional contact in a relevant role and we are following the soft opt-in rule under PECR (you are an existing or prospective business contact, and you can unsubscribe at any time). 
  • By post or phone, where appropriate to a business contact. 
  • Through events, webinars and surveys you have signed up for. 

7.2 Lawful basis 

Article 6(1)(f) – our legitimate interest in marketing our services to professional audiences, balanced against your interests. We do a Legitimate Interests Assessment for our key marketing activities. You can object to direct marketing at any time, and we will stop. 

7.3 How to opt out 

  • Click “unsubscribe” in any email. 
  • Email dpo@medmin.co.uk with “unsubscribe” in the subject line. 
  • Tell anyone at Medmin that you would prefer not to be contacted for marketing – we will record your preference. 

We do not sell, rent, or share marketing lists with other organisations. 

8. Sub-processors and partners 

To run our business and deliver our services we use a small number of carefully chosen third-party suppliers, each under a written contract that meets UK GDPR requirements. We use them only for the purposes set out in this notice and we keep our list under review. 

The categories we use include: 

Category | Purpose 
Cloud productivity and email | Email, document storage, collaboration 
Practice management software | Booking, clinic letters, records on the consultant’s instructions 
Billing and payment processing | Invoicing, taking patient and insurer payments 
Customer relationship management (CRM) | Managing consultant client relationships and marketing 
Telephony and call recording | Inbound and outbound calls, recordings 
Accounting and payroll | Bookkeeping, payroll, statutory filings 
Marketing automation and analytics | Newsletters, event sign-ups, website analytics 
AI, transcription and productivity tools | Drafting, summarising, transcription support 
IT security and backup | Anti-malware, backup, monitoring 
Professional advisers | Legal, accounting, indemnity, insurance 

9. How we protect your information 

We take the security of personal data seriously and have a layered set of measures in place: 

  • Access controls – staff and contractors only see the data they need for their role, with multi-factor authentication on key systems. 
  • Encryption – laptops, mobile devices and back-ups are encrypted; data in transit uses TLS. 
  • Confidentiality – every member of staff is bound by a written confidentiality obligation, refreshed through training. 
  • Training – all staff complete data protection and information governance training on induction and at least annually. 
  • Vendor management – sub-processors are subject to due diligence before engagement and contractually bound to UK GDPR-equivalent obligations. 
  • Incident response – we have a documented procedure for responding to suspected security incidents, including notifying the ICO within 72 hours of becoming aware of a notifiable breach and notifying affected individuals where the law requires it. 

No internet-based service can be made completely secure. If you suspect a security incident affecting your information, please contact us immediately on the details in Section 2. 

10. How long we keep your information 

We keep personal data only for as long as we need it. The table below sets out the principal periods we apply. Where we hold data on a consultant’s instructions (Section 5), the consultant’s retention period applies. 

Type of data | Typical retention period 
Patient data held on a consultant’s instructions | As instructed by the consultant – typically aligned to the NHS Records Management Code (minimum 8 years for adults after last contact; longer for children’s records and certain specialties) 
Consultant client records (active relationship) | Duration of the relationship plus 7 years (to align with HMRC and limitation periods) 
Billing, invoicing and tax records | 6 years after the end of the relevant accounting period (HMRC) 
Anti-money-laundering and KYC records | 5 years after the end of the relationship 
Website enquiries (no contract) | Up to 24 months from last contact 
Marketing data | Until you unsubscribe, plus a short suppression-list period to honour your preference 
Call recordings | 12 months unless retained longer for an active complaint or dispute 
Website analytics | In line with our Cookie Policy and the analytics provider’s defaults (typically up to 14 months) 
Recruitment records (unsuccessful applicants) | 6 months from the end of the recruitment process, unless you agree we can keep them longer 

After the retention period we securely delete or anonymise the data. We may keep limited information for longer where the law requires it, or where it is needed to defend a legal claim. 

11. Your rights 

Subject to UK GDPR, you have the following rights in respect of personal data we hold about you: 

  • Right to be informed – through this notice and any other information we provide. 
  • Right of access – to ask for a copy of the personal data we hold about you. 
  • Right to rectification – to ask us to correct information that is inaccurate or incomplete. 
  • Right to erasure – to ask us to delete personal data, in certain circumstances. 
  • Right to restrict processing – to ask us to limit how we use your data, in certain circumstances. 
  • Right to data portability – to receive certain data in a portable format, or have it transferred to another organisation. 
  • Right to object – including an absolute right to object to direct marketing. 
  • Rights related to automated decision-making – Medmin does not currently take decisions about you using solely automated means that produce legal or similarly significant effects. If this changes, we will update this notice and tell you. 

To exercise any of these rights, contact us using the details in Section 2. We will respond within one month, and we will tell you if we need longer (which we may, by up to two further months, for complex requests). We may need to verify your identity before we respond. 

There is normally no charge. We can refuse a request, or charge a reasonable fee, if it is manifestly unfounded or excessive – we will tell you why if that ever applies. 

If we hold your information as a processor on a consultant’s behalf (for example, your medical record), please see Section 5 for the recommended route to exercise your rights. 

12. Automated decision-making and use of AI 

We do not make decisions about consultants or patients using solely automated means. 

We do use AI-assisted tools to help our team work more efficiently – for example, drafting and summarising business correspondence, transcribing internal calls, and supporting marketing content creation. Where we use these tools: 

  • A member of our team always reviews and is responsible for the output. 
  • Suppliers of these tools are bound by data protection contracts and we do not allow personal data we control to be used to train third-party models without an appropriate basis. 
  • If we ever introduce AI in a way that affects how decisions are made about you, we will update this notice and explain it clearly. 

13. Changes to this notice 

We review this notice regularly and update it when our services or the law change. The version and “last updated” date are shown at the top. If we make material changes, we will draw them to your attention through our website, or directly where we have your contact details. 

14. Document control 

Item | Detail 
Owner | Warwick Hampden-Woodfall, CTO 
Approved by | Andrew Archibald, CEO 
Last reviewed | 05/06/2026 
Next review | 05/06/2027 
Version | 2.0