Patient Privacy Notice

The Purpose of this privacy notice is to explain how Meliora Medical Group processes your personal data as a patient to fulfil its data protection responsibilities. The scope of this notice covers all related activities by the staff and contractors of Meliora Medical Group, referred to as MMG hereafter.

The Role of MMG in data protection terms is that of a data controller where it determines the purpose and use of personal data collected. Once received it becomes the responsibility of the data protection officer (DPO) to ensure it is processed in accordance with the latest UK data protection legislation and is contactable using . MMG is registered with the Information Commissioner’s Office (ICO).

The personal data processed by MMG will be basic contact information for the purposes of responding to general enquiries, making bookings and staying in touch once your treatment has finished. Due to the nature of the services on offer, it will also be necessary to collect and process health related data. If MMG is not given all the requested information, it may result in an incomplete service being provided.

MMG’s duty of confidentiality means that MMG staff will treat your personal data with due respect and in confidence. It is only disclosed to those that need to know it. MMG uses reasonable organisational and technical measures to ensure personal data is kept secure including the use of the Cliniko platform for bookings and storing your medical notes. MMG also expects the same duty of confidentiality of all third parties with whom it shares personal data, including sub-contractors.

The majority of processing takes place in the UK and the European Economic Area (EEA). For any transfers outside the EEA, for instance when your records are stored on the Cliniko platform, the receiving organisations are committed to the same standards of processing as expected by UK data protection laws.

MMG processes personal data against a lawful basis as described below:

  • To respond to your enquiries, to stay in touch with you after you have finished using our services and to maintain our records, we will do so in pursuit of our legitimate interests
  • To fulfil our contractual obligations to you as our patient. This includes the processing of special category data when it is necessary including for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, and the management of health or social care of individuals.
  • To act in your vital interests if confronted with an emergency situation
  • When processing for a pre-defined purpose for which your consent has been sought and recorded prior to that processing commencing
  • To comply with our legal obligations where they apply

Please note you may withdraw your consent at any time by contacting the DPO although in some circumstances, this will impact the way we provide our services to you.

In all cases we will process your personal data in accordance with the principles of data protection as set out in the UK data protection legislation

MMG will share personal data, but only when necessary, with some or all of the following third parties:

  • Emergency services
  • The Inland Revenue (HMRC)
  • Solicitors appointed by MMG
  • An accountant appointed by MMG
  • Cliniko for booking and record keeping
  • Your health insurer in cases of insurance payments
  • Unspecified recipients but only when compelled to do so for legal reasons

Please note that Cliniko is a practice management system used extensively by health care professionals that is used for the purposes of bookings, processing medical records and running on-line consultations. You can view their privacy policy by visiting their website, or by clicking They are only a data processor for your patient data and are, in all aspects, bound by the UK GDPR.

On-line consultations with MMG are not normally recorded although it may be necessary to take still images during the consultation for the purposes of providing our services. If recording is beneficial, then you will be asked for your consent prior to recording.

MMG will process your personal data in the UK either on standard office equipment or using Cliniko (see above). Email is processed using a reputable web-based provider and mobile phone contacts are stored on both office IT equipment and mobile phones.

MMG follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:

  • Routine correspondence for casual enquiries that do not result in a booking will only be stored for no more than 52 weeks before deletion
  • Personal data, including health data, collected because of a booking, will be retained for 7 years after the last treatment is recorded
  • Contact data is stored for 12 months your treatment has ended, but we will consider a request from you to erase this information at any time
  • Financial records and invoices, which may include personal data, will be retained for 6 years after the end of the current tax year of processing
  • By exception, documentation that includes personal data may be retained by MMG beyond the schedule, but only for a specific purpose and only when MMG believes there is a legitimate interest or a legal obligation to do so.

At the end of the retention schedule MMG will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that MMG allows up to 3 months after the retention schedule to complete the action.

The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations), For convenience, these rights are shown below:

  • Right to be informed as to how your personal data is being processed by us – this is done through this notice
  • Right to access your personal data held by MMG which is done by making a ‘Data Subject Access Request’ (DSAR) to the DPO
  • Right to rectification of your personal data if you believe MMG has collected it incorrectly or it needs to be updated
  • Right to erasure of your personal data for which MMG no longer has a legitimate purpose to process
  • Right to restrict processing under certain circumstances, during which time your personal data but will be out of operational use until the related matter is resolved
  • Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract
  • Right to object to MMG processing your personal data for which it does not have a legal or contractual obligation
  • Rights related to automated decision making and profiling (however MMG does not use these techniques in its decision making)

Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website:

Raising concerns, exercising rights or making queries about MMG’s processing of personal data can be done by contacting the privacy manager. Please be aware that we will need to determine your identity before responding fully, therefore, you may be asked for proof of ID or other material that, in context, will enable us to confirm your identity. Alternatively, if you have a complaint, you may contact the ICO directly, using the details provided above.



OK, where do I start?

Whether you are a School, Club or University, we’d love to hear about how we can help you, so please get in touch.

Return2Play is the trading name for the Sports Medicine service provided by Meliora Medical Group.

Other services include general medical services for schools and lifestyle medicine services. For more information, please visit the Meliora Medical Group website.