Privacy Policy

Clinical24 Staffing Limited is part of ICG Medical Group

Introduction

ICG Medical Group (“ICG Medical”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your data, and outlines your rights under global data protection laws. It applies across all ICG Medical brands and global operations, including:

United Kingdom – Republic of Ireland – United States – Canada – Mexico – South Africa – India – China – Japan – Australia – Philippines

This policy applies to all individuals engaging with us as candidates, clients, suppliers, website or app users. For region-specific rules and obligations, refer to the Regional Attestations Framework in the appendices.

1 – Who We Are

ICG Medical Group is a global provider of healthcare workforce solutions. While each of our brands may act as a data controller, this group-level policy governs the overarching data protection standards applied across all group entities.

Postal Address:
Suite 1, Wrest Park Business Centre
Capability House, Wrest Park, Silsoe
Bedfordshire, MK45 4HR
United Kingdom

2 – Scope of This Policy

This Privacy Policy applies when you:

  • Visit our websites or use our applications
  • Apply for or register interest in roles
  • Communicate with us via email, phone or in person
  • Are referred to us by a third party (with your permission)
  • Engage with us as a supplier, contractor or client

This policy does not apply to third-party services or platforms linked to our websites or applications.

3 – Types of Data We Collect

Depending on your interaction, we may collect:

  • Identity & Contact Data – Name, address, email, phone number
  • Professional Data – CV, qualifications, references, employment history
  • Compliance Data – Identity checks, background screening, licences, health records
  • Account Data – Usernames, passwords, log data
  • Financial Data – Payment information, tax references
  • Behavioural & Technical Data – Device information, IP, usage data
  • Sensitive Data – Health or criminal background (where required and legally justified)

4 – How We Collect Your Data

  • Directly from You – Via applications, forms, surveys, or direct contact
  • Automatically – Using cookies or analytics tools on websites and apps
  • Third Parties – Background screening services, referees, regulatory bodies
  • Referral – By others, with your prior consent

5 – Cookies and Tracking

We use cookies to:

  • Enable site functionality
  • Analyse usage behaviour
  • Customise user experience
  • Deliver targeted advertising

You may manage or disable cookies in your browser or using our cookie preference tool. See our full Cookie Policy for details.

6 – Lawful Use of Your Data

We use your personal data only when permitted by law. The lawful bases include:

| Purpose | Data Types | Legal Basis |
| --- | --- | --- |
| User verification and onboarding | Identity, Compliance | Contract |
| Regulatory and credential checks | Compliance | Legal obligation / Legitimate interest |
| Contract management and payment | Financial, Contact | Contract / Legal obligation |
| Analytics and service improvement | Technical, Usage | Legitimate interest |
| Marketing and communications | Contact | Consent / Legitimate interest |
| Legal reporting or fraud prevention | Any | Legal obligation / Vital interest / Legitimate interest |

You may withdraw consent at any time.

7 – Sharing Your Data

We only share data when necessary and with appropriate safeguards in place. This includes sharing with:

  • Other ICG Medical brands providing related services
  • Third-party processors (e.g. payroll, IT, compliance services)
  • Clients for service fulfilment
  • Regulators, auditors and legal advisers
  • Authorities or acquiring companies where legally required

All sharing is governed by data processing agreements or equivalent safeguards.

8 – International Data Transfers

Your data may be transferred outside your jurisdiction. We apply:

  • UK/EU adequacy decisions
  • Standard contractual clauses (SCCs)
  • Government-approved safeguards where applicable (e.g. India, China)

For transfers from China and India, we meet local security assessments and certification rules, including approval pathways.

9 – Data Retention

Data is retained only for as long as necessary for:

  • Contractual and legal compliance
  • Operational support or audit purposes
  • Service improvement (in anonymised form)

Retention is governed by our internal policy. Secure deletion or anonymisation follows expiry of the relevant period.

10 – Data Security

We apply strong protections aligned with ISO/IEC 27001 principles, including:

  • Encryption
  • Role-based access controls
  • Intrusion detection and monitoring
  • Security training
  • Incident response protocols

If you suspect misuse or breach, please contact us immediately.

11 – Your Rights

Depending on your location, you may exercise:

  • Right of access
  • Right to correct inaccurate data
  • Right to erasure
  • Right to restrict processing
  • Right to object to certain uses (including profiling)
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge complaints with your data protection authority

Contact DPO@icgmedical.co.uk to exercise your rights.

12 – Marketing Preferences

You can opt out of marketing:

  • By clicking ‘unsubscribe’ in emails
  • By contacting us directly
  • Via account settings on our platforms

We never sell your data.

13 – Policy Changes

This policy may be updated periodically. We will provide notice where material changes occur.

14 – Contact

Global Data Protection Officer
Email – DPO@icgmedical.co.uk
Post – Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire, MK45 4HR, United Kingdom

Appendix A – Asia-Pacific Compliance

This appendix outlines the additional obligations, safeguards, and operational controls applicable to personal data processed or transferred in or from the Asia-Pacific region, specifically: China, Japan, Australia, and India.

China – Personal Information Protection Law (PIPL) Compliance

ICG Medical Group acknowledges the extraterritorial scope of China’s PIPL and implements the following controls:

1. Compliance Audits

  • If processing personal data of more than 10 million individuals, ICG Medical undertakes formal compliance audits every two years, as required under Article 54 of PIPL.
  • Audit results are documented, and remediation actions (if applicable) are recorded and assigned to responsible parties.

2. Cross-Border Data Transfer Mechanisms

  • For any cross-border transfers of Chinese personal information, ICG applies one or more of the following legal mechanisms:
    • Security Assessment filed with the Cyberspace Administration of China (CAC) where processing meets the specified volume or critical data thresholds.
    • Standard Contracts issued by CAC and duly filed.
    • Certification by a Professional Institution designated by CAC.

3. Localisation and Data Mapping

  • All personal data collected within China is classified, inventoried, and mapped against risk categories, including whether it is “sensitive” or “critical information infrastructure-related”.
  • Where required by law, data localisation is respected, especially where data involves core state functions or public health.

4. Processor Liability and Contractual Terms

  • Contracts with Chinese data processors incorporate the Article 59 requirements:
    • Confidentiality, security safeguards, reporting obligations
    • Prohibition of unauthorised onward transfer
    • Joint liability terms, where applicable

5. Data Subject Rights (DSRs)

  • Chinese data subjects may request access, correction, deletion, portability, withdrawal of consent, and restriction.
  • Requests are actioned within 15 business days, with a multilingual support option.
Japan – Act on the Protection of Personal Information (APPI) Amendments (2025)

ICG Medical’s operations in Japan observe the following obligations under the revised APPI:

1. Use of Personal Data in AI Training

  • Personal data may be used without explicit consent for AI model training, provided:
    • The data is pseudonymised and cannot reasonably re-identify individuals
    • The purpose is stated transparently in the privacy notice
    • Individuals are offered a means to opt-out

2. Biometric and Children’s Data Protections

  • For biometric data (e.g. facial recognition, voice patterns) and children's data:
    • ICG ensures explicit opt-in consent
    • A data subject can demand suspension of use at any time
    • Risk assessments are undertaken before deployment of biometric systems

3. Data Breach Notification Rules for Certified Entities

  • Where ICG Medical is a certified business operator, breach notification to the Personal Information Protection Commission (PPC) may be made within 30–60 days, depending on severity, with preliminary reporting encouraged.
  • Non-certified entities must notify within 5 days.

4. Enhanced Record-Keeping

  • A record of all processing activities is maintained in line with APPI Article 29-4.
  • Transfers to third parties are documented, with consent or lawful basis noted.

Australia – Privacy Act Reforms (Effective June 2025)

To align with the amended Australian Privacy Act and recommendations from the Attorney-General’s Department:

1. Introduction of Statutory Tort for Serious Invasions of Privacy

  • ICG Medical maintains a Privacy Impact Assessment (PIA) register to pre-screen activities that might pose a risk of serious privacy intrusion.
  • Employees and contractors are trained on how to handle high-risk data and avoid over-collection.

2. Strengthened Consent Requirements

  • Consent is defined and operationalised as:
    • Freely given – without pressure or negative consequences
    • Informed – clear understanding of what data is collected and for what purposes
    • Specific – for identified purposes, not bundled
    • Unambiguous – using affirmative opt-in mechanisms
  • Default consent is never presumed (no pre-ticked boxes or silence).

3. Penalty Framework (Effective July 2025)

  • Penalties apply for serious or repeated breaches:
    • AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater
  • Serious breach definition includes:
    • Unauthorised access impacting over 5,000 individuals
    • Repeated failure to notify or mitigate data loss

4. Global Transfer and APP 8 Controls

  • Before transferring data outside Australia:
    • ICG must take reasonable steps to ensure overseas recipients comply with Australian Privacy Principles (APPs).
    • Where feasible, binding contractual clauses are used to ensure APP equivalence.
India – Digital Personal Data Protection Act (DPDP 2023), Implementing in 2025

ICG Medical aligns its Indian data practices with the 2023 DPDP Act, coming into enforcement in early 2025:

1. Consent and Purpose Limitation

  • All personal data processing is based on consent that is free, informed, specific, clear, and capable of being withdrawn.
  • Purpose must be clearly stated and limited to what is necessary.

2. Consent Manager Integration

  • ICG interoperates with India’s authorised Consent Manager Platforms, allowing individuals to:
    • View past consents
    • Modify or revoke consents
    • Access logs of how their data was used

3. Cross-border Transfers

  • Personal data may only be transferred to countries approved by the Indian Government.
  • ICG maintains a log of data flows and ensures storage, access and transfer logs are tamper-proof.

4. Data Protection Board Compliance

  • ICG recognises the authority of the Data Protection Board of India, empowered to:
    • Impose penalties up to INR 250 crore (~£25 million) for breach
    • Conduct audits and issue binding directives

5. Children's Data and Grievance Redressal

  • Parental consent is required for processing data of individuals under 18.
  • ICG provides a grievance redressal mechanism, resolving queries within 7 working days.
Appendix B – European and UK Compliance

This appendix outlines the regulatory framework and operational requirements that apply to ICG Medical Group when processing personal data of individuals located in the European Union (EU) and the United Kingdom (UK). It addresses obligations under the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.

These standards form the baseline of our global data protection model and are embedded across all entities.

1. Lawful Basis for Processing

ICG Medical ensures all personal data processing meets at least one lawful basis as outlined in Article 6 of the GDPR:

  • Consent – Freely given, informed, specific, and unambiguous
  • Contractual necessity – Where processing is required to enter or perform a contract
  • Legal obligation – To comply with a legal or statutory duty
  • Legitimate interests – Where our interest is balanced against individuals' rights
  • Vital interests – To protect life or health
  • Public interest – For tasks carried out in the public interest or by official authority

For special category data, an additional condition under Article 9 is required (e.g. employment law, public health, explicit consent).

A Legitimate Interests Assessment (LIA) is conducted where legitimate interest is the primary basis.

2. Data Subject Rights (DSRs)

Data subjects in the EU and UK are entitled to the full suite of rights under Articles 12–22 of the GDPR:

  • Right of access – To obtain a copy of their personal data
  • Right to rectification – To correct inaccurate or incomplete data
  • Right to erasure ('right to be forgotten') – Where data is no longer required
  • Right to restriction of processing – Temporarily halt processing under certain conditions
  • Right to data portability – To receive data in machine-readable format
  • Right to object – Including profiling and direct marketing
  • Right not to be subject to automated decisions – With legal or significant effects

DSRs are processed within one calendar month, extendable by two months where requests are complex. All requests are logged and responded to in compliance with Article 12.

Where we rely on automated profiling for matching candidates to roles or analysing engagement, we ensure:

  • A human review of outcomes
  • Transparent explanation of the logic involved
  • The ability to challenge or opt out

3. Record of Processing Activities (ROPA)

ICG Medical maintains a Group-wide Record of Processing Activities, in line with Article 30. The ROPA is updated quarterly and includes:

  • Purpose of processing
  • Categories of data and data subjects
  • Recipients of data
  • International data transfers and safeguards
  • Retention periods
  • Security measures implemented

Each ICG brand is responsible for maintaining a local ROPA and contributing to the global record.

4. Data Protection Impact Assessments (DPIAs)

A DPIA is conducted before initiating processing that may result in a high risk to the rights and freedoms of individuals, including:

  • Large-scale processing of special category data
  • Monitoring publicly accessible areas
  • Systematic profiling or scoring (e.g. behavioural analytics)

DPIAs are overseen by the DPO and include:

  • Purpose and necessity
  • Risk assessment
  • Mitigation measures
  • Consultation with the DPO or supervisory authority, where required

All DPIAs are recorded and retained as part of ICG’s audit trail.

5. International Data Transfers

ICG transfers personal data from the UK and EU to third countries only where appropriate safeguards are in place, including:

  • Adequacy decisions by the European Commission or UK Secretary of State
  • Standard Contractual Clauses (SCCs) issued by the EU or UK ICO
  • Binding Corporate Rules (BCRs) – under development for internal group transfers
  • Derogations under Article 49 (e.g. explicit consent, performance of contract)

A central Data Transfer Risk Assessment (TRA) process is maintained and updated annually or when transfer conditions materially change.

6. UK-specific Compliance Measures

UK Data Protection Act 2018 specific measures include:

  • Appropriate Policy Documents (APDs) – Maintained for processing of criminal conviction data under Schedule 1 conditions
  • Children’s data – Additional safeguards for data subjects under 13, including parental consent mechanisms
  • UK Representative – Where non-UK entities target UK residents, a UK representative is appointed under Article 27 UK GDPR
  • UK Addendum to SCCs – Appended where EU SCCs are used in UK-based transfers

UK-specific ICO guidance is monitored and integrated into operational policies and training.

7. Supervisory Authorities and Cooperation

ICG Medical identifies the following lead supervisory authorities:

  • UK – Information Commissioner’s Office (ICO)
  • EU – To be determined based on primary establishment (to be appointed via One-Stop-Shop mechanism)

Where required, ICG cooperates fully with:

  • Cross-border investigations
  • Data breach assessments
  • Data protection complaints and enforcement notices

Contact details for each regional authority are provided in the full Privacy Notice published on our platforms.
Appendix C – Americas Compliance

This appendix outlines ICG Medical Group’s compliance approach across the Americas, covering the United States, Canada, and Mexico. Each region has distinct privacy regimes requiring tailored contractual, operational and technical safeguards.

United States – Multi-State Privacy Law Framework (2025)

By the end of 2025, over 20 US states will enforce comprehensive privacy legislation, including California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. ICG Medical applies a harmonised, high-water mark approach across all US operations.

1. Core Principles Adopted Across All States

ICG honours the following core principles across all US jurisdictions:

  • Data minimisation and purpose limitation
  • Notice and transparency – Including specific disclosures for sensitive data uses
  • Opt-out rights for:
    • Sale or sharing of personal data
    • Targeted advertising
    • Profiling or automated decision-making with significant effects
  • Right of access, correction, deletion and portability

Privacy notices for US data subjects include:

  • Categories of data collected and shared
  • Retention durations
  • Contact details for opt-outs and appeals
2. California Privacy Rights Act (CPRA) Enhancements

In California, ICG also complies with the CPRA and guidance from the California Privacy Protection Agency (CPPA):

  • Sensitive Personal Information (SPI) – Separate notices provided for data such as:
    • Health data
    • Racial or ethnic origin
    • Biometric and precise geolocation data
    • Neural data, per 2025 expansion (e.g. EEG, brainwave analysis)
  • Automated Decision-Making (ADM)
    • Right to know meaningful information about the logic involved
    • Right to opt out of profiling or algorithms producing legal or similarly significant effects

3. Contractual Requirements with Vendors ("Processors")

ICG’s Data Processing Agreements (DPAs) with US-based service providers meet state-mandated obligations by including:

  • Prohibition of secondary use of data
  • Flow-down obligations to subcontractors
  • Transparency rights enforcement
  • Regular audit or assessment rights

A central Vendor Risk Register tracks compliance across US operations.

Canada – PIPEDA and Bill C-27 (CPPA) Transition Readiness

ICG Medical operates under the Personal Information Protection and Electronic Documents Act (PIPEDA) and is preparing for the expected 2025 implementation of the Consumer Privacy Protection Act (CPPA), introduced via Bill C-27.

1. Consent and Transparency

  • Consent is:
    • Express or implied, depending on sensitivity and context
    • Accompanied by clear disclosures regarding purposes, use, and rights
  • Separate consents are obtained for:
    • Cross-border transfers
    • Use of personal information for analytics or training models
    • Processing of sensitive categories (health, biometric, racial, etc.)

2. Algorithmic Accountability

  • Under CPPA, individuals will have:
    • The right to explanation when subjected to decisions via automated processing
    • The right to challenge or opt-out in contexts involving significant impact
  • ICG maintains records of algorithms used in candidate filtering or service delivery, subject to regulatory inspection.

3. De-identified and Anonymised Data

  • Definitions under CPPA distinguish:
    • Anonymised data (irreversible and excluded from scope)
    • De-identified data (pseudonymised and still regulated)
  • ICG classifies datasets accordingly and applies technical and organisational safeguards aligned with CPPA rules.
4. Enforcement Preparedness

  • CPPA introduces an independent enforcement authority – the Personal Information and Data Protection Tribunal
  • ICG maintains:
    • Data breach logs and reporting processes
    • Internal privacy audit capabilities
    • Training programmes on evolving obligations
Mexico – Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)

ICG’s operations in Mexico observe compliance with LFPDPPP and its secondary regulations issued by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).

1. Lawful Processing Principles

ICG adheres to the core LFPDPPP principles:

  • Legality, Consent, Information, Quality, Purpose, Loyalty, Proportionality, and Accountability
  • Privacy notices are delivered at the time of data collection and specify:
    • Purpose of collection
    • Transfers to third parties
    • Rights (ARCO: Access, Rectification, Cancellation, Opposition)

2. ARCO Rights Mechanism

  • Requests under ARCO are:
    • Acknowledged within 20 days
    • Fulfilled within 15 days thereafter
    • Delivered in Spanish and English, where appropriate
  • An appeals mechanism is built into the process

3. Cross-border Transfers

  • ICG signs mutual commitments (binding contracts) with international recipients to ensure equivalent protection
  • Mexico does not maintain an adequacy list – all transfers must include:
    • Purpose, safeguards, recipient identity, and consent (where applicable)

4. Breach Notification

  • ICG notifies data subjects of any security breaches that significantly impact economic or moral rights
  • The notice must include:
    • The nature of the incident
    • Actions taken
    • Recommendations for risk mitigation
    • Mechanism for additional queries
Appendix D – Africa and Middle East Compliance

This appendix outlines the regulatory requirements and operational measures adopted by ICG Medical Group to ensure compliance within South Africa, under the Protection of Personal Information Act (POPIA). It provides enforceable privacy protections for data subjects and imposes conditions for lawful processing.

South Africa – Protection of Personal Information Act (POPIA)

ICG Medical applies POPIA’s eight processing conditions as the foundation of its operations in South Africa, ensuring transparent, fair, and lawful data handling.

1. Conditions for Lawful Processing (Sections 4–13)

ICG ensures that all personal data is:

  • Processed lawfully and reasonably – with clear, documented purposes
  • Collected directly from the data subject, unless lawful exceptions apply
  • Adequate, relevant and not excessive – per the principle of minimality
  • Accurate and up to date, with prompt correction on request
  • Stored securely and not retained longer than necessary

2. Purpose Specification and Processing Limitation

  • Personal information is only processed for:
    • Employment or recruitment purposes
    • Regulatory obligations (e.g. professional registrations, tax reporting)
    • Service delivery under client or supplier agreements
  • Reuse of data is explicitly prohibited, unless compatible with the original purpose or authorised by law

A Processing Limitation Register is maintained for high-risk categories (e.g. health, biometrics).

3. Objection and Withdrawal Rights (Section 11(3))

ICG ensures that:

  • Individuals may object to processing at any time, especially for:
    • Direct marketing
    • Profiling or behavioural analysis
  • An internal Form 1 process (as per Regulation 2) is available to initiate objection
  • Where objection is received, ICG ceases processing unless it has:
    • A legal obligation
    • A contractual requirement
    • A compelling legitimate interest (documented through a balancing test)

4. Consent and Justification Grounds

ICG relies on one of the following legal bases:

  • Consent – Clear, voluntary, and informed agreement
  • Performance of a contract – Processing necessary to fulfil contractual terms
  • Legal obligation – Such as reporting to the Health Professions Council of South Africa
  • Legitimate interest – Balanced against individual rights and documented accordingly

Consent is obtained:

  • Using affirmative actions (no pre-ticked boxes)
  • In writing for special personal information (e.g. race, health, religion, biometrics)

5. Cross-border Data Transfers (Section 72)

ICG transfers personal data outside of South Africa only where:

  • The receiving country provides an equivalent level of protection
  • The data subject has consented to the transfer
  • The transfer is necessary for contract fulfilment
  • Adequate binding agreements or model clauses are in place with the recipient

Each cross-border transfer is supported by a Transfer Assessment File to record the transfer basis, security measures, and justification.

6. Security Safeguards (Sections 19–22)

ICG implements administrative, technical, and physical safeguards including:

  • Access controls and multi-factor authentication
  • Regular risk assessments
  • Data encryption at rest and in transit
  • Staff training and POPIA awareness programmes

In the event of a data breach:

  • The Information Regulator is notified as soon as reasonably possible
  • Affected individuals are informed of the breach, its likely impact, and steps taken to mitigate harm
  • All incidents are logged in the POPIA Security Incident Register

7. Information Officer Duties

An Information Officer (IO) is appointed for ICG’s South African operations. Responsibilities include:

  • Promoting internal compliance
  • Managing PAIA (Promotion of Access to Information Act) requests
  • Handling complaints and breach responses
  • Liaising with the Information Regulator

The IO is registered with the Regulator and contact details are made available in the group’s PAIA manual.

8. Data Subject Participation (Sections 23–25)

ICG provides the right to:

  • Access personal information using Form 2
  • Request correction, deletion, or destruction using Form 3
  • Lodge complaints using the standard process

Responses to requests are issued within 21 business days, with reasons provided for any refusal (in accordance with PAIA exemptions).