Clinical24 Staffing Limited is part of ICG Medical Group
Introduction
ICG Medical Group (“ICG Medical”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your data, and outlines your rights under global data protection laws. It applies across all ICG Medical brands and global operations, including:
United Kingdom – Republic of Ireland – United States – Canada – Mexico – South Africa – India – China – Japan – Australia – Philippines
This policy applies to all individuals engaging with us as candidates, clients, suppliers, or website or app users. For region-specific rules and obligations, refer to the Regional Attestations Framework in the appendices.
1 – Who We Are
ICG Medical Group is a global provider of healthcare workforce solutions. While each of our brands may act as a data controller, this group-level policy governs the overarching data protection standards applied across all group entities.
Postal Address:
Suite 1, Wrest Park Business Centre
Capability House, Wrest Park, Silsoe
Bedfordshire, MK45 4HR
United Kingdom
2 – Scope of This Policy
This Privacy Policy applies when you:
- Visit our websites or use our applications
- Apply for or register interest in roles
- Communicate with us via email, phone or in person
- Are referred to us by a third party (with your permission)
- Engage with us as a supplier, contractor or client
This policy does not apply to third-party services or platforms linked to our websites or applications.
3 – Types of Data We Collect
Depending on your interaction, we may collect:
- Identity & Contact Data – Name, address, email, phone number
- Professional Data – CV, qualifications, references, employment history
- Compliance Data – Identity checks, background screening, licences, health records
- Account Data – Usernames, passwords, log data
- Financial Data – Payment information, tax references
- Behavioural & Technical Data – Device information, IP, usage data
- Sensitive Data – Health or criminal background (where required and legally justified)
4 – How We Collect Your Data
- Directly from You – Via applications, forms, surveys, or direct contact
- Automatically – Using cookies or analytics tools on websites and apps
- Third Parties – Background screening services, referees, regulatory bodies
- Referral – By others, with your prior consent
5 – Cookies and Tracking
We use cookies to:
- Enable site functionality
- Analyse usage behaviour
- Customise user experience
- Deliver targeted advertising
You may manage or disable cookies in your browser or using our cookie preference tool. See our full Cookie Policy for details.
6 – Lawful Use of Your Data
We use your personal data only when permitted by law. The lawful bases include:
| Purpose | Data Types | Legal Basis |
|---|---|---|
| User verification and onboarding | Identity, Compliance | Contract |
| Regulatory and credential checks | Compliance | Legal obligation / Legitimate interest |
| Contract management and payment | Financial, Contact | Contract / Legal obligation |
| Analytics and service improvement | Technical, Usage | Legitimate interest |
| Marketing and communications | Contact | Consent / Legitimate interest |
| Legal reporting or fraud prevention | Any | Legal obligation / Vital interest / Legitimate interest |
You may withdraw consent at any time.
7 – Sharing Your Data
We only share data when necessary and with appropriate safeguards in place. This includes sharing with:
- Other ICG Medical brands providing related services
- Third-party processors (e.g. payroll, IT, compliance services)
- Clients for service fulfilment
- Regulators, auditors and legal advisers
- Authorities or acquiring companies where legally required
All sharing is governed by data processing agreements or equivalent safeguards.
8 – International Data Transfers
Your data may be transferred outside your jurisdiction. We apply:
- UK/EU adequacy decisions
- Standard contractual clauses (SCCs)
- Government-approved safeguards where applicable (e.g. India, China)
For transfers from China and India, we meet local security assessments and certification rules, including approval pathways.
9 – Data Retention
Data is retained only for as long as necessary for:
- Contractual and legal compliance
- Operational support or audit purposes
- Service improvement (in anonymised form)
Retention is governed by our internal policy. Secure deletion or anonymisation follows expiry of the relevant period.
10 – Data Security
We apply strong protections aligned with ISO/IEC 27001 principles, including:
- Encryption
- Role-based access controls
- Intrusion detection and monitoring
- Security training
- Incident response protocols
If you suspect misuse or breach, please contact us immediately.
11 – Your Rights
Depending on your location, you may exercise:
- Right of access
- Right to correct inaccurate data
- Right to erasure
- Right to restrict processing
- Right to object to certain uses (including profiling)
- Right to data portability
- Right to withdraw consent
- Right to lodge complaints with your data protection authority
Contact DPO@icgmedical.co.uk to exercise your rights.
12 – Marketing Preferences
You can opt out of marketing:
- By clicking ‘unsubscribe’ in emails
- By contacting us directly
- Via account settings on our platforms
We never sell your data.
13 – Policy Changes
This policy may be updated periodically. We will provide notice where material changes occur.
14 – Contact
Global Data Protection Officer
Email – DPO@icgmedical.co.uk
Post – Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire, MK45 4HR, United Kingdom
Appendix A – Asia-Pacific Compliance
This appendix outlines the additional obligations, safeguards, and operational controls applicable to personal data processed or transferred in or from the Asia-Pacific region, specifically: China, Japan, Australia, and India.
China – Personal Information Protection Law (PIPL) Compliance
ICG Medical Group acknowledges the extraterritorial scope of China’s PIPL and implements the following controls:
1. Compliance Audits
- If processing personal data of more than 10 million individuals, ICG Medical undertakes formal compliance audits every two years, as required under Article 54 of PIPL.
- Audit results are documented, and remediation actions (if applicable) are recorded and assigned to responsible parties.
2. Cross-Border Data Transfer Mechanisms
- For any cross-border transfers of Chinese personal information, ICG applies one or more of the following legal mechanisms:
  - Security Assessment filed with the Cyberspace Administration of China (CAC) where processing meets the specified volume or critical data thresholds.
  - Standard Contracts issued by CAC and duly filed.
  - Certification by a Professional Institution designated by CAC.
3. Localisation and Data Mapping
- All personal data collected within China is classified, inventoried, and mapped against risk categories, including whether it is “sensitive” or “critical information infrastructure-related”.
- Where required by law, data localisation is respected, especially where data involves core state functions or public health.
4. Processor Liability and Contractual Terms
- Contracts with Chinese data processors now incorporate Article 59 requirements:
  - Confidentiality, security safeguards, reporting obligations
  - Prohibition of unauthorised onward transfer
  - Joint liability terms, where applicable
5. Data Subject Rights (DSRs)
- Chinese data subjects may request access, correction, deletion, portability, withdrawal of consent, and restriction.
- Requests are actioned within 15 business days, with a multilingual support option.
Japan – Act on the Protection of Personal Information (APPI) Amendments (2025)
ICG Medical’s operations in Japan observe the following obligations under the revised APPI:
1. Use of Personal Data in AI Training
- Personal data may be used without explicit consent for AI model training, provided:
  - The data is pseudonymised and cannot reasonably re-identify individuals
  - The purpose is stated transparently in the privacy notice
  - Individuals are offered a means to opt out
2. Biometric and Children’s Data Protections
- For biometric data (e.g. facial recognition, voice patterns) and children's data:
  - ICG ensures explicit opt-in consent
  - A data subject can demand suspension of use at any time
  - Risk assessments are undertaken before deployment of biometric systems
3. Data Breach Notification Rules for Certified Entities
- Where ICG Medical is a certified business operator, breach notification to the Personal Information Protection Commission (PPC) is allowed within 30–60 days, based on severity, with preliminary reporting encouraged.
- Non-certified entities must notify without delay, and in any case within 5 days.
4. Enhanced Record-Keeping
- A record of all processing activities is maintained in line with APPI Article 29-4.
- Transfers to third parties are documented, with consent or lawful basis noted.
Australia – Privacy Act Reforms (Effective June 2025)
To align with the amended Australian Privacy Act and recommendations from the Attorney-General’s Department:
1. Introduction of Statutory Tort for Serious Invasions of Privacy
- ICG Medical maintains a Privacy Impact Assessment (PIA) register to pre-screen activities that might pose a risk of serious privacy intrusion.
- Employees and contractors are trained on how to handle high-risk data and avoid over-collection.
2. Strengthened Consent Requirements
- Consent is defined and operationalised as:
  - Freely given – without pressure or negative consequences
  - Informed – clear understanding of what data is collected and for what purposes
  - Specific – for identified purposes, not bundled
  - Unambiguous – using affirmative opt-in mechanisms
- Default consent is never presumed (no pre-ticked boxes or silence).
3. Penalty Framework (Effective July 2025)
- Penalties apply for serious or repeated breaches:
  - AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater
- Serious breach definition includes:
  - Unauthorised access impacting over 5,000 individuals
  - Repeated failure to notify or mitigate data loss
4. Global Transfer and APP 8 Controls
- Before transferring data outside Australia:
  - ICG must take reasonable steps to ensure overseas recipients comply with Australian Privacy Principles (APPs).
  - Where feasible, binding contractual clauses are used to ensure APP equivalence.
India – Digital Personal Data Protection Act (DPDP 2023), Implementation in 2025
ICG Medical aligns its Indian data practices with the 2023 DPDP Act, coming into enforcement in early 2025:
1. Consent and Purpose Limitation
- All personal data processing is based on consent that is free, informed, specific, clear, and capable of being withdrawn.
- Purpose must be clearly stated and limited to what is necessary.
2. Consent Manager Integration
- ICG interoperates with India’s authorised Consent Manager Platforms, allowing individuals to:
  - View past consents
  - Modify or revoke consents
  - Access logs of how their data was used
3. Cross-border Transfers
- Personal data may only be transferred to countries approved by the Indian Government.
- ICG maintains a log of data flows and ensures storage, access and transfer logs are tamper-proof.
4. Data Protection Board Compliance
- ICG recognises the authority of the Data Protection Board of India, empowered to:
  - Impose penalties up to INR 250 crore (~£25 million) for breach
  - Conduct audits and issue binding directives
5. Children's Data and Grievance Redressal
- Parental consent is required for processing data of individuals under 18.
- ICG provides a grievance redressal mechanism, resolving queries within 7 working days.
Appendix B – European and UK Compliance
This appendix outlines the regulatory framework and operational requirements that apply to ICG Medical Group when processing personal data of individuals located in the European Union (EU) and the United Kingdom (UK). It addresses obligations under the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.
These standards form the baseline of our global data protection model and are embedded across all entities.
1. Lawful Basis for Processing
ICG Medical ensures all personal data processing meets at least one lawful basis as outlined in Article 6 of the GDPR:
- Consent – Freely given, informed, specific, and unambiguous
- Contractual necessity – Where processing is required to enter or perform a contract
- Legal obligation – To comply with a legal or statutory duty
- Legitimate interests – Where our interest is balanced against individuals' rights
- Vital interests – To protect life or health
- Public interest – For tasks carried out in the public interest or by official authority
For special category data, an additional condition under Article 9 is required (e.g. employment law, public health, explicit consent).
A Legitimate Interests Assessment (LIA) is conducted where legitimate interest is the primary basis.
2. Data Subject Rights (DSRs)
Data subjects in the EU and UK are entitled to the full suite of rights under Articles 12–22 of the GDPR:
- Right of access – To obtain a copy of their personal data
- Right to rectification – To correct inaccurate or incomplete data
- Right to erasure ('right to be forgotten') – Where data is no longer required
- Right to restriction of processing – Temporarily halt processing under certain conditions
- Right to data portability – To receive data in machine-readable format
- Right to object – Including profiling and direct marketing
- Right not to be subject to automated decisions – With legal or significant effects
DSRs are processed within one calendar month, extendable by two months where requests are complex. All requests are logged and responded to in compliance with Article 12.
Where we rely on automated profiling for matching candidates to roles or analysing engagement, we ensure:
- A human review of outcomes
- Transparent explanation of the logic involved
- The ability to challenge or opt out
3. Record of Processing Activities (ROPA)
ICG Medical maintains a Group-wide Record of Processing Activities, in line with Article 30. The ROPA is updated quarterly and includes:
- Purpose of processing
- Categories of data and data subjects
- Recipients of data
- International data transfers and safeguards
- Retention periods
- Security measures implemented
Each ICG brand is responsible for maintaining a local ROPA and contributing to the global record.
4. Data Protection Impact Assessments (DPIAs)
A DPIA is conducted before initiating processing that may result in a high risk to the rights and freedoms of individuals, including:
- Large-scale processing of special category data
- Monitoring publicly accessible areas
- Systematic profiling or scoring (e.g. behavioural analytics)
DPIAs are overseen by the DPO and include:
- Purpose and necessity
- Risk assessment
- Mitigation measures
- Consultation with the DPO or supervisory authority, where required
All DPIAs are recorded and retained as part of ICG’s audit trail.
5. International Data Transfers
ICG transfers personal data from the UK and EU to third countries only where appropriate safeguards are in place, including:
- Adequacy decisions by the European Commission or UK Secretary of State
- Standard Contractual Clauses (SCCs) issued by the EU or UK ICO
- Binding Corporate Rules (BCRs) – under development for internal group transfers
- Derogations under Article 49 (e.g. explicit consent, performance of contract)
A central Data Transfer Risk Assessment (TRA) process is maintained and updated annually or when transfer conditions materially change.
6. UK-specific Compliance Measures
UK Data Protection Act 2018 specific measures include:
- Appropriate Policy Documents (APDs) – Maintained for processing of criminal conviction data under Schedule 1 conditions
- Children’s data – Additional safeguards for data subjects under 13, including parental consent mechanisms
- UK Representative – Where non-UK entities target UK residents, a UK representative is appointed under Article 27 UK GDPR
- UK Addendum to SCCs – Appended where EU SCCs are used in UK-based transfers
UK-specific ICO guidance is monitored and integrated into operational policies and training.
7. Supervisory Authorities and Cooperation
ICG Medical identifies the following lead supervisory authorities:
- UK – Information Commissioner’s Office (ICO)
- EU – To be determined based on primary establishment (to be appointed via One-Stop-Shop mechanism)
Where required, ICG cooperates fully with:
- Cross-border investigations
- Data breach assessments
- Data protection complaints and enforcement notices
Contact details for each regional authority are provided in the full Privacy Notice published on our platforms.
Appendix C – Americas Compliance
This appendix outlines ICG Medical Group’s compliance approach across the Americas, covering the United States, Canada, and Mexico. Each region has distinct privacy regimes requiring tailored contractual, operational and technical safeguards.
United States – Multi-State Privacy Law Framework (2025)
By the end of 2025, over 20 US states will enforce comprehensive privacy legislation, including California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. ICG Medical applies a harmonised, high-water mark approach across all US operations.
1. Core Principles Adopted Across All States
ICG honours the following core principles across all US jurisdictions:
- Data minimisation and purpose limitation
- Notice and transparency – Including specific disclosures for sensitive data uses
- Opt-out rights for:
  - Sale or sharing of personal data
  - Targeted advertising
  - Profiling or automated decision-making with significant effects
- Right of access, correction, deletion and portability
Privacy notices for US data subjects include:
- Categories of data collected and shared
- Retention durations
- Contact details for opt-outs and appeals
2. California Privacy Rights Act (CPRA) Enhancements
In California, ICG also complies with the CPRA and guidance from the California Privacy Protection Agency (CPPA):
- Sensitive Personal Information (SPI) – Separate notices provided for data such as:
  - Health data
  - Racial or ethnic origin
  - Biometric and precise geolocation data
  - Neural data, per 2025 expansion (e.g. EEG, brainwave analysis)
- Automated Decision-Making (ADM)
  - Right to know meaningful information about the logic involved
  - Right to opt out of profiling or algorithms producing legal or similarly significant effects
3. Contractual Requirements with Vendors ("Processors")
ICG’s Data Processing Agreements (DPAs) with US-based service providers meet state-mandated obligations by including:
- Prohibition of secondary use of data
- Flow-down obligations to subcontractors
- Transparency rights enforcement
- Regular audit or assessment rights
A central Vendor Risk Register tracks compliance across US operations.
Canada – PIPEDA and Bill C-27 (CPPA) Transition Readiness
ICG Medical operates under the Personal Information Protection and Electronic Documents Act (PIPEDA) and is preparing for the expected 2025 implementation of the Consumer Privacy Protection Act (CPPA), introduced via Bill C-27.
1. Consent and Transparency
- Consent is:
  - Express or implied, depending on sensitivity and context
  - Accompanied by clear disclosures regarding purposes, use, and rights
- Separate consents are obtained for:
  - Cross-border transfers
  - Use of personal information for analytics or training models
  - Processing of sensitive categories (health, biometric, racial, etc.)
2. Algorithmic Accountability
- Under CPPA, individuals will have:
  - The right to explanation when subjected to decisions via automated processing
  - The right to challenge or opt out in contexts involving significant impact
- ICG maintains records of algorithms used in candidate filtering or service delivery, subject to regulatory inspection.
3. De-identified and Anonymised Data
- Definitions under CPPA distinguish:
  - Anonymised data (irreversible and excluded from scope)
  - De-identified data (pseudonymised and still regulated)
- ICG classifies datasets accordingly and applies technical and organisational safeguards aligned with CPPA rules.
4. Enforcement Preparedness
- CPPA introduces an independent enforcement authority – the Personal Information and Data Protection Tribunal
- ICG maintains:
  - Data breach logs and reporting processes
  - Internal privacy audit capabilities
  - Training programmes on evolving obligations
Mexico – Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
ICG’s operations in Mexico observe compliance with LFPDPPP and its secondary regulations issued by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).
1. Lawful Processing Principles
ICG adheres to the core LFPDPPP principles:
- Legality, Consent, Information, Quality, Purpose, Loyalty, Proportionality, and Accountability
- Privacy notices are delivered at the time of data collection and specify:
  - Purpose of collection
  - Transfers to third parties
  - Rights (ARCO: Access, Rectification, Cancellation, Opposition)
2. ARCO Rights Mechanism
- Requests under ARCO are:
  - Acknowledged within 20 days
  - Fulfilled within 15 days thereafter
  - Delivered in Spanish and English, where appropriate
- An appeals mechanism is built into the process
3. Cross-border Transfers
- ICG signs mutual commitments (binding contracts) with international recipients to ensure equivalent protection
- Mexico does not maintain an adequacy list – all transfers must include:
  - Purpose, safeguards, recipient identity, and consent (where applicable)
4. Breach Notification
- ICG notifies data subjects of any security breaches that significantly impact economic or moral rights
- The notice must include:
  - The nature of the incident
  - Actions taken
  - Recommendations for risk mitigation
  - Mechanism for additional queries
Appendix D – Africa and Middle East Compliance
This appendix outlines the regulatory requirements and operational measures adopted by ICG Medical Group to ensure compliance within South Africa, under the Protection of Personal Information Act (POPIA). It provides enforceable privacy protections for data subjects and imposes conditions for lawful processing.
South Africa – Protection of Personal Information Act (POPIA)
ICG Medical applies POPIA’s eight processing conditions as the foundation of its operations in South Africa, ensuring transparent, fair, and lawful data handling.
1. Conditions for Lawful Processing (Sections 4–13)
ICG ensures that all personal data is:
- Processed lawfully and reasonably – with clear, documented purposes
- Collected directly from the data subject, unless lawful exceptions apply
- Adequate, relevant and not excessive – per the principle of minimality
- Accurate and up to date, with prompt correction on request
- Stored securely and not retained longer than necessary
2. Purpose Specification and Processing Limitation
- Personal information is only processed for:
  - Employment or recruitment purposes
  - Regulatory obligations (e.g. professional registrations, tax reporting)
  - Service delivery under client or supplier agreements
- Reuse of data is explicitly prohibited, unless compatible with the original purpose or authorised by law
A Processing Limitation Register is maintained for high-risk categories (e.g. health, biometrics).
3. Objection and Withdrawal Rights (Section 11(3))
ICG ensures that:
- Individuals may object to processing at any time, especially for:
  - Direct marketing
  - Profiling or behavioural analysis
- An internal Form 1 process (as per Regulation 2) is available to initiate objection
- Where objection is received, ICG ceases processing unless it has:
  - A legal obligation
  - A contractual requirement
  - A compelling legitimate interest (documented through a balancing test)
4. Consent and Justification Grounds
ICG relies on one of the following legal bases:
- Consent – Clear, voluntary, and informed agreement
- Performance of a contract – Processing necessary to fulfil contractual terms
- Legal obligation – Such as reporting to the Health Professions Council of South Africa
- Legitimate interest – Balanced against individual rights and documented accordingly
Consent is obtained:
- Using affirmative actions (no pre-ticked boxes)
- In writing for special personal information (e.g. race, health, religion, biometrics)
5. Cross-border Data Transfers (Section 72)
ICG transfers personal data outside of South Africa only where:
- The receiving country provides an equivalent level of protection
- The data subject has consented to the transfer
- The transfer is necessary for contract fulfilment
- Adequate binding agreements or model clauses are in place with the recipient
Each cross-border transfer is supported by a Transfer Assessment File to record the transfer basis, security measures, and justification.
6. Security Safeguards (Sections 19–22)
ICG implements administrative, technical, and physical safeguards including:
- Access controls and multi-factor authentication
- Regular risk assessments
- Data encryption at rest and in transit
- Staff training and POPIA awareness programmes
In the event of a data breach:
- The Information Regulator is notified as soon as reasonably possible
- Affected individuals are informed of the breach, its likely impact, and steps taken to mitigate harm
- All incidents are logged in the POPIA Security Incident Register
7. Information Officer Duties
An Information Officer (IO) is appointed for ICG’s South African operations. Responsibilities include:
- Promoting internal compliance
- Managing PAIA (Promotion of Access to Information Act) requests
- Handling complaints and breach responses
- Liaising with the Information Regulator
The IO is registered with the Regulator and contact details are made available in the group’s PAIA manual.
8. Data Subject Participation (Sections 23–25)
ICG provides the right to:
- Access personal information using Form 2
- Request correction, deletion, or destruction using Form 3
- Lodge complaints using the standard process
Responses to requests are issued within 21 business days, with reasons provided for any refusal (in accordance with PAIA exemptions).