Privacy Policy

ICG Medical Group

Introduction

ICG Medical Group (“ICG Medical”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your data, and outlines your rights under global data protection laws. It applies across all ICG Medical brands and global operations, including:

United Kingdom – Republic of Ireland – United States – Canada – Mexico – South Africa – India – China – Japan – Australia – Philippines

This policy applies to all individuals engaging with us as candidates, clients, suppliers, website or app users. For region-specific rules and obligations, refer to the Regional Attestations Framework in the appendices.


1 – Who We Are

ICG Medical Group is a global provider of healthcare workforce solutions. While each of our brands may act as a data controller, this group-level policy governs the overarching data protection standards applied across all group entities.

Postal Address

Suite 1, Wrest Park Business Centre
Capability House, Wrest Park, Silsoe
Bedfordshire, MK45 4HR
United Kingdom

2 – Scope of This Policy

This Privacy Policy applies when you:

  • Visit our websites or use our applications
  • Apply for or register interest in roles
  • Communicate with us via email, phone or in person
  • Are referred to us by a third party (with your permission)
  • Engage with us as a supplier, contractor or client

This policy does not apply to third-party services or platforms linked to our websites or applications.

3 – Types of Data We Collect

Depending on your interaction, we may collect:

  • Identity & Contact Data – Name, address, email, phone number
  • Professional Data – CV, qualifications, references, employment history
  • Compliance Data – Identity checks, background screening, licences, health records
  • Account Data – Usernames, passwords, log data
  • Financial Data – Payment information, tax references
  • Behavioural & Technical Data – Device information, IP, usage data
  • Sensitive Data – Health or criminal background (where required and legally justified)

4 – How We Collect Your Data

  • Directly from You – Via applications, forms, surveys, or direct contact
  • Automatically – Using cookies or analytics tools on websites and apps
  • Third Parties – Background screening services, referees, regulatory bodies
  • Referral – By others, with your prior consent

5 – Cookies and Tracking

We use cookies to:

  • Enable site functionality
  • Analyse usage behaviour
  • Customise user experience
  • Deliver targeted advertising

You may manage or disable cookies in your browser or using our cookie preference tool. See our full Cookie Policy for details.

6 – Lawful Use of Your Data

We use your personal data only when permitted by law. The lawful bases include:

Purpose | Data Types | Legal Basis
User verification and onboarding | Identity, Compliance | Contract
Regulatory and credential checks | Compliance | Legal obligation / Legitimate interest
Contract management and payment | Financial, Contact | Contract / Legal obligation
Analytics and service improvement | Technical, Usage | Legitimate interest
Marketing and communications | Contact | Consent / Legitimate interest
Legal reporting or fraud prevention | Any | Legal obligation / Vital interest / Legitimate interest

You may withdraw consent at any time.

7 – Sharing Your Data

We only share data when necessary and with appropriate safeguards in place. This includes sharing with:

  • Other ICG Medical brands providing related services
  • Third-party processors (e.g. payroll, IT, compliance services)
  • Clients for service fulfilment
  • Regulators, auditors and legal advisers
  • Authorities or acquiring companies where legally required

All sharing is governed by data processing agreements or equivalent safeguards.

8 – International Data Transfers

Your data may be transferred outside your jurisdiction. We apply:

  • UK/EU adequacy decisions
  • Standard contractual clauses (SCCs)
  • Government-approved safeguards where applicable (e.g. India, China)

For transfers from China and India, we meet local security assessments and certification rules, including approval pathways.

9 – Data Retention

Data is retained only for as long as necessary for:

  • Contractual and legal compliance
  • Operational support or audit purposes
  • Service improvement (in anonymised form)

Retention is governed by our internal policy. Secure deletion or anonymisation follows expiry of the relevant period.

10 – Data Security

We apply strong protections aligned with ISO/IEC 27001 principles, including:

  • Encryption
  • Role-based access controls
  • Intrusion detection and monitoring
  • Security training
  • Incident response protocols

If you suspect misuse or breach, please contact us immediately.

11 – Your Rights

Depending on your location, you may exercise:

  • Right of access
  • Right to correct inaccurate data
  • Right to erasure
  • Right to restrict processing
  • Right to object to certain uses (including profiling)
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge complaints with your data protection authority

Contact DPO@icgmedical.co.uk to exercise your rights.

12 – Marketing Preferences

You can opt out of marketing:

  • By clicking ‘unsubscribe’ in emails
  • By contacting us directly
  • Via account settings on our platforms

We never sell your data.

13 – Policy Changes

This policy may be updated periodically. We will provide notice where material changes occur.

14 – Contact

Global Data Protection Officer

Email – DPO@icgmedical.co.uk

Post – Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire, MK45 4HR, United Kingdom


Appendices

Regional compliance information

Appendix A – Asia-Pacific Compliance

This appendix outlines additional obligations applicable to personal data processed in or from: China, Japan, Australia, and India.

China – Personal Information Protection Law (PIPL)

  1. Compliance Audits – Formal compliance audits every two years where processing exceeds 10 million individuals (Article 54 of PIPL).
  2. Cross-Border Transfer Mechanisms – Security Assessment with the Cyberspace Administration of China (CAC), Standard Contracts filed with CAC, or Certification by a CAC-designated institution.
  3. Localisation and Data Mapping – All personal data collected within China is classified and mapped against risk categories. Data localisation is respected where required.
  4. Processor Contracts – Article 59 requirements incorporated: confidentiality, security safeguards, reporting obligations, and prohibition of unauthorised onward transfer.
  5. Data Subject Rights – Access, correction, deletion, portability, consent withdrawal, and restriction. Actioned within 15 business days with multilingual support.

Japan – Act on the Protection of Personal Information (APPI)

  1. AI Training – Personal data may be used for AI model training if pseudonymised, purpose is stated transparently, and individuals are offered opt-out.
  2. Biometric and Children's Data – Explicit opt-in consent required; data subjects can demand suspension at any time; risk assessments required before biometric system deployment.
  3. Breach Notification – Notification to the Personal Information Protection Commission (PPC) within 30–60 days based on severity.
  4. Record-Keeping – Processing activities maintained per APPI Article 29-4, with transfers to third parties documented.

Australia – Privacy Act Reforms (Effective June 2025)

  1. Privacy Impact Assessments – PIA register maintained to pre-screen high-risk activities.
  2. Strengthened Consent – Freely given, informed, specific, and unambiguous. No pre-ticked boxes or presumed consent.
  3. Penalties – AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater.
  4. APP 8 Controls – Overseas recipients must comply with Australian Privacy Principles before transfer.

India – Digital Personal Data Protection Act (DPDP 2023)

  1. Consent – Free, informed, specific, clear, and capable of withdrawal. Purpose must be clearly stated and limited.
  2. Consent Manager Integration – Interoperates with India's authorised Consent Manager Platforms for viewing, modifying, and revoking consents.
  3. Cross-border Transfers – Only to countries approved by the Indian Government, with tamper-proof data flow logs.
  4. Data Protection Board – Recognises board authority to impose penalties up to INR 250 crore (~£25 million).
  5. Children's Data – Parental consent required under 18. Grievance redressal within 7 working days.

Appendix B – European and UK Compliance

This appendix outlines requirements under the EU GDPR, UK GDPR, and the UK Data Protection Act 2018.

1. Lawful Basis for Processing (Article 6 GDPR)

  • Consent – Freely given, informed, specific, and unambiguous
  • Contractual necessity
  • Legal obligation
  • Legitimate interests (with LIA conducted)
  • Vital interests
  • Public interest

2. Data Subject Rights (Articles 12–22)

  • Right of access
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Right to data portability
  • Right to object, including profiling
  • Right not to be subject to automated decisions with significant effects

Requests processed within one calendar month, extendable by two months.

3. Record of Processing Activities (ROPA)

Group-wide ROPA maintained in line with Article 30, updated quarterly, covering purpose, categories, recipients, transfers, retention, and security measures.

4. Data Protection Impact Assessments (DPIAs)

DPIAs conducted before high-risk processing: large-scale special category data, public monitoring, or systematic profiling. Overseen by DPO and recorded.

5. International Transfers

Transfers from UK and EU via adequacy decisions, SCCs, or BCRs. A central Data Transfer Risk Assessment (TRA) maintained and updated annually.

6. Supervisory Authorities

  • UK – Information Commissioner's Office (ICO)
  • EU – To be determined via One-Stop-Shop mechanism

Appendix C – Americas Compliance

Compliance approach across the United States, Canada, and Mexico.

United States – Multi-State Privacy Framework

Harmonised, high-water mark approach covering California (CPRA), Virginia, Colorado, Connecticut, Texas, and others.

  • Data minimisation and purpose limitation
  • Notice and transparency, including disclosures for sensitive data
  • Opt-out rights for sale/sharing of data, targeted advertising, and profiling
  • Rights of access, correction, deletion, and portability

Canada – PIPEDA / Bill C-27 (CPPA)

  • Express or implied consent depending on sensitivity; separate consents for cross-border transfers and analytics
  • Right to explanation and opt-out for automated decision-making with significant impact
  • Datasets classified as anonymised (out of scope) or de-identified (still regulated)

Mexico – LFPDPPP

  • Core principles: Legality, Consent, Information, Quality, Purpose, Loyalty, Proportionality, Accountability
  • ARCO rights: Access, Rectification, Cancellation, Opposition – acknowledged within 20 days, fulfilled within 15 days
  • Cross-border transfers require binding contracts with equivalent protection

Appendix D – Africa and Middle East Compliance

Requirements under South Africa's Protection of Personal Information Act (POPIA).

South Africa – POPIA

  1. Conditions for Lawful Processing – Data processed lawfully, collected directly from data subject where possible, adequate and not excessive, accurate, and stored securely.
  2. Purpose Specification – Processing only for employment, regulatory obligations, or service delivery. Reuse prohibited unless compatible or authorised by law.
  3. Objection Rights – Individuals may object at any time, especially for direct marketing or profiling. ICG ceases processing unless a legal obligation or compelling legitimate interest exists.
  4. Consent and Justification – Consent, contractual necessity, legal obligation, or legitimate interest. Written consent required for special personal information (race, health, religion, biometrics).
  5. Cross-border Transfers (Section 72) – Only where receiving country provides equivalent protection, data subject consented, or adequate binding agreements are in place.
  6. Security Safeguards (Sections 19–22) – Access controls, MFA, regular risk assessments, encryption, staff training. Breach notified to Information Regulator and affected individuals as soon as reasonably possible.
  7. Information Officer – Appointed, registered with the Regulator, responsible for compliance, PAIA requests, complaints, and breach responses.
  8. Data Subject Participation (Sections 23–25) – Access (Form 2), correction/deletion (Form 3), complaints. Responses issued within 21 business days.