MSI Recruitment is part of ICG Medical Group
Introduction
ICG Medical Group (“ICG Medical”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your data, and outlines your rights under global data protection laws. It applies across all ICG Medical brands and global operations, including:
United Kingdom – Republic of Ireland – United States – Canada – Mexico – South Africa – India – China – Japan – Australia – Philippines
This policy applies to all individuals engaging with us as candidates, clients, suppliers, website or app users. For region-specific rules and obligations, refer to the Regional Attestations Framework in the appendices.
1 – Who We Are
ICG Medical Group is a global provider of healthcare workforce solutions. While each of our brands may act as a data controller, this group-level policy governs the overarching data protection standards applied across all group entities.
Postal Address:
Suite 1, Wrest Park Business Centre
Capability House, Wrest Park, Silsoe
Bedfordshire, MK45 4HR
United Kingdom
2 – Scope of This Policy
This Privacy Policy applies when you:
Visit our websites or use our applications
Apply for or register interest in roles
Communicate with us via email, phone or in person
Are referred to us by a third party (with your permission)
Engage with us as a supplier, contractor or client
This policy does not apply to third-party services or platforms linked to our websites or applications.
3 – Types of Data We Collect
Depending on your interaction, we may collect:
Identity & Contact Data – Name, address, email, phone number
Professional Data – CV, qualifications, references, employment history
Compliance Data – Identity checks, background screening, licences, health records
Account Data – Usernames, passwords, log data
Financial Data – Payment information, tax references
Behavioural & Technical Data – Device information, IP, usage data
Sensitive Data – Health or criminal background (where required and legally justified)
4 – How We Collect Your Data
Directly from You – Via applications, forms, surveys, or direct contact
Automatically – Using cookies or analytics tools on websites and apps
Third Parties – Background screening services, referees, regulatory bodies
Referral – By others, with your prior consent
5 – Cookies and Tracking
We use cookies to:
Enable site functionality
Analyse usage behaviour
Customise user experience
Deliver targeted advertising
You may manage or disable cookies in your browser or using our cookie preference tool. See our full [Cookie Policy] for details.
6 – Lawful Use of Your Data
We use your personal data only when permitted by law. The lawful bases include:
| Purpose | Data Types | Legal Basis |
|---|---|---|
| User verification and onboarding | Identity, Compliance | Contract |
| Regulatory and credential checks | Compliance | Legal obligation / Legitimate interest |
| Contract management and payment | Financial, Contact | Contract / Legal obligation |
| Analytics and service improvement | Technical, Usage | Legitimate interest |
| Marketing and communications | Contact | Consent / Legitimate interest |
| Legal reporting or fraud prevention | Any | Legal obligation / Vital interest / Legitimate interest |
You may withdraw consent at any time.
7 – Sharing Your Data
We only share data when necessary and with appropriate safeguards in place. This includes sharing with:
Other ICG Medical brands providing related services
Third-party processors (e.g. payroll, IT, compliance services)
Clients for service fulfilment
Regulators, auditors and legal advisers
Authorities or acquiring companies where legally required
All sharing is governed by data processing agreements or equivalent safeguards.
8 – International Data Transfers
Your data may be transferred outside your jurisdiction. We apply:
UK/EU adequacy decisions
Standard contractual clauses (SCCs)
Government-approved safeguards where applicable (e.g. India, China)
For transfers from China and India, we meet local security assessments and certification rules, including approval pathways.
9 – Data Retention
Data is retained only for as long as necessary for:
Contractual and legal compliance
Operational support or audit purposes
Service improvement (in anonymised form)
Retention is governed by our internal policy. Secure deletion or anonymisation follows expiry of the relevant period.
10 – Data Security
We apply strong protections aligned with ISO/IEC 27001 principles, including:
Encryption
Role-based access controls
Intrusion detection and monitoring
Security training
Incident response protocols
If you suspect misuse or breach, please contact us immediately.
11 – Your Rights
Depending on your location, you may exercise:
Right of access
Right to correct inaccurate data
Right to erasure
Right to restrict processing
Right to object to certain uses (including profiling)
Right to data portability
Right to withdraw consent
Right to lodge complaints with your data protection authority
Contact DPO@icgmedical.co.uk to exercise your rights.
12 – Marketing Preferences
You can opt out of marketing:
By clicking ‘unsubscribe’ in emails
By contacting us directly
Via account settings on our platforms
We never sell your data.
13 – Policy Changes
This policy may be updated periodically. We will provide notice where material changes occur.
14 – Contact
Global Data Protection Officer
Email – DPO@icgmedical.co.uk
Post – Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire, MK45 4HR, United Kingdom
Appendix A – Asia-Pacific Compliance
This appendix outlines the additional obligations, safeguards, and operational controls applicable to personal data processed or transferred in or from the Asia-Pacific region, specifically: China, Japan, Australia, and India.
China – Personal Information Protection Law (PIPL) Compliance
ICG Medical Group acknowledges the extraterritorial scope of China’s PIPL and implements the following controls:
1. Compliance Audits
If processing personal data of more than 10 million individuals, ICG Medical undertakes formal compliance audits every two years, as required under Article 54 of PIPL.
Audit results are documented, and remediation actions (if applicable) are recorded and assigned to responsible parties.
2. Cross-Border Data Transfer Mechanisms
For any cross-border transfers of Chinese personal information, ICG applies one or more of the following legal mechanisms:
Security Assessment filed with the Cyberspace Administration of China (CAC) where processing meets the specified volume or critical data thresholds.
Standard Contracts issued by CAC and duly filed.
Certification by a Professional Institution designated by CAC.
3. Localisation and Data Mapping
All personal data collected within China is classified, inventoried, and mapped against risk categories, including whether it is “sensitive” or “critical information infrastructure-related”.
Where required by law, data localisation is respected, especially where data involves core state functions or public health.
4. Processor Liability and Contractual Terms
Contracts with Chinese data processors now incorporate Article 59 requirements:
Confidentiality, security safeguards, reporting obligations
Prohibition of unauthorised onward transfer
Joint liability terms, where applicable
5. Data Subject Rights (DSRs)
Chinese data subjects may request access, correction, deletion, portability, withdrawal of consent, and restriction.
Requests are actioned within 15 business days, with a multilingual support option.
Japan – Act on the Protection of Personal Information (APPI) Amendments (2025)
ICG Medical’s operations in Japan observe the following obligations under the revised APPI:
1. Use of Personal Data in AI Training
Personal data may be used without explicit consent for AI model training, provided:
The data is pseudonymised and cannot reasonably be used to re-identify individuals
The purpose is stated transparently in the privacy notice
Individuals are offered a means to opt out
2. Biometric and Children’s Data Protections
For biometric data (e.g. facial recognition, voice patterns) and children's data:
ICG ensures explicit opt-in consent
A data subject can demand suspension of use at any time
Risk assessments are undertaken before deployment of biometric systems
3. Data Breach Notification Rules for Certified Entities
Where ICG Medical is a certified business operator, breach notification to the Personal Information Protection Commission (PPC) is allowed within 30–60 days, based on severity, with preliminary reporting encouraged.
Non-certified entities must notify immediately within 5 days.
4. Enhanced Record-Keeping
A record of all processing activities is maintained in line with APPI Article 29-4.
Transfers to third parties are documented, with consent or lawful basis noted.
Australia – Privacy Act Reforms (Effective June 2025)
To align with the amended Australian Privacy Act and recommendations from the Attorney-General’s Department:
1. Introduction of Statutory Tort for Serious Invasions of Privacy
ICG Medical maintains a Privacy Impact Assessment (PIA) register to pre-screen activities that might pose a risk of serious privacy intrusion.
Employees and contractors are trained on how to handle high-risk data and avoid over-collection.
2. Strengthened Consent Requirements
Consent is defined and operationalised as:
Freely given – without pressure or negative consequences
Informed – clear understanding of what data is collected and for what purposes
Specific – for identified purposes, not bundled
Unambiguous – using affirmative opt-in mechanisms
Default consent is never presumed (no pre-ticked boxes or silence).
3. Penalty Framework (Effective July 2025)
Penalties apply for serious or repeated breaches:
AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater
Serious breach definition includes:
Unauthorised access impacting over 5,000 individuals
Repeated failure to notify or mitigate data loss
4. Global Transfer and APP 8 Controls
Before transferring data outside Australia:
ICG must take reasonable steps to ensure overseas recipients comply with Australian Privacy Principles (APPs).
Where feasible, binding contractual clauses are used to ensure APP equivalence.
India – Digital Personal Data Protection Act (DPDP 2023), Implementation in 2025
ICG Medical aligns its Indian data practices with the 2023 DPDP Act, coming into force in early 2025:
1. Consent and Purpose Limitation
All personal data processing is based on consent that is free, informed, specific, clear, and capable of being withdrawn.
Purpose must be clearly stated and limited to what is necessary.
2. Consent Manager Integration
ICG interoperates with India’s authorised Consent Manager Platforms, allowing individuals to:
View past consents
Modify or revoke consents
Access logs of how their data was used
3. Cross-border Transfers
Personal data may only be transferred to countries approved by the Indian Government.
ICG maintains a log of data flows and ensures storage, access and transfer logs are tamper-proof.
4. Data Protection Board Compliance
ICG recognises the authority of the Data Protection Board of India, empowered to:
Impose penalties up to INR 250 crore (~£25 million) for breach
Conduct audits and issue binding directives
5. Children's Data and Grievance Redressal
Parental consent is required for processing data of individuals under 18.
ICG provides a grievance redressal mechanism, resolving queries within 7 working days.
Appendix B – European and UK Compliance
This appendix outlines the regulatory framework and operational requirements that apply to ICG Medical Group when processing personal data of individuals located in the European Union (EU) and the United Kingdom (UK). It addresses obligations under the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.
These standards form the baseline of our global data protection model and are embedded across all entities.
1. Lawful Basis for Processing
ICG Medical ensures all personal data processing meets at least one lawful basis as outlined in Article 6 of the GDPR:
Consent – Freely given, informed, specific, and unambiguous
Contractual necessity – Where processing is required to enter or perform a contract
Legal obligation – To comply with a legal or statutory duty
Legitimate interests – Where our interest is balanced against individuals' rights
Vital interests – To protect life or health
Public interest – For tasks carried out in the public interest or by official authority
For special category data, an additional condition under Article 9 is required (e.g. employment law, public health, explicit consent).
A Legitimate Interests Assessment (LIA) is conducted where legitimate interest is the primary basis.
2. Data Subject Rights (DSRs)
Data subjects in the EU and UK are entitled to the full suite of rights under Articles 12–22 of the GDPR:
Right of access – To obtain a copy of their personal data
Right to rectification – To correct inaccurate or incomplete data
Right to erasure ('right to be forgotten') – Where data is no longer required
Right to restriction of processing – Temporarily halt processing under certain conditions
Right to data portability – To receive data in machine-readable format
Right to object – Including profiling and direct marketing
Right not to be subject to automated decisions – With legal or significant effects
DSRs are processed within one calendar month, extendable by two months where requests are complex. All requests are logged and responded to in compliance with Article 12.
Where we rely on automated profiling for matching candidates to roles or analysing engagement, we ensure:
A human review of outcomes
Transparent explanation of the logic involved
The ability to challenge or opt out
3. Record of Processing Activities (ROPA)
ICG Medical maintains a Group-wide Record of Processing Activities, in line with Article 30. The ROPA is updated quarterly and includes:
Purpose of processing
Categories of data and data subjects
Recipients of data
International data transfers and safeguards
Retention periods
Security measures implemented
Each ICG brand is responsible for maintaining a local ROPA and contributing to the global record.
4. Data Protection Impact Assessments (DPIAs)
A DPIA is conducted before initiating processing that may result in a high risk to the rights and freedoms of individuals, including:
Large-scale processing of special category data
Monitoring publicly accessible areas
Systematic profiling or scoring (e.g. behavioural analytics)
DPIAs are overseen by the DPO and include:
Purpose and necessity
Risk assessment
Mitigation measures
Consultation with the DPO or supervisory authority, where required
All DPIAs are recorded and retained as part of ICG’s audit trail.
5. International Data Transfers
ICG transfers personal data from the UK and EU to third countries only where appropriate safeguards are in place, including:
Adequacy decisions by the European Commission or UK Secretary of State
Standard Contractual Clauses (SCCs) issued by the EU or UK ICO
Binding Corporate Rules (BCRs) – under development for internal group transfers
Derogations under Article 49 (e.g. explicit consent, performance of contract)
A central Data Transfer Risk Assessment (TRA) process is maintained and updated annually or when transfer conditions materially change.
6. UK-specific Compliance Measures
UK Data Protection Act 2018 specific measures include:
Appropriate Policy Documents (APDs) – Maintained for processing of criminal conviction data under Schedule 1 conditions
Children’s data – Additional safeguards for data subjects under 13, including parental consent mechanisms
UK Representative – Where non-UK entities target UK residents, a UK representative is appointed under Article 27 UK GDPR
UK Addendum to SCCs – Appended where EU SCCs are used in UK-based transfers
UK-specific ICO guidance is monitored and integrated into operational policies and training.
7. Supervisory Authorities and Cooperation
ICG Medical identifies the following lead supervisory authorities:
UK – Information Commissioner’s Office (ICO)
EU – To be determined based on primary establishment (to be appointed via One-Stop-Shop mechanism)
Where required, ICG cooperates fully with:
Cross-border investigations
Data breach assessments
Data protection complaints and enforcement notices
Contact details for each regional authority are provided in the full Privacy Notice published on our platforms.
Appendix C – Americas Compliance
This appendix outlines ICG Medical Group’s compliance approach across the Americas, covering the United States, Canada, and Mexico. Each region has distinct privacy regimes requiring tailored contractual, operational and technical safeguards.
United States – Multi-State Privacy Law Framework (2025)
By the end of 2025, over 20 US states will enforce comprehensive privacy legislation, including California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. ICG Medical applies a harmonised, high-water mark approach across all US operations.
1. Core Principles Adopted Across All States
ICG honours the following core principles across all US jurisdictions:
Data minimisation and purpose limitation
Notice and transparency – Including specific disclosures for sensitive data uses
Opt-out rights for:
Sale or sharing of personal data
Targeted advertising
Profiling or automated decision-making with significant effects
Right of access, correction, deletion and portability
Privacy notices for US data subjects include:
Categories of data collected and shared
Retention durations
Contact details for opt-outs and appeals
2. California Privacy Rights Act (CPRA) Enhancements
In California, ICG also complies with the CPRA and guidance from the California Privacy Protection Agency (CPPA):
Sensitive Personal Information (SPI) – Separate notices provided for data such as:
Health data
Racial or ethnic origin
Biometric and precise geolocation data
Neural data, per 2025 expansion (e.g. EEG, brainwave analysis)
Automated Decision-Making (ADM)
Right to know meaningful information about logic involved
Right to opt out of profiling or algorithms producing legal or similarly significant effects
3. Contractual Requirements with Vendors ("Processors")
ICG’s Data Processing Agreements (DPAs) with US-based service providers meet state-mandated obligations by including:
Prohibition of secondary use of data
Flow-down obligations to subcontractors
Transparency rights enforcement
Regular audit or assessment rights
A central Vendor Risk Register tracks compliance across US operations.
Canada – PIPEDA and Bill C-27 (CPPA) Transition Readiness
ICG Medical operates under the Personal Information Protection and Electronic Documents Act (PIPEDA) and is preparing for the expected 2025 implementation of the Consumer Privacy Protection Act (CPPA), introduced via Bill C-27.
1. Consent and Transparency
Consent is:
Express or implied, depending on sensitivity and context
Accompanied by clear disclosures regarding purposes, use, and rights
Separate consents are obtained for:
Cross-border transfers
Use of personal information for analytics or training models
Processing of sensitive categories (health, biometric, racial, etc.)
2. Algorithmic Accountability
Under CPPA, individuals will have:
The right to explanation when subjected to decisions via automated processing
The right to challenge or opt out in contexts involving significant impact
ICG maintains records of algorithms used in candidate filtering or service delivery, subject to regulatory inspection.
3. De-identified and Anonymised Data
Definitions under CPPA distinguish:
Anonymised data (irreversible and excluded from scope)
De-identified data (pseudonymised and still regulated)
ICG classifies datasets accordingly and applies technical and organisational safeguards aligned with CPPA rules.
4. Enforcement Preparedness
CPPA introduces an independent enforcement authority – the Personal Information and Data Protection Tribunal.
ICG maintains:
Data breach logs and reporting processes
Internal privacy audit capabilities
Training programmes on evolving obligations
Mexico – Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
ICG’s operations in Mexico observe compliance with LFPDPPP and its secondary regulations issued by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).
1. Lawful Processing Principles
ICG adheres to the core LFPDPPP principles:
Legality, Consent, Information, Quality, Purpose, Loyalty, Proportionality, and Accountability
Privacy notices are delivered at the time of data collection and specify:
Purpose of collection
Transfers to third parties
Rights (ARCO: Access, Rectification, Cancellation, Opposition)
2. ARCO Rights Mechanism
Requests under ARCO are:
Acknowledged within 20 days
Fulfilled within 15 days thereafter
Delivered in Spanish and English, where appropriate
An appeals mechanism is built into the process
3. Cross-border Transfers
ICG signs mutual commitments (binding contracts) with international recipients to ensure equivalent protection
Mexico does not maintain an adequacy list – all transfers must include:
Purpose, safeguards, recipient identity, and consent (where applicable)
4. Breach Notification
ICG notifies data subjects of any security breaches that significantly impact economic or moral rights
The notice must include:
The nature of the incident
Actions taken
Recommendations for risk mitigation
Mechanism for additional queries
Appendix D – Africa and Middle East Compliance
This appendix outlines the regulatory requirements and operational measures adopted by ICG Medical Group to ensure compliance within South Africa, under the Protection of Personal Information Act (POPIA). It provides enforceable privacy protections for data subjects and imposes conditions for lawful processing.
South Africa – Protection of Personal Information Act (POPIA)
ICG Medical applies POPIA’s eight processing conditions as the foundation of its operations in South Africa, ensuring transparent, fair, and lawful data handling.
1. Conditions for Lawful Processing (Sections 4–13)
ICG ensures that all personal data is:
Processed lawfully and reasonably – with clear, documented purposes
Collected directly from the data subject, unless lawful exceptions apply
Adequate, relevant and not excessive – per the principle of minimality
Accurate and up to date, with prompt correction on request
Stored securely and not retained longer than necessary
2. Purpose Specification and Processing Limitation
Personal information is only processed for:
Employment or recruitment purposes
Regulatory obligations (e.g. professional registrations, tax reporting)
Service delivery under client or supplier agreements
Reuse of data is explicitly prohibited, unless compatible with the original purpose or authorised by law
A Processing Limitation Register is maintained for high-risk categories (e.g. health, biometrics).
3. Objection and Withdrawal Rights (Section 11(3))
ICG ensures that:
Individuals may object to processing at any time, especially for:
Direct marketing
Profiling or behavioural analysis
An internal Form 1 process (as per Regulation 2) is available to initiate objection
Where objection is received, ICG ceases processing unless it has:
A legal obligation
A contractual requirement
A compelling legitimate interest (documented through a balancing test)
4. Consent and Justification Grounds
ICG relies on one of the following legal bases:
Consent – Clear, voluntary, and informed agreement
Performance of a contract – Processing necessary to fulfil contractual terms
Legal obligation – Such as reporting to the Health Professions Council of South Africa
Legitimate interest – Balanced against individual rights and documented accordingly
Consent is obtained:
Using affirmative actions (no pre-ticked boxes)
In writing for special personal information (e.g. race, health, religion, biometrics)
5. Cross-border Data Transfers (Section 72)
ICG transfers personal data outside of South Africa only where:
The receiving country provides an equivalent level of protection
The data subject has consented to the transfer
The transfer is necessary for contract fulfilment
Adequate binding agreements or model clauses are in place with the recipient
Each cross-border transfer is supported by a Transfer Assessment File to record the transfer basis, security measures, and justification.
6. Security Safeguards (Sections 19–22)
ICG implements administrative, technical, and physical safeguards including:
Access controls and multi-factor authentication
Regular risk assessments
Data encryption at rest and in transit
Staff training and POPIA awareness programmes
In the event of a data breach:
The Information Regulator is notified as soon as reasonably possible
Affected individuals are informed of the breach, its likely impact, and steps taken to mitigate harm
All incidents are logged in the POPIA Security Incident Register
7. Information Officer Duties
An Information Officer (IO) is appointed for ICG’s South African operations. Responsibilities include:
Promoting internal compliance
Managing PAIA (Promotion of Access to Information Act) requests
Handling complaints and breach responses
Liaising with the Information Regulator
The IO is registered with the Regulator and contact details are made available in the group’s PAIA manual.
8. Data Subject Participation (Sections 23–25)
ICG provides the right to:
Access personal information using Form 2
Request correction, deletion, or destruction using Form 3
Lodge complaints using the standard process
Responses to requests are issued within 21 business days, with reasons provided for any refusal (in accordance with PAIA exemptions).