Privacy Policy
Healthcare First Ltd (“Healthcare First”, “we”, “us”, “our”) is committed to safeguarding your personal information and respecting your privacy. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Notice explains:
- What personal information we collect about you.
- How and why we use it.
- Who we share it with.
- How long we keep it.
- Your rights under data protection law.
It applies to information you provide to us when registering with us as a candidate, engaging us as a client, working for us, or visiting our website.
1. Controller
Healthcare First Ltd is the data controller of your personal data.
Contact details: Healthcare First Ltd, Adelphi Court, 1–3 East Street, Epsom, Surrey, KT17 1BB. Email: dpo@healthcare-first.co.uk. Phone: 0333 207 0430.
You have the right to complain to the Information Commissioner’s Office (ICO) (www.ico.org.uk). However, we encourage you to contact us first so we can resolve your concerns quickly.
2. What data we collect
We may collect and process the following categories of personal data, depending on our relationship with you:
- Identity Data: name, title, date of birth, gender, photograph.
- Contact Data: address, email, phone number.
- Employment & Recruitment Data: CV, work history, qualifications, references, professional skills, interview notes.
- Right to Work Data: passport/visa, proof of eligibility to work in the UK.
- Financial Data: bank details, payroll records, invoices, tax information.
- Criminal Record Data: Disclosure and Barring Service (DBS) checks.
- Health Data (special category): occupational health questionnaires, immunisation status, fitness-to-work certificates.
- Emergency Contact Data: next of kin details.
- Communications Data: preferences for receiving information or marketing.
- Website / Technical Data: IP address, cookies, browsing behaviour (if using our website).
We only collect what we need to provide services, comply with the law, or manage our business effectively.
3. Lawful bases for processing
We will only use your personal data when the law allows us to. The main lawful bases we rely on are:
- Contract – to perform our contract with you (e.g. placing you in work, paying wages, providing recruitment services).
- Legal obligation – to comply with the law (e.g. verifying right to work, payroll, tax, safeguarding, regulatory compliance).
- Legitimate interests – to run our business effectively, match candidates with opportunities, maintain client/candidate records, and protect our business interests. We balance these interests against your rights.
- Consent – only where required (e.g. for marketing communications).
We do not use consent as a basis for processing employment/recruitment data.
4. How we collect your data
- Directly from you: via forms, registration, phone, email, or during interviews.
- Automatically: through website cookies/technical tracking.
- Third parties: referees, clients, background check providers, Companies House, publicly available sources, and social media where relevant.
5. How we use your data
We use your data to:
- Assess suitability for roles and process applications.
- Verify identity, right to work, and professional background.
- Conduct DBS and occupational health checks.
- Arrange contracts, payroll, and payments.
- Communicate with you about opportunities, training, compliance, or work assignments.
- Maintain business records and comply with legal requirements.
- Provide services to clients who may employ or contract you.
We will not use your data for unrelated purposes without your knowledge and a lawful basis.
6. Sharing your data
We may share your personal data with:
- Clients / potential employers as part of the recruitment process.
- Payroll, pension, and finance providers for payment and compliance.
- Background check and occupational health providers (DBS, right-to-work, fitness-to-work).
- Regulators and authorities where required by law.
- Service providers who support our IT, website, and administration (under contract and confidentiality).
We will never sell your personal data.
7. International transfers
We do not routinely transfer personal data outside the UK/EEA. If it becomes necessary, we will ensure an adequate level of protection is in place, using ICO-approved safeguards such as:
- The UK International Data Transfer Agreement (IDTA) or
- The Addendum to EU Standard Contractual Clauses (SCCs).
8. Data security
We apply appropriate technical and organisational measures to protect your data, including access controls, encryption, and staff training. Only authorised personnel can access your data, and they are bound by confidentiality.
In the event of a data breach, we will notify you and the ICO where legally required.
9. Data retention
We keep personal data only as long as necessary to fulfil the purposes for which it was collected and to meet legal, tax, and regulatory requirements. Examples:
- Recruitment/candidate data – up to 6 years after last contact or assignment.
- Payroll/tax records – 6 years to comply with HMRC.
- DBS/occupational health data – retained only as long as required by law or client contracts.
You can request our full retention schedule at any time.
10. Your rights
Under data protection law, you have the right to:
- Access your personal data (“subject access request”).
- Request correction or deletion of your data.
- Object to or restrict certain processing (e.g. legitimate interests, direct marketing).
- Request data portability (structured, machine-readable copy).
- Withdraw consent (where processing is based on consent, e.g. marketing).
- Lodge a complaint with the ICO.
11. Updates to this notice
We may update this Privacy Notice from time to time. The most recent version will always be available on our website.