Privacy Policy

MedPure is committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all employees, workers, contractors, candidates and individuals at clients or potential clients of ours.

MedPure is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice applies to current and former employees, workers, contractors, candidates and individuals at clients or potential clients of ours in respect of whom we hold personal data. This notice does not form part of any contract of employment, a contract to provide services or any other contract. We may update this notice at any time.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way
  2. Collected only for valid purposes which we have clearly explained to you and not used in any way that is incompatible with those purposes
  3. Relevant to the purposes we have told you about and limited only to those purposes
  4. Accurate and kept up to date
  5. Kept only as long as necessary for the purposes we have told you about
  6. Kept securely

The kind of information we may hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

  • Personal contact details (name, title, addresses, telephone numbers, email)
  • Date of birth
  • Gender
  • Marital status and dependants
  • Next of kin and emergency contact information
  • National Insurance number
  • Bank account details, payroll records and tax status information
  • Salary, annual leave, pension and benefits information
  • Start date(s) of job roles
  • Location of employment or workplace
  • Copy of identity documents (passport, driving licence, utility bills)
  • Recruitment information (CVs, references, right-to-work documentation)
  • Employment records (job titles, history, working hours, training, memberships)
  • Salary / payments history
  • Performance information
  • Disciplinary and grievance information
  • CCTV footage and other electronic data (telephone recordings, email usage, internet usage, swipe-card records)
  • Information about your use of our information and communications systems
  • Photographs

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your health relevant to your work (medical conditions, sickness records)
  • Information about criminal convictions and offences (in appropriate roles / recruitment)

How may your personal information be collected?

We may collect personal information about employees, workers, contractors, candidates and individuals at clients or potential clients of ours in a number of different ways, including:

  • Through our application and recruitment process, directly from you
  • From employment agencies, background-check providers or referees
  • From third parties (e.g. previous employers, credit/reference agencies)
  • From publicly available sources (e.g. LinkedIn, job boards)
  • During the course of your work or contractual relationship with us

How we may use information about you

We will only use your personal information when the law allows us to. Most commonly, we may use your personal information in the following circumstances:

  1. Where we are taking steps at your request prior to entering into a contract
  2. Where we need to perform a contract which we have entered into with you
  3. Where we need to comply with a legal obligation
  4. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

We may also use your personal information in the following less common situations:

  • Where it is necessary to protect the vital interests of you or another person
  • Where it is needed in the public interest or for official purposes

Situations in which we may process your personal information

We may need the categories of data listed above for the reasons set out. The list below shows examples of such processing (depending on the role and circumstances):

  • Making decisions about recruitment or appointment
  • Determining terms of engagement / contract
  • Checking you are legally entitled to work in the UK
  • Payroll, tax, National Insurance contributions
  • Providing benefits, pensions and related services
  • Administering contractual obligations
  • Business management, planning, accounting and auditing
  • Performance reviews, promotions, training
  • Contacting you about roles, services or assignments
  • Credit checks (where required)
  • Grievance, disciplinary or legal processes
  • Termination arrangements
  • Health, safety, absence, fitness to work
  • Fraud prevention, security, IT systems monitoring
  • Equal opportunities monitoring
  • Data analytics (e.g. retention / attrition analysis)

Some processing may rely on multiple lawful bases at once.

If you fail to provide certain personal information when requested, we may be unable to perform contractual obligations (e.g. paying you or providing benefits) or comply with legal obligations (e.g. health and safety).

If we need to use your personal information for a purpose different from that for which it was collected, we will notify you and explain the legal basis for the new processing.

How we may use special categories of personal information

“Special categories” of sensitive personal data require extra protection. We may process special categories of personal information in these cases:

  • To carry out our legal obligations or exercise rights in employment law
  • For equal opportunity monitoring or pension scheme administration
  • To assess fitness to work or provide workplace adjustments
  • With your explicit written consent (in limited circumstances)
  • Where necessary for legal claims or to protect someone’s vital interests

We will handle such data with additional safeguards and confidentiality.

Our obligations as an employer

We may use special categories of personal information in the following ways:

  • Absence management, leave, sickness, family leave
  • Health, disability status for adjustments or support
  • Equal opportunities monitoring (race, religion, gender, orientation)

We do not require you to consent to these processing activities where lawful employment obligations exist.

Information about criminal convictions

We may only process criminal conviction data where permitted by law. This generally occurs when necessary for job roles or legal obligations. We will ensure appropriate safeguards are in place.

Automated decision-making

We do not make decisions about you based solely on automated processing, including profiling, that have a significant effect on you.

If we ever introduce automated decision-making, we will inform you and put in place rights to request a human review.

Data sharing

We may share your personal information with third parties, including:

  • Payroll, pension and benefits providers
  • IT and data hosting / security providers
  • Recruitment, background check, and compliance partners
  • Third parties in a business sale or restructuring
  • Regulators and governmental bodies (where required)

All third parties must respect the security of your data and act under strict confidentiality and contractual terms.

We may share with other entities in our group for business administration, compliance and restructuring.

International transfers

We may transfer your data outside the UK (for example to India). Since the EU adequacy regime does not apply automatically to UK outbound transfers now, we ensure appropriate safeguards such as:

  • UK-approved International Data Transfer Agreements (IDTAs)
  • UK Addendum to Standard Contractual Clauses

These ensure your data continues to receive adequate protection.

Data security

We have implemented appropriate technical and organisational measures to protect your information from accidental loss, unauthorised access or disclosure, alteration, or destruction.
Access is restricted to those who need it. Third parties processing your data do so only under our instructions and confidentiality requirements.

We have procedures for detecting, reporting, and investigating personal data breaches. Where legally required, we will notify you and the Information Commissioner’s Office (ICO) of a breach.

Data retention

We retain your personal information only as long as necessary to fulfil the purposes for which it was collected, including legal, accounting or reporting needs.

We determine retention periods based on the nature of data, risk, legal requirements and business need.

Where possible, we anonymise or securely delete data when no longer needed.

Rights of access, correction, erasure, and restriction

Your duty to inform us of changes

Please keep us informed if your personal information changes while working with us.

Your rights in connection with personal information

You have the right to:

  • Request access to data we hold about you (data subject access request)
  • Request correction of inaccurate or incomplete data
  • Request erasure (delete) where no lawful basis exists
  • Object to processing based on legitimate interests
  • Request restriction of processing
  • Request transfer (portability) of your data
  • Withdraw consent (where that was the basis for processing)

To exercise any of these rights, please contact our Data Protection Officer (details below). We will ask you to verify your identity first.

You will not normally have to pay a fee, unless your request is clearly unfounded or excessive.

Right to withdraw consent

Where you have given consent for specific processing (e.g. marketing), you have the right to withdraw it at any time. Once we receive your withdrawal, we will cease processing on that basis unless we have another lawful basis to continue.

 

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this policy. If you have any questions, or wish to make a request, please contact:

Data Protection Officer
MedPure Ltd

compliance@medpure.co.uk
Harman House, 1 George Street, Uxbridge, UB8 1QQ

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (https://ico.org.uk/make-a-complaint/).

How can we help
Your rights
Come and say hello

Harman House, 1 George St.,
Uxbridge UB8 1QQ

© 2026 MedPure. All rights reserved