Obsidian Healthcare
Trusted Before We Arrive.
Privacy Policy.
Effective Date: 1st July 2024
Last Updated: 21st Nov 2025
1. Introduction
1.1 This Privacy Policy explains how Obsidian Healthcare Recruitment Ltd (“Obsidian Healthcare,” “we,” “us,” or “our”) collects, processes, stores, and uses personal data in connection with the operation of our healthcare recruitment business within the United Kingdom.
1.2 Obsidian Healthcare provides recruitment and staffing services, including temporary, fixed-term, and permanent placements across NHS Trusts, private hospitals, residential care, community services, and specialist healthcare settings, alongside payroll, compliance, registration, onboarding, and Portal-based services.
1.3 This Policy applies to all individuals whose personal data we process, including candidates, agency workers, employees, clients, suppliers, third-party contractors, and Portal users (“Data Subjects”).
1.4 We process all personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable UK laws and statutory guidelines.
1.5 This Policy should be read together with our Data Retention Policy and Candidate Portal Terms. Continued use of our services or Portal constitutes acceptance of this Privacy Policy.
2. Data Controller
2.1 The Data Controller responsible for the processing of personal data is:
Obsidian Healthcare Recruitment Ltd
Company Number: 13026849
Registered Office:
4 Minster Court, Tuscam Way, Camberley, Surrey, GU15 3YY, United Kingdom
2.2 Our Data Protection Officer (DPO) can be contacted at:
Email: gdpr@obsidianhealthcarerecruitment.com
Telephone: 0208 068 7099
Postal Address: 4 Minster Court, Tuscam Way, Camberley, Surrey, GU15 3YY, United Kingdom
2.3 The DPO is the main contact for all Data Subject Rights requests, complaints, and data-protection-related enquiries.
3. Personal Data We Collect
We may collect and process the following categories of data:
3.1 Identity and Contact Data
Name, date of birth, gender, address, phone number, email, next-of-kin information, DBS documents, passport, and driving licence.
3.2 Professional and Employment Data
CVs, qualifications, training records, employment history, professional registrations (NMC, HCPC, GPhC), references, competency evidence, and compliance documentation.
3.3 Compliance and Vetting Data
Enhanced DBS checks, right-to-work documentation, occupational health information, immunisation records, fitness to practise information, and safeguarding-related disclosures.
3.4 Financial Data
Bank details, timesheets, payroll information, tax details, invoices, and payment records.
3.5 Special Category Data
Health data, criminal-record information, and other sensitive information required by law or for safeguarding, recruitment, and employment purposes.
3.6 Portal & Online Usage Data
Login information, IP addresses, device details, session logs, portal activity, cookies, and analytics.
4. Sources of Personal Data
We collect data from:
4.1 You directly — through forms, phone calls, WhatsApp, email, or Portal submissions.
4.2 Third parties — references, DBS, the NMC, HCPC, GPhC, occupational health providers, training bodies, background-check vendors.
4.3 Automated systems — cookies, session monitoring, analytics, security logs.
5. How We Use Your Data (Purposes of Processing)
We process data for the following purposes:
5.1 Registration, onboarding, and Portal access.
5.2 Recruitment, work placements, rostering, and shift scheduling.
5.3 Compliance checks — DBS, right-to-work, professional registration, training.
5.4 Payroll, tax compliance, and remuneration processing.
5.5 Communications relating to work, shifts, compliance, or contracts.
5.6 Quality assurance, auditing, and record-keeping.
5.7 Risk management, fraud prevention, safeguarding, and eligibility checks.
5.8 Service improvement, analytics, and Portal optimisation.
5.9 Marketing or referral communications, where consent is obtained.
6. Lawful Basis for Processing
We rely on:
6.1 Contractual necessity — to provide recruitment and employment services.
6.2 Legal obligation — including DBS checks, right-to-work, payroll, tax, and safeguarding laws.
6.3 Legitimate interests — including recruitment efficiency, workforce management, and compliance.
6.4 Consent — for optional marketing, cookies, or automated profiling.
7. Automated Processing and Portal Functions
7.1 Our Portal may use automated tools to match candidates with shifts and roles.
7.2 Automated processes support decision-making but do not replace human oversight.
7.3 You have the right to object to automated decisions that significantly affect you.
8. Data Retention
8.1 Candidate and worker data is retained for a minimum of 2 years after last activity unless law requires longer.
8.2 Payroll and tax records — retained according to HMRC requirements.
8.3 Compliance records — retained according to NHS, CQC, and statutory obligations.
8.4 Portal logs and analytics — retained for security and audit purposes.
8.5 Data is securely deleted or anonymised once retention periods expire.
9. Data Sharing
We may share data with:
9.1 Clients — for placement, compliance, and workforce management (where contractually required).
9.2 Statutory bodies — DBS, NMC, HCPC, GPhC, HMRC, police, safeguarding authorities.
9.3 External service providers — payroll, IT, occupational health, DBS services, portal tech.
9.4 Business transactions — where legally required as part of mergers or acquisitions.
9.5 Legal and regulatory authorities — to prevent fraud, misconduct, or meet legal obligations.
We never sell personal data and never share data for marketing without consent.
10. Security Measures
10.1 We use encryption, secure servers, MFA/2FA, access controls, and monitoring.
10.2 Physical data is kept in secure, access-controlled environments.
10.3 Staff receive GDPR and confidentiality training.
11. Special Category Data
11.1 Health and criminal-record data is processed only when required by law or safeguarding.
11.2 Access is restricted to authorised personnel.
11.3 This data is never used beyond recruitment, compliance, and legal purposes.
12. Your Data Protection Rights
You have the right to:
12.1 Access your data
12.2 Correct inaccurate data
12.3 Request deletion (subject to legal limits)
12.4 Restrict processing
12.5 Object to processing
12.6 Data portability
12.7 Withdraw consent
12.8 Complain to the ICO at ico.org.uk
13. Cookies and Tracking
13.1 We use cookies for authentication, security, and analytics.
13.2 Non-essential cookies require consent.
13.3 Cookie preferences can be managed through your browser.
14. Transfers Outside the UK
14.1 Personal data may be transferred outside the UK only where adequate safeguards exist, including Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms.
15. Updates to This Policy
15.1 We may update this Policy to reflect changes in law or operations.
15.2 Material changes will be notified via email or Portal.
15.3 Continued use of our services constitutes acceptance of the updated Policy.
16. Contact Details
For data protection queries or to exercise your rights:
Data Protection Officer
Obsidian Healthcare Recruitment Ltd
4 Minster Court, Tuscam Way, Camberley, Surrey, GU15 3YY, United Kingdom
Email: gdpr@obsidianhealthcarerecruitment.com
Telephone: 0208 068 7099