Data Protection Policy

Health Primary LTD

Health Primary LTD, hereinafter referred to as “Us, We, Ours, Company, Employer, HPL”, is an Occupational Health and Safety consultancy and staff business registered in the United Kingdom, operating the website www.healthprimaryltd.co.uk.

 

General data

We record all video meetings and phone calls, and we collect and hold CVs.

 

Personally Identifiable Information (PII)

We retain copies of ID, proof of address, and personal profiles of candidates and employees.

The General Data Protection Regulation (GDPR) came into force on 25th May 2018, and with it, the most significant change in data protection legislation since the Data Protection Act of 1998.

We have a dedicated team of technical, legal and marketing experts, who ensure we operate in full compliance with GDPR and without interruption or alteration to the services we offer.

Dempsey K. Mork, our Director of Operations and a Certified GDPR Practitioner, heads up the team and has compiled a list of the most common questions we’ve been receiving from our recruitment clients and employees.

 

What steps do we take to ensure GDPR compliance?

We have a dedicated GDPR team in place, taking great care to ensure that we comply with all areas of the new legislation without compromising or interrupting our service, and offering candidates and employees complete flexibility and transparency about how their data is used.

 

How does GDPR affect my access to Health Primary LTD services?

Complying with GDPR shouldn’t have any impact on the services which we provide to you. We are able to process the personal data supplied to us by job seekers who seek employment through, and with us. 

 

How long do we retain data for?

We retain data for 30 days after a candidate completes the full screening process, and for 12 months after termination.

However, we delete all data of anyone who wishes to have their personal data deleted within 48 hours of receipt of a request to delete.

 

What procedures do we have in place to delete data when required to do so?

To request data deletion, simply send an email to hrdesk@healthprimaryltd.co.uk, and we will fulfil your request to delete Personally Identifiable Information (PII) from all of our back-end systems within 48 hours.

 

If a candidate requests removal of their data to one of our external recruiters, what action is required by customers that have downloaded their details?

Because recruiters are acting as data controllers, they should have independently obtained a legal basis for processing candidate information. As such, there is no requirement for us to notify our recruitment clients that a candidate has been deleted from our systems.

 

In which geographic region is our data stored?

All of our data centres are in the European Economic Area (EEA). While we use third parties as part of our technology ecosystem, we ensure they are compliant with all current legislation and that information is subject to security levels governed by the EEA regulations.

As this is a borderless world, if a request is made to delete Personally Identifiable Information (PII), we will use our best efforts to track the footprint of the data, and confirm deletion in 48 hours.

 

How do we ensure data is secure when stored or while being transported?

All personal data is transported under secure certificates, and is encrypted during transport and at rest.

 

What is the incident management process in the case of a data breach?

We have a full incident management process which takes into account the requirements of GDPR, including the report of said breach to the data subject, the Data Protection Officer (DPO) and the Information Commissioner’s Office (ICO).

 

What monitoring and prevention do we have in place against potential attacks?

All staff, including external recruiters, are required to delete data from all systems weekly. We have a range of security processes and software in place to protect user information. This includes, but is not limited to, Distributed Denial of Service (DDoS) protection and Intrusion Detection Systems (IDS), as well as best practices around data security, data segregation and access controls.

 

How is access to our data controlled, and who has access to our data?

Access to Personally Identifiable Information (PII) data is limited to those who absolutely require it in order to provide the services outlined in our Terms. This is typically limited to system owners, and employees of ours.

 

What support can be given to deal with a data subject access request?

As we handle any candidate information on behalf of candidates and we work as data controllers in our own right, any Subject Access Request (SAR) would also need to be authorised by the data subject directly.

 

What amendments did you make to service agreements, terms of engagement or any other data protection agreement arising from the new GDPR?

We have updated our Terms and Conditions to clarify the relationship between you and our terms.

 

In addition to our website terms, how do we notify candidates and clients of our data protection terms?

We notify candidates and clients of our data protection terms by affixing the below signature to our email correspondence:

“We comply fully with the Data Protection Act of 2018 (DPA), and UK General Data Protection Regulation (UK GDPR) hereinafter referred to as (“the Act”). The privacy notice on our website outlines how we may process, store and disclose personal information collected about individuals, including candidates, agency / temporary workers, job applicants, employees and business contacts. Candidate names, email addresses, phone numbers and CVs “the Data” are retained until 30 days after the screening process has been completed, while home addresses, bank details, and personal identifiable data “the Data” will be retained for 30 days after employment termination date.

All video interviews are recorded and recordings “the Data” are stored for 30 days. If you request that your data “the Data” is deleted, we will confirm that it has been deleted pursuant to “the Act” within 48 hours. We do not sell, trade, swap, or transfer any data outside of the United Kingdom. By acting on any email messages, or by continuing employment, you are confirming, accepting, and agreeing to this notice, and to the terms of business posted on our website to which this domain is pointed. We cloud record all calls between you and our staff for training and lead generation purposes. The information contained in, or attached to, this e-mail is intended solely for the use of the addressee, and may contain confidential and/or legally privileged information. If you are not the intended recipient, you are not authorised to copy it or use it for any purpose. If you have received a message in error, please notify the sender immediately by reply e-mail, and delete the message from your system. Job applicants must be able to pass a basic DBS check, and must possess or acquire CIPD level 5, in addition to ISO 9001 quality management certification for employment. The views or opinions presented in this e-mail do not necessarily represent those of our Director(s). We reserve the right to act in any and all capacities interchangeably, agency, employment business, direct employer pursuant to the Employment Act 1996 without notice”.

©Copyright. 2026 Health Primary LTD, England and Wales company registration number 15375010. All rights reserved.
