Privacy Policy

Clinical24 Staffing Limited is part of ICG Medical Group

Introduction

ICG Medical Group (“ICG Medical”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your data, and outlines your rights under global data protection laws. It applies across all ICG Medical brands and global operations, including:

United Kingdom – Republic of Ireland – United States – Canada – Mexico – South Africa – India – China – Japan – Australia – Philippines

This policy applies to all individuals engaging with us as candidates, clients, suppliers, website or app users. For region-specific rules and obligations, refer to the Regional Attestations Framework in the appendices.

1 – Who We Are

ICG Medical Group is a global provider of healthcare workforce solutions. While each of our brands may act as a data controller, this group-level policy governs the overarching data protection standards applied across all group entities.

Postal Address:

Suite 1, Wrest Park Business Centre

Capability House, Wrest Park, Silsoe

Bedfordshire, MK45 4HR

United Kingdom

2 – Scope of This Policy

This Privacy Policy applies when you:

  • Visit our websites or use our applications
  • Apply for or register interest in roles
  • Communicate with us via email, phone or in person
  • Are referred to us by a third party (with your permission)
  • Engage with us as a supplier, contractor or client

This policy does not apply to third-party services or platforms linked to our websites or applications.

3 – Types of Data We Collect

Depending on your interaction, we may collect:

  • Identity & Contact Data – Name, address, email, phone number
  • Professional Data – CV, qualifications, references, employment history
  • Compliance Data – Identity checks, background screening, licences, health records
  • Account Data – Usernames, passwords, log data
  • Financial Data – Payment information, tax references
  • Behavioural & Technical Data – Device information, IP, usage data
  • Sensitive Data – Health or criminal background (where required and legally justified)

4 – How We Collect Your Data

  • Directly from You – Via applications, forms, surveys, or direct contact
  • Automatically – Using cookies or analytics tools on websites and apps
  • Third Parties – Background screening services, referees, regulatory bodies
  • Referral – By others, with your prior consent

5 – Cookies and Tracking

We use cookies to:

  • Enable site functionality
  • Analyse usage behaviour
  • Customise user experience
  • Deliver targeted advertising

You may manage or disable cookies in your browser or using our cookie preference tool. See our full Cookie Policy for details.

6 – Lawful Use of Your Data

We use your personal data only when permitted by law. The lawful bases include:

Purpose | Data Types | Legal Basis
User verification and onboarding | Identity, Compliance | Contract
Regulatory and credential checks | Compliance | Legal obligation / Legitimate interest
Contract management and payment | Financial, Contact | Contract / Legal obligation
Analytics and service improvement | Technical, Usage | Legitimate interest
Marketing and communications | Contact | Consent / Legitimate interest
Legal reporting or fraud prevention | Any | Legal obligation / Vital interest / Legitimate interest

You may withdraw consent at any time.

7 – Sharing Your Data

We only share data when necessary and with appropriate safeguards in place. This includes sharing with:

  • Other ICG Medical brands providing related services
  • Third-party processors (e.g. payroll, IT, compliance services)
  • Clients for service fulfilment
  • Regulators, auditors and legal advisers
  • Authorities or acquiring companies where legally required

All sharing is governed by data processing agreements or equivalent safeguards.

8 – International Data Transfers

Your data may be transferred outside your jurisdiction. We apply:

  • UK/EU adequacy decisions
  • Standard contractual clauses (SCCs)
  • Government-approved safeguards where applicable (e.g. India, China)

For transfers from China and India, we meet local security assessments and certification rules, including approval pathways.

9 – Data Retention

Data is retained only for as long as necessary for:

  • Contractual and legal compliance
  • Operational support or audit purposes
  • Service improvement (in anonymised form)

Retention is governed by our internal policy. Secure deletion or anonymisation follows expiry of the relevant period.

10 – Data Security

We apply strong protections aligned with ISO/IEC 27001 principles, including:

  • Encryption
  • Role-based access controls
  • Intrusion detection and monitoring
  • Security training
  • Incident response protocols

If you suspect misuse or breach, please contact us immediately.

11 – Your Rights

Depending on your location, you may exercise:

  • Right of access
  • Right to correct inaccurate data
  • Right to erasure
  • Right to restrict processing
  • Right to object to certain uses (including profiling)
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge complaints with your data protection authority

Contact DPO@icgmedical.co.uk to exercise your rights.

12 – Marketing Preferences

You can opt out of marketing:

  • By clicking ‘unsubscribe’ in emails
  • By contacting us directly
  • Via account settings on our platforms

We never sell your data.

13 – Policy Changes

This policy may be updated periodically. We will provide notice where material changes occur.

14 – Contact

Global Data Protection Officer

Email: DPO@icgmedical.co.uk

Post: Suite 1, Wrest Park Business Centre, Capability House, Wrest Park, Silsoe, Bedfordshire, MK45 4HR, United Kingdom


Appendices

Appendix A – Asia-Pacific Compliance

This appendix outlines the additional obligations, safeguards, and operational controls applicable to personal data processed or transferred in or from the Asia-Pacific region, specifically: China, Japan, Australia, and India.

China – Personal Information Protection Law (PIPL) Compliance

ICG Medical Group acknowledges the extraterritorial scope of China's PIPL and implements the following controls:

  1. Compliance Audits

    If processing personal data of more than 10 million individuals, ICG Medical undertakes formal compliance audits every two years, as required under Article 54 of PIPL. Audit results are documented, and remediation actions (if applicable) are recorded and assigned to responsible parties.

  2. Cross-Border Data Transfer Mechanisms

    For any cross-border transfers of Chinese personal information, ICG applies one or more of the following legal mechanisms: Security Assessment filed with the Cyberspace Administration of China (CAC) where processing meets the specified volume or critical data thresholds; Standard Contracts issued by CAC and duly filed; Certification by a Professional Institution designated by CAC.

  3. Localisation and Data Mapping

    All personal data collected within China is classified, inventoried, and mapped against risk categories. Where required by law, data localisation is respected, especially where data involves core state functions or public health.

  4. Processor Liability and Contractual Terms

    Contracts with Chinese data processors incorporate Article 59 requirements: confidentiality, security safeguards, reporting obligations, prohibition of unauthorised onward transfer, and joint liability terms where applicable.

  5. Data Subject Rights (DSRs)

    Chinese data subjects may request access, correction, deletion, portability, withdrawal of consent, and restriction. Requests are actioned within 15 business days, with a multilingual support option.

Japan – Act on the Protection of Personal Information (APPI) Amendments (2025)

  1. Use of Personal Data in AI Training

    Personal data may be used without explicit consent for AI model training, provided the data is pseudonymised and cannot reasonably re-identify individuals, the purpose is stated transparently, and individuals are offered a means to opt out.

  2. Biometric and Children's Data Protections

    For biometric data and children's data, ICG ensures explicit opt-in consent and risk assessments before deployment of biometric systems.

  3. Data Breach Notification Rules for Certified Entities

    Where ICG Medical is a certified business operator, breach notification to the Personal Information Protection Commission (PPC) is allowed within 30–60 days based on severity.

  4. Enhanced Record-Keeping

    A record of all processing activities is maintained in line with APPI Article 29-4. Transfers to third parties are documented, with consent or lawful basis noted.

Australia – Privacy Act Reforms (Effective June 2025)

  1. Introduction of Statutory Tort for Serious Invasions of Privacy

    ICG Medical maintains a Privacy Impact Assessment (PIA) register to pre-screen activities that might pose a risk of serious privacy intrusion.

  2. Strengthened Consent Requirements

    Consent is defined as freely given, informed, specific, and unambiguous using affirmative opt-in mechanisms. Default consent is never presumed.

  3. Penalty Framework (Effective July 2025)

    Penalties apply for serious or repeated breaches: AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater.

  4. Global Transfer and APP 8 Controls

    Before transferring data outside Australia, ICG must take reasonable steps to ensure overseas recipients comply with Australian Privacy Principles (APPs).

India – Digital Personal Data Protection Act (DPDP 2023), Implementing in 2025

  1. Consent and Purpose Limitation

    All personal data processing is based on consent that is free, informed, specific, clear, and capable of being withdrawn. Purpose must be clearly stated and limited to what is necessary.

  2. Consent Manager Integration

    ICG interoperates with India's authorised Consent Manager Platforms, allowing individuals to view, modify, or revoke consents and access logs of how their data was used.

  3. Cross-border Transfers

    Personal data may only be transferred to countries approved by the Indian Government. ICG maintains tamper-proof logs of data flows.

  4. Data Protection Board Compliance

    ICG recognises the authority of the Data Protection Board of India, empowered to impose penalties up to INR 250 crore (~£25 million) for breach.

  5. Children's Data and Grievance Redressal

    Parental consent is required for processing data of individuals under 18. ICG provides a grievance redressal mechanism, resolving queries within 7 working days.

Appendix B – European and UK Compliance

This appendix outlines the regulatory framework and operational requirements that apply to ICG Medical Group when processing personal data of individuals located in the European Union (EU) and the United Kingdom (UK). It addresses obligations under the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.

These standards form the baseline of our global data protection model and are embedded across all entities.

1. Lawful Basis for Processing

ICG Medical ensures all personal data processing meets at least one lawful basis as outlined in Article 6 of the GDPR: Consent; Contractual necessity; Legal obligation; Legitimate interests; Vital interests; Public interest. For special category data, an additional condition under Article 9 is required. A Legitimate Interests Assessment (LIA) is conducted where legitimate interest is the primary basis.

2. Data Subject Rights (DSRs)

Data subjects in the EU and UK are entitled to the full suite of rights under Articles 12–22 of the GDPR, including right of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decisions. DSRs are processed within one calendar month, extendable by two months where requests are complex.

3. Record of Processing Activities (ROPA)

ICG Medical maintains a Group-wide Record of Processing Activities in line with Article 30. The ROPA is updated quarterly and includes purpose of processing, categories of data and data subjects, recipients, international transfers and safeguards, retention periods, and security measures.

4. Data Protection Impact Assessments (DPIAs)

A DPIA is conducted before initiating processing that may result in a high risk to the rights and freedoms of individuals. DPIAs are overseen by the DPO and include purpose and necessity assessment, risk assessment, mitigation measures, and consultation with the DPO or supervisory authority where required.

5. International Data Transfers

ICG transfers personal data from the UK and EU to third countries only where appropriate safeguards are in place, including adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or derogations under Article 49.

6. UK-specific Compliance Measures

UK Data Protection Act 2018 specific measures include Appropriate Policy Documents (APDs) for processing of criminal conviction data, additional safeguards for children's data, a UK Representative where non-UK entities target UK residents, and the UK Addendum to SCCs appended where EU SCCs are used.

7. Supervisory Authorities and Cooperation

ICG Medical's lead supervisory authority in the UK is the Information Commissioner's Office (ICO). ICG cooperates fully with cross-border investigations, data breach assessments, and data protection complaints and enforcement notices.

Appendix C – Americas Compliance

This appendix outlines ICG Medical Group's compliance approach across the Americas, covering the United States, Canada, and Mexico.

United States – Multi-State Privacy Law Framework (2025)

By the end of 2025, over 20 US states will enforce comprehensive privacy legislation. ICG Medical applies a harmonised, high-water mark approach across all US operations.

  1. Core Principles Adopted Across All States

    ICG honours data minimisation, purpose limitation, notice and transparency, opt-out rights for sale or sharing of personal data, targeted advertising, and profiling. Rights of access, correction, deletion and portability are upheld.

  2. California Privacy Rights Act (CPRA) Enhancements

    Separate notices are provided for Sensitive Personal Information (SPI) such as health data, racial or ethnic origin, biometric and precise geolocation data, and neural data per 2025 expansion. Automated Decision-Making rights include the right to know meaningful information about logic involved and to opt out of profiling.

  3. Contractual Requirements with Vendors

    ICG's Data Processing Agreements (DPAs) with US-based service providers include prohibition of secondary use of data, flow-down obligations to subcontractors, transparency rights enforcement, and regular audit or assessment rights.

Canada – PIPEDA and Bill C-27 (CPPA) Transition Readiness

  1. Consent and Transparency

    Consent is express or implied depending on sensitivity and context. Separate consents are obtained for cross-border transfers, use for analytics or training models, and processing of sensitive categories.

  2. Algorithmic Accountability

    Under CPPA, individuals will have the right to an explanation when subjected to automated processing decisions and the right to challenge or opt out. ICG maintains records of algorithms used in candidate filtering.

  3. De-identified and Anonymised Data

    ICG classifies datasets as either anonymised (irreversible and excluded from scope) or de-identified (pseudonymised and still regulated), applying appropriate safeguards accordingly.

  4. Enforcement Preparedness

    ICG maintains data breach logs and reporting processes, internal privacy audit capabilities, and training programmes on evolving obligations.

Mexico – Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)

  1. Lawful Processing Principles

    ICG adheres to the core LFPDPPP principles: Legality, Consent, Information, Quality, Purpose, Loyalty, Proportionality, and Accountability.

  2. ARCO Rights Mechanism

    Requests under ARCO (Access, Rectification, Cancellation, Opposition) are acknowledged within 20 days and fulfilled within 15 days thereafter, delivered in Spanish and English where appropriate.

  3. Cross-border Transfers

    ICG signs mutual commitments with international recipients to ensure equivalent protection. All transfers include purpose, safeguards, recipient identity, and consent where applicable.

  4. Breach Notification

    ICG notifies data subjects of any security breaches that significantly impact economic or moral rights, including the nature of the incident, actions taken, and recommendations for risk mitigation.

Appendix D – Africa and Middle East Compliance

This appendix outlines the regulatory requirements and operational measures adopted by ICG Medical Group to ensure compliance within South Africa, under the Protection of Personal Information Act (POPIA).

1. Conditions for Lawful Processing (Sections 4–13)

ICG ensures that all personal data is processed lawfully and reasonably with clear, documented purposes; collected directly from the data subject unless lawful exceptions apply; adequate, relevant and not excessive; accurate and up to date; and stored securely and not retained longer than necessary.

2. Purpose Specification and Processing Limitation

Personal information is only processed for employment or recruitment purposes, regulatory obligations, or service delivery under client or supplier agreements. Reuse of data is explicitly prohibited unless compatible with the original purpose or authorised by law.

3. Objection and Withdrawal Rights (Section 11(3))

Individuals may object to processing at any time, especially for direct marketing and profiling or behavioural analysis. An internal Form 1 process is available to initiate objection.

4. Consent and Justification Grounds

ICG relies on one of the following legal bases: Consent; Performance of a contract; Legal obligation; or Legitimate interest. Consent is obtained using affirmative actions and in writing for special personal information.

5. Cross-border Data Transfers (Section 72)

ICG transfers personal data outside of South Africa only where the receiving country provides equivalent protection, the data subject has consented, the transfer is necessary for contract fulfilment, or adequate binding agreements are in place.

6. Security Safeguards (Sections 19–22)

ICG implements administrative, technical, and physical safeguards including access controls and multi-factor authentication, regular risk assessments, data encryption at rest and in transit, and staff training and POPIA awareness programmes.

7. Information Officer Duties

An Information Officer (IO) is appointed for ICG's South African operations, responsible for promoting internal compliance, managing PAIA requests, handling complaints and breach responses, and liaising with the Information Regulator.

8. Data Subject Participation (Sections 23–25)

ICG provides the right to access personal information using Form 2, request correction, deletion, or destruction using Form 3, and lodge complaints using the standard process. Responses are issued within 21 business days.