Bibi Healthcare Limited

Last Updated: March 2026  |  Version 1.4

1.  Introduction

Bibi Healthcare Limited (“we”, “us”, or “our”) is committed to protecting and respecting the privacy of all individuals whose personal data we process. This Privacy Policy explains how we collect, use, store, share, and protect personal information relating to:

  • Staff, workers, contractors, and job applicants (“Staff Data”)
  • Visitors to our website and individuals who contact us online (“Website User Data”)

This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation. We are registered with the Information Commissioner’s Office (ICO) as a data controller.

By using our website or entering into an employment or engagement relationship with us, you acknowledge that your personal data will be handled as described in this policy.

2.  Who We Are

Bibi Healthcare Limited is a healthcare staffing and care services company registered in England and Wales. For the purposes of data protection law, we are the data controller of your personal information.

Registered Address: 18a King Street, Blackburn, Lancashire BB2 2DH

Email: info@bibihealthcare.co.uk

Telephone: 01254 482424

If you have any questions about how we use your personal data, or wish to exercise your rights, please contact us using the details above.

3.  Personal Data We Collect About Staff

As an employer and sponsor of overseas workers, we collect and process a range of personal data about our staff, workers, and job applicants. This may include:

3.1  Identity and Contact Information

  • Full name, date of birth, national insurance number
  • Home address, email address, telephone number
  • Emergency contact details
  • Photograph (where required for ID purposes)

3.2  Employment and Recruitment Information

  • CV, application forms, interview notes, and references
  • Job title, department, start date, contract type
  • Right to work documentation (passports, visas, biometric residence permits)
  • DBS (Disclosure and Barring Service) check results
  • Professional registration details (e.g., NMC, SSSC pin numbers)
  • Training records, qualifications, and competency assessments
  • Sickness and absence records
  • Performance reviews, disciplinary and grievance records
  • Payroll, salary, pension, and bank details

3.3  Immigration and Visa Data

  • Passport details, visa documentation, Certificate of Sponsorship (CoS) information
  • Immigration Health Charge (IHC) payment records
  • Home Office correspondence relating to sponsored workers

3.4  Special Category Data

In some circumstances we may need to process special category data, including:

  • Health and medical information (e.g., for occupational health, sickness management, or reasonable adjustments)
  • Criminal records information obtained through DBS checks

We will only process this data where there is a lawful basis and appropriate safeguards are in place.

4.  Personal Data We Collect About Website Users

When you visit our website or interact with us online, we may collect the following information:

  • Name and contact details if you complete an enquiry or contact form
  • Email address if you subscribe to communications from us
  • Information submitted when applying for a vacancy online
  • Technical data including IP address, browser type, device type, and pages visited
  • Cookie data and usage analytics (see our Cookie Policy for further details)

We do not collect sensitive personal data from website users unless you voluntarily provide it (for example, in a job application).

5.  How We Use Your Personal Data

5.1  Staff

We use staff personal data for the following purposes:

  • To manage the recruitment and onboarding process
  • To verify your right to work in the United Kingdom
  • To fulfil our obligations as a Home Office licensed sponsor
  • To administer payroll, pension contributions, and employee benefits
  • To manage performance, training, and professional development
  • To comply with health and safety legislation
  • To carry out DBS checks and professional registration verifications
  • To maintain accurate employment records
  • To deal with disciplinary matters, grievances, and legal claims
  • To claim reimbursement of Immigration Health Charges where applicable
  • To meet our legal, regulatory, and reporting obligations

5.2  Website Users

We use website user data for the following purposes:

  • To respond to your enquiries and provide information about our services
  • To process job applications submitted via our website
  • To improve our website and user experience
  • To send marketing communications where you have given consent
  • To comply with legal obligations

6.  Legal Basis for Processing

We rely on the following lawful bases under UK GDPR to process your personal data:

Contract: Processing is necessary to perform our contract of employment or engagement with you, or to take steps at your request before entering into a contract.

Legal Obligation: Processing is necessary to comply with our legal obligations, including employment law, immigration law, health and safety, and tax legislation.

Legitimate Interests: Processing is necessary for our legitimate business interests, provided these are not overridden by your rights and interests.

Consent: Where we rely on your consent (e.g., for marketing communications), you may withdraw it at any time.

Vital Interests: In rare circumstances, we may process data to protect your vital interests or those of another person.

For special category data, we rely on additional conditions including processing necessary for employment law obligations, health and safety, and occupational medicine.

7.  Sharing Your Personal Data

We do not sell your personal data. We may share your data with trusted third parties in the following circumstances:

  • Government bodies and regulators, including the Home Office, HMRC, and the ICO
  • The Disclosure and Barring Service (DBS) for criminal record checks
  • Payroll and pension providers
  • Occupational health providers
  • IT service providers and cloud storage providers
  • Legal advisors and professional consultants
  • Care Quality Commission (CQC) or equivalent regulatory bodies
  • Prospective employers or agencies where references are requested

All third parties with whom we share data are required to handle your information securely and in accordance with applicable data protection legislation. Where we transfer data outside the UK, we ensure appropriate safeguards are in place.

8.  How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:

Recruitment records (unsuccessful applicants): 6 months from the end of the recruitment process.

Employment records: 6 years after the end of employment.

Payroll and financial records: 6 years as required by HMRC.

DBS check records: 6 months after the recruitment decision.

Immigration and right to work documents: 2 years after employment ends, or as required by the Home Office.

Website enquiry data: 12 months from receipt, unless ongoing correspondence is required.

At the end of the relevant retention period, personal data will be securely deleted or anonymised.

9.  Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:

  • Secure access controls and password-protected systems
  • Encryption of sensitive data in transit and at rest
  • Regular staff training on data protection and information security
  • Restricted access to personal data on a need-to-know basis
  • Regular review of our data protection practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform affected individuals without undue delay.

10.  Your Data Protection Rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of Access: You may request a copy of the personal data we hold about you (a Subject Access Request).

Right to Rectification: You may ask us to correct inaccurate or incomplete data.

Right to Erasure: You may ask us to delete your data in certain circumstances (the “right to be forgotten”).

Right to Restriction: You may ask us to restrict the processing of your data in certain circumstances.

Right to Data Portability: You may request that we transfer your data to another organisation in a structured, commonly used format.

Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.

Rights re Automated Decisions: You have the right not to be subject to decisions made solely by automated processing that significantly affect you.

To exercise any of these rights, please contact us at the details provided in Section 2. We will respond within one calendar month. There is generally no charge for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

11.  Cookies and Website Tracking

Our website uses cookies and similar tracking technologies to improve your browsing experience and analyse website traffic. Cookies are small text files placed on your device when you visit our website.

We use the following types of cookies:

  • Strictly necessary cookies: Essential for the website to function correctly.
  • Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics).
  • Preference cookies: Remember your settings and preferences for future visits.

When you first visit our website, you will be asked to consent to the use of non-essential cookies. You can withdraw your consent or manage your cookie preferences at any time through your browser settings or our cookie consent tool.

12.  Recruitment Services – Provision of Temporary Workers (Schedule 3)

This section sets out the particulars of processing carried out by Bibi Healthcare Limited (the “Supplier”) in connection with the provision of Recruitment Services UK, as required by Schedule 3 of our data processing agreements with client companies and customers (“Company” and “Customer”).

12.1  Purpose of the Transfer

The transfer and processing of personal data under this section is carried out to the extent necessary for Bibi Healthcare Limited to provide recruitment and temporary worker placement services to Company and Customer, and to ensure compliance with all applicable laws and regulations, including employment law, immigration law, and health and safety legislation.

12.2  Nature of Processing

In providing temporary worker placement services, Bibi Healthcare Limited will process all applicable categories of personal data, including Special Category Data and Criminal Offence Data (where applicable), for the following purposes:

  • Sourcing, vetting, and placing temporary workers with Company and Customer
  • Conducting pre-employment checks including identity verification, right to work checks, DBS checks, and professional registration verification
  • Managing and administering worker assignments, timesheets, and associated payroll processing
  • Fulfilling obligations under employment law, including IR35, AWR (Agency Workers Regulations), and the Working Time Regulations
  • Complying with immigration law requirements including Skilled Worker and Health and Care Worker visa sponsorship obligations
  • Meeting health and safety obligations relevant to the placement of workers in care environments
  • Sharing relevant worker information with Company and Customer to the extent required for the safe and lawful performance of work assignments

12.3  Categories of Personal Data Processed

In connection with the provision of recruitment and temporary staffing services, the following categories of data may be processed:

  • Personal Data: Name, contact details, employment history, qualifications, right to work documentation, payroll and financial information, and assignment records.
  • Special Category Data: Health data (including occupational health assessments and fit-to-work records), and data relating to racial or ethnic origin where required for monitoring or compliance purposes.
  • Criminal Offence Data: Where applicable, criminal records information obtained through DBS checks in accordance with the Rehabilitation of Offenders Act 1974 and applicable guidance for roles working with vulnerable adults and children.

12.4  Data Subjects

The data subjects whose personal data is processed under this section include temporary workers, agency workers, and candidates placed or under consideration for placement with Company and Customer.

12.5  Lawful Basis and Safeguards

Processing of standard personal data under this section is carried out on the basis of contract performance and legal obligation. Where Special Category Data is processed, we rely on the conditions set out in Schedule 1 of the Data Protection Act 2018, including processing necessary for employment law obligations and for reasons of substantial public interest in the context of health and social care. Processing of Criminal Offence Data is conducted under the authority of applicable law and sector-specific guidance governing regulated activities involving vulnerable adults.

All data transfers to Company and Customer are made only to the extent necessary for the performance of the services and are subject to appropriate contractual safeguards, including data processing agreements which incorporate obligations equivalent to those required under UK GDPR.

13.  Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy notices. This policy applies solely to information collected by Bibi Healthcare Limited.

14.  Children’s Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with their personal data without parental consent, please contact us and we will take steps to delete it.

15.  Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The most current version will always be published on our website with the updated date shown at the top of the document.

Where changes are material, we will notify staff directly and make the updated policy clearly available on our internal systems.

16.  How to Raise a Concern or Complaint

If you have any concerns about how we handle your personal data, please contact us in the first instance using the details in Section 2. We will investigate and respond promptly.

If you are not satisfied with our response, or if you believe we are processing your data in breach of data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk

Telephone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Bibi Healthcare Limited  |  Privacy Policy  |  Version 1.4  |  March 2026

This document should be reviewed annually or following any significant change in data processing activities.