Privacy policy

Vitality is part of the Discovery Group of companies and is owned by Discovery Limited, a financial services firm based in South Africa.

Vitality Corporate Services Limited, is an authorised intermediary of Vitality Health Limited, (“VitalityHealth”) Vitality Life Limited (“VitalityLife”) and (“VitalityInvest”) (together the “Vitality group”, “We” and “Us”) and arranges and administers products provided by VitalityHealth, VitalityLife and VitalityInvest. Vitality Corporate Services Limited is the data controller for the management of interactions between Us and You; VitalityHealth and VitalityLife and VitalityInvest respectively are the data controllers for the personal data and special category data that You or Your representative provide to Us (depending on the product You purchase).

Vitality is listed as a data controller with the Information Commissioner under the following registration numbers;

Vitality Corporate Services Limited:  Z105153X

Vitality Health Limited:  Z8752490

Vitality Life Limited:  ZA110112

VitalityHealth holds ISO 27001 certification, confirming that We have implemented industry standard security measures to ensure the secure management of Your personal data. This includes appropriate physical, organisational and technical measures to safeguard Your information. We regularly review these measures and where appropriate, We strengthen and enhance those measures. In particular We have implemented end-to-end encryption.

Whenever We send Your personal data to You, We will ensure appropriate security is applied to prevent unauthorised access to Your personal data or interception of Your personal data by anyone not authorised to have it.

If You wish to send any of Your personal data to Us, We strongly recommend You do not send it by open email. Instead, You should select a safe method to provide Your personal data to Us such as recorded post.

Personal data You give to Us

You may give Us information about You when You request a quote, purchase a plan or our products and/or use our services. For example:

• If You apply for a quote or plan with Us;
• If You enter into a contract with Us for the purchase of one of our products or the provision of services, and when You use those services;
• If You register and use our member websites and apps;
• If You submit a query to Us, for example by email, telephone or social media, (including where You reference Us in a public social media post); and
• If You participate in any marketing activity such as entering a competition, or promotion, or survey.

When You provide personal data to Us about someone else on their behalf

When giving Us information about a family member or another person, You confirm that they have appointed You to act on their behalf including giving You consent to instruct Us to process their personal data, to receive this data protection notice on their behalf and to inform them about the way in which We will process their personal data.

Personal data We receive about You from other external sources

We may receive information about You from other people in order to deliver our products and services to You. This could include (but is not limited to):

• Information from analytics providers;
• Information from search information providers;
• Information from credit reference agencies;
• When You are named in an application form or as a dependant under an individual or corporate plan;
• When we carry out credit checks in order to process an application or claim (where We may carry out credit checks);
• When We obtain medical reports; or
• Where We liaise with Your family, employer, health professional or other treatment or benefit provider.

Information We create from Your personal data

We will create some information with Your personal data internally, for example:

• When We assign You a member ID;
• When We create a Vitality status based on Your interactions with Us; and
• When We assign You a plan number.

We will always ensure that any personal data We receive has been collected lawfully and fairly in accordance with Your rights under the relevant data privacy laws. Where appropriate We will ask for Your consent for the specific use of Your personal data. For the use of Your health or medical information We will ask for Your explicit consent.

Where We are using the personal data that You provide to Us or that has been provided to Us by Your representative, broker or financial adviser for the purpose of setting up and administering Your plan, We will not seek Your consent for this purpose. This is because the personal data You provide to enable You to purchase the plan will legitimately be used by Us to do what You have requested. Your rights and the protection of Your personal data are not in any way hindered by this approach.

Personal information We hold about You

The information We hold about You may include:

• Your name, address, contact details and Your next of kin;
• Your health and medical history and current health and or fitness status;
• Details about any contact We have had with You such as providing quotes;
• Details of the services You have received, claims You have made or treatment You have received;
• Feedback that You give to Us regarding the services We have provided or about services provided by another organisation or medical specialist; and
• Recordings of telephone calls between You and Us.

How We use children’s personal data

We do not collect or use children’s personal data except when that information is provided by an adult who has purchased a plan that also covers or is for the benefit of a child. When a claim is made and a child is the subject of that claim, We will only collect as much information about that child as is necessary for the administration of the claim and for the provision of medical services. We do not use children’s information for any marketing activity.

The security of and appropriate use and disclosure of Your health and medical information is of paramount importance to Vitality. We will only disclose Your health or medical information to those people or bodies who are involved in Your care or treatment or in the provision of services to You.

Vitality will only collect and use sufficient medical information to enable Us to deliver the services You purchase from Us.

The Vitality group of companies will process personal medical and health data provided by You and/or by Your representative as part of Your application for Your plan.

If we collect Your personal medical and health data, We will use this data for the following purposes:

• To provide You with a quote

In the application form all the information We collect is measured against key rating factors to allow Us to produce a quote via an automated calculation and in order to provide an indicative premium based on risk profile amounts. In the event of higher than normal cover amount We manually calculate the amount.

Should You choose to proceed after being given an initial quote We obtain additional information, and also capture Your medical history in order to calculate the actual premium and identify any additional conditions or exclusions that need to be applied to the plan. Where necessary, and with Your consent, We may use information provided by healthcare professionals (Your GP or a specialist health provider We ask You to visit) to gain further information on Your medical health to ensure the cover given is adequate and any necessary exclusions are identified.

• For underwriting

Underwriting third parties based in the European Economic Area, through automated processes, assist with assessing risk based on Your personal and medical risk profile as provided in Your application. Manual underwriting may be performed in either the UK or South Africa by Our underwriters using Your risk profile, applying exclusions, identifying non-disclosures, and reviewing additional medical information received from either our own medical collection specialists or a medical third party.

• To set up and administer Your plan

To carry out essential business processes such as auditing, business planning, accounting and delivering Our products and services. The servicing administration may be performed in the UK or South Africa, with other essential business processes such as auditing, business development and finance being fulfilled in the UK. This ensures We are able to make and manage customer payments, premium collections and attend to customer queries.

• To renew or continue Your plan annually

Unless You tell Us otherwise We will renew or continue Your plan and adjust Your premium and coverage amount according to the terms of Your plan. We will continue to use the data You have previously provided Us.

• To manage and administer Your claims

For life insurance and investment claims, Our assessors, based in the UK and South Africa, review Your plan and personal and medical details in order to assess Your claim. We may share Your information with Our approved partners where this is reasonably required to help deal with Your claim.

For health insurance claims, the majority of Our claims invoices are processed electronically. However, for invoices that fall out of this process for any reason We have a team of invoice administrators in India. The invoice processors match the invoice to the claims information We hold on Our claims admin system to ensure the invoice is eligible to pay.

• To communicate with You

We will communicate with You via email, post, telephone, SMS text and social media depending on Your communication preferences and/or the methods You have chosen.

• For compliance

To ensure We are compliant with legal and regulatory obligations, We will use Your data, this will include reviewing calls between You and Us. This also helps Us to train our staff and to improve performance.

• To carry out data modelling, profiling or statistical analysis

We will use data modelling, profiling and statistical analysis of our customer base for future campaigns and cross sell opportunities and to improve the products, services or features We may offer You now or in the future in order to meet Your needs.

• To monitor Your health and fitness activity

To enable Us to provide You with benefits relevant to Your Vitality status.

Processing claims – How We obtain and share medical reports

In the event of a claim We may require medical reports from Your GP. Such a report will only be requested with Your consent and will be in compliance with the Access to Medical Reports Act 1988 (‘AMRA’). The information requested from Your GP will be limited to only the information relevant to Your claim. You have the right to request to see the GP’s report and to request any amendments be made by the GP where You consider the data to be inaccurate. The GP may agree to this upon his/her discretion. You will be informed about the AMRA process at the time We request Your consent to enable Us to ask Your GP for a report.

You can access the Access to Medical Reports Act 1988 at: www.legislation.gov.uk/ukpga/1988/28/contents.

How We obtain medical reports and share medical reports

We may have to give some information about Your plan and about Your health or medical status to those involved in Your treatment or care, (and/or Your representative if You have consented to Us doing this). Any such disclosure will be done confidentially unless You specifically instruct Us otherwise.

Processing claims - general

If the claimant is aged 13 or over We will address any correspondence to the claimant in order to protect their right to confidentiality. The planholder/principal member will be informed only that a claim has been made and the value of the payment We have made; no details about the medical condition or treatment provided will be disclosed to them. If the claimant wishes to waive their right to confidentiality they should inform Us at the time the claim is made.

If You have another insurance plan that covers the same costs that You are claiming from Us, then We may also disclose Your relevant personal data to that other insurer so that We can ensure We only pay our proportion of the claim.

Your information, and that of others also covered by the plan, may be disclosed to other parties (for example other insurance companies) with a view to preventing fraudulent or improper claims.

When collecting data for a group plan the Group Secretary/Administrator is responsible for ensuring that employees covered by the plan are aware of their rights for Vitality to use their personal and health data.

As a Group Secretary/Administrator:

You will ensure that the members to be covered on the plan are advised where they can view Vitality’s full Privacy Policy (online at vitality.co.uk/privacy), to ensure they are aware of the way in which Vitality will use their personal and health data and the rights available to them under UK Privacy Law.

When You provide any of Vitality’s products and services to Your employees and provide their personal and health information to Vitality to enable Us to set up the plan for those individuals, You acknowledge that You are acting on their behalf in the provision of that information about them to Us.

You also acknowledge that it is Your responsibility to ensure they have given You their explicit consent to the provision of their health and medical information to Us.

Storing and using Your employees data

We treat personal, health and medical data collected for group plans in the same way as we treat individual plans and this is detailed throughout the rest of the Privacy Policy.

Disclosure for regulatory or legal purposes

Vitality will only share Your personal data with other companies or organisations where there is a legitimate reason for doing so. For example We are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as the Prudential Regulation Authority, Financial Conduct Authority and the Financial Ombudsman Service.

Sharing Your personal data with Your authorised representative

If You have appointed an insurance or financial adviser, We may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if You have made a claim although no medical information will be provided without Your consent.

Please be sure to tell Us if You authorise a new representative so that We are able to only send Your personal data to the right representative so that we send Your personal data to the right person.

Our use of other companies to provide our products and services to You

To assist Us in the provision of administration, services or benefits for Your plan and any claims You make, We use other companies who work under contracts with Us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services We provide to You.

We need to advise You that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.

Some of the companies who work under contracts with Us are located in countries outside of the European Economic Area. Where this is the case We transfer Your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for Your information, both in the transfer stage and when it is processed, and that Your rights and confidentiality are protected in the same way as they would be if Your personal data was processed in the UK.

Please click here to see the list of other companies who assist Us in the provision of administration services.

Sharing Your personal data with benefit providers

The Vitality group’s products are designed to enable You to accrue points related to Your fitness and this in turn enables You to access a number of rewards and benefits. The exchange of Your personal data, health and medical information will only occur with Your consent and only with the benefit providers You choose to engage with.

The full list of benefit and reward providers can be found here.

Sharing Your personal data with our re-insurers

Re-insurance is insurance that is purchased by an insurance company. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.

We may need to share Your personal health or medical data provided by you with our re-insurers in order for them to do the following:

• to analyse key demographic information;
• to analyse patterns of claims by customers and their claims experiences;
• to analyse the risk they are reinsuring and to set a price for the re-insurance with Vitality;
• to determine the validity of a claim; and
• to set approval limits for claims and underwriting.

Retaining Your personal and health information

Vitality will normally only keep Your personal data for as long as necessary to provide You with the services You’ve chosen and to ensure We meet our regulatory obligations. This means that We will normally hold Your plan information and the personal data We have collected during the term of the plan for seven years after your plan has finished.

At the end of this time period We will fully anonymise all personal data that identifies You or could be used to identify You. We will also ensure that any of the suppliers who have processed Your personal data throughout the term of Your plan delete Your personal data from their systems.

The General Data Protection Regulation and the Data Protection Act 2018 makes provision for a number of rights under which You are entitled to make a claim. Vitality is committed to ensuring You are given access to these rights and will ensure that this is done appropriately and in compliance with privacy law.

Data subject access requests

• Under the General Data Protection Regulation You have the right to ask Vitality to confirm whether or not Your personal data is being processed, and, where it is being processed, to be provided with access to Your personal data and the following information:
• The purpose(s) of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipient to whom Your personal data has been or will be disclosed, in particular recipients in different countries or international organisations;
• Where possible, the period for which the personal data will be stored, or, if this is not possible, the criteria used to determine the storage period;
• Where Your personal data is not collected from You, any available information about the sources of such information; and
• The details of any automated decision-making or profiling being done on Your personal data, meaningful information about the logic involved, and the consequences of such processing for You.

Where Your personal data is transferred to a third country or to an international organisation You have the right to be informed how appropriate safeguards have been used to transfer Your personal information.

If You request it Vitality will provide You with a copy of Your personal data undergoing processing by Us. Where You make a request by email the information will also be provided by email unless You request otherwise.

If You require access to Your personal data that We have disclosed to a company, and that company is also a data controller, You will need to ask them directly to provide Your personal data.

Portability of personal data

You have the right to receive personal data about You that You have provided to Vitality in a structured, commonly used electronic format. You also have the right to transmit that personal data to a different data controller company and, if it is technically feasible, Vitality will try to transmit Your personal data to such other data controller company. Please note that this attempt may be restricted due to the incompatibility of the various customer record keeping databases.

Withdrawing Your consent

Where We rely upon Your consent to process your personal data, You have the right to withdraw Your consent at any time. From the time that We receive such withdrawal of consent Vitality will stop all processing of Your personal data relating to the consent.

Your right to be forgotten

You have the right to ask Vitality to erase Your personal data without undue delay and Vitality is obliged to do this where one of the following grounds applies:

• Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• You withdraw consent on which the processing is based and where there is no other legal ground for the processing;
• You object to the processing and there are no overriding legitimate grounds for the processing or Your personal data has been unlawfully processed; or
• Your personal data must be erased to comply with a legal obligation.

The right to be forgotten shall not apply to the extent that processing is necessary in order to:

• Exercise the right of freedom of expression and information;
• Comply with a legal obligation that requires processing in the United Kingdom; or
• Establish, exercise or defend a legal claim.

Rectification

You have the right to ask Vitality to rectify any personal data about You without undue delay. Taking into account the purposes of the processing, You have the right to have incomplete personal data completed, including by providing a supplementary information statement.

Restriction on processing

In specified circumstances You have the right to restrict the processing of Your personal data. These are:

• You contest the accuracy of Your personal data held by Vitality and restrict the processing to enable Vitality to verify the accuracy;
• You request restricted processing of Your personal data instead of erasing it because You believe it to be unlawful processing;
• Vitality no longer requires Your personal data for its processing purposes but You require it to establish, exercise or defend a legal claim; or
• Where You object to the use of Your personal data for profiling or marketing purposes, and our legitimate grounds for this processing does not override Your rights.

Where Vitality applies restrictions on processing Your personal data, apart from storage, the establishment or exercise of legal defence, or the protection of the rights of another individual, Vitality shall seek Your consent prior to restarting any processing of the restricted personal data.

You have the right to object to automated decision making and profiling

You have the right to object to automated decision making where the outcome may have a legal or other significant impact on You. This means that You have the right to request that an appropriate member of Vitality staff reviews the outcome of the automated decision making and conducts this process manually, unless You have previously given Your consent to automated processing.

For example, You may have given Your consent to the annual renewal of Your plan. We conduct a number of profiling exercises, mostly to ensure We are able to offer You the most favourable terms. We profile our customer base to ensure premiums are kept low and to minimise restrictions on the conditions We insure or will cover in the case of a claim. These profiling purposes are entirely legitimate and aimed at ensuring We treat all of our customers fairly.

We constantly review our range of products as We want to provide the most innovative and relevant insurance and investment options to our customers. We are continually negotiating with market leading benefit providers, that We want You to take advantage of, so We would like to keep You informed about all of these exciting new products and services available to You.

You have the right to object to the use of Your personal data for marketing purposes and Vitality is obligated to ensure marketing information is not sent to You if You assert this right.

If You do give Us Your permission to send marketing information to You We will provide You with the opportunity to change Your mind every time.

When You purchase a product from Vitality You will be provided with access to the Member Zone where You can manage Your marketing preferences and choose Your preferred method of receiving information about our products, services and the benefits at any time.

We use Your email address to identify You on digital platforms, such as Google, Facebook or Twitter, to provide targeted advertising, We will use the email address of existing customers to exclude them from new business advertising. We will also use Your information to build a profile of the type of customers We wish to target, and may share Your email address with digital platforms This will help Us identify potential customers like You, whilst excluding You from that particular advertising.

We will use cookies to assist Us in tailoring how We advertise Our services to You when You visit third party websites and social media channels. This is known as ‘retargeting’, ‘remarketing’ or ‘behavioural advertising’. When You visit certain pages on Our websites, a cookie will be downloaded onto Your computer which will enable Us to tailor advertisements that would appear on third party websites and social media channels. To find out more about Our cookie policy, please go to vitality.co.uk/accessibility/cookies.

We want all of our members to be happy with the way their personal data and health or medical information has been processed by Us. If You are unhappy about the way We have managed Your personal data We would like to know about this. We are constantly striving to ensure We do the right thing, and We would like to be able to put things right.

You’ll find the contact details for our complaints teams at: vitality.co.uk/legal/complaints.

However, if You are still dissatisfied You have the right to contact the Information Commissioner, who regulates compliance with Data Protection regulation and laws at: ico.org.uk.

You can also call the ICO on 0303 123 1113 or 01625 545 745 or You can write to them at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If You have any queries in respect of Your Data Protection rights or the way Your personal data is processed by Vitality please call Us, email Us at: data.protection@vitality.co.uk or write to Us at:

Data Protection Officer
Vitality
70 Gracechurch Street
London
EC3V 0XL