Vitality values its customers’ and staff’s trust and recognises that the safety and lawful use of everyone’s personal data is key to retaining that trust and confidence. Vitality needs to collect, store, share and use personal data about past, current and prospective customers, and staff to enable it to meet its requirements in the provision of innovative products and services and for employment purposes.
This Privacy Notice has been prepared to be as comprehensive as possible but is not an exhaustive list of every aspect of our collection and use of personal information. We would be happy to provide any further information or explanation about our practices.
If you have any general queries about this policy, please contact our Data Protection Officer at data.protection@Vitality.co.uk or you can write to the Group Head of Data Protection, Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT.
Name: The Group Head of Data Protection
Address: Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT
This Privacy Notice was last updated in August 2023.
Please make anyone whose personal information you have provided to us aware of this Privacy Notice. You must make sure any information you supply about anyone else is accurate and that they’ve agreed to their information being supplied.
Under this notice, ‘we’ and ‘Vitality’ refer to all businesses within the Vitality Group and the term ‘plan’ refers to all insurance and non-insurance products such as investment and the healthy workplace programme.
Vitality will only use your personal information in accordance with this Notice, its Data Protection Policy setting out the principles, rules, and guidelines its staff need to follow when processing your personal data, and relevant data protection laws including the UK General Data Protection Regulation, Data Protection Act 2018, and any reiteration of relevant legislation (“DP Laws”).
Our Data Protection registration numbers are:
- Vitality Corporate Services (including VitalityCar) Z105153X
- Vitality Health Limited Z8752490
- Vitality Life Limited ZA110112
- Vitality Healthy Workplace Limited ZA455278
Our Data Protection Officer is the Group Head of Data Protection and can be contacted at data.protection@Vitality.co.uk.
Under data protection law, we need a lawful basis to collect and use your personal data. The law allows for six ways to process personal data. Only the following five are relevant to the types of processing that we carry out. This includes information that is processed based on:
- A person’s consent (for example, if you consent to receive our direct marketing information)
- A contractual relationship (for example, to provide you with goods or services that you have purchased from us, such as Life, Health, or Car Insurance). This includes obtaining quotes from us.
- Complying with a legal obligation (for example to process for Tax purposes, or carrying out anti-money laundering checks and fraud detection or employment obligations)
- Protecting an individual’s vital interests (for example, to ensure the safety of staff and visitors to our premises or medical emergencies)
- The legitimate interests of Vitality, you as an individual, or wider benefits to society (please see below for more information).
For insurance purposes an exemption applies for the processing of special category data (health/medical data) for the purposes of Insurance under Schedule 1, Part 2 section 20(1) of the Data Protection Act 2018.
Personal data may be legally collected and used if it is necessary for a legitimate interest of Vitality using the data, if its use is fair, and if it does not adversely impact the rights and freedoms of the individual concerned.
When we use your personal information, we will always consider if it is fair and balanced to do so. We will balance your rights and our legitimate interests to ensure that we use your personal information responsibly and in ways that are not unduly intrusive or unfair and that could be reasonably expected.
If you would like more information on our use of legitimate interests, or to change our use of your personal data in this manner, please get in touch with us by contacting our Data Protection Officer at Data.protection@Vitality.co.uk.
We want to ensure you remain in control of your personal data and that you understand your legal rights. You have the right to:
- Know whether we hold your personal data and if we do how that information is handled.
- Have a copy (not documents) of the personal data that we hold about you (known as a ‘Data Subject Access Request’/DSAR).
- Have inaccurate or incomplete personal data updated or amended.
- Have your personal data erased (conditional right)
- Restrict processing e.g., we can hold but not use whilst we investigate the accuracy (conditional right).
- Obtain and re-use your personal data across different services (conditional right)
- Object to your personal data being used for marketing (absolute right) but conditional for other matters or
- Cease automated decision-making including profiling where it has legal or similar effect.
Please note your rights over your personal data depend on which legal basis is being relied upon by Vitality. Not all the rights above are absolute and may only apply in certain circumstances and, although we will always try to respond to any instructions you give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
More detailed information on each right is given in ‘Making an Information Request’ which includes access to children’s data and deceased persons’ data.
The simplest way to submit a DSAR is to contact us by email at DSAR@Vitality.co.uk. Alternatively, you can email data.protection@Vitality.co.uk or write to the Data Protection Officer, Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT.
Please note you may be asked to provide proof of identification or additional information to allow us to identify you.
Should you have a question about how we use your data or this Privacy Notice you can contact our Data Protection Officer via email at Data.Protection@Vitality.co.uk
If you have a complaint about how we have used your personal data, then in the first instance you should contact our Complaints team who can be contacted here.
If your complaint relates to delays in service, claims decisions or technical issues e.g., access problems, but is not related to your personal data, then these matters will not be reviewed by the Data Protection Officer. However, if you are unhappy about the response to your complaint regarding the use of your personal data, this can be escalated to the Data Protection Officer via email at Data.Protection@Vitality.co.uk or by writing to the Data Protection Officer, Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT.
If you remain unhappy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office (ICO) which regulates and enforces data protection law in the UK. The ICO cannot issue compensation. Their contact details are:
Office Wycliffe House,
Tel: 0303 123 1113 or 01625 545 745
Or visit: https://ico.org.uk/make-a-complaint/
To manage and provide our products and services, prevent fraud, and comply with legal and regulatory requirements we may need to share your information with a third party.
We will disclose your personal information to third parties if we are under a duty to disclose or share your personal data to comply with any legal obligation; or to enforce or apply our Terms and Conditions of Use and other agreements; or to protect the rights, property or safety of Vitality, our Members, or others.
We will never sell or rent your information to any third-party.
Our auditors (for management information purposes). Appointed in accordance with our statutory obligations under Financial Conduct Authority obligations.
Our Regulators. To comply with our statutory obligations, we may share your personal data with our Regulators, where necessary. Our Regulators are:
- Information Commissioner’s Office (ICO)
- Financial Conduct Authority (FCA)
- Prudential Regulation Authority (PRA)
- Financial Ombudsman Service (FOS)
Government Departments: such as HM Revenue and Customs for tax and fraud purposes.
Law Enforcement: conduct further investigations with law enforcement to facilitate the prevention and detection of fraud or crime. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.
Fraud prevention and detection: In certain circumstances, where we suspect fraudulent behaviour, we will carry out checks with fraud prevention agencies and databases. We also conduct searches with publicly available sources of information including internet searches and social media searches.
If we suspect fraudulent behaviour, we may not offer you insurance, we may void your policy or we may not be able to accept your claim. We investigate potentially fraudulent claims and where appropriate, we will use surveillance to assist our investigations. We appoint fraud investigation and surveillance suppliers to conduct these investigations on our behalf.
We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering.
Fraud prevention agencies and databases: When we check your details against fraud prevention agencies and databases, we will use a range of databases and agencies including other insurers' databases. If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies, fraud databases and other insurers. Law enforcement agencies may access and use this information. We access and use the information recorded by fraud prevention agencies or fraud databases to prevent fraud and money laundering. These checks are done to identify, predict, investigate, and evaluate potentially fraudulent behaviour.
We use the following fraud prevention agencies and databases:
- CIFAS National Fraud Database
- CUE (Claims and Underwriting Exchange)
- IFB (Insurance Fraud Bureau)
- IFIG (Insurance Fraud Investigators Group)
- IFED (Insurance Fraud Enforcement Agency)
- IFR (Insurance Fraud Register)
- NFIB (National Fraud Intelligence Bureau)
- NCA (National Crime Agency)
- OFSI (Office of Financial Sanctions Implementation)
Re-Insurers: We may need to share your personal health or medical data provided by you with our re-insurers for them to do the following:
- To analyse key demographic information.
- To analyse patterns of claims by customers and their claims experiences.
- To analyse the risk they are reinsuring and to set a price for the re-insurance with Vitality.
- To determine the validity of a claim; and
- To set approval limits for claims and underwriting
Your authorised representative (Broker/Advisor): If you have appointed an insurance or financial adviser, we may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if you have made a claim although no medical information will be provided without your consent.
Please be sure to tell us if you authorise a new representative so that we can update the system and only send your personal data to the right representative. Any changes may not be immediate.
Credit Reference Agencies: As part of the application process, we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders. Credit checks are automated decision making but permitted as necessary for entering into or performance of a contract between the individual and Data Controller.
To assist us in the provision of administration, services or benefits for your plan and any claims you make, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you and complies with DP Laws.
Sharing your personal data with benefit providers: The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access several rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent, where relevant or because you directly engage that service and only with the benefit providers you choose to engage with. The full list of benefit and reward providers can be found here.
We have detailed the Third-Party Suppliers that we may share your information with in the links above. Some of the companies are in countries outside of the United Kingdom and the European Economic Area. Where this is the case, we transfer your personal data to them on terms that are permitted within the law.
This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.
Vitality cares about the integrity, availability, and confidentiality of your personal data. However, we cannot guarantee that unauthorised third parties will never be able to defeat our security measures or use your personal data for an improper purpose.
Vitality maintains commercially reasonable and appropriate technical and organisational measures designed to secure Customer Data against unauthorised and unlawful loss, access, or disclosure. Vitality maintains physical, electronic, and procedural safeguards in compliance with applicable privacy laws to protect Customer Data, including, but not limited to:
(a) The maintenance of appropriate safeguards to restrict access to Customer Data to the employees, agents, licensors, or service providers of Vitality who need that information to carry out Vitality’s obligations.
(b) Procedures and practices for the safe transmission or transportation of the Customer Data.
(c) The maintenance of appropriate safeguards to prevent the unauthorized access of the Customer Data; and
(d) Procedures and practices for the safe disposal of Customer Data.
Vitality provides insurance and investment products and services to its customers uniformly, and all appropriate and then current technical and organisational measures apply to Vitality’s entire customer base for those same services.
Customers must understand that the technical and organisational measures are subject to technical progress, development, and improvements for the protection of Personal Information and Vitality reserves the right to update the technical and organisational security measures provided the technical and organisational security measures will not materially decrease.
Vitality’s preference is that data we collect from you is stored in the UK/EU (European Union). Where your data is transferred and stored outside the UK/EU we will take all steps reasonably necessary to ensure that any data processor we use provides an adequate level of protection for your data.
The transmission of information via the Internet, unfortunately, is not completely secure, and any transmission from you to us is at your own risk. Once we have received your information, we will use strict procedures and security features to help prevent unauthorised access.
We only keep your personal information for as long as is necessary in line with the purposes for which we collected your information. We have set out our general retention schedule in the sections below; however, in certain circumstances it will be necessary for us to keep your information for longer, for example when we are required to due to legal obligations or to defend or manage legal claims.
If you get a quote from us for insurance but do not take up the plan, we will normally keep your information for up to 13 months from the expiry date of the quote.
In most cases, we will keep your information for 7 years from the expiry date of the plan or from the settlement/closure of the claim, whichever is the later. This is applicable if you get a quote from us and you buy the plan, if you have a plan with us, if you make a claim under one of our plans (including if you are a third-party claimant) or if you are a witness to an event giving rise to a claim under one of our plans. This is so that we can administer the contract of insurance and handle claims made against the plan.
It is of utmost importance to ensure that data is always protected and available for operational purposes. In the event there is data loss due to unforeseen circumstances, backup is an effective mechanism to assist the business with the recovery of the data required for day-to-day operations. Our retention period for system back-ups is 5 years.
Fraud or Misrepresentation
In any instances where we suspect, detect, or investigate fraud or money laundering we will retain the data for at least 5 years and this will supersede any lesser retention period.
Depending upon your relationship with Vitality we will collect:
- Contact details
- Date of Birth
- Gender
- Medical/health data
- Claims data
- Payment details
- Payment transactions
- Information about what you are insuring provided by you, directly or via the company who sold you the plan.
- Your experience selling life and Health Insurance (Brokers/Advisors)
- Course enrolment details (Brokers/Advisors)
We also collect the following information for VitalityCar:
- County court judgements
- Homeowner status
- Marital Status
- Driving licence details
- Residency Status
- Images and video from dash camera footage
- Other information about the company who sold you the plan
- Recent quote for insurance
- Your insurance history
- Claims details
- History of fraud
- Indicators of fraudulent behaviour
- Investigations into fraud
- Your credit history and score
- Information from the electoral register
- Additional information, from third parties, to assist us in assessing your insurance risk. Some information is publicly available such as census data
- Information regarding your vehicle from HPI Ltd
- Motoring criminal convictions and offences
- Health information including medical conditions and associated restrictions on your driving licence