Privacy Notice
Data Protection Notice
Vitality values its customers’ trust and recognises that the safety and lawful use of everyone’s personal data is key to retaining that trust and confidence. Vitality needs to collect, store, share and use personal data about past, current and prospective customers to enable it to meet its requirements in the provision of innovative products and services.
Vitality takes compliance with privacy laws and regulation very seriously. We take appropriate measures including training our staff about our data protection obligations to protect your personal data and your legal rights. We have implemented effective policies and procedures and security measures to ensure we protect your personal data.
Our contact details
If you have any questions about our Privacy Notice or the information we hold about you then please contact:
Name: The Group Head of Data Protection
Address: 70 Gracechurch Street, 4th Floor, London, EC3V 0HR
Changes to this Privacy Notice
We reserve the right to update this Privacy Notice from time to time. Such changes may be necessary, for example, due to changes or developments in data protection laws, privacy best practice or the introduction of new technologies. You should check our website periodically to view the most up-to-date Privacy Notice. This Privacy Notice was last updated in September 2021.
Who we are
Vitality is part of the Discovery Group of companies and is owned by Discovery Limited, a financial services firm based in South Africa. Vitality is based in the United Kingdom and to find out more about who the Vitality Group is, please see www.vitality.co.uk/legal for the most up to date information.
This Privacy Notice covers all of the businesses within the Vitality Group.
To help you we have set out the meaning of certain words and terms used in this section as well as for our products and services.
Please make anyone whose personal information you have provided to us aware of this Privacy Notice. You must make sure any information you supply about anyone else is accurate and that they’ve agreed to their information being supplied.
How we use your information
If you have a plan with us or you are considering getting a plan with us, we collect information about you and any joint plan owners when you get:
- a quote for insurance, when you buy or renew a plan from us, when you amend or cancel your plan or when you make a claim under your plan;
- an investment plan from us, when you buy or amend an investment plan from us, when you withdraw funds or cancel your plan.
If you are a beneficiary under the plan, we collect information about you when you make a claim under the plan.
If you are a witness to an event giving rise to a claim, we collect your information to help us handle the claim.
We only collect information that is relevant and necessary for us to provide the product and to handle claims made under a plan.
If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud and to establish facts in the event of a complaint.
What type of information do we collect?
- Personal information provided by you and anyone named on the plan, directly or via the company who sold you the plan:
- Contact details
- Date of birth
- Occupation
- Gender
- Financial information provided by you, directly or via the company who sold you the plan:
- Payment details
- Transactions and payments made for your plan
- VitalityCar: Details of County Court Judgements (CCJs) and bankruptcy.
- Sensitive information provided by you, directly or via the company who sold you the plan:
- Health information including medical conditions and your doctor/hospital details
- Information about what you are insuring provided by you, directly or via the company who sold you the plan.
- Motoring criminal convictions and offences (VitalityCar)
- Health information including medical conditions and associated restrictions on your driving licence (VitalityCar).
- VitalityCar:
• Homeowner Status
• Marital Status
• Driving Licence details
• Residency Status
• Driving behaviour
• Images and videos from dash camera footage
• Other information about you provided by the company who sold you the plan
• Information about your insurance history provided by you, directly or via the company who sold you the plan:
- Recent quotes for insurance
- Your insurance history
- Claims details
• Information relating to fraudulent or potentially fraudulent activity provided by fraud agencies and databases or collected from publicly available sources of information:
- History of fraud
- Indicators of fraudulent behaviour
- Investigations into fraud
• Your credit information provided by credit reference agencies:
- Your credit history and score
- Information on the electoral register
• In addition to the information above, we also collect information from third parties, to assist us in assessing your insurance risk. Some of this information is publicly available such as census data. We also collect information regarding your vehicle from HPI Ltd.
Why we use your information
The information we collect may be used by us, our employees and third party insurers and/or service providers who are acting under our instruction, for the reasons detailed below. We must always have a lawful basis for processing your information.
When we process your sensitive personal information, we must always have an additional lawful basis.
For each reason for processing your information, we have set out our lawful basis:
How we share your information
In order to sell, manage and provide our products and services, prevent fraud and comply with legal and regulatory requirements, we may need to share your information with third parties, including:
Our re-insurers (excluding VitalityInvest or VitalityCar)
Re-insurance is insurance that is purchased by an insurance company. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.
We may need to share your personal health or medical data provided by you with our re-insurers in order for them to do the following:
- to analyse key demographic information;
- to analyse patterns of claims by customers and their claims experiences;
- to analyse the risk they are reinsuring and to set a price for the re-insurance with Vitality;
- to determine the validity of a claim; and
- to set approval limits for claims and underwriting.
Our auditors (for management information purposes)
Vitality will only share your personal data with other companies or organisations where there is a legitimate reason for doing so. For example, we are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as:
- Information Commissioner’s Office (ICO)
- Financial Conduct Authority (FCA)
- Prudential Regulation Authority (PRA)
- Financial Ombudsman Service (FOS)
We may also share your personal data where we conduct further investigations with law enforcement and fraud prevention agencies and databases, our regulators (such as the FCA, PRA and ICO) as well as other insurers, to facilitate the prevention and detection of fraud or crime.
Fraud prevention agencies
Crime prevention agencies, including the police
Sharing your personal data with your authorised representative
If you have appointed an insurance or financial adviser, we may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if you have made a claim although no medical information will be provided without your consent.
Please be sure to tell us if you authorise a new representative so that we send your personal data only to the right person.
Our use of other companies to provide our products and services to you
To assist us in the provision of administration, services or benefits for your plan and any claims you make, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you.
We need to advise you that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.
Some of the companies who work under contract with us are located in countries outside of the United Kingdom and the European Economic Area. Where this is the case we transfer your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.
Sharing your personal data with benefit providers
The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access a number of rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent and only with the benefit providers you choose to engage with.
The full list of benefit and reward providers can be found here.
Marketing
We will carry out direct marketing for customers of this product and other products and services that are managed by the Vitality Group where you have consented. Members can manage their preferences through their Member Zone.
You’ll get communications or emails about your plan or any changes to that plan as we have a statutory obligation to do so.
If your relationship with Vitality ends, you should amend your preferences first as they will still be active. However, you can contact data.protection@Vitality.co.uk if necessary to request amendment to your preferences retrospectively. We have one month in which to process these requests.
International Transfers
We have detailed third parties that we may share your information with in the ‘How we share your information’ section. Some of these third parties may be in countries outside of the United Kingdom (UK) or the European Economic Area (EEA).
Under data protection law, when personal information is being transferred outside the UK, we as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.
In the event that we transfer your personal information outside of the UK, we will always put in place adequate safeguards to ensure that your personal information is protected. Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to.
How long we keep your information for
We only keep your personal information for as long as is necessary in line with the purposes for which we collected your information. We have set out our general retention schedule below; however, in certain circumstances it will be necessary for us to keep your information for longer, for example when we are required to do so due to legal obligations or to defend or manage legal claims.
If you get a quote from us for insurance but do not take up the plan, we will keep your information for up to 13 months from the expiry date of the quote. This is to support customers returning in the near future and to prevent and detect fraud.
In most cases, we will keep your information for 7 years from the expiry date of the plan or from the settlement/closure of the claim, whichever is the later. This is applicable if you get a quote from us and you buy the plan, if you have a plan with us, if you make a claim under one of our plans (including if you are a third party claimant) or if you are a witness to an event giving rise to a claim under one of our plans. This is so that we can administer the contract of insurance and handle claims made against the plan.
It is of utmost importance to ensure that data is always protected and available for operational purposes. In the event that there is data loss due to unforeseen circumstances, backup is an effective mechanism to assist the business with the recovery of the data required for day-to-day operations. Our retention period for system back-ups is 5 years.
If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years. We also provide a retention guide in the table under “Why we use your information?”
Your rights
The UK GDPR provides the following rights for individuals:
- Right to be informed: to be informed about the collection and use of your personal data e.g. the purpose of processing your personal data, our retention periods for that personal data, and who it will be shared with. This information can be found in our Privacy Notice. We have one month to respond to a request.
- Right of Access: the right to access and receive a copy of your personal data. Requests can be made verbally or in writing. Information is provided in an accessible, concise and intelligible format (not a machine-readable format). Information identifying a third party may be removed. We must respond without delay and within one month of receipt of the request but may extend the time limit by a further two months if the request is complex or if we receive a number of requests from the individual.
- Right to Rectification: The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. However, this is not an absolute right. If you provide false information this may not be corrected as it is not inaccurate. We have one calendar month to respond to a request.
- Right to Erasure: (“the right to be forgotten”). Individuals can make a request for erasure verbally or in writing. The right is not absolute and only applies in certain circumstances. In many cases we have a legal obligation to retain that data for 7 years even when the relationship no longer exists, which is because we are regulated by the Financial Conduct Authority. Information may be erased from our production ‘live’ systems; however, backup information will be retained for 5 years as part of our business continuity planning. We have one calendar month to respond to a request.
- Right to Restriction: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. An individual can make a request for restriction verbally or in writing. We have one calendar month to respond to a request.
- Right to Portability: The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a controller. The information should be provided in a structured, commonly used and machine-readable format. We have one calendar month to respond to a request.
- Right to object to processing: The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. You have an absolute right to stop your data being used for direct marketing, but in some cases you may still receive marketing material that is in production at the time your request is processed. However, in other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so, for example in notifying you of changes to your plan where you may be disadvantaged. An individual can make an objection verbally or in writing. We have one calendar month to respond to an objection.
In some cases, we will be unable to comply with your request as a result of our own legal or regulatory requirements but we will always respond to your request and if we cannot comply, we will explain why.
If you would like to know more about your rights, you can find out more information on the ICO’s website.
How to complain about a Data Protection issue
If you have concerns about how we are handling your personal data then these can be raised with the Group Head of Data Protection, even if you have already dealt with our Complaints Team.
We will contact you if we require any more information to help us respond; otherwise we will respond within one month. This is in accordance with the Information Commissioner’s guidance.
If you are still unhappy then you can complain to the Information Commissioner’s Office (ICO). The ICO’s address:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Information Commissioner’s Office
We will always ask you to raise any concerns you have about how we handle your data with our Data Protection Officer first, but if you are still unhappy then you can contact the Information Commissioner’s Office:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Tel: 0303 123 1113 (local rate) or
01625 545 745 (National rate)
https://ico.org.uk/make-a-complaint/