Data Protection Notice
Vitality values its customers trust and recognises that the safety and lawful use of everyone’s personal data is key to retaining that trust and confidence. Vitality needs to collect, store, share and use personal data about past, current and prospective customers to enable it to meet its requirements in the provision of innovative products and services.
Vitality takes compliance with privacy laws and regulation very seriously. We take appropriate measures including training our staff about our data protection obligations to protect Your personal data and Your legal rights. We have implemented effective policies and procedures and security measures to ensure We protect Your personal data.
Vitality is part of the Discovery Group of companies and is owned by Discovery Limited, a financial services firm based in South Africa.
Vitality Corporate Services Limited, is an authorised intermediary of Vitality Health Limited, (“VitalityHealth”) Vitality Life Limited (“VitalityLife”) and (“VitalityInvest”) (together the “Vitality group”, “We” and “Us”) and arranges and administers products provided by VitalityHealth, VitalityLife and VitalityInvest. Vitality Corporate Services Limited is the data controller for the management of interactions between Us and You; VitalityHealth and VitalityLife and VitalityInvest respectively are the data controllers for the personal data and special category data that You or Your representative provide to Us (depending on the product You purchase).
Vitality is listed as a data controller with the Information Commissioner under the following registration numbers;
Vitality Corporate Services Limited: Z105153X
Vitality Health Limited: Z8752490
Vitality Life Limited: ZA110112
VitalityHealth holds ISO 27001 certification, confirming that We have implemented industry standard security measures to ensure the secure management of Your personal data. This includes appropriate physical, organisational and technical measures to safeguard Your information. We regularly review these measures and where appropriate, We strengthen and enhance those measures. In particular We have implemented end-to-end encryption.
Whenever We send Your personal data to You, We will ensure appropriate security is applied to prevent unauthorised access to Your personal data or interception of Your personal data by anyone not authorised to have it.
If You wish to send any of Your personal data to Us, We strongly recommend You do not send it by open email. Instead, You should select a safe method to provide Your personal data to Us such as recorded post.
Personal data You give to Us
You may give Us information about You when You request a quote, purchase a plan or our products and/or use our services. For example:
- If You apply for a quote or plan with Us;
- If You enter into a contract with Us for the purchase of one of our products or the provision of services, and when You use those services;
- If You register and use our member websites and apps;
- If You submit a query to Us, for example by email, telephone or social media, (including where You reference Us in a public social media post); and
- If You participate in any marketing activity such as entering a competition, or promotion, or survey.
When You provide personal data to Us about someone else on their behalf
When giving Us information about a family member or another person, You confirm that they have appointed You to act on their behalf including giving You consent to instruct Us to process their personal data, to receive this data protection notice on their behalf and to inform them about the way in which We will process their personal data.
Personal data We receive about You from other external sources
We may receive information about You from other people in order to deliver our products and services to You. This could include (but is not limited to):
- Information from analytics providers;
- Information from search information providers;
- Information from credit reference agencies;
- When You are named in an application form or as a dependant under an individual or corporate plan;
- When we carry out credit checks in order to process an application or claim (where We may carry out credit checks);
- When We obtain medical reports; or
- Where We liaise with Your family, employer, health professional or other treatment or benefit provider.
Information We create from Your personal data
We will create some information with Your personal data internally, for example:
- When We assign You a member ID;
- When We create a Vitality status based on Your interactions with Us; and
- When We assign You a plan number.
We will always ensure that any personal data We receive has been collected lawfully and fairly in accordance with Your rights under the relevant data privacy laws. Where appropriate We will ask for Your consent for the specific use of Your personal data. For the use of Your health or medical information We will ask for Your explicit consent.
Where We are using the personal data that You provide to Us or that has been provided to Us by Your representative, broker or financial adviser for the purpose of setting up and administering Your plan, We will not seek Your consent for this purpose. This is because the personal data You provide to enable You to purchase the plan will legitimately be used by Us to do what You have requested. Your rights and the protection of Your personal data are not in any way hindered by this approach.
Personal information We hold about You
The information We hold about You may include:
- Your name, address, contact details and Your next of kin;
- Your health and medical history and current health and or fitness status;
- Details about any contact We have had with You such as providing quotes;
- Details of the services You have received, claims You have made or treatment You have received;
- Feedback that You give to Us regarding the services We have provided or about services provided by another organisation or medical specialist; and
- Recordings of telephone calls between You and Us.
We do not collect or use children’s personal data except when that information is provided by an adult who has purchased a plan that also covers or is for the benefit of a child. When a claim is made and a child is the subject of that claim, We will only collect as much information about that child as is necessary for the administration of the claim and for the provision of medical services. We do not use children’s information for any marketing activity.
The security of and appropriate use and disclosure of Your health and medical information is of paramount importance to Vitality. We will only disclose Your health or medical information to those people or bodies who are involved in Your care or treatment or in the provision of services to You.
Vitality will only collect and use sufficient medical information to enable Us to deliver the services You purchase from Us.
The Vitality group of companies will process personal medical and health data provided by You and/or by Your representative as part of Your application for Your plan.
If we collect Your personal medical and health data, We will use this data for the following purposes:
- To provide You with a quote
In the application form all the information We collect is measured against key rating factors to allow Us to produce a quote via an automated calculation and in order to provide an indicative premium based on risk profile amounts. In the event of higher than normal cover amount We manually calculate the amount.
Should You choose to proceed after being given an initial quote We obtain additional information, and also capture Your medical history in order to calculate the actual premium and identify any additional conditions or exclusions that need to be applied to the plan. Where necessary, and with Your consent, We may use information provided by healthcare professionals (Your GP or a specialist health provider We ask You to visit) to gain further information on Your medical health to ensure the cover given is adequate and any necessary exclusions are identified.
- For underwriting
Underwriting third parties based in the European Economic Area, through automated processes, assist with assessing risk based on Your personal and medical risk profile as provided in Your application. Manual underwriting may be performed in either the UK or South Africa by Our underwriters using Your risk profile, applying exclusions, identifying non-disclosures, and reviewing additional medical information received from either our own medical collection specialists or a medical third party.
- To set up and administer Your plan
To carry out essential business processes such as auditing, business planning, accounting and delivering Our products and services. The servicing administration may be performed in the UK or South Africa, with other essential business processes such as auditing, business development and finance being fulfilled in the UK. This ensures We are able to make and manage customer payments, premium collections and attend to customer queries.
- To renew or continue Your plan annually
Unless You tell Us otherwise We will renew or continue Your plan and adjust Your premium and coverage amount according to the terms of Your plan. We will continue to use the data You have previously provided Us.
- To manage and administer Your claims
For life insurance and investment claims, Our assessors, based in the UK and South Africa, review Your plan and personal and medical details in order to assess Your claim. We may share Your information with Our approved partners where this is reasonably required to help deal with Your claim.
For health insurance claims, the majority of Our claims invoices are processed electronically. However, for invoices that fall out of this process for any reason We have a team of invoice administrators in India. The invoice processors match the invoice to the claims information We hold on Our claims admin system to ensure the invoice is eligible to pay.
- To communicate with You
We will communicate with You via email, post, telephone, SMS text and social media depending on Your communication preferences and/or the methods You have chosen.
- For compliance
To ensure We are compliant with legal and regulatory obligations, We will use Your data, this will include reviewing calls between You and Us. This also helps Us to train our staff and to improve performance.
- To carry out data modelling, profiling or statistical analysis
We will use data modelling, profiling and statistical analysis of our customer base for future campaigns and cross sell opportunities and to improve the products, services or features We may offer You now or in the future in order to meet Your needs.
- To monitor Your health and fitness activity
To enable Us to provide You with benefits relevant to Your Vitality status.
Processing claims – How We obtain and share medical reportsIn the event of a claim We may require medical reports from Your GP. Such a report will only be requested with Your consent and will be in compliance with the Access to Medical Reports Act 1988 (‘AMRA’). The information requested from Your GP will be limited to only the information relevant to Your claim. You have the right to request to see the GP’s report and to request any amendments be made by the GP where You consider the data to be inaccurate. The GP may agree to this upon his/her discretion. You will be informed about the AMRA process at the time We request Your consent to enable Us to ask Your GP for a report.
You can access the Access to Medical Reports Act 1988 at: www.legislation.gov.uk/ukpga/1988/28/contents.
How We obtain medical reports and share medical reports
We may have to give some information about Your plan and about Your health or medical status to those involved in Your treatment or care, (and/or Your representative if You have consented to Us doing this). Any such disclosure will be done confidentially unless You specifically instruct Us otherwise.
Processing claims - general
If the claimant is aged 13 or over We will address any correspondence to the claimant in order to protect their right to confidentiality. The planholder/principal member will be informed only that a claim has been made and the value of the payment We have made; no details about the medical condition or treatment provided will be disclosed to them. If the claimant wishes to waive their right to confidentiality they should inform Us at the time the claim is made.
If You have another insurance plan that covers the same costs that You are claiming from Us, then We may also disclose Your relevant personal data to that other insurer so that We can ensure We only pay our proportion of the claim.
Your information, and that of others also covered by the plan, may be disclosed to other parties (for example other insurance companies) with a view to preventing fraudulent or improper claims.
When collecting data for a group plan the Group Secretary/Administrator is responsible for ensuring that employees covered by the plan are aware of their rights for Vitality to use their personal and health data.
As a Group Secretary/Administrator:
When You provide any of Vitality’s products and services to Your employees and provide their personal and health information to Vitality to enable Us to set up the plan for those individuals, You acknowledge that You are acting on their behalf in the provision of that information about them to Us.
Storing and using Your employees data
The General Data Protection Regulation and the Data Protection Act 2018 makes provision for a number of rights under which You are entitled to make a claim. Vitality is committed to ensuring You are given access to these rights and will ensure that this is done appropriately and in compliance with privacy law.
Data subject access requests
- Under the General Data Protection Regulation You have the right to ask Vitality to confirm whether or not Your personal data is being processed, and, where it is being processed, to be provided with access to Your personal data and the following information:
- The purpose(s) of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipient to whom Your personal data has been or will be disclosed, in particular recipients in different countries or international organisations;
- Where possible, the period for which the personal data will be stored, or, if this is not possible, the criteria used to determine the storage period;
- Where Your personal data is not collected from You, any available information about the sources of such information; and
- The details of any automated decision-making or profiling being done on Your personal data, meaningful information about the logic involved, and the consequences of such processing for You.
Where Your personal data is transferred to a third country or to an international organisation You have the right to be informed how appropriate safeguards have been used to transfer Your personal information.
If You request it Vitality will provide You with a copy of Your personal data undergoing processing by Us. Where You make a request by email the information will also be provided by email unless You request otherwise.
If You require access to Your personal data that We have disclosed to a company, and that company is also a data controller, You will need to ask them directly to provide Your personal data.
Portability of personal data
You have the right to receive personal data about You that You have provided to Vitality in a structured, commonly used electronic format. You also have the right to transmit that personal data to a different data controller company and, if it is technically feasible, Vitality will try to transmit Your personal data to such other data controller company. Please note that this attempt may be restricted due to the incompatibility of the various customer record keeping databases.
Withdrawing Your consent
Where We rely upon Your consent to process your personal data, You have the right to withdraw Your consent at any time. From the time that We receive such withdrawal of consent Vitality will stop all processing of Your personal data relating to the consent.
Your right to be forgotten
You have the right to ask Vitality to erase Your personal data without undue delay and Vitality is obliged to do this where one of the following grounds applies:
- Your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- You withdraw consent on which the processing is based and where there is no other legal ground for the processing;
- You object to the processing and there are no overriding legitimate grounds for the processing or Your personal data has been unlawfully processed; or
- Your personal data must be erased to comply with a legal obligation.
The right to be forgotten shall not apply to the extent that processing is necessary in order to:
- Exercise the right of freedom of expression and information;
- Comply with a legal obligation that requires processing in the United Kingdom; or
- Establish, exercise or defend a legal claim.
You have the right to ask Vitality to rectify any personal data about You without undue delay. Taking into account the purposes of the processing, You have the right to have incomplete personal data completed, including by providing a supplementary information statement.
Restriction on processing
In specified circumstances You have the right to restrict the processing of Your personal data. These are:
- You contest the accuracy of Your personal data held by Vitality and restrict the processing to enable Vitality to verify the accuracy;
- You request restricted processing of Your personal data instead of erasing it because You believe it to be unlawful processing;
- Vitality no longer requires Your personal data for its processing purposes but You require it to establish, exercise or defend a legal claim; or
- Where You object to the use of Your personal data for profiling or marketing purposes, and our legitimate grounds for this processing does not override Your rights.
Where Vitality applies restrictions on processing Your personal data, apart from storage, the establishment or exercise of legal defence, or the protection of the rights of another individual, Vitality shall seek Your consent prior to restarting any processing of the restricted personal data.
You have the right to object to automated decision making and profiling
You have the right to object to automated decision making where the outcome may have a legal or other significant impact on You. This means that You have the right to request that an appropriate member of Vitality staff reviews the outcome of the automated decision making and conducts this process manually, unless You have previously given Your consent to automated processing.
For example, You may have given Your consent to the annual renewal of Your plan. We conduct a number of profiling exercises, mostly to ensure We are able to offer You the most favourable terms. We profile our customer base to ensure premiums are kept low and to minimise restrictions on the conditions We insure or will cover in the case of a claim. These profiling purposes are entirely legitimate and aimed at ensuring We treat all of our customers fairly.
We constantly review our range of products as We want to provide the most innovative and relevant insurance and investment options to our customers. We are continually negotiating with market leading benefit providers, that We want You to take advantage of, so We would like to keep You informed about all of these exciting new products and services available to You.
You have the right to object to the use of Your personal data for marketing purposes and Vitality is obligated to ensure marketing information is not sent to You if You assert this right.
If You do give Us Your permission to send marketing information to You We will provide You with the opportunity to change Your mind every time.
When You purchase a product from Vitality You will be provided with access to the Member Zone where You can manage Your marketing preferences and choose Your preferred method of receiving information about our products, services and the benefits at any time.
We use Your email address to identify You on digital platforms, such as Google, Facebook or Twitter, to provide targeted advertising, We will use the email address of existing customers to exclude them from new business advertising. We will also use Your information to build a profile of the type of customers We wish to target, and may share Your email address with digital platforms This will help Us identify potential customers like You, whilst excluding You from that particular advertising.
We want all of our members to be happy with the way their personal data and health or medical information has been processed by Us. If You are unhappy about the way We have managed Your personal data We would like to know about this. We are constantly striving to ensure We do the right thing, and We would like to be able to put things right.
You’ll find the contact details for our complaints teams at: vitality.co.uk/legal/complaints.
However, if You are still dissatisfied You have the right to contact the Information Commissioner, who regulates compliance with Data Protection regulation and laws at: ico.org.uk.
You can also call the ICO on 0303 123 1113 or 01625 545 745 or You can write to them at:
Information Commissioner's Office
Data Protection Officer
70 Gracechurch Street