To help you we have set out here the meaning of certain words and terms used in this section as well as for our products and services.
Who Vitality are
Vitality Corporate Services Limited is an authorised intermediary of Vitality Health Limited (“VitalityHealth”), Vitality Life Limited (“VitalityLife”) and (“VitalityInvest”), and Vitality Healthy Workplace Limited. Together Vitality arranges and administers products provided by VitalityHealth, VitalityLife, VitalityInvest and Vitality Healthy Workplace Limited. Vitality Corporate Services Limited is the data controller for the management of interactions between us and you; VitalityHealth, VitalityLife, and Vitality Healthy Workplace Limited are the data controllers for the personal data and special category data that you or your representative provide to us.
The definition of a vendor as a data processor depends on their role and how much control they possess over the personal data. Vitality’s position as Data Controller is set out in our Terms and Conditions and for this reason we do not enter into a Data Processing Agreement, as we are not a data processor for those clients.
As data controller, Vitality is responsible for protecting the rights of the data subject, and Vitality controls the overall purpose and means, or the ‘why’ and ‘how’ the data is to be used. In short, it is Vitality who decides:
- to collect the personal data and has the legal basis for doing so;
- which items of personal data to collect;
- to modify the data;
- the purpose or purposes the data are to be used for;
- whether to share the data, and if so, with whom;
- how long to retain the data.
To find out how we handle your employees’ data, please refer to the relevant privacy notice, which provides information to your employees on:
- How we use their information
- What type of information do we collect?
- How we share their information
- International Transfers
- How long we keep their information for
- Their rights
- How to contact us
How we use your personal information
We only collect information that is relevant and necessary for us to provide the services and to provide you with rewards, discounts, offers or other benefits.
If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud.
What type of information do we collect?
- Personal information provided by you or your employer:
  - Contact details
  - Date of birth
  - Joining date
  - Reporting classifications (e.g. which department you are in)
  - Your employee ID Number, and
  - Leave data (if relevant)
- Activation code, and
- Vitality Health/Life number (if applicable)
- Questionnaires (about your health and wellbeing)
- Devices and wearables
- Personal data collected from your Nuffield Health account will include your:
  - Nuffield Health member ID
  - Mobile number
  - Email address (if available);
  - Date of birth
  - Post Code; and
  - an authorisation token allocated to you.
- Financial information provided by you, directly or via the company who sold you the plan:
  - Payment details
  - Transactions and payments made for your plan
- Sensitive information provided by you, directly or via the company who sold you the plan:
  - Health information including medical conditions and your doctor/hospital details
| Why do we use your information | Our lawful bases for processing | Our legitimate business interest, where applicable |
|---|---|---|
| To administer and manage your plan | | |
| To handle claims made against an insurance plan | | |
| To resolve any complaints you may have | | |
| To recover any debt that you owe to us | | |
| To prevent, detect and investigate fraud or money laundering | | |
| For management information purposes and internal analysis of products and services | | |
| For training purposes to improve your customer experience | | |
Fraud prevention and detection
Applying for a quote, holding an insurance plan with us and making a claim: In certain circumstances, where we suspect fraudulent behaviour, we will carry out checks with fraud prevention agencies and databases. We also conduct searches with publicly available sources of information including internet searches and social media searches.
If we suspect fraudulent behaviour, we may not offer you insurance, we may void your plan or we may not be able to accept your claim. We investigate potentially fraudulent claims and where appropriate, we will use surveillance to assist our investigation. We appoint fraud investigation and surveillance suppliers to conduct these investigations on our behalf.
We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering.
Fraud prevention agencies and databases: When we check your details against fraud prevention agencies and databases, we will use a range of databases and agencies including other insurers' databases. If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies, fraud databases and other insurers. Law enforcement agencies may access and use this information.
We access and use the information recorded by fraud prevention agencies or fraud databases to prevent fraud and money laundering. These checks are done to identify, predict, investigate and evaluate potentially fraudulent behaviour.
We use the following fraud prevention agencies and databases:
- CIFAS (National Fraud Database)
- CUE (Claims and Underwriting Exchange)
- IFB (Insurance Fraud Bureau)
- IFIG (Insurance Fraud Investigators Group)
- IFED (Insurance Fraud Enforcement Agency)
- IFR (Insurance Fraud Register)
- NFIB (National Fraud Intelligence Bureau)
- NCA (National Crime Agency)
- OFSI (Office of Financial Sanctions Implementation)
Offering an insurance plan and pricing: We ask you a series of questions when you obtain a quote for insurance from us. This is so we can understand the insurance risk that we are being asked to consider and make an underwriting assessment and decision. The information you provide along with other information helps us to decide whether we can offer you a quote and the price you will need to pay for insurance.
We use lots of factors to assess whether we can provide insurance cover, the price of your plan and any other terms of your plan. These factors include, but are not limited to, your age, your health/lifestyle, your geographical location, claims history, the past performance of the insurance product, etc.
Based on this information, an automated decision will be produced on acceptability of cover, the price you will need to pay for your plan and any other terms we need to apply.
How we share your information
Under data protection law, when personal information is being transferred outside the EEA, we, as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.
In the event that we transfer your personal information outside of the EEA, we will always put in place adequate safeguards to ensure that your personal information is protected. Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to or ensuring that the third party is certified to the EU-US Privacy Shield Framework, if we are making transfers to third parties located in the United States.
How long we keep your information for
In most cases, we will keep your information for 7 years from the date on which your entitlement to Healthy Workplace access ends, after which it will be deleted or anonymised.
If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years.
How to contact us
In the first instance, we would ask that you notify us of any concerns you have about how we handle your data, but if you are still unhappy then you can contact the Information Commissioner’s Office.