Search
Log in
Privacy Policy for Business or Corporate and Vitality at Work Clients
Our business and corporate healthcare plans aim to make it easier for your employees to get healthier and reward them when they do. The business and corporate healthcare plans are an annual insurance contract which means that the premiums, benefits, terms and conditions can change at each annual renewal date.
To help you we have set out here the meaning of certain words and terms used in this section as well as for our products and services.
Please make anyone whose personal information you have provided to us aware of this Privacy Policy. You must make sure any information you supply about anyone else is accurate and that they’ve agreed to their information being supplied.
To help you we have set out here the meaning of certain words and terms used in this section as well as for our products and services.
Please make anyone whose personal information you have provided to us aware of this Privacy Policy. You must make sure any information you supply about anyone else is accurate and that they’ve agreed to their information being supplied.
Privacy Policy for Business or Corporate healthcare plans
Who Vitality are
Vitality is part of the discovery Group of companies and is owned by Discovery limited, a financial services firm based in South Africa.
Vitality Corporate services Limited is an authorised intermediary of Vitality Health Limited (“VitalityHealth”), Vitality Life Limited (“VitalityLife”) and (“VitalityInvest”), and Vitality Healthy Workplace Limited. Together Vitality arranges and administers products provided by VitalityHealth, VitalityLife, VitalityInvest and Vitality Healthy Workplace Limited. Vitality Corporate Services Limited is the data controller for the management of interactions between us and you: VitalityHealth, VitalityLife, and Vitality Healthy Workplace Limited are the data controllers for the personal data and special category data that you or your representative provide to us.
Vitality Corporate services Limited is an authorised intermediary of Vitality Health Limited (“VitalityHealth”), Vitality Life Limited (“VitalityLife”) and (“VitalityInvest”), and Vitality Healthy Workplace Limited. Together Vitality arranges and administers products provided by VitalityHealth, VitalityLife, VitalityInvest and Vitality Healthy Workplace Limited. Vitality Corporate Services Limited is the data controller for the management of interactions between us and you: VitalityHealth, VitalityLife, and Vitality Healthy Workplace Limited are the data controllers for the personal data and special category data that you or your representative provide to us.
Data Controller
One of the key elements in the General Data Protection Regulation and the Data Protection Act 2018 is accountability. Firms are responsible for, and must be able to demonstrate compliance, with data protection laws. However, compliance means different things for the data controller and the data processor. So, it’s imperative that firms are able to determine their own role, and the role of their vendors, to fully understand their legal obligations.
The definition of a vendor as a data processor depends on their role and how much control they possess over the personal data. Vitality’s position as Data Controller is set out in our Terms and Conditions and for this reason we do not enter into Data Processing Agreement as we are not a data processor for those clients.
As data controller, Vitality is responsible for protecting the rights of the data subject, and Vitality controls the overall purpose and means, or the ‘why’ and ‘how’ the data is to be used. In short, it is Vitality who decides:
To find out how we handle your employee’s data please refer to the relevant privacy notice which provides information to your employees on:
The definition of a vendor as a data processor depends on their role and how much control they possess over the personal data. Vitality’s position as Data Controller is set out in our Terms and Conditions and for this reason we do not enter into Data Processing Agreement as we are not a data processor for those clients.
As data controller, Vitality is responsible for protecting the rights of the data subject, and Vitality controls the overall purpose and means, or the ‘why’ and ‘how’ the data is to be used. In short, it is Vitality who decides:
- to collect the personal data and has the legal basis for doing so;
- which items of personal data to collect;
- to modify the data;
- the purpose or purposes the data are to be used for;
- whether to share the data, and if so, with whom;
- how long to retain the data.
To find out how we handle your employee’s data please refer to the relevant privacy notice which provides information to your employees on:
- How we use their information
- What type of information do we collect?
- How we share their information
- Marketing
- International Transfers
- How long we keep their information for
- Their rights
- How to contact us
- Changes to this Privacy Policy.
Privacy policy for Vitality at Work Healthy Workplace plans provided by Vitality Healthy Workplace Limited.
How we use your personal information
If you have a service with us or you are considering getting a service with us, we collect information about you to keep your profile up-to-date where you have an account with us or our strategic partner Nuffield Health.
We only collect information that is relevant and necessary for us to provide the services and to provide you with rewards, discounts, offers or other benefits.
If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud.
We only collect information that is relevant and necessary for us to provide the services and to provide you with rewards, discounts, offers or other benefits.
If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud.
What type of information do we collect?
Personal information provided by you or your employer:
- Name
- Address
- Contact details
- Date of birth
- Joining date
- Reporting classifications (e.g. which department you are in)
- Leave data (if relevant)
- Your employee ID Number, and
- Activation code, and
- Vitality Health/Life number (if applicable)
- Questionnaires (about your health and wellbeing)
- Devices and wearable’s.
- Nuffield Health member ID
- Mobile number
- Email address (if available);
- Data of birth
- Post Code; and
- An authorisation token allocated to you.
- Payment details
- Transactions and payments made for your plan.
- Health information including medical conditions and your doctor/hospital details.
| Why do we use your information | Our lawful bases for processing | Our legitimate business interest, where applicable | Indicative retention period |
|---|---|---|---|
| To provide you with a quote. Assessing your application for insurance and, if we can, the price and other terms we can offer. | Personal Information:
|
To price our products based on your insurance risk and to set policy acceptance parameters to determine when we want to insure certain risks | 13 months if no other Vitality relationship exists. |
To administer and manage your plan
|
Personal Information:
|
|
7 years from end of the last active policy across Vitality Group as per standards. |
To handle claims made against an insurance plan
|
Personal Information:
|
|
7 years from end of the last active policy across Vitality Group as per standards. |
To resolve any complaints you may have
|
Personal Information:
|
|
3 years from date of closure. 5 years for investment complaints. |
To recover any debt that you owe to us
|
Personal Information:
|
|
7 years after debt recovered or end of policy whichever is longer. |
To prevent, detect and investigate fraud or money laundering
|
Personal Information:
|
|
Civil cases & criminal cases: 6 years
On sentence 3 years after length of sentence. |
For management information purposes and internal analysis of products and services
|
Personal Information:
|
|
7 years after which personal data removed. |
For training purposes to improve your customer experience
|
Personal Information:
|
|
Call recordings 3 years. |
Fraud prevention and detection
Applying for a quote, holding an insurance plan with us and making a claim: In certain circumstances, where we suspect fraudulent behaviour, we will carry out checks with fraud prevention agencies and databases. We also conduct searches with publicly available sources of information including internet searches and social media searches.
If we suspect fraudulent behaviour, we may not offer you insurance, we may void your plan or we may not be able to accept your claim. We investigate potentially fraudulent claims and where appropriate, we will use surveillance to assist our investigation. We appoint fraud investigation and surveillance suppliers to conduct these investigations on our behalf.
We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering.
Fraud prevention agencies and databases: When we check your details against fraud prevention agencies and databases, we will use a range of databases and agencies including other insurers' databases. If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies, fraud databases and other insurers. Law enforcement agencies may access and use this information.
We access and use the information recorded by fraud prevention agencies or fraud databases to prevent fraud and money laundering. These checks are done to identify, predict, investigate and evaluate potentially fraudulent behaviour.
We use the following fraud prevention agencies and databases:
- CIFAS (National Fraud Database)
- CUE (Claims and Underwriting Exchange)
- IFB (Insurance Fraud Bureau)
- IFIG (Insurance Fraud Investigators Group)
- IFED (Insurance Fraud Enforcement Agency)
- IFR (Insurance Fraud Register)
- NFIB (National Fraud Intelligence Bureau)
- NCA (National Crime Agency)
- OFSI (Office of Financial Sanctions Implementation)
- LexisNexis
Automated Decisions
Some of our reasons for processing will involve automated decision making. These decisions are set out below. You have a right to obtain human intervention for any of our automated decisions. If you object to an automated decision, we may not be able to offer you an insurance quotation or renewal.
Offering an insurance plan and pricing: We ask you a series of questions when you obtain a quote for insurance from us. This is so we can understand the insurance risk that we are being asked to consider and make an underwriting assessment and decision. The information you provide along with other information helps us to decide whether we can offer you a quote and the price you will need to pay for insurance.
We use lots of factors to assess whether we can provide insurance cover, the price of your plan and any other terms of your plan. These factors include, but are not limited to, your age, your health/lifestyle, your geographical location, claims history, the past performance of the insurance product, etc.
Based on this information, an automated decision will be produced on acceptability of cover, the price you will need to pay for your plan and any other terms we need to apply.
Offering an insurance plan and pricing: We ask you a series of questions when you obtain a quote for insurance from us. This is so we can understand the insurance risk that we are being asked to consider and make an underwriting assessment and decision. The information you provide along with other information helps us to decide whether we can offer you a quote and the price you will need to pay for insurance.
We use lots of factors to assess whether we can provide insurance cover, the price of your plan and any other terms of your plan. These factors include, but are not limited to, your age, your health/lifestyle, your geographical location, claims history, the past performance of the insurance product, etc.
Based on this information, an automated decision will be produced on acceptability of cover, the price you will need to pay for your plan and any other terms we need to apply.
How we share your information
In order to sell, manage and provide our products and services, prevent fraud and comply with legal and regulatory requirements, we may need to share your information with third parties, including:
Our re-insurers
Re-insurance is insurance that is purchased by an insurance company. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.
We may need to share your personal health or medical data provided by you with our re-insurers in order for them to do the following:
Our auditors (for management information purposes)
Vitality will only share your personal data with other companies or organisations where there is a legitimate reason for doing so. For example we are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as:
We may also share your personal data where we conduct further investigations with law enforcement and fraud prevention agencies and databases, our regulators (such as the FCA, PRA and ICO) as well as other insurers, to facilitate the prevention and detection of fraud or crime.
Fraud prevention agencies
Crime prevention agencies, including the police
Sharing your personal data with your authorised representative
If you have appointed an insurance or financial adviser, we may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if you have made a claim although no medical information will be provided without your consent.
Please be sure to tell us if you authorise a new representative so that we are able to only send your personal data to the right representative so that we send your personal data to the right person.
Our use of other companies to provide our products and services to you
To assist us in the provision of administration, services or benefits for your plan and any claims you make, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you.
We need to advise you that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.
Some of the companies who work under contracts with us are located in countries outside of the European Economic Area. Where this is the case we transfer your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.
Please click here to see the list of other companies who assist us in the provision of administration services.
Sharing your personal data with benefit providers
The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access a number of rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent and only with the benefit providers you choose to engage with.
The full list of benefit and reward providers can be found here.
Vitality Group
Our re-insurers
Re-insurance is insurance that is purchased by an insurance company. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.
We may need to share your personal health or medical data provided by you with our re-insurers in order for them to do the following:
- to analyse key demographic information;
- to analyse patterns of claims by customers and their claims experiences;
- to analyse the risk they are reinsuring and to set a price for the re-insurance with Vitality;
- to determine the validity of a claim; and
- to set approval limits for claims and underwriting.
Our auditors (for management information purposes)
Vitality will only share your personal data with other companies or organisations where there is a legitimate reason for doing so. For example we are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as:
- Information Commissioner’s Office (ICO)
- Financial Conduct Authority (FCA)
- Prudential Regulation Authority (PRA)
- Financial Ombudsman Service (FOS)
We may also share your personal data where we conduct further investigations with law enforcement and fraud prevention agencies and databases, our regulators (such as the FCA, PRA and ICO) as well as other insurers, to facilitate the prevention and detection of fraud or crime.
Fraud prevention agencies
Crime prevention agencies, including the police
Sharing your personal data with your authorised representative
If you have appointed an insurance or financial adviser, we may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if you have made a claim although no medical information will be provided without your consent.
Please be sure to tell us if you authorise a new representative so that we are able to only send your personal data to the right representative so that we send your personal data to the right person.
Our use of other companies to provide our products and services to you
To assist us in the provision of administration, services or benefits for your plan and any claims you make, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you.
We need to advise you that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.
Some of the companies who work under contracts with us are located in countries outside of the European Economic Area. Where this is the case we transfer your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.
Please click here to see the list of other companies who assist us in the provision of administration services.
Sharing your personal data with benefit providers
The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access a number of rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent and only with the benefit providers you choose to engage with.
The full list of benefit and reward providers can be found here.
Vitality Group
Marketing
Your personal data may be used by Vitality and Nuffield Health to ensure the marketing it sends you is relevant and tailored to you.
International Transfers
We have detailed third parties that we share your information with in the ‘How we share your information’ section. Some of these third parties may be in countries outside of the European Economic Area (EEA).
Under data protection law, when personal information is being transferred outside the EEA, we as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.
In the event that we transfer your personal information outside of the EEA, we will always put in place adequate safeguards to ensure that your personal information is protected. Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to or ensuring that the third party is certified to the EU-US Privacy Shield Framework, if we are making transfers to third parties located in the United States.
Under data protection law, when personal information is being transferred outside the EEA, we as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.
In the event that we transfer your personal information outside of the EEA, we will always put in place adequate safeguards to ensure that your personal information is protected. Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to or ensuring that the third party is certified to the EU-US Privacy Shield Framework, if we are making transfers to third parties located in the United States.
How long we keep your information for
We only keep your information for as long as is necessary in line with the purposes for which we collected your information. We have set out in our general retention schedule below however in certain circumstances it will be necessary for us to keep your information for longer, for example when we are required to due to legal obligations or to defend or manage legal claims.
In most cases, we will keep your information for 7 years from the expiry date of your entitlement to Healthy Workplace access ends, after which it will be deleted or anonymised.
If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years.
In most cases, we will keep your information for 7 years from the expiry date of your entitlement to Healthy Workplace access ends, after which it will be deleted or anonymised.
If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years.
Your rights
Data protection laws give you certain rights. For details of your data protection rights rights please click here.
How to contact us
We have appointed a Data Protection Officer who is responsible for overseeing how we handle your information. If you have any questions about our Privacy Policy or the information we hold about you, please contact them here.
In the first instance we would ask that you notify us of any concerns you have about how we handle your data but if you are still unhappy then you can contact the Information Commissioners Office here.
In the first instance we would ask that you notify us of any concerns you have about how we handle your data but if you are still unhappy then you can contact the Information Commissioners Office here.
Changes to this Privacy Policy
We reserve the right to update this Privacy Policy from time to time. Such changes may be necessary, for example, due to changes or developments in data protection laws, privacy best practice or the introduction of new technologies. You should check our website periodically to view the most up-to-date Privacy Policy. This Privacy Policy was last updated on 29/07/2019.