Privacy Policy for Healthy Workplace customers

If you have a service with us or you are considering getting a service with us, we collect information about you to keep your profile up-to-date whether you have an account with us and/or our strategic partner Nuffield Health.

We only collect information that is relevant and necessary for us to provide the services and to provide you with rewards, discounts, offers or other benefits.

If you contact us by telephone, we may record calls for training and monitoring purposes to help us improve our service and to detect and prevent fraud.

• Personal information provided by you or your employer:
  - Name
  - Address
  - Contact details
  - Date of birth
  - Joining date
  - Reporting classifications (e.g. which department you are in)
  - Your employee ID Number, and
  - Leave data (if relevant)
  - Activation code, and
  - Vitality Health/Life number (if applicable)
  - Questionnaires (about your health and wellbeing)
  - Devices and wearable technology
• Personal data collected from your Nuffield Health account will include your:
  - Nuffield Health member ID
  - Mobile number
  - Email address
  - Date of birth
  - Post Code; and
  - an authorisation token allocated to you.
• Sensitive information provided by you, directly or via our strategic partner:
  - Health information including medical conditions and your doctor/hospital details

Why do we use your information	Our lawful bases for processing	Our legitimate business interest, where applicable
To administer and manage your programme Administering your profile Managing your programme Arranging the renewal, cancellation or lapse pf your programme	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Establish, exercise or defend our legal rights Substantial public interest	To monitor delivery of services.
To resolve any complaints you may have Register complaints Manage and resolve complaints	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Establish, exercise or defend our legal rights Substantial public interest	To investigate and resolve any complaints made.
To prevent, detect and investigate fraud or money laundering Investigating suspicious of fraud and money laundering Prosecuting	Personal Information: Legitimate interest Sensitive Information: Substantial public interest - preventing of detecting unlawful acts	To prevent fraud and money laundering.
For management information purposes and internal analysis of products and services Provision of anonymous data to client e.g. number of people using the programme	Personal Information: Legitimate interest Sensitive Information: Substantial public interest	To monitor our business performance and maintain appropriate company records To develop, manage and improve our products and services
For training purposes to improve your customer experience Assessing customer experiences Developing and improving our customer experience	Personal Information:  Legitimate interest Sensitive Information:  Substantial public interest-insurance	To improve the service we provide to customers.

In certain circumstances, where we suspect fraudulent behaviour, we will carry out checks with fraud prevention agencies and databases. We also conduct searches with publicly available sources of information including internet searches and social media searches.

If we suspect fraudulent behaviour, we may not offer you access to our programme and may void your profile. We investigate potentially fraudulent activities and where appropriate, we will use surveillance to assist our investigation. We appoint fraud investigation and surveillance suppliers to conduct these investigations on our behalf.

We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering

In order to sell, manage and provide our products and services, prevent fraud and comply with legal and regulatory requirements, we may need to share your information with third parties, including:

• Our auditors (for management information purposes)
  
  Vitality will only share your personal data with other companies or organisations where there is a legitimate reason for doing so. For example we are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as:
  
   - Information Commissioner’s Office (ICO)
   - Financial Conduct Authority (FCA)
   - Prudential Regulation Authority (PRA)
   - Financial Ombudsman Service (FOS)
  
  We may also share your personal data where we conduct further investigations with law enforcement and fraud prevention agencies and databases, our regulators (suchas the FCA, PRA and ICO) as well as other insurers, to facilitate the prevention and detection of fraud or crime.
  
  
• Fraud prevention agencies
  
  
• Crime prevention agencies, including the police
  
  
• Our use of other companies to provide our products and services to you
  
  To assist us in the provision of administration, services or benefits for you, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you.
  
  We need to advise you that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.
  
  Some of the companies who work under contracts with us are located in countries outside of the European Economic Area. Where this is the case we transfer your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.
  
  Please click here to see the list of other companies who assist us in the provision of administration services.
  
  
• Sharing your personal data with benefit providers
  
  The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access a number of rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent and only with the benefit providers you choose to engage with.
  
  The full list of benefit and reward providers can be found here.
  
  
• Vitality Group

Your personal data may be used by Vitality and Nuffield Health to ensure the marketing it sends you is relevant and tailored to you.

We have detailed third parties that we share your information with in the ‘How we share your information’ section. Some of these third parties may be in countries outside of the European Economic Area (EEA).

Under data protection law, when personal information is being transferred outside the EEA, we as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.

In the event that we transfer your personal information outside of the EEA, we will always put in place adequate safeguards to ensure that your personal information is protected.

Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to or ensuring that the third party is certified to the EU-US Privacy Shield Framework, if we are making transfers to third parties located in the United States.

We only keep your information for as long as is necessary in line with the purposes for which we collected your information. We have set out in our general retention schedule below however in certain circumstances it will be necessary for us to keep your information for longer, for example when we are required to due to legal obligations or to defend or manage legal claims.

In most cases, we will keep your information for 7 years from the expiry date of your entitlement to Healthy Workplace access ends, after which it will be deleted or anonymised.

If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years.

Data protection laws give you certain rights. For details of your data protection rights rights please click here.

We have appointed a Data Protection Officer who is responsible for overseeing how we handle your information. If you have any questions about our Privacy Policy or the information we hold about you, please contact them here.

In the first instance we would ask that you notify us of any concerns you have about how we handle your data but if you are still unhappy then you can contact the Information Commissioners Office here.

We reserve the right to update this Privacy Policy from time to time. Such changes may be necessary, for example, due to changes or developments in data protection laws, privacy best practice or the introduction of new technologies. You should check our website periodically to view the most up-to-date Privacy Policy. This Privacy Policy was last updated on 14th October 2019.