1. Who we are
UK Health Insurance which is a trading name of Healthnet Services Ltd which is authorised and regulated by the Financial Conduct Authority (‘FCA’), registration number 312313.
UK Health Insurance is registered as a data controller on the Data Protection Register held by the Information Commissioner’s Office (‘ICO’), registration number Z829892X.
2. Where do we collect personal information from?
2.1 Information you give us
We collect personal information directly from you when you:
• ask for a quote.
• contact us by telephone, fax, email or post to make a general enquiry about insurance.
• and when we administer your policy
2.2 Information we collect about you
We collect personal information from several external sources including:
- directly from the main policyholder or member under whose policy you are covered
- Group Secretaries for Group Schemes
- other third parties such as:
- a family member or other representative if you are incapacitated or unable to provide information relevant to your policy
- companies who provide consumer classification for marketing purposes
- Insurers who have been unable to assist you
- Lead generation companies and introducers
2.3 Non personal information we collect
Technical, usage and profile information which tells us how people are using our website may be automatically collected and aggregated by website analytics providers. This is done anonymously, and we cannot identify you personally. We call this ‘non-personal information’. We gather non-personal information from devices you use to connect to our website, such as computers and mobile phones, using cookies and other internet tracking software.
Non-personal information may be used to learn about online behaviour in order to improve our website and marketing messages and to provide a better brand experience. We may share non-personal information with third parties for research or statistical purposes but only when there is a legal data sharing agreement that clearly stipulates an agreed, limited purpose and which precludes any use for commercial gain.
3. What information do we collect?
The information we collect depends on the product or service you are interested in. For example, if you ask us for a quote, we will ask you for identity and contact information. If you take out a policy through us, we will ask for financial information to pass on to the insurer for them to collect premiums.
In certain circumstances we may ask for more sensitive personal information about you such as information about your physical or mental health so we can provide a more personal quote or assisting in administering your policy. This is called ‘special category’ information.
Please see below for a more detailed summary of personal information we may collect.
|Type of personal information||Description|
|Identity||Name, address, date of birth|
|Contact||Phone number(s), email address|
|Financial||Bank account, credit card or debit card details, earnings|
|Lifestyle (this would be special category data)||Occupation, smoking and drinking habits, sports activities|
|Health (this would be special category data)||Information about physical and mental health|
|Technical||IP address, browser, operating system, network, device(s)|
|Usage||Pages visited, exit page, time spent, number of visits, searches carried out|
|Profile||Age group, gender, language, location|
|Marketing||Cookies, marketing preferences|
4. How do we use personal information?
The main reason we collect personal information is so we can provide you with the health insurance cover you or your employer has purchased and to make sure we help the provider administer it correctly and efficiently. However, there are several other reasons why we use personal information, and this is explained more in detail below.
4.1 The legal basis for processing personal information
Your privacy is protected by data protection law which says we are only allowed to use personal information if we have a legal basis for doing so. We have explained below the main reasons why we process personal information and the legal basis we rely on.
• To provide an insurance quote and to assist the insurance provider in administering an insurance policy and associated services. This includes sending information to a customer about their policy. In these circumstances, if the personal information we need is not given to us, we will be unable to provide a quote or offer a policy.
• We have a regulatory duty to process personal information. For example, the Financial Conduct Authority and the Information Commissioner’s Office require us to keep customer records.
• So we can establish, exercise, or defend our legal rights. For example, if we have a legal claim brought against us or we want to pursue our own legal claim or rights.
• For reasons of substantial public interest, such as investigating and preventing fraud.
• Where a customer has agreed we can use personal information (‘consent’). This can be by providing information about other products and services that might be of interest. If we ask for consent, we will explain why it is needed.
• Where we have a legitimate business need to use personal information as long as it does not interfere with a customer’s information rights and freedoms and does not cause any harm. We also have a legal exemption that allows us to process special category information as an essential part of providing and administering an insurance policy.
Here is a list of the ways we may use your personal information and our legal basis for processing:
|What we use personal information for||Personal information we process may include, but not be limited, to||Legal basis for processing personal information|
|Providing you with a health insurance quote or quotes for other life and protection products||Identity, contact, lifestyle (special category) and health (special category) information.||Performance of a contract with you Substantial public interest – In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 20 of the DPA 2018. This relates to the processing of special category data for insurance purposes.|
|To assist the providers in setting up and administering your policy including, but not limited to:|
• helping to set up your policy and sending you information about it.
• collecting information to assist the providers to make policy alterations as requested by the policyholder.
• sending you renewal terms;
• assisting in the cancellation your policy if you or the insurer asks us to;
• collecting financial information to pass on to the insurer for them to collect premiums.
|Identity, contact, lifestyle (special category), financial and health (special category) information.||Performance of a contract with you Substantial public interest – In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 20 of the DPA 2018. This relates to the processing of special category data for insurance purposes.|
|Investigating and responding to complaints.||Identity, contact, lifestyle (special category), financial and health (special category) information.||Necessary for our legitimate interests (to prevent fraud). Substantial public interest – In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 20 of the DPA 2018. This relates to the processing of special category data for insurance purposes.|
|Providing improved customer service quality, training and security (for example, by reviewing recorded phone calls)||Identity, contact, lifestyle (special category), financial and health (special category) information.||Necessary to comply with a legal obligation. Substantial public interest – In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 20 of the DPA 2018. This relates to the processing of special category data for insurance purposes.|
|Using data analytics to improve our website, products and services, marketing, customer relationships and experiences||Technical, usage and profile information.||Necessary for our legitimate interests (to help define types of customers interested in our products and services, keep our website updated and relevant, develop our business and inform our marketing strategy).|
|Running the business in an efficient and proper way, including, but not limited to:|
• operational planning.
• keeping accounting records.
• analysing and managing the financial position.
• developing our products and services; and
• responding to internal and external audit requirements. We use measures to secure our systems and ensure they can operate effectively.
|Identity, contact, lifestyle (special category), financial, health (special category) and technical information.||Necessary to comply with a legal obligation.|
Necessary for our legitimate interests (to understand, monitor and develop the performance of the business, keep records and protect our systems).
Substantial public interest – In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 20 of the DPA 2018. This relates to the processing of special category data for insurance purposes.
|Making suggestions and recommendations about other health insurance products and services that may be of interest.||Identity, contact and marketing information.||We will only use personal information if we have your consent.|
5. Who do we share information with?
We will not sell, distribute, or lease any data to third parties or any other organisations to use for their own commercial purposes unless we have your permission or are required to do so by law. In order to provide our products and services, personal information may be shared with third parties who, for example, assist in our business administration or the prevention and detection of fraud. These third parties might include:
a) Insurance providers. We need to pass your information on to obtain quotations and set up policies on your behalf, and also to deal with any subsequent queries you may have with them and your renewals.
b) A relative or guardian acting on your behalf where you are incapacitated or unable to act for yourself, or other people or organisations associated with you such as your insurance provider or lawyer.
c) A named alternative contact (such as a relative or advisor) that you have appointed to speak to us on your behalf and who is authorised, by you, to discuss all aspects of your policy with us and can make changes on your behalf.
d) The underwriter and the reinsurer who provides your insurance cover.
e) Suppliers and providers of goods or services we make available to you.
f) Regulatory bodies such as the Financial Conduct Authority or the Information Commissioner’s Office.
g) The Financial Ombudsman Service if a complaint is made through it.
h) Other insurance companies, NHS fraud teams, the General Medical Council, the police and any law enforcement agencies and organisations that maintain anti-fraud databases where necessary for the prevention or detection of crime.
The extent of personal information we disclose will be limited to that which is necessary for the third party to carry out its purpose and we will not pass personal information, including special category information, to any third party if it is not needed.
We will not pass personal information, including special category information, to a third party that has been appointed by you if we do not believe it is in your best interests without checking with you first. We will also disclose personal information to third parties:
a) if we sell or buy any business or assets, in which case we will only disclose information to the extent such disclosure is required as part of the sale or purchase.
b) if the assets of UKHI, either in whole or in part, are acquired by a third party, in which case information held by UKHI will be transferred, as an asset, to the third-party purchaser.
6. How do we process your information?
Steps are taken to ensure the data we hold is accurate, kept up to date and not kept for longer than is necessary. Measures are taken to safeguard against unauthorised or unlawful processing and accidental loss or destruction or damage to the data.
From time to time, it may be necessary to process data outside of the European Economic Area (EEA). We will take all reasonable steps to ensure any organisation used to process data in these situations provides appropriate guarantees in respect of its technical and organisational security measures and that the transfer and processing of data complies with all relevant data protection and privacy laws.
Cookies are files containing small amounts of information which are downloaded to the device you use when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies do lots of different and useful jobs, such as remembering your preferences and generally improving your online experience.
We never store your personal details in cookies. If you want to block cookies, you can turn them off in your browser settings, but the quality of your online experience will be reduced.
7.1 Force24 Cookies & Tracking
Our organisation utilises Force24’s marketing automation platform.
Force24 cookies are first party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:
They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.
f24_autoId – This is a temporary identifier on a local machine or phone browser that helps us track anonymous information to be later married up with f24_personid. If this is left anonymous it will be deleted after 6 months. Non-essential, first party, 10 years, persistent.
f24_personId – This is an ID generated per individual contact in the Force24 system to be able to track behaviour and form submissions into the Force24 system from outside sources per user. This is used for personalisation and ability to segment decisions for further communications. Non-essential, first party, 10 years, persistent.
The information stored by Force24 cookies remains anonymous until:
- Our website is visited via clicking from an email or SMS message, sent via the Force24 platform and cookies are accepted on the website.
- A user of the website completes a form containing email address from either our website or our Force24 landing pages.
The Force24 cookies will remain on a device for 10 years unless they are deleted.
We also use similar technologies including tracking pixels and link tracking to monitor your viewing activities
Device & browser type and open statistics – all emails have a tracking pixel (a tiny invisible image) with a query string in the URL. Within the URL we have user details to identify who opened an email for statistical purposes.
Link Tracking – all links within emails and SMS messages sent from the Force24 platform contain a unique tracking reference, this reference help us identify who clicked an email for statistical purposes.
8. How long do we keep personal information for?
We only keep personal information for as long as it is reasonably necessary, but it will depend on what information we hold, why we hold it and what our wider regulatory obligations are.
If there is a dispute or legal action, or there are extenuating circumstances, we may be required to keep personal information for longer.
9. What are your rights?
You have a number of rights in respect of the way we process your personal information which are outlined below. If we cannot do what you ask, we will explain why – it is usually because of a legal or regulatory issue.
9.1 The right to access your personal information
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for sending you this information which will be sent to you in writing.
9.2 The right to rectification
We take reasonable steps to make sure personal information we hold is accurate and complete. However, if you believe the information we hold about you is factually incorrect, you can ask us to amend it.
9.3 The right to erasure
In certain circumstances, you can ask us to erase your personal information – for example if is no longer needed or if you withdraw your consent. However, this must be balanced against the consequences of erasure and there may be legal reasons why we cannot comply.
9.4 Right to restriction of processing
In certain circumstances, you can ask us to stop using your personal information – for example if you think the personal information we hold may be inaccurate or you think we no longer need to process it.
9.5 Right to data portability
In certain circumstances, you can ask us to transfer personal information you have provided to us to another third party of your choice.
9.6 Right to object to direct marketing
You can ask us to stop sending marketing messages at any time by contacting the Data Protection Officer.
9.7 Right not to be subject to automated-decision making:
Some of our decisions are made automatically by using third party (Provider) systems that adopt automatic calculations based on personal information parameters rather than an employee making those decisions.
We make automated decisions when deciding your premium. When you ask us for a quote, your premium is automatically calculated based on your age as well as the breadth of policy cover you have chosen and this is generally fixed.
9.8 The right to withdraw consent:
Where we have asked for, and you have given, your consent for us to use your personal information, you have
the right to withdraw your consent.
9.9 The right to make a complaint
You can complain to the ICO if you object to the way we use your personal information. More information can be found on the ICO website at https://ico.org.uk.
The Data Protection Officer
UK Health Insurance, County Gates House, 300 Poole Road, Poole, Dorset, BH12 1AZ.
Email: [email protected]