GDPR Data Privacy notice for members
The Gwent Hospitals Workmen’s and Contributory Fund t/a Plutus Health are committed to protecting your data, respecting your privacy and complying with data protection legislation and the General Data Protection Regulation (GDPR). Plutus Health is a data controller. This means that we are responsible for deciding how we hold and use personal information about you.
This statement sets out how and why we are processing the information we have on you. It also explains your rights as a data subject.
This policy, and any other documents referred to, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller – A controller determines the purposes and means of processing personal data.
Data processor – A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Categories of data: Personal data and special categories of personal data
Personal data – The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). Examples include name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Special categories personal data – The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Our commitment to you
Our aim in processing your data is to successfully deliver our service to you with an appropriate level of data sharing whilst recognising the need to protect your fundamental rights to privacy.
Plutus Health is committed to:
- Protecting the confidentiality, integrity and availability of the information it collects, stores, transfers and processes in accordance with the GDPR, and to meet its legal requirements and contractual obligations.
- Explaining why it needs personal information and only asking for the personal information it needs.
- Processing data only in a manner that is compatible with the specified, explicit and lawful purposes.
- Maintaining the accuracy and completeness of data.
- Only sharing personal information with other organisations as necessary, where the person concerned has given their consent to share their personal data, or where another legal basis of sharing the data overrides the need to give consent.
- Ensuring the individual can make requests in relation to their data subject rights.
- Not keeping personal information for longer than necessary or as required by legislation.
- Investigating and reporting data breaches and suspected breaches, and being open and honest when things have gone wrong.
- Assessing its information security controls annually.
- Applying the above standards to its supply chain and delivery partners.
- Keeping data in a form that permits identification of individuals no longer than necessary for the purposes for which the personal data is processed, in accordance with the Plutus Health data record.
- Applying appropriate technological and organisational controls to ensure the security of personal data.
In order to meet its commitment, Plutus Health operates technical, physical and procedural controls to maintain the confidentiality, integrity and availability of information. Plutus Health maintains an information security policy which provides further details regarding the minimum standards of control to which it operates.
What are your rights?
At Plutus Health we recognise that your data is important to you and therefore we are committed to supporting you with your data protection rights. Within legal and regulatory constraints, you have the right to:
- Have information about how your information is being processed
- Request a copy of your data at any time (commonly known as a data subject access request)
- Port (move/transfer) your data to an alternative service provider
- Have your data rectified or corrected if it is factually inaccurate
- Be forgotten or have your data erased
- Restrict the processing of your data, in certain circumstances
- Object to the processing of your data, in certain circumstances
- Appropriate decision making
Right to withdraw consent
You have the right to withdraw your consent to specific processing at any time. Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis to do so in law.
How to contact us about your data or your data rights
If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact Martin Ricketts, Senior Manager, Plutus Health, 60 Newport Road, Cardiff CF24 0YG.
Telephone: 01633 266152
How to make a complaint about the way your data is being processed
At Plutus Health we make every endeavour to protect your data. In the event that you are not happy with the manner in which we process your data, you may wish to make a complaint. In the first instance, please contact the Senior Manager in writing providing your contact details and the nature of your complaint.
If you are not happy with the response you receive you may also wish to contact the UK data protection regulator, the Information Commissioner, whose contact details are available at https://ico.org.uk
How and why we process your personal data
We will only process your personal information for the purpose for which we collected it i.e. the fulfilment of contracts of insurance. If we need to use your information for an unrelated purpose we will contact you and we will explain the legal basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of criminal investigation.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time.
Our legal basis for processing your personal data
- Personal data (article 6 of GDPR)
- Special categories of personal data (article 9 of GDPR)
Our lawful basis for processing your personal data:
- Consent of the data subject
- Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Necessary for our legitimate interests
Our lawful basis for processing your special categories of data:
- Health data with the explicit consent of the data subject
- Processing necessary for the performance of a contract with the data subject
- Necessary for our legitimate interests
The purpose of processing your personal data
Plutus Health processes your personal data for the following purposes:
- To provide Contracts of Health Cash Plan insurance
- To provide Personal Accident insurance cover
- To provide you with information regarding our range of products and services in order to optimise your customer experience
- To collect monies due under the policy
- To process claims against your policy
- To collate statistical analysis of the Plutus Health database
- To maintain our own accounts and records
- To inform individuals of news, events or activities
The categories of personal data concerned
With reference to the categories of personal data described in the definitions section, we process the following categories of your data:
- Personal data, including:
  - Name and address
  - Job title
  - Employer's details
  - Age and date of birth
  - Contact information including telephone and email address
  - Payment details, bank sort code & account number
  - Claims records
- Special categories of data – we also collect sensitive personal data concerning health matters from you, or about you
Who has provided us with your data?
If you are a direct customer, your data will have been provided directly by you, your representative or health professional. You may give us information about you by filling in paper application forms, online application forms on our website, or by corresponding with us by letter, phone, email or otherwise.
If you are a corporate client, or an employee of a corporate client, then the corporate client may have provided the data.
Will we share your data with anyone?
At Plutus Health we only work with trusted suppliers who have agreed to treat your information as respectfully as we do and in accordance with the requirements of the GDPR and only for the purpose of administering your policy or providing you with information.
In order to provide you with up to date information about our products and services we may share your data with emailing partners, public relations agencies or data profiling companies.
How long will we keep your data for?
We will keep your data for marketing purposes until your consent is withdrawn or the data is refreshed.
All contractual documentation and your electronic membership record are retained for seven years after the cessation of the contract. Claims records are retained normally for seven years or until the data is refreshed.
Will we use your data to make automated decisions?
What happens if you fail to provide personal information?
You are under no statutory or contractual requirement or obligation to provide us with your personal data. If you fail to provide certain necessary personal information, we may not be able to meet our expected level of customer service or fulfil our contract with you.
Transfer of Data Abroad
We do not transfer personal data outside of the EEA.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.