Punter Southall Health & Protection Limited, trading as Punter Southall Health & Protection, and all companies in the PS Group involved in providing services to our clients (we or us) are committed to protecting and respecting your privacy. [Currently, under the Data Protection Act 1998 (“DPA”), and] from 25 May 2018 under the General Data Protection Regulation as implemented into UK law (“GDPR”), we are required to provide you with certain information about what data we hold about you and any family members or other dependants (“Dependants”) that you or they provide, and how we use it.
The technical bit
We hold and process personal data about you in our capacity as a controller, in order to advise our clients on setting up protection, healthcare and other employee benefits related schemes and wellbeing programmes, arranging insurance cover and other benefits with insurers and other benefits providers, and administering or assisting in the administration and ongoing management of such schemes and programmes. We may obtain this information direct from you, or sometimes, if you are a Dependant of an employee of our client, from that employee, from our client, or from trade or professional associations of which you are a member, or other third parties. If you provide information relating to your Dependants, you must provide a copy of this notice to them, or otherwise ensure that they are fully aware of its terms. Our contact details are set out below.
Our Data Protection Officer is Richard Garmon-Jones whose contact details are set out below.
Our client will have determined the legal basis it has to process your personal data and that of any Dependants and provide or arrange for its provision to us in order for us to provide the services mentioned above. In addition to any other legal basis for our use of your personal data, for most personal data, our basis for using personal data will also be that it is necessary for the legitimate interests of our client in obtaining advice on and setting up and running protection, healthcare and other employee benefits schemes and wellbeing programmes, our legitimate interests in advising our client on such schemes and programmes, and arranging and administering such schemes and programmes, and insurers’ and other benefits providers’ interests in providing such schemes and programmes. These benefits schemes and programmes are intended to benefit you and your Dependants, and other employees and their Dependants of our client. The provision of your and, where appropriate, their personal data is needed for you and them to be able to receive benefits under the Scheme/programme.
In some cases, insurers and other benefits providers may require information about your health and/or that of your Dependants in order to consider an application to provide cover/benefits, or to make that cover/those benefits available to you/your Dependants. In addition to any other legal basis our client may have to process that data, where (as is often the case) the relevant benefits are provided to you/your Dependants and secured by insurance, the legal basis for their, our and any insurer’s use of that data will usually be that it is necessary for reasons of substantial public interest and subject to appropriate protections. This is because the UK Government recognises that it is generally in the public interest for employers to provide insurance-supported health, protection and wellbeing and other benefits. In the limited circumstances where the benefits are not secured by insurance, or the provision of the information does not fall within the substantial public interest justification mentioned above, and no other legal basis is available, the legal basis of our processing will be your explicit consent.
Where necessary, documentation that you/your Dependants need to complete to provide that information will include a provision where you/they can indicate that consent. If you do not consent to the provision of that data, we will be unable to provide the information to the relevant insurer/benefit provider, and that insurer/benefit provider may not be willing to provide the cover in respect of which the information about your/their health is sought. You may withdraw that consent at any time by notifying us via our contact details below. This may mean, however, that the insurers/benefits providers will no longer be willing to provide the affected benefits.
What data we hold and how we use it
Click on the links that relate to you below to see what personal data we process about you. The information we will or may process about you is:
We will use your personal data to advise our client on protection, healthcare and other employee benefit schemes and wellbeing programmes, arranging such schemes with insurers and other benefits providers, and managing and administering such schemes and programmes. In order to do this, we have to provide that information to the insurers and other benefits providers with whom we deal, to enable them to consider whether they are willing to provide the cover/benefits requested and, if so, on what terms. Those insurers and benefit providers will receive your data as independent controllers, and will be responsible for processing your data in accordance with the DPA or the GDPR. They will have their own privacy notices and documentation setting out how and why they process your personal data. A full list of the insurers and other benefits providers we currently deal with can be found here.
We may provide the service to our client through any member company of the PS Group. In such a case, they will act as controllers and will comply with the terms of our agreement with our client and this privacy notice.
In particular, Risk Policy Administration Limited (“RPA”) will provide some wellbeing services and manage the Gladis and Portal systems through which data relating to protection, health and other employee benefit schemes and wellbeing programmes, including your personal data, is obtained from you or your employer, and communicated to insurers and benefits providers. Some service providers who provide us with the infrastructure that enables us to provide the Services may have access to your personal data as our processors under the terms of agreements that limit the use of your data to that necessary to provide services to us, and contain other mandatory protections for your data. It is our intention, wherever possible, to avoid transferring your personal data outside the European Economic Area, but if it is transferred, Model Clauses or other mechanisms approved by the European Commission or the Information Commissioner’s Office (the UK data protection regulator (“ICO”)) will be put in place. On your request, sent to our contact details below, we will provide you with a copy of the relevant Agreement or details of the other mechanism.
We may also occasionally share your data with our legal and other professional service providers, when necessary to obtain appropriate advice.
We, RPA and other companies in the PS Group may create, use and provide to our customers and other third parties non-personalised, aggregated statistical, trend and risk analyses (“Statistical Data”) from the information provided to us, but that Statistical Data will not identify our customer or contain any of your or any other individual’s personal data. We do not carry out any automated individual decision-making using your personal data.
We will only keep your personal data for as long as we need to in order to fulfil the purposes for which it was collected, and as set out in this privacy notice, and for as long as we are required to keep it by law or regulatory requirements, or need to keep it for the establishment, exercise or defence of legal claims.
You have the following rights which can be exercised by contacting us via the contact details set out below:
• To access personal data held about you, and where our processing is based on your consent, to have that data transferred to another controller, where technically feasible;
• To request the rectification or completion of personal data which are inaccurate or incomplete;
• In certain circumstances, to restrict or object to the processing of your personal data or to request its erasure;
• To lodge a complaint with the ICO.
You can obtain further information about your rights from the Information Commissioner’s Office at www.ico.org.uk or via their telephone helpline (0303 123 1113).
The personal data we hold about you is used to arrange and manage a protection, health and/or other employee benefit scheme, and/or a wellbeing programme for our client, and for this purpose, we may from time to time request further information from you. If you fail to provide such information, or request that the personal data we already hold is erased or restricted, this may affect your benefits under the scheme/programme or our ability to manage them.
If you need or want to contact us, or our Data Protection Officer, our respective contact details are set out below.
Punter Southall Health & Protection
Richard Garmon-Jones, Data Protection Officer
Punter Southall Group