1. Introduction
This Privacy Policy explains in detail the types of personal data we may collect about you when you interact with us. It also
explains how we will store and handle that data and keep it safe. It also contains information on your rights in relation
to your personal data and on how to contact us and our supervisory authorities in the event that you have a complaint.

We will keep our Privacy Policy up to date and notify you of any significant changes to the way we process data.

2. Who we are
This Privacy Policy is issued by Health Shield Friendly Society. The address of Health Shield’s registered office is:

Electra Way
Crewe Business Park

Health Shield Friendly Society Limited is authorised by the Prudential Regulation Authority and regulated by the Financial
Conduct Authority and the Prudential Regulation Authority, with reference number 205304. It is registered with
the Information Commissioners Office with number Z5477523.

The Health Shield Friendly Society has two direct subsidiaries which it owns and controls and details of which can be found
on our website at This Policy explains how data is processed across the Society and its subsidiaries,
collectively “the Society”.

3. How and why we use your personal data?

  • Administer your product or service, including setting up and confirming the product or service (which may involve liaising with
    third party suppliers who provide included services) and providing information about any future changes and renewal
    information to you.
  • Set up and collect premiums through Direct Debit or payroll deduction.
  • Verify and pay claims (including liaising with you and service providers, where necessary).
  • Undertake health assessment questionnaires on-line to provide you and your employer with a picture of your overall health
    that can be used to assist your employer in meeting their occupational health responsibilities.
  • Undertake health assessments face-to-face to provide you with a picture of your overall health.
  • Provide a cancer screening service that allows you to independently undertake simple tests for the purposes of providing an
    indication, based on the presence of certain markers, of the presence of specific cancers.
  • Investigating and responding to complaints (including liaising with relevant parties to obtain all the required information).
  • Investigate any potential fraudulent activity.
  • Combine anonymously with that of other members for the purpose of valuation and pricing of our products and services.
  • Notify you of our new products and services (including identifying other products that may be suitable for you).

4. Reasons we can collect and use your personal information

Health Shield Friendly Society and Medex Protect Ltd

We rely on legitimate interest as the lawful basis on which we collect and use your personal data.
Our legitimate interests arise as the processing of your personal data is necessary to enable us to set up and administer our
products and services, including the payment of claims.

This includes the processing of personal sensitive data, such as data relating to your health, which we may collect when requesting
pre-existing conditions prior to set up of a product and when we assess a claim for payment.

It also includes processing your personal data for the purposes of identifying products and services that may be relevant to you
(known as ‘profiling’) and for aggregated analysis to improve our products and services. Where we undertake electronic marketing
(under the Privacy and Electronic Communications Regulation) we will collect your explicit consent to do.

We have considered the impact of our data processing on you and have concluded that the purpose of our processing is likely to
be within your legitimate interests and expectations when purchasing our products and services and will not harm your rights and
interests. If you have any concerns about the way that we process data then you have a number of rights available to you, as
explained in this Privacy Policy.

Prevent Ltd trading as Health Shield

When you complete a health questionnaire we obtain your consent in order to process your personal and sensitive data.
We will obtain further consent from you before we share any health related reports with your employer.

When you undertake a health assessment with our practitioners we will ask you to complete a self-assessment questionnaire
for which we will request your consent for processing.

When you undertake a cancer screening test we will ask you for your consent to process the data and provide you with the

5. What sort of personal data do we collect and why?

In the course of setting up, providing and administering our products and services we may collect the following
personal information when you provide it to us:

  • Basic personal details such as your title, name, address, e-mail address, telephone number, date of birth and employer.
  • Basic personal details regarding your partner and dependants (if they are to be covered under the policy) including title,
    name and date of birth.
  • Bank account details to collect premiums by Direct Debit and to pay claims by bank transfer.
  • Health information, including pre-existing medical conditions or information submitted as part of the claims process, such as
    copies of receipts for treatments.
  • Information about your lifestyle and employment history.
  • Marketing preferences for any future communications.

If you pay for a product or service via your employer’s payroll, we may also collect:

  • Your payroll number or another unique identifier. We may still hold National Insurance numbers as unique identifiers for some members of existing policies, but are working with companies where this is the case to replace these with other unique identifiers.

Where a policy or service is arranged by your employer, or an Intermediary acting on their behalf, we will receive
personal data in order to set up the policy or service, including:

  • Basic personal details such as your name, data of birth and payroll number (or other unique identifier).
  • Basic personal details for your partner and dependants (if they are to be covered under the policy) including name, date of
    birth and gender.

Even where a policy or service is arranged by your employer, all claims will be submitted directly by you to us in
writing or via our on-line portals (rather than via your employer) and we may collect the following additional
personal information:

  • Bank account details to pay claims by bank transfer.
  • Health information, including pre-existing medical conditions or information submitted as part of the claims process, such as
    copies of receipts for treatments.
  • Marketing preferences for any communications that we may wish to share with you.

We also obtain personal data from other sources as follows:

  • When we contact employed representatives (e.g. HR managers) of actual or prospective clients, or their appointed agents,
    for the setting up and administration of products, we may collect basic contact details.
  • When you contact our customer care, claims or sales team we retain a record of the communication (whether by post, telephone, email, chat or social media).
  • To deliver the best possible on-line experience, we may collect technical information about your visits to our websites and any resources you access through use of analytical and statistical tools we have that monitor details of your visits including, but not limited to, traffic data, location data, weblogs and other communication data but this data will not identify you personally.
    An example of such data would include the type of internet browser or the type of computer you are using, or the domain name
    of the website from which you linked to our site. We use ‘cookie’ technology and IP addresses to obtain information from on-line visitors to provide them with the best possible personalised online experience. Learn more about how we use cookies.
  • Information from service providers, health practitioners and medical professionals in order to verify claims as part of our work
    to detect and prevent criminal activity.
  • Entering or replying to competitions, customer surveys and questionnaires during which we may collect your basic contact
    details and comments, views and opinions on our service.
  • When you visit our stand at events and exhibitions.
  • When you create an account on the Members’ Area of the Health Shield website we collect basic personal details in order to
    identify your account and administer secure access.

6. How can you prevent the use of your personal data for direct marketing?

We understand that individuals may not wish to receive marketing information. There are several ways you can stop direct marketing communications from us:


  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails.
  • If you have logged onto the Members’ Area of the Health Shield website, visit the ‘My Account’ area and change your
  • In our apps, you can manage your preferences and opt out from one or all of the different push notifications by selecting or deselecting the relevant options in the ‘Settings’ section.
  • Write to the Data Protection Officer at Health Shield Friendly Society, Electra Way, Crewe, Cheshire, CW1 6HS, or email .

7. How do we protect your personal data?

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed
in an unauthorised way.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your
information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator
of any data security breach which has the potential to impact on your rights and freedoms.

8. How long do we retain your personal data?

As a data controller, we only hold your data for as long as is necessary to provide our products and services. However, in some
cases we are required to retain your personal data for legal and regulatory purposes. In meeting those purposes we will only
retain the minimum level of personal data which is necessary.

We will retain personal data:

  • For 7 years (6 years as required by Financial Conduct Authority complaints-handling rules and the Limitation Act 1980
    with the addition of a further year, as claims can be submitted 12 months after membership ends).
  • Bank accounts details and details of any pre-existing medical conditions will be deleted 2 years after your membership ends.
  • For Prevent Ltd, medical records will be retained for 8 years in line with The Records Management Code of Practice for
    Health and Social Care 2016 produced by the Information Governance Alliance in 2016.

9. Who do we share your personal data with?

In the course of administering your products and services, we share personal data with a limited number of third parties. This includes:

  • To provide the benefits and services for which you have applied.
  • To verify your identity and check your details.
  • To authorise payments and any other transactions.
  • To underwrite certain products offered by the Society, this may include personal data, such as health and medical conditions
    for claims processed under your plan.
  • To provide marketing activity on behalf of the Society.
  • The provision of our information and technology support and maintenance. By virtue of their role our IT providers may have
    access to your data in limited circumstances, as determined in our contract with them.
  • The provision of specialist services: Actuarial Services, for valuation purposes; and the provision of Internal Audit, who
    independently assess our performance.
  • To share your reports with your employer (if you consent for us to so).

In doing so and to keep your data safe and protect your privacy:

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our contract with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

We will share personal information with law enforcement or other authorities if required by applicable law.

10. Do we transfer your information out of Europe?

Our office and all our staff are based in the United Kingdom and all our personal data is stored locally, or on data servers in the United Kingdom.

If in future we should need to engage a third party which operates outside of Europe for the provision of services, then we
would ensure that an equivalent degree of protection is provided by implementing appropriate technical measures and legal

11. What are your rights over your personal data?

  • Fair processing of information and transparency over how we use your use personal information.
  • Access to your personal information and to certain other supplementary information that this
  • Privacy Policy is already designed to address.
  • Require us to correct any mistakes in your information which we hold.
  • Require the erasure of personal information concerning you in certain situations.
  • Object at any time to processing of personal data concerning you for direct marketing.
  • Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly
    affect you.
  • Object in certain other situations to our continued processing of your personal data.
  • Otherwise restrict our processing of your personal data in certain circumstances.

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individual’s rights under the General Data Protection Regulation .

12. How to contact us

Please contact us if you have any questions about this Privacy Policy or the information we hold about you.

You can email our Data Protection Officer at , call or write to us at:

The Data Protection Officer
Electra Way
Telephone: 01270 588555

13. How to complain

We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information. If you
are not happy with our response then please contact our data regulator, the ICO, at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113

14. Do you need extra help?

If you would like this Privacy Policy in another format (for example: audio, large print or braille) please contact us (see ’12. How to contact us’ above).

We use cookies to give you the best experience on our website. You can change your cookie settings at any time. Otherwise, carry on browsing.