PROTECTING YOUR PRIVACY
Health Shield Friendly Society Ltd is committed to protecting its Members’ right to privacy. We appreciate the importance and confidentiality of the personal information that you disclose to us when applying to join the Society, making a claim or visiting our website, and we take great care to fulfil our responsibilities under the Data Protection Act 1998.
This policy is designed to help you understand how and why we collect personal information, what it is used for, how it is stored, how long it is kept, how it is disposed of and what your rights are under the Data Protection Act.
Who we are
In this document, ‘we’ and ‘us’ mean Health Shield Friendly Society Ltd and we act in the capacity of registered Data Controller.
Our Data Protection Register number is Z5477523 and the full register can be found here.
Information that relates to a living individual who can be identified either directly or by combining it with information from other sources is known as personal data.
Sensitive personal data
For the purposes of how we use your information, sensitive personal data is defined as information which relates to your physical or mental health. The full definition of sensitive personal data may be obtained from the Information Commissioner’s Office website.
WHAT INFORMATION DO WE HOLD ABOUT YOU?
The personal data we collect about you is obtained from what you tell us on your application form, from an intermediary (or broker) or from your employer when you join the Society. It may also be taken from the Members’ Area on our website or from your claim form when you submit a claim.
We typically record your name, date of birth, address, telephone number and email address.
If you pay your contributions via your employer, we may also record your payroll number or other unique reference number.
If you pay all or some of your membership contributions to us by Direct Debit, we keep the bank details you supply.
If you have chosen to receive your claims payments by direct transfer, we also keep the bank details you have provided for that purpose.
Sensitive personal data
The sensitive personal data we collect about you is obtained from the claim forms you submit and any supporting information you send to us. We may also obtain information from the practitioners that you use or ask you to complete a Health Declaration Form when you join the Society to provide us with additional information regarding any pre-existing medical conditions.
We keep the paper copies of your claim forms securely both during and after processing. We also retain electronic records of your claims in our computer system attached to your membership file.
PERSONAL DATA OBTAINED FROM OTHER SOURCES
If we acquire your information from a third party (e.g. an intermediary or your employer), we expect them to operate in accordance with the Data Protection Act. If we acquire your information in this way, you will have already submitted your personal data to them and specifically given permission for them to pass it on to us.
HOW DO WE USE YOUR INFORMATION?
The personal data and sensitive personal data we collect are used for the administration of your membership, collecting your subscription payments and for processing your claims.
We may also use the information collected to notify you about our news, products, services and special offers. If you do not wish to receive this type of communication, you can opt out by contacting us at the address below.
We use recordings of telephone conversations for quality control purposes and during the investigation of complaints and financial crime.
We may combine some of your data anonymously with that of other members for valuation or statistical purposes.
DATA PROTECTION CHECKS
Whenever you contact Health Shield by telephone in regard to your membership or making a claim, we will ask you to provide three items of personal information to confirm your identity before we can discuss any details. This is to confirm that we are speaking to either the member themselves or to someone who has been authorised to act on their behalf.
If you are unable to provide this information or we cannot confirm your identity, we may only be able to give limited or generalised advice in response to your query.
HOW DO WE KEEP YOUR INFORMATION SECURE?
The information we hold about you electronically is stored in a secure database to which there is restricted access. The database is regularly backed up by our IT Department and a duplicate of the database is held off-site by a partner company.
The information we hold about you in manual filing systems is kept securely in locked drawers and cupboards when it is being worked on and it is later stored in secure archives at Head Office.
Any paperwork that is no longer required is shredded on-site by a document management company.
SHARING YOUR INFORMATION WITH OTHERS
If your membership is connected to your employment we may share basic details with your employer or another authorised intermediary to enable day-to-day administration of the policy.
We will never share any information relating to your claims, health or wellbeing with your employer or an intermediary without your explicit consent to do so.
We do not share your personal or sensitive personal data with anyone else except as required by the law, our regulator, or under strictly controlled arrangements with appropriate organisations for the purpose of detection and prevention of financial crime.
You can obtain basic information from the Health Shield website without disclosing any personal data. To access information specific to your membership you must log into the secure Members’ Area using your membership number or registered email address and a password known only to you.
We strongly advise that you keep your password secret to prevent unauthorised access to any private information.
You should be aware that you are responsible for how our websites are used when your membership number, password or any other information which helps to identify you is used to gain access to secure areas of the website.
If you think that your membership number, password or any other information which helps to identify you has been lost, stolen or is being misused, please contact us at the address given below.
Cookies are small files copied to your computer from the Health Shield website and used to assist in the completion of online forms. No information is sent to us or any other person or organisation. Members can set their computer browser to reject cookies but this will prevent the assisted completion of forms.
Applying and claiming online
Any information you submit during the course of an online application or claim is transmitted and stored securely. It is not stored on our website and is not accessible by anyone else.
Telephone calls and emails
We record and monitor all telephone calls and emails coming into or going out of our Head Office and you will be reminded of this if you call us. Telephone calls are recorded for training and quality purposes and to help us improve our products and services for you. Access to telephone call recordings is restricted and they are stored securely.
You should also be aware that email communication is not completely secure and can pose risks beyond the Society’s reasonable control. As a result, Health Shield cannot accept any responsibility for any errors, omissions or losses that may occur when communicating via email.
We have a number of physical safeguards in place to ensure that your personal data is held securely and to reduce the risk of it being duplicated, stolen, destroyed or misused.
Our Head Office is protected by a security company who carry out regular patrols, and by fire and intruder alarm systems linked to the emergency services.
An electronic key-card system and digital door locks also control access to the buildings and to archive facilities.
Closed-circuit television (CCTV) is also employed at our Head Office for security. Access to the CCTV system is restricted and we do not routinely share any recorded images, sound or video with any third party. However, we may choose to share such recordings with the Police or other authorised security organisations if we believe it necessary to detect or prevent crime against our staff, premises or assets or those of other innocent third parties.
All personal data held on computer is protected from theft and cyberattack by standard IT protocols including the use of anti-virus software, firewalls and email security software.
Access to personal data held in our databases is strictly controlled by necessity. For example, the Finance Department cannot access the areas of the database that are used for processing claims.
We also have our own power supply to prevent personal data held on computer being corrupted by power cuts or surges from the mains supply.
Health Shield is a member of the Health Insurance Counter Fraud Group UK and we share intelligence with other members of the group where fraudulent activity has been confirmed. The Health Insurance Counter Fraud Group UK is an industry initiative to prevent and detect fraud within healthcare and the insurance industry.
If fraud is detected, we may share certain information with other third parties who have a legitimate interest (e.g. the Police, the Insurance Fraud Bureau and NHS Protect) or if we have a legal or moral obligation to do so.
HOW LONG DO WE KEEP YOUR DATA?
We will only keep your data for as long as it is required either to administer your membership or as otherwise demanded by legal or regulatory requirements. Typically we will retain your data for six years after it was last used.
The paper copies of your claim forms and associated documents are retained for up to 12 months before being securely destroyed on-site. Information stored electronically is routinely destroyed when our legal and regulatory obligations have expired.
WHAT ARE YOUR DATA PROTECTION RIGHTS?
Under the Data Protection Act you have the right to ask for a copy of some or all of the information we hold about you. If you wish to make such a request you should write to the address given below. There may be a small charge for providing this information.
You can ask for any information we hold about you which you believe to be incorrect to be put right.
You can also change your preferences to stop us from sending you information about other products or services.
OTHER INFORMATION WE COLLECT
If you register a partner or dependent child to your membership we will, during the normal day-to-day operation of your membership, collect their personal and sensitive personal data. By supplying their data you give implied consent for us to use it in the same way as we use yours.
We treat the information you supply to us with the same care and respect as we do your data and we process it according to the same controls.
HOW TO CONTACT US
If you have any questions about how we collect and use your personal information or wish to see a record of your personal information to check, correct, update or delete it, please contact:
Health Shield Friendly Society Ltd
Crewe Business Park
Telephone: 01270 588555
UPDATES TO THIS POLICY
THE DATA PROTECTION PRINCIPLES
All of our policies and procedures comply with the eight data protection principles established within the Data Protection Act. These are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.