Westfield Health’s Privacy Promise:
“Westfield Health” are committed to protecting the privacy of our users and customers whilst improving people’s quality of life by enabling them to make healthier choices.
When it comes to health and wellness, we know that one size doesn’t fit all, so we’re committed to helping people eat well, move more, sleep better, think clearer and feel great.
We’re dedicated to a smarter approach to health, and have formed partnerships with outstanding organisations, which enable us to develop market leading insight, expertise and technology.
We believe in being open and up front with users and customers and have developed our Privacy Promise, a quick and simple summary explaining how we manage, share and look after your information.
Our Privacy Promise
We promise to collect, process, store and share your data safely and securely:
- You’re always in control: Your privacy will be respected at all times and we will put you in control of your privacy with easy-to-use tools and clear choices.
- We work transparently: We will be transparent about the data we collect and how we use that data so that you can make fully informed choices and decisions.
- We operate securely: We will protect the data that you entrust to us via appropriate security measures and controls. We’ll also ensure, through the contracts we have in place, that other businesses we work with are just as careful with your data.
- For your benefit: When we do process your data, we will use it to benefit you and to make your experience better and to improve our products and services.
Who we are
1. Who are Westfield Health?
1.1. “Westfield Health” (referred to in this policy as “we”, “us” or “our”) is a trading name of:
Westfield Contributory Health Scheme Ltd
60 Charter Row
Registered company number: 0303523
ICO registration number: Z5678949
Westfield Health & Wellbeing Ltd
60 Charter Row
Registered company number: 9871093
ICO registration number: ZA153170
Westfield Employment Services Ltd
60 Charter Row
Registered company number: 09870326
ICO registration number: ZA153161
Bolton and District Hospital Saturday Council
Trading as UK Healthcare
60 Charter Row
Registered company number: 00518573
ICO registration number: Z5979687
The Working Health Company Limited
43 High Street
Registered company number: 03848209
ICO registration number: ZA356526
2. Our Data Protection Team
2.1. “Westfield Health” have a Data Protection Officer, who can be contacted in the following ways should you have any questions, complaints or feedback about your privacy:
What personal data we collect and how we use it
3. What data we need and why we need it:
This section tells you what personal data we may collect from you and why we need it when you use our services and what other personal data we may receive from other sources.
3.1. When you register for our services, you may provide us with:
- Your personal details, including your title, name, postal and billing addresses, email addresses, phone numbers and date of birth;
- Your payment details;
- Information in relation to your health, including any pre-existing medical conditions;
- Details in relation to your partner, friends or dependents for the purposes of adding them to your plan/policy or in order to create their own. Where customers have provided information about another person the customer should ensure that they have their approval to do so.
3.2. When you contact us, or we contact you or you take part in promotions, competitions, surveys or questionnaires about our services, we may collect:
- Personal data you provide about yourself any time you contact us about our services (for example, your name, username and contact details), including by phone, email or post or when you speak with us via social media.
- Details of the emails and other digital communications we send to you that you open, including any links in them that you click on.
- Information collected using cookies stored on your device(s) about the use of our online services.
- Your feedback and contributions to customer surveys and questionnaires.
3.3. We will record and monitor telephone calls made to and from Westfield Health’s sales and customer service teams. We do this in order to continuously improve our service to customers and for training purposes. This will also include the recording and monitoring of Special Category Data, such as data relating to health and medical conditions. We do not record the segment of telephone calls where any form of payment is being made.
3.4. Special Category Data such as Medical and Health information will be processed using our substantial public interest, under the purpose of Insurance.
4. Marketing & Market Research
Here we explain the choices you have when it comes to receiving marketing communications and being invited to take part in market research.
4.1. We will send you relevant offers and news about our products and services in a number of ways including by email, but only if you have previously agreed to receive these marketing communications.
4.2. When you register with us we will ask if you would like to receive marketing communications, and you can change your marketing choices online via our marketing preference centre, in My Westfield, over the phone or in writing at any time.
4.3. We also like to hear your views to help us to improve our services, so we may contact you to invite you to take part in market research, called Westfield Insiders. You always have the choice about whether to take part in our market research.
5. Understanding our Customers
5.1. We may make use of profiling to produce more relevant and tailored communications by having a deeper understanding of your interests, behaviours and personal preferences. This information helps us provide a better experience for our customers.
5.2. Profiling can help us target our resources more effectively through gaining an insight into the background of our customers and helping us to build relationships that are appropriate to their interests.
5.3. To do this we may use additional external sources of data to increase and enhance the information we hold about you. This may include obtaining details of changes of address, date of birth, telephone numbers and other contact details, information related to your consumption and demographic data generated through software tools such as Cameo or Acorn.
5.4. If you have any questions in relation to how your information is processed, then please contact us using the information in point 13.
6. Processing your data using our Legitimate Interests
We have a number of lawful reasons that we can use (or ‘process’) your personal data. One of these lawful reasons is called ‘legitimate interests’.
Broadly speaking legitimate interests means that we can process your personal information if:
- We have a genuine and legitimate reason and we are not harming any of your rights and interests.
The following are some examples of when and why we would use this approach during our normal course of business:
6.1. To improve and enhance our services: When we do process your data, we will use it to benefit you and to make your experience better and to improve our products and services.
6.2. Your best interest: Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
6.3. Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our customers.
6.4. Analytics: To process your personal data for the purposes of customer analysis, assessment, profiling and direct marketing, on a personalised or aggregated basis, to help us with our services and to provide you with the most relevant information as long as this does not harm any of your rights and interests.
6.5. Research: To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
6.6. Due Diligence: We may need to conduct investigations on existing customers, potential customers and business partners to determine if those companies and individuals have been involved in or convicted of offences such as fraud, bribery and corruption.
6.7. Direct Marketing: We may send postal marketing. We will also make sure our postal marketing is relevant for you and tailored to your interests. You also have the right to opt out of receiving this information at any time.
6.8. When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Sharing your personal data
7. Third Parties
7.1. In order to provide you with our services, we only share your data with 3rd parties and other organisations within the Westfield Health Group, in the following circumstances:
- To fulfil your order;
- To provide the benefits and services for which you have applied;
- To verify your identity;
- Authorising debit/credit card payments and any other transactions authorised by the customer;
- To manage and maintain the accuracy of your records;
- To manage the underwriting and/or claims handling procedures (inclusive of your dependents’ claims). This may include Special Category Data, such as health and medical conditions for all claims processed under your plan;
- To prevent and detect fraud. This will include the recording and monitoring of Special Category data, such as health and medical conditions for all claims processed under your plan;
- To handle complaints and improve customer service; and
- To administer marketing on behalf of Westfield Health.
7.2. We may also disclose information to third parties or individuals when obliged to by law, for purposes of national security, taxation and criminal investigations.
7.3. We’ll never make your personal data available to anyone outside Westfield Health for them to use for their own marketing purposes without your prior consent.
8. Your data outside Europe
8.1. The EEA is the European Economic Area, which consists of the EU Member States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA we have to tell you.
8.2. Limited personal data that we collect from you may be transferred to and processed in a destination outside of the EEA. In these circumstances, your personal data will only be transferred on one of the following bases:
- The country that we send the data to is approved by the European Commission as providing an adequate level of protection for personal information; or
- The recipient has agreed with us standard contractual clauses (SCCs) approved by the European Commission, obliging the recipient to safeguard the personal information; or
- There exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third party recipient of personal data in the United States has registered for the EU-US Privacy Shield).
Limited situations where your personal data may be transferred outside the EEA are as follows:
Purpose of Processing: Event administration.
Nature of the Data: Name and contact details.
3rd Party: Eventbrite, Inc. t/a “Eventbrite”
Appropriate and Suitable Safeguard: EU-US Privacy Shield
8.3. To find out more about how your personal data is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the appropriate and suitable safeguards), please contact our Data Protection Officer using the details above.
9. How we look after your data
We will protect the data that you entrust to us via appropriate security measures and controls. We’ll also ensure, through the contracts we have in place, that other businesses we work with are just as careful with your data.
9.1. We will always take appropriate technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
9.2. The Westfield Health website is encrypted and secure.
9.3. We will continually test, audit and monitor our compliance with Information Security standards and relevant Data Protection regulations.
Retention of data
10. How long we hold your data
10.1. We will keep your personal data for a number of purposes, as necessary to allow us to carry out our business. Your information will be kept securely for up to 6 years following the date you cease to remain an active customer, after which time it will be archived, deleted or anonymised. In some cases for the purposes of processing your existing or future claims and for underwriting purposes, we may keep personal information for longer. Where we, at present, cannot technically erase the data we will ensure this is securely archived with restricted access.
What can I do?
11. Your rights
11.1. Right to be Informed: We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.
11.2. Right to Access: You have a right to request access to the personal data that we hold about you and this should be provided to you. If you would like to request a copy of your personal data, please contact our Data Protection Officer via point 13.
11.3. Right to rectification: We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them. You can also visit the “My Westfield” section of the website and update your details at any time.
11.4. Right to erasure: You have the right to have your data ‘erased’ in the following situations:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
- When you withdraw consent.
- When you object to the processing and there is no overriding legitimate interest for continuing the processing.
- When the personal data was unlawfully processed.
- When the personal data has to be erased in order to comply with a legal obligation.
If you would like to request erasure of your personal data, please contact our Data Protection Officer via point 13. Please note that each request will be reviewed on a case by case basis and where we have a lawful reason to retain the data or where exceptions exist within our retention policy, then it may not be erased.
11.5. Right to restrict processing: You have the right to restrict processing in certain situations such as:
- Where you contest the accuracy of your personal data, we will restrict the processing until you have verified the accuracy of your personal data.
- Where you have objected to processing and we are considering whether Westfield Health’s legitimate grounds override your legitimate grounds.
- When processing is unlawful and you oppose erasure and request restriction instead.
- Where Westfield Health no longer need the personal data but you require the data to establish, exercise or defend a legal claim.
11.6. Right to data portability: You have the right to data portability in certain situations. You have the right to obtain and reuse your personal data for your own purposes via a machine-readable format, such as a .CSV file. If you would like to request portability of your personal data, please contact our Data Protection Officer via point 13. This only applies:
- To personal data that you have provided to us;
- Where the processing is based on your consent or for the performance of a contract; and
- When processing is carried out by automated means.
11.7. Right to object: You have the right to object to the processing of your personal data in the following circumstances:
- Direct marketing (including profiling). Remember you can opt out at any time from marketing communications via our Marketing Preferences, available in “My Westfield”;
- Where the processing is based on legitimate interests; and
- Processing for purposes of scientific/historical research and statistics.
11.8. Rights in relation to automated decision making including profiling: You have the right to not be subject to a decision when it is based on automated processing. If you have any questions in relation to how your information is processed in this way, then please contact our Data Protection Officer using the information in point 13.
12. The Regulator
12.1. If you feel that “Westfield Health” has not upheld your rights, we ask that you contact our Data Protection Officer whose details can be found in point 2.1 so that we can try and help.
12.2. If you are not satisfied with our response, or believe we are not processing your data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Their details are supplied below: