This notice outlines your rights as a member or customer of Welsh Hospitals & Health Services Association (WHA), or as a visitor to our website, under General Data Protection Regulation (GDPR).

This privacy notice tells members and customers of WHA what to expect when WHA processes your personal information, which will include collecting, using, retaining and disclosing your personal information.

Personal information is information that (on its own or together with other information) identifies you and is about you. This includes what you tell us about yourself and what we learn by having you as a member or customer.

Who we are

WHA is a Healthcare Cash Plan provider. WHA is a trading name of Welsh Hospitals & Health Services Association, which is registered at 60 Newport Road, Cardiff CF24 OYG.

When we refer to WHA (or to ‘we’, ‘us’, or ‘our’), we mean Welsh Hospitals & Health Services Association.

To ensure that we process your personal information fairly and lawfully, this notice informs you:

  • Why we need your personal information;
  • How it will be used;
  • With whom it will be shared; and
  • What rights you have in relation to the personal information we collect.

Within this notice we describe instances where WHA is the ‘data controller’ (the organisation who decides what personal information is collected and how it is used).

There may be situations where WHA processes data on the instructions of another organisation (known as acting as a ‘data processor’), but in those circumstances our use of data would be governed by that organisation.

Our commitment to your privacy

WHA recognises the importance of protecting personal and confidential information in all that we do and takes care to meet our legal duties. WHA puts in place all reasonable technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information.

How the law protects you

Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it outside of WHA.

The reasons why WHA may process your personal information are:

  • To fulfil a contract we have with you;
  • When it is in our legitimate interest;
  • When it is our legal duty; or
  • When you consent to it.

If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using the details set out at the end of this privacy notice.

A legitimate interest is when we have a business or commercial reason to use your information, but this must not be outweighed by your rights or freedoms.

What types of personal information do we process?

We process personal information to enable WHA to support the provision of our services to members and customers, to maintain our own accounts and to promote our services. We do not make decisions about you using automated means. Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention.

The types of personal information we use include:

  • Personal details such as names, addresses, telephone numbers, dates of birth, marital status; *
  • Your relationship to other individuals on your WHA membership;*
  • Employment and work details for individuals who pay for membership through their salary or pension;*
  • Financial details, including payments to WHA by members and customers and payments made by WHA for services provided to members;*
  • Details of how you use our website, and where you have accessed it from;
  • Details of when you contact us and when we contact you (including telephone calls and copies of written communications such as emails or letters);
  • Details of which WHA products you have purchased;
  • Any consents which you have given us in relation to the processing of your information;*
  • Physical or mental health details in relation to requests by members for access to our services or when you make a claim.* Such information requires special protection by law – we will always explain what information we require and why it is needed when collecting this information. It will always be processed and stored securely. Further information about situations where we will process your health information and our reasons for doing so are set out below in the section ‘How we use your personal data’.

Where do we collect your personal data from?

We may collect your personal information from the following sources:

  • When you apply for our products and services either on-line via our website or completing an application form.
  • When you join via another policyholder on their policy.
  • From your employer who is providing WHA Healthcare cash plan for you and they have authorisation to share your data with us.
  • When you communicate with us via telephone or e-mail
  • When you make a claim.

Cookies

For more information on how we use cookies please see our website cookie policy

How we use your personal data.

Below is a list of the ways that we may use your personal information and which of the reasons we rely on to do so.

How we may use your personal information

Where applicable our legitimate interests

Reasons we rely on for processing

To ascertain suitability for membership and on what basis

To administer payments relating to membership.

 

Fulfilling contracts.

To process your benefit claims.

 

Fulfilling contracts.

To communicate with you about your membership or WHA products you have purchased.

To manage our relationship with you.

To conduct analysis and research activities to improve and develop our products and services.

To analyse our advertising activity.

To create anonymised pen portraits for marketing purposes.

Keeping our records up to date.

Determining which of our products may be of interest to you and informing you about them.

Defining audiences to market our products to.

Seeking your consent when we need it to contact you.

Being efficient about how we fulfil our legal and contractual duties.

Ensuring that our organisation is run properly and efficiently.

Our legitimate interests.

To manage how we work with other companies that provide services to us and our members or customers.

Being efficient about how we fulfil our legal and contractual duties.

Ensuring that our organisation is run properly and efficiently.

Our legitimate interests.

To detect, investigate, report and seek to prevent financial crime.

To manage risk for WHA and our members or customers.

To comply with regulations that apply to us.

 

Our legal duty.

To run WHA in an efficient and proper manner. This includes managing our financial position, business capability, planning, communications, corporate governance and audit.

Complying with best practice and regulations that apply to WHA.

Being efficient about how we fulfil our legal and contractual duties.

Ensuring that our organisation is run properly and efficiently.

Our legitimate interests.

To exercise our rights as set out in agreements or contracts.

Being efficient about how we fulfil our legal and contractual duties.

Fulfilling contracts.

Our legal duty.

Our legitimate interests.

To respond to complaints and seek to resolve them.

Ensuring that our organisation is run properly and efficiently.

To provide good customer service.

To resolve any disputes, complaints or issues as early as possible.

Our legitimate interests.


The types of personal sensitive information we use include:

Type of personal sensitive information

Processing activity

Reasons we rely on for processing health information

Pre-Existing Medical Condition.

To establish whether the benefit would be covered on the policy when joining.

Explicit consent.

Medical Conditions.

To establish whether you would be covered on the new policy or when changing policy or increasing your cover.

Explicit consent.

Medical information is required to support: Hospital In-patient or Specialist Consultation claims.

To allow us to assess and process benefit claim for Hospital In-patient or Specialist Consultation in line with policy documents issued at the time of joining.

Explicit consent.

Further information from the relevant practitioner or hospital.

In some instances, following consent given by you we would contact the practitioner/hospital to obtain further information in order for us to assess and process benefit claim to establish eligibility for payment.

Explicit consent.


If you choose not to provide personal information

We will need to collect certain personal information by law, or under the terms of a contract we have with you. Such items are marked with an asterisk in the section above titled ‘What types of personal information do we process’.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot provide you with services under your membership. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.

Who we share your personal information with

WHA may share your data with regulatory bodies when it is a legal requirement to do so for the purpose of monitoring and enforcing our compliance, organisations include:

  • Financial Ombudsman Service;
  • Information Commissioners Office;
  • Fraud prevention agencies.

We may also share aspects of your information on occasion with organisations to enable continuity of service, these include:

  • Organisations that introduce you to us;
  • IT Support.

We may also share aspects of your information with organisations who provide us with advice or business services such as auditors, consultants, solicitors and/or insurers (to enable us to run WHA efficiently).

In the usual course of our business, we may use other third-party organisations known as ‘data processors’ under data protection law to support the essential delivery of our services. These organisations process your personal information on our behalf.

These types of organisations are:

  • Mailing, email, SMS messaging, and/or print fulfilment organisations (to enable us to communicate with you efficiently);
  • Providers of records management services such as secure disposal suppliers, and IT storage providers (to enable us to secure data efficiently);
  • Providers of IT systems or services (to enable us to run WHA efficiently);
  • Market researchers (to help us to improve the services we offer);
  • Companies you ask us to share your personal information with (upon request).

When we share your information with our approved third-party providers, our contractual relationship with them prevents them from using your information for any other purpose outside of our instructions to them. They may use their own third-party data processors but are always required to meet the same legal requirements as WHA does.

WHA will never share or sell your information to external companies for their own marketing purposes.

Where is your data stored?

All of your data is located in the UK.

Marketing

We may use your personal information to tell you about relevant products offered by WHA. This is what we mean when we talk about ‘marketing’.

We can only use your personal information to send you marketing messages if we either have your consent or a ‘legitimate interest’. Legitimate interest is when we have a business reason to use your information for marketing purposes (which will not unfairly go against your rights and freedoms). In other words, we will not market to you based on legitimate interest if you have told us that you do not want to receive such marketing or are registered on a preference services list.·

We have a legitimate interest to:

  • Send you the WHA magazine/newsletter by post;
  • Send you marketing messages about WHA by post;
  • Contact you via telephone to welcome you to WHA, or to discuss your membership if you decide to leave WHA; and
  • Send you marketing messages by email about products offered by WHA which are similar to those which you have already purchased from us (if you have provided us with an email address).

We will ask for your explicit consent to send you any other marketing messages.

You can withdraw your consent or ask us to stop sending you any marketing messages at any time. ·If you want to do so, please contact us by:

  • Calling our Customer Service Team on 029 2048 5461;
  • E-mail us at mail@whahealthcare.co.uk;
  • Write to us at WHA, 60 Newport Road, Cardiff CF24 OYG;
  • Following the unsubscribe link on the relevant email.

How long we keep your personal information?

We will keep your personal information for as long as you are a member or customer of WHA.

After you stop being a member or customer, we may keep your personal information for up to 8 years for one of these reasons:

  • To respond to questions or complaints;
  • To defend any claims;
  • To show that we treated you fairly; and/or
  • To maintain records according to legal requirements and documented business need.

We may keep your personal information for longer than 8 years if we cannot delete it for legal, regulatory or technical reasons. In these circumstances, we will make sure that your privacy is protected and only use it for legal or regulatory purposes.

Your rights

Under data protection law, you have a number of different rights relating to the use of your personal information. In order to exercise your rights under data protection law, we will need to verify your identity for your security. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website. If you choose to exercise any of your rights, you can do so by:

  • Writing to us at WHA, 60 Newport Road, Cardiff CF24 OYG;
  • Calling our Customer Service Team on 029 2048 5461;
  • E-mailing us at mail@whadirect.co.uk.

Once we have received your request, we will respond within 30 days.

Your rights

What this involves

What our obligations are

A right of access

This is a right to obtain access to your personal data and various supplementary information.

We must provide you with a copy or your personal information and the other supplementary information without undue delay and in any event within 1 month of receipt of your request;

We cannot charge you for doing so save in specific circumstances (such as where you request further copies of your personal information).

A right to have personal data rectified

This is a right to have your personal information rectified if it is inaccurate or incomplete.

We must rectify any inaccurate or incomplete information without undue delay and in any event within 1 month of receipt of your request;

If we have disclosed your personal information to others, we must (subject to certain exceptions) contact the recipients to inform them, that your personal information requires rectification.

A right to erasure

This is a right to have your personal information deleted or removed.

This right only applies in certain circumstances (such as where we no longer need the personal information for the purposes for which it was collected).

We have the right to refuse to delete or remove your personal data in certain circumstances.

If this right applies, we must delete or remove your personal information without undue delay and in any event within 1 month of receipt of your request;

If we have disclosed your personal information to others, we must (subject to certain exceptions) contact then recipients to inform them that your personal information must be erased.

A right to data portability

This is a right to obtain and re-use your personal information for your own purposes;

It includes a right to ask that your personal information is transferred to another organisation (where technically feasible).

This right only applies in certain limited circumstances.

If this right applies, we must provide your personal information to you in a structured, commonly used and machine reasonable form;

Again, we must act without undue delay and in any event within 1 month of receipt of your request;

We cannot charge you for this service.

A right to object

This is a right to object to the use of your personal information.

The right applies in certain specific circumstances only.

You can use this right to challenge our use of your personal information based on our legitimate interests;

You can also use this right to object to use of your personal information for direct marketing.

If you object to us using your personal information for direct marketing, we must stop using your personal information in this way as soon as we receive your request.

If you object to other uses of your personal information, whether we have to stop using your personal information will depend on the particular circumstances.

A right to object to automated decision making

This is a right not to be subject to a decision which is made solely on the basis of automated processing of your personal information where the decision in question will have a legal impact on you or a similarly significant effect.

Where such a decision is made, you must be informed of that fact as soon as reasonably practicable;

You then have 21 days from receipt of the notification to request that the decision is reconsidered or that a decision is made that is not based solely on automated processing;

Your request must be complied with within 21 days.

A right to restrict processing

This is a right to ‘block’ or suppress processing of your personal information.

This right applies in various circumstances, including where you contest the accuracy of your information.

If we are required to restrict our processing of your personal information, we will be able to store it but not otherwise use it.

We may only retain enough information about you to ensure that the restriction is respected in future.

If we have disclosed your personal information to others, we must (subject to certain exceptions) contact them to tell them about the restriction on use.


Your right to complain

If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal data, you can complain to the Information Commissioner’s Office (ICO) by:

Changes to this privacy notice

We regularly review our privacy notice and we will place any updates on the WHA Website. The notice was last updated in November 2018.

Contacting us

When you contact us, we will need to verify your identity for your security. Verifying identity is an important way of safeguarding against criminal activities including the prevention of illicit access to your information.

If we are unable to validate your identity, we may ask you to provide further evidence so that we can access your information.

Questions about this privacy notice

If you have any questions about this privacy notice or our processing of information, if you wish to raise a complaint on how we have handled your personal information, or if you wish to exercise any of the rights set out in this privacy notice, please contact us by:

  • Writing to WHA 60 Newport Road, Cardiff CF24 OYG;
  • Calling our Customer Service Team on 029 2048 5461;
  • E-mail us at mail@whadirect.co.uk.