This notice outlines your rights as a member or customer of WHA Healthcare (Welsh Hospitals & Health Services Association), or as a visitor to our website, under the General Data Protection Regulation (GDPR).
This privacy notice tells members and customers of WHA what to expect when WHA processes your personal information, which will include collecting, using, retaining and disclosing your personal information.
Personal information is information that (on its own or together with other information) identifies you and is about you. This includes what you tell us about yourself and what we learn by having you as a member or customer.
Who we are
WHA Healthcare is a Healthcare Cash Plan provider. WHA Healthcare is a trading name of Welsh Hospitals & Health Services Association, which is registered at WHA Healthcare, WHA House, Greenwood Close, Cardiff Gate Business Park, Cardiff, CF23 8RD.
When we refer to WHA (or to ‘we’, ‘us’, or ‘our’), we mean Welsh Hospitals & Health Services Association.
To ensure that we process your personal information fairly and lawfully, this notice informs you:
Within this notice we describe instances where WHA is the ‘data controller’ (the organisation that decides what personal information is collected and how it is used).
There may be situations where WHA processes data on the instructions of another organisation (known as acting as a ‘data processor’), but in those circumstances our use of data would be governed by that organisation.
Our commitment to your privacy
WHA recognises the importance of protecting personal and confidential information in all that we do and takes care to meet our legal duties. WHA puts in place all reasonable technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information.
How the law protects you
Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it outside of WHA.
The reasons why WHA may process your personal information are:
If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using the details set out at the end of this privacy notice.
A legitimate interest is when we have a business or commercial reason to use your information, but this must not be outweighed by your rights or freedoms.
What types of personal information do we process?
We process personal information to enable WHA to support the provision of our services to members and customers, to maintain our own accounts and to promote our services. We do not make decisions about you using automated means. Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention.
The types of personal information we use include:
Where do we collect your personal data from?
We may collect your personal information from the following sources:
Cookies
For more information on how we use cookies, please see our website cookie policy.
How we use your personal data
Below is a list of the ways that we may use your personal information and which of the reasons we rely on to do so.
How we may use your personal information | Where applicable our legitimate interests | Reasons we rely on for processing |
To ascertain suitability for membership and on what basis. To administer payments relating to membership. | | Fulfilling contracts. |
To process your benefit claims. | | Fulfilling contracts. |
To communicate with you about your membership or WHA products you have purchased. To manage our relationship with you. To conduct analysis and research activities to improve and develop our products and services. To analyse our advertising activity. To create anonymised pen portraits for marketing purposes. | Keeping our records up to date. Determining which of our products may be of interest to you and informing you about them. Defining audiences to market our products to. Seeking your consent when we need it to contact you. Being efficient about how we fulfil our legal and contractual duties. Ensuring that our organisation is run properly and efficiently. | Our legitimate interests. |
To manage how we work with other companies that provide services to us and our members or customers. | Being efficient about how we fulfil our legal and contractual duties. Ensuring that our organisation is run properly and efficiently. | Our legitimate interests. |
To detect, investigate, report and seek to prevent financial crime. To manage risk for WHA and our members or customers. To comply with regulations that apply to us. | | Our legal duty. |
To run WHA in an efficient and proper manner. This includes managing our financial position, business capability, planning, communications, corporate governance and audit. | Complying with best practice and regulations that apply to WHA. Being efficient about how we fulfil our legal and contractual duties. Ensuring that our organisation is run properly and efficiently. | Our legitimate interests. |
To exercise our rights as set out in agreements or contracts. | Being efficient about how we fulfil our legal and contractual duties. | Fulfilling contracts. Our legal duty. Our legitimate interests. |
To respond to complaints and seek to resolve them. | Ensuring that our organisation is run properly and efficiently. To provide good customer service. To resolve any disputes, complaints or issues as early as possible. | Our legitimate interests. |
The types of personal sensitive information we use include:
Type of personal sensitive information | Processing activity | Reasons we rely on for processing health information |
Pre-Existing Medical Condition. | To establish whether the benefit would be covered on the policy when joining. | Explicit consent. |
Medical Conditions. | To establish whether you would be covered on the new policy or when changing policy or increasing your cover. | Explicit consent. |
Medical information is required to support: Hospital In-patient or Specialist Consultation claims. | To allow us to assess and process a benefit claim for Hospital In-patient or Specialist Consultation in line with policy documents issued at the time of joining. | Explicit consent. |
Further information from the relevant practitioner or hospital. | In some instances, following consent given by you, we would contact the practitioner/hospital to obtain further information in order for us to assess and process a benefit claim to establish eligibility for payment. | Explicit consent. |
If you choose not to provide personal information
We will need to collect certain personal information by law, or under the terms of a contract we have with you. Such items are marked with an asterisk in the section above titled ‘What types of personal information do we process’.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot provide you with services under your membership. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.
Who we share your personal information with
WHA may share your data with regulatory bodies when it is a legal requirement to do so for the purpose of monitoring and enforcing our compliance. These organisations include:
We may also share aspects of your information on occasion with organisations to enable continuity of service. These include:
We may also share aspects of your information with organisations who provide us with advice or business services such as auditors, consultants, solicitors and/or insurers (to enable us to run WHA efficiently).
In the usual course of our business, we may use other third-party organisations known as ‘data processors’ under data protection law to support the essential delivery of our services. These organisations process your personal information on our behalf.
These types of organisations are:
When we share your information with our approved third-party providers, our contractual relationship with them prevents them from using your information for any other purpose outside of our instructions to them. They may use their own third-party data processors but are always required to meet the same legal requirements as WHA does.
WHA will never share or sell your information to external companies for their own marketing purposes.
Where is your data stored?
All of your data is located in the UK.
Marketing
We may use your personal information to tell you about relevant products offered by WHA. This is what we mean when we talk about ‘marketing’.
We can only use your personal information to send you marketing messages if we either have your consent or a ‘legitimate interest’. Legitimate interest is when we have a business reason to use your information for marketing purposes (which will not unfairly go against your rights and freedoms). In other words, we will not market to you based on legitimate interest if you have told us that you do not want to receive such marketing or are registered on a preference services list.
We have a legitimate interest to:
We will ask for your explicit consent to send you any other marketing messages.
You can withdraw your consent or ask us to stop sending you any marketing messages at any time. If you want to do so, please contact us by:
How long do we keep your personal information?
We will keep your personal information for as long as you are a member or customer of WHA.
After you stop being a member or customer, we may keep your personal information for up to 8 years for one of these reasons:
We may keep your personal information for longer than 8 years if we cannot delete it for legal, regulatory or technical reasons. In these circumstances, we will make sure that your privacy is protected and only use it for legal or regulatory purposes.
Your rights
Under data protection law, you have a number of different rights relating to the use of your personal information. In order to exercise your rights under data protection law, we will need to verify your identity for your security. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website. If you choose to exercise any of your rights, you can do so by:
Once we have received your request, we will respond within 30 days.
Your rights | What this involves | What our obligations are |
A right of access | This is a right to obtain access to your personal data and various supplementary information. | We must provide you with a copy of your personal information and the other supplementary information without undue delay and in any event within 1 month of receipt of your request; We cannot charge you for doing so save in specific circumstances (such as where you request further copies of your personal information). |
A right to have personal data rectified | This is a right to have your personal information rectified if it is inaccurate or incomplete. | We must rectify any inaccurate or incomplete information without undue delay and in any event within 1 month of receipt of your request; If we have disclosed your personal information to others, we must (subject to certain exceptions) contact the recipients to inform them that your personal information requires rectification. |
A right to erasure | This is a right to have your personal information deleted or removed. This right only applies in certain circumstances (such as where we no longer need the personal information for the purposes for which it was collected). We have the right to refuse to delete or remove your personal data in certain circumstances. | If this right applies, we must delete or remove your personal information without undue delay and in any event within 1 month of receipt of your request; If we have disclosed your personal information to others, we must (subject to certain exceptions) contact the recipients to inform them that your personal information must be erased. |
A right to data portability | This is a right to obtain and re-use your personal information for your own purposes; It includes a right to ask that your personal information is transferred to another organisation (where technically feasible). This right only applies in certain limited circumstances. | If this right applies, we must provide your personal information to you in a structured, commonly used and machine-readable form; Again, we must act without undue delay and in any event within 1 month of receipt of your request; We cannot charge you for this service. |
A right to object | This is a right to object to the use of your personal information. The right applies in certain specific circumstances only. You can use this right to challenge our use of your personal information based on our legitimate interests; You can also use this right to object to use of your personal information for direct marketing. | If you object to us using your personal information for direct marketing, we must stop using your personal information in this way as soon as we receive your request. If you object to other uses of your personal information, whether we have to stop using your personal information will depend on the particular circumstances. |
A right to object to automated decision making | This is a right not to be subject to a decision which is made solely on the basis of automated processing of your personal information where the decision in question will have a legal impact on you or a similarly significant effect. | Where such a decision is made, you must be informed of that fact as soon as reasonably practicable; You then have 21 days from receipt of the notification to request that the decision is reconsidered or that a decision is made that is not based solely on automated processing; Your request must be complied with within 21 days. |
A right to restrict processing | This is a right to ‘block’ or suppress processing of your personal information. This right applies in various circumstances, including where you contest the accuracy of your information. | If we are required to restrict our processing of your personal information, we will be able to store it but not otherwise use it. We may only retain enough information about you to ensure that the restriction is respected in future. If we have disclosed your personal information to others, we must (subject to certain exceptions) contact them to tell them about the restriction on use. |
Your right to complain
If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal data, you can complain to the Information Commissioner’s Office (ICO) by:
Changes to this privacy notice
We regularly review our privacy notice and we will place any updates on the WHA Website. The notice was last updated in November 2018.
Contacting us
When you contact us, we will need to verify your identity for your security. Verifying identity is an important way of safeguarding against criminal activities including the prevention of illicit access to your information.
If we are unable to validate your identity, we may ask you to provide further evidence so that we can access your information.
Questions about this privacy notice
If you have any questions about this privacy notice or our processing of information, if you wish to raise a complaint on how we have handled your personal information, or if you wish to exercise any of the rights set out in this privacy notice, please contact us by:
WHA Healthcare, WHA House, Greenwood Close, Cardiff Gate Business Park, Cardiff, CF23 8RD