Privacy Policy
At HSF Health Plan, we understand the importance of protecting your privacy. This policy is designed to explain what information we may collect about you, how we may use it, and the steps we take to ensure that it is kept secure. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
We are committed to transparency and take the protection of your privacy and confidentiality very seriously. You have the right to know how your personal data is used, and we are committed to using it only for the purposes you intended. We will never share your information with unauthorised third parties and will always maintain the confidentiality of the data you entrust to us.
Our policy complies with the EU General Data Protection Regulation (GDPR) and UK GDPR. The law requires us to tell you about your rights and our obligations to you regarding the processing and control of your personal data.
Who we are
This is the privacy notice of HSF Health Plan Limited. In this document, “we”, “our”, or “us” refers to HSF Health Plan Limited.
We are company number 30869 and our registered offices are at 24 Upper Ground, London, SE1 9PD. In Ireland, our company number is 904935 and the registered office is at 5 Westgate Business Park, Kilrush Road, Ennis, Co Clare Ireland.
We are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority in the UK. In Ireland, we are regulated by the Central Bank of Ireland for Code of Conduct business rules, with the Department of Health and Children and The Health Insurance Authority in Ireland. Founded 1873. Incorporated 1890. We are the trading company of The Hospital Saturday Fund, a Registered Charity in the UK No 1123381 and in Ireland Registered Charity No 20104528.
How is your personal data collected and the data we collect?
- Personal details: The personal details we collect are your personal and contact details including title, name, address, date of birth, email address, telephone numbers, PPS number, employer's name and payroll number (if applicable). We also collect the name and date of birth of your partner and any dependants (if applicable).
- Medical details: The medical details we collect are any conditions or illnesses you, your partner and any dependants may have had (or have) and the date any of the symptoms began.
- Payment details: The payment details we collect are Direct Debit or Credit Card information. Direct Debit or Credit Card information will be used for automatic payments to be made from the account you provide.
If you fail to provide personal data
If you do not provide information, we may not be able to:
- provide requested services to you;
- continue to provide and/or renew existing products or services.
We may collect information from:
- The main policyholder if you are a dependant under a family policy.
- Your employer, if you are covered by a policy your employer is funding.
- Brokers and other agents (this may be your broker if you have one, or your employer's broker if they have one).
How we use your personal data
- verify your identity for security purposes
- sell products to you
- provide you with our services
- provide you with suggestions and advice on products, services and how to obtain the most from using our website
- To improve and enhance our services: When we do process your data, we will use it to benefit you and to make your experience better and to improve our products and services.
- Your best interest: Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
- Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our customers.
- Research: To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
- Due Diligence: We may need to conduct investigations on existing customers, potential customers and business partners to determine if those companies and individuals have been involved in or convicted of offences such as fraud, bribery and corruption.
Information sharing
- Organisations that pay premiums on your behalf in line with the policy contract.
- Service providers and partners who provide IT and system administration services, and support services.
- Professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
- Organisations to provide the benefits and services for which you have applied and to assist with the continuity and provision of benefits.
- HM Revenue & Customs UK or the Revenue Commissioners in Ireland, regulators, and other authorities who require reporting of processing activities in certain circumstances.
- Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
- The Financial Ombudsman Service and regulatory authorities such as the Financial Conduct Authority, the Information Commissioner’s Office (UK), the Data Protection Commissioner’s Office (Ireland), and the Prudential Regulation Authority.
International transfers
The disclosure of personal information to the affiliates and other third parties set out above may involve the transfer of data outside the EU, EEA or states that are considered ‘adequate’. Where we need to engage a third party which operates outside of Europe or those considered ‘adequate’ for the provision of services, then we would ensure that an equivalent degree of protection is provided by implementing appropriate technical measures and legal safeguards and standard contractual clauses as required by the legislation.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In line with our current retention policy, we retain policyholders’ personal data for at least 6 years but no more than 7 years after the health plan policy has ceased.
Your legal rights
- Right to be informed: We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.
- Right to Access: You have the right to request a copy of all information about you held by us. Please note that we are not obliged to take proactive steps to discover that a subject access request has been made. If we cannot view a subject access request without paying a fee or signing up to a service, we will not respond to the request.
- Data Portability: You have the right to exercise your right to data portability in certain circumstances.
- Right to Object or to Restrict Processing: You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. Please note our policy is to only keep personal information for as long as is reasonably required for the purpose(s) for which it was collected. We are required to keep certain transactional records – which does include personal information – for more extended periods to meet legal, regulatory, tax or accounting needs. We are also required to retain an accurate record of dealings with us for at least six years after your last interaction with us, so we can respond to any complaints or challenges you or others might raise later.
- Right to Rectification: We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them. When we receive any request to access, edit or delete personally identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
- Right to Erasure: You have the right to have your data ‘erased’ in the following situations:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
- When you withdraw consent.
- When you object to the processing and there is no overriding legitimate interest for continuing the processing.
- When the personal data was unlawfully processed.
Data protection contacts
Compliance with the law
Our privacy policy has been compiled so as to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you. However, ultimately it is your choice as to whether you wish to use our website.