Your trust is important to us. At Medicash Health Benefits Limited (Medicash) we are committed to giving you a personal service that meets your needs, at the same time as protecting your privacy. This policy explains how we collect, store and handle your personal data.
Personal data is any information that may be used to identify a living individual, including but not limited to, a first and last name, a home or other physical address and an email address or other contact information, whether at work or at home.
1) How we obtain your personal data:
- Information provided directly by you for the administration and running of your policy
- Information provided by your employer or intermediary in relation to your policy
- Information provided by you when enquiring about our products and services
- Information we get from other sources
2) How we use your personal data
3) How we share your data
4) How long we keep information about you
5) Your rights
6) Important information
Information provided directly by you for the administration and running of your policy
In order to provide you with a policy, and administer that policy, we require some personal information about you. This information may be provided via your application form, an online application or over the telephone and include your name, address, date of birth, gender, email address and either direct debit and credit mandate instructions or a payroll deduction authorisation. Where you are adding your partner or children to the policy we will also collect similar information for them. By providing your partner’s gender you are indirectly supplying information regarding your sexual orientation; this is classed as sensitive information under the UK General Data Protection Regulation (UK GDPR). You must have their explicit consent when supplying information about them to us.
We will use the information provided by you to manage or administer your policy and to process and pay any claims you submit. We may also keep information contained in any correspondence you have with us via post or email. Please note, calls to Medicash are recorded.
We may obtain sensitive medical information directly from you or your treatment provider. The provision of this data is subject to you giving us your explicit consent to do so, either via your claim form, online claim or claim via our App. If appropriate we may ask you to complete an ‘Access to Medical Records Permissions Form’ to give us limited access to your medical records via your GP or Specialist Consultant. If you do not provide your consent we may be unable to process your claim.
Information we might hold about you includes:
Your employment details. If you pay your contributions through your employer, we may be provided with your payroll number, National Insurance number or other unique reference by your employer, or if you have provided this information to us in the past.
Credentials. We may collect passwords and similar security information, which will be used for authentication and account access.
Payment data. We collect data necessary to process your payments and pay your claims. This information may include your bank account number, sort code and the name of the account holder.
Our App and web services. We collect data from your device, connectivity and configuration. It includes the operating system running on your device and your Medicash App usage, which is used to help analyse patterns when developing future versions. All App and web service communications including user verification, password recovery and claims notification will be sent by email only.
“My Medicash” app usage. The My Medicash app may collect personal information related to your policy. Financial information may also be collected to process payments and pay your claims. This information may include your bank account number, sort code and the name of the account holder.
Contact Preferences. We collect data about how you would like to interact with Medicash including postal and email preferences and marketing options. Your preferred method will be used for all policy correspondence and claims.
Call Recordings. We record all telephone calls made and received. This is for audit, training and quality assurance purposes. Call recordings may include personal information used to authenticate you for security purposes. If a payment is being made by debit or credit card, the call is transferred to a non-recorded line.
The provision of this personal data is essential for us to be able to collect payments and administer your policy and pay claims, including verifying your identity when you contact us to discuss your plan. The legal basis for us holding your data is for the performance of a contract and to meet our regulatory requirements (legal obligation).
Information provided via your employer or intermediary in relation to your policy
Where your policy is being paid for by your employer or has been arranged through an intermediary such as an insurance broker, your employer or intermediary will have provided your personal data to us. This information will include your name, address, date of birth, gender, employment details, such as the name of your employer and may include your payroll number, National Insurance number (or other unique reference). It may also include your work email address. Where you are also including your partner or children on your policy we will also collect similar information for them. By providing your partner’s gender you are indirectly supplying information regarding your sexual orientation; this is classed as sensitive information under the UK General Data Protection Regulation (UK GDPR). You must have their explicit consent when supplying their information to us via your employer or intermediary.
We will use the information provided by you in order to manage or administer your policy and to process and pay any claims you submit. The provision of this personal data by your employer or intermediary is essential for us to be able to collect payments, pay claims and administer your policy including verifying your identity when you contact us to discuss your plan. The legal basis for us holding your data is for the performance of a contract and to meet our regulatory requirements (legal obligation).
In addition to this you may also provide information to us over the course of your policy, such as when you make a claim, or to update your contact details or payment data as set out in the ‘Information provided by you for the administration and running of your policy’ section above.
Information provided by you when enquiring about our products and services
When you enquire about our products and services, either on an individual basis, or on behalf of your organisation via our website, over the phone or at an event, we will collect some basic details from you. This may include your name, address, the company you work for, email address and telephone number.
Where you are enquiring at a trade show or other business to business event, your data may be provided to Medicash via the organiser or their representative. Where this happens, you will have provided your consent for this information to be shared with us when you completed your registration for the event. Alternatively, this information may have been collated from a business card passed to an employee or representative of Medicash.
We will only process your personal information for the purposes of legitimate interest and will hold your data for no longer than is necessary. We will never share any data collected in this manner with a third party. You have the right to opt-out at any time by phone, via our website or through the links on any emails we send to you.
Information we get from other sources
We may use legal public sources to obtain information about you, for example to verify your identity. We also occasionally source personal data via a third party for marketing purposes. This information, which could include your name, address, email and other contact details, as relevant to us, will only be obtained from reputable third-party companies that operate in accordance with the UK General Data Protection Regulation (UK GDPR). You will already have submitted your personal data to these companies and specifically given them permission to allow them to pass this information to other companies.
Where your personal data has been obtained via a third party for marketing purposes, we will contact you within 30 days to inform you that we have your data. This data will be processed under the legal basis of legitimate interest and you can opt-out at any time by phone, via our website or through the links on any emails we send to you.
How we use your personal data
As the data controller we use your personal data to manage and administer your policy, or to keep you informed about our products and services.
We may use the information that we collect to improve our products or personalise our services. We will also use your data to communicate with you, for example providing you with your policy welcome pack, notification of claims received and their progress or changes to your policy. In addition, where you have given appropriate permission we may communicate with you from time to time regarding our other products and services or offers that we are running.
How we store your data
We undertake at all times to protect your personal data, including any health and financial details, in a manner which is consistent with the requirements of the UK General Data Protection Regulation (UK GDPR). We will also take all reasonable security measures to protect your personal data in storage. All of the data that we process is stored on servers located inside the European Economic Area (EEA) and we will never transfer your data outside of the EEA without your permission.
Information about cookies and web access
How we share your data
We will keep information about you confidential and will only disclose your information to other third parties with your express consent, with the exception of the following categories:
- Insurance companies, regulatory authorities and other fraud prevention agencies for the purposes of fraud prevention and to comply with any legal and regulatory issues and disclosures;
- Any mailing or printing agents, contractors and advisors that provide a service to us or act as our agents on the understanding that they keep the information confidential and comply with the UK General Data Protection Regulation (UK GDPR);
- Any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so or if the law allows us to do so.
Medicash employs third parties to provide some of the benefits and ancillary services on our plans, as well as to perform specific functions on our behalf including hosting services and off-site back-ups. As a result, some providers do have indirect access to some of your personal data in order to deliver a service to us and you.
Sharing data with your employer or intermediary
If your policy is administered through your employer or an authorised intermediary, your basic details will be available to them in order to manage and administer your policy. We reserve the right to share information relating to your individual claims, or your state of health, with either your employer or intermediary, in cases of fraud.
How long we keep information about you
We keep information in line with the retention policy of our organisation. These retention periods are in line with the length of time we need to keep your personal information in order to manage and administer your policy and handle any claims. They also take into account our need to meet any legal, statutory and regulatory obligations. These reasons can vary from one piece of information to the next. In all cases our need to use your personal information will be regularly reassessed and information which is no longer required will be disposed of confidentially.
Your rights
Right of access
The UK General Data Protection Regulation (UK GDPR) grants you the right to access particular personal data that we hold about you via a Subject Access Request. Such information will be provided in an encrypted electronic format for you to review if your request was sent by email. If you submitted your request by post, we will send you a copy by recorded delivery.
Right to Rectification
You have the right to have any inaccurate personal data we hold about you corrected without undue delay.
Right of Erasure and Right to Object
Where possible we will accommodate your request to have any data relating to you erased, or to stop processing it in the manner requested in your objection request. Please note that certain pieces of information will be required to be retained in line with our retention policy as detailed previously in the ‘How long do we keep information about you?’ section.
Should you exercise your right to object we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or for the establishment, exercise or defence of legal claims, such as fraud.
Right to Data Portability
You have the right to receive the personal data that you, your employer or intermediary has provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us.
Invoking your rights
If you would like to invoke any of the above rights, please write to:
The Data Protection Officer, Medicash, One Derby Square, Liverpool L2 1AB
Important information
Accuracy of information
In order to provide the highest levels of customer service, we need to keep personal data about you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information that we obtain. You can help us by informing us of these changes when they occur.
The latest version of this Policy can always be found at www.medicash.org/privacy-policy
If you have a complaint
If you have a complaint regarding the use of your personal data or sensitive information, then please contact us by writing to:
The Data Protection Officer, Medicash, One Derby Square, Liverpool L2 1AB
We will do our best to help you, but if your complaint is not resolved to your satisfaction you can make a formal complaint to the Information Commissioner’s Office (ICO).