1. Introduction
At Howden Employee Benefits & Wellbeing Ltd (“HEBW”, “we”, “us”, “our”) we need to collect and process personal data from or about individuals (“you”, “your”) in order to provide our health, benefits and wellbeing broking and consultancy services. This Privacy Notice applies to you in the event we have collected personal data from or about you in our role as a data controller. It explains when, why and how we collect and process your personal data, the third parties with which we may share your personal data, what your rights are in the event we hold your personal data, and how you can enforce these rights.
We may amend this Privacy Notice from time to time in order to reflect any changes in how we process personal data, or to satisfy any new requirements under applicable data protection laws. If we make any significant changes, we will let you know directly.
This version of the Privacy Notice was published in October 2023
2. Definitions
To be clear on what we mean in this Privacy Notice:
- “personal data” is any information that can be used to identify a living individual;
- “sensitive personal data” is personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health data, sex life or sexual orientation;
- “data controller” means an organisation that decides how and why to collect personal data;
- “the Howden Group” is Howden Group Holdings Limited and any company or organisation in which Howden Group Holdings Limited holds significant share capital.
You can find out more information about the other companies in the Howden Group by visiting www.howdengroupholdings.com; and
- “third-party” is someone who isn’t you, us, or a company in the Howden Group.
3. Who does this Privacy Notice relate to?
This Privacy Notice relates to the following types of individuals, where we hold your personal data:
- Individuals who are prospective, current or former clients, including their representatives, for example those with power of attorney;
- Other individuals named on policies, joint policy holders, beneficiaries or dependents;
- Employees of our corporate clients who we liaise with, or who are covered under a policy;
- Members of a trade or professional association;
- Visitors to our websites;
- Individuals who contact us with a query, concern or complaint; and
- Individuals who we contact for marketing purposes.
There are other types of individuals who this Privacy Notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors) and service suppliers. If you are one of these individuals and would like further information, please contact us using the details shown under Section 14.
4. Who are we?
We are part of the Howden Group, and are registered in England under company number 02248238. Our registered office address is at One Creechurch Place, London EC3A 5AF, and we are regulated in the UK by the Financial Conduct Authority (FCA) under reference number 312841 (you can view a full list of our current trading names and Appointed Representatives at any time by visiting https://register.fca.org.uk). We are also registered with the Information Commissioner’s Office (ICO) under registration Z7272727, and our designated Data Protection Officer (DPO) can be contacted using the contact details set out at the end of this Privacy Notice.
5. When and how we collect this personal data
We may collect personal data from, or about, you at different times and through different channels depending on our relationship with you, for example if:
- You request a quotation from us, either directly or via an intermediary;
- You purchase, change or cancel a policy through us;
- You are covered under, or named on, a policy that has been taken out by your employer;
- We receive notification of a claim that is made against you, or that you bring against one of our policyholders;
- You are a client of a business that we acquire;
- You contact us in writing or speak to us on the phone;
- You visit one of our stands at a show or trade fair;
- You give permission to other companies to share your information with us;
- Your information is publicly available and we have a legitimate reasons to use it; and
- We are provided with your personal data by third parties such as anti-fraud and crime-prevention agencies, credit reference and vetting agencies, and other data providers.
6. What personal data do we collect?
Depending on your relationship with us, we may hold the following types of personal data about you:
- Identity and contact data: for example, your name, gender, date of birth, postal address, job title, telephone number and e-mail address;
- Policy information: for example, your policy number, details of your coverage, premiums due, relationship to the policyholder (if applicable) and previous claims history;
- Payment and account data: for example, your bank account details, credit/debit card details where you are the payer of a premium;
- Location data: for example, your residential, work or IP address, and in the event of a claim, where the incident occurred;
- Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations.
- Information we obtain from other sources: including credit agencies, antifraud and other financial crime prevention agencies;
- Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with third-party adjudicator services;
- Internet data: for example, information such as your IP address that may be collected by cookies and other online technologies such as Google Analytics when you visit a Howden Group website, and which may in turn be made available to us; and
- Sensitive personal data: for example health-related data or ethnicity data, but only in restricted circumstances as explained under Section 8.
7. The lawful ways we use personal data
We collect and process personal data for the following lawful reasons:
- To enter into or perform a contract with you: for example, where you are an individual policyholder we need to process your personal data in order to provide you with a quotation (should you request one), or to arrange cover, manage any claims which arise with your policy, answer any queries you may have, action your requests and manage your renewal(s);
- To comply with a legal obligation: for example the rules set by our regulator the Financial Conduct Authority (FCA), to fulfil your data rights under data privacy laws, handle complaints about our services, and to comply with other legal requirements such as preventing money laundering and other financial crimes;
- For our legitimate business interests: for example, to arrange and administer cover where your employer is our client, to respond to third party claimants, to maintain accurate records in our systems, to monitor and improve our products and services through the use of analytics, to demonstrate compliance with applicable regulations, to undertake some marketing activities, and to facilitate internal management reporting activities across our businesses. Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to us relying on this lawful reason (if applicable) to process your personal data. Further information on this right is provided under Section 13;
- With your consent: for example, if you consent to us contacting you for marketing purposes. You can withdraw your consent at any time (to the extent we are relying on it) by using the contact details set out under Section 14; and
- To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.
8. The lawful ways we use sensitive personal data
We only collect sensitive personal data from or about you where this is necessary for us to:
- Advise, arrange or administer an insurance policy or claim arising from one;
- Establish, exercise or defend a legal claim;
- Safeguard vulnerable individuals; or
- Where we have obtained your explicit consent.
9. Who we share personal data with
Below are the categories of third parties that we may share your personal data with, but only where we have a legitimate reason to do so:
- Other Howden Group companies and our Appointed Representatives;
- Business partners, brokers, intermediaries, suppliers and agents involved in delivering our products and services to you;
- Insurers/providers, and those acting on their behalf, for example claims experts;
- Credit reference, credit scoring and fraud prevention agencies;
- Debt collection agencies;
- Law enforcement, government bodies, courts, tax authorities and our regulators;
- Service providers who help us manage our IT and back office systems, or who provide platforms to us that we then use or make available to you;
- Marketing fulfilment, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback from our customers on our service levels;
- Any third party where disclosure is required to comply with legal or regulatory requirements;
- Your employer where applicable, for example in circumstances where we are required to confirm details of any policy exclusion communicated to us by a provider; and
- Potential purchasers of our businesses.
10. Sharing data within the Howden Group
As stated in Section 9, we may share personal data with other companies within the wider Howden Group for the following purposes:
- To receive administrative support from those companies, such as the receipt of IT, HR, Finance and Compliance services;
- So that these companies can provide market insight to providers on a confidential basis, but only where personal data has been aggregated or anonymised; and
- So that we can offer you services that may be available from another company in the Howden Group, but only if permitted under electronic marketing laws.
We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf is governed by a data processing agreement.
11. International data transfers
Some of the third parties that we work with may be based outside of the UK. Where we need to transfer personal data overseas to deliver our services or for other legitimate reasons (for example where legally required), and in the event the overseas country is not considered to provide an adequate level of protection under UK data protection law, then we shall ensure that a formal and enforceable set of standard contractual clauses is, or has been, entered into between us and the overseas recipient. You can ask us for more information on this by using the contact details set out under Section 14.
12. Retaining and destroying personal data
We retain personal data about you in order to provide any services that you may request from us, to meet a number of legal and regulatory record-keeping requirements, as well as to support our own legitimate business interests. In most cases we will retain your personal data for 7 years following the end of our relationship with you in order to ensure we can sufficiently handle any disputes, claims or complaints that may arise in connection with the relationship. In some cases we may need to retain your personal data for longer than this period, for example if a relevant insurance policy allows for a longer claim notification window, and in some cases we shall only retain your personal data for a shorter period, for example if you ask us to provide you with a quote but then choose not to proceed. You can request further information on these retention periods by using the contact details set out under Section 14.
13. Your data rights
Data protection laws give you rights relating to your personal data. Should you wish to enforce a right (generally at no cost to you), or make a data protection complaint, please use the contact details set out under Section 14. We aim to provide a final response within one month of receiving a request, unless the request is particularly complex in which case we will let you know when we expect to complete it by:
Access
You have a right to request a copy of the personal data that we hold on you, along with meaningful information on how it is used and who we share it with, however there are some instances where we may not be able to provide you with some or all of the information we hold. Where this is the case we will explain to you why when we respond to your request, unless the relevant laws or regulations prevent us from doing so.
Rectification
You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.
Erasure
You can request that we delete your personal data in certain circumstances, for example if we no longer need the personal data for the purpose(s) for which we collected it. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason we will let you know why.
Should you submit a request or complaint to us and remain unhappy with our response, you may raise a complaint directly with the UK supervisory authority whose contact details can be found at www.ico.org.uk.
14. Our contact details
The primary point of contact for all issues arising from this Privacy Notice, including requests to exercise your rights or to contact our DPO, are as follows:
- By e-mail: dpo@howden-insurance.co.uk
- By post: FAO The Data Protection Officer, Howden UK & Ireland, Ageas House, The Square, Gloucester Business Park, Brockworth, Gloucester, GL3 4ZP, UK.
Restrict processing
You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm that this has been done, or if we are unable to do so, we will let you know why.
Data portability
In certain circumstances you have the right to request that your personal data be transferred to yourself or a nominated third party in a common, machine readable format. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.
Object to direct marketing
You can object to receive direct marketing from us, and this right is absolute. You can do this by simply clicking on the unsubscribe link in any email you receive from us or alternatively getting in touch with us.
Object to our legitimate interests
Where we process your personal data to achieve a legitimate business interest of ours, for example those described under Section 7, you have the right to challenge this. If you do so, we will either confirm to you that the processing has stopped, or explain why we believe our interest in the relevant activity outweighs your interest.
Object to automated decision-making
You have the right to object to decisions made about you using your personal data and undertaken by purely automated means. If you do so, we will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you.