Benenden Health App - Privacy Notice

This Privacy Notice tells members and users of the Benenden Health App (“the App”) and associated services including Mental Health, Physiotherapy, Treatment and Diagnostics, and My Benenden online (which can be accessed via the App) what to expect when Benenden Health collects, uses, retains, and discloses your personal information when interacting with us through use of the Benenden Health App. Personal information is information that (on its own or together with other information) identifies you and is about you. This includes what you tell us about yourself and what we learn by having you as a member or user of the App.

The services available through the App will vary depending upon whether you are a Benenden Healthcare Member, Benenden Healthcare Lite User or another person entitled to use the App. Full details of the services available can be found in the App Terms of Use.

This notice was updated May 2022.

Who we are

‘Benenden Health’ is a trading name of The Benenden Healthcare Society Ltd. When we refer to Benenden Health (or to ‘we,’ ‘us,’ or ‘our’), we mean:

The Benenden Healthcare Society Ltd;
and/or its subsidiary Benenden Wellbeing Ltd (also trading as Benenden Health);
and/or its subsidiary The Benenden Charitable Trust;

all of which are registered at Holgate Park Drive, York, YO26 4GG.

This Privacy Notice only relates to processing of your personal information when you use the App. Information about how your personal information is processed as a Benenden Health member or Benenden Healthcare Lite user, when you use the Benenden Health website or contact Benenden Health, is available in Benenden Health’s main Privacy Notice.

To ensure that we process your personal information fairly and lawfully, this notice informs you:

Why we need your personal information;
How it will be used;
With whom it will be shared; and
What rights you have in relation to the personal information we collect.

The notice describes instances when Benenden Health is the data controller, (the organisation who decides what personal information is collected and how it is used). Additionally, this notice explains where we direct or commission the processing of personal information by third parties either as data controllers or on our behalf to provide services or improve our offering to you.

Benenden Health is the data controller of data collected to administer the Benenden Health Mobile App and data provided to Benenden Health throughout the course of you being a member or a Benenden Healthcare Lite user.

Our commitment to your privacy

Benenden Health recognises the importance of protecting personal and confidential information in all that we do. We take care to meet our legal duties, and we put in place all reasonable technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information in.

How the law protects you

Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. This includes sharing it outside of Benenden Health. The reasons why we may process your personal information are:

To fulfil a contract we have with you;
When it is our legal duty;
When it is in our legitimate interest; or
When you consent to it

A legitimate interest is when we have a business or commercial reason to use your information, but this must not unfairly go against your rights or freedoms. If we rely on our legitimate interest, we will tell you what that is.

Below is a list of the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are. For further information in relation to the marketing that we undertake, please see the ‘Marketing’ section below.

WHAT WE USE YOUR PERSONAL INFORMATION FOR	OUR REASON(S) FOR PROCESSING	OUR LEGITIMATE INTERESTS (WHERE APPLICABLE)
To manage our relationship with you, and communicate with you To respond to complaints and seek to resolve them To provide you with services offered to Benenden Health members or users	Fulfilling contracts Our legal duty Our legitimate interests	Keeping our records up to date Complying with regulations that apply to us Being efficient about how we fulfil our legal and contractual duties
To develop and carry out marketing activities To conduct analysis and research activities to improve and develop our products and services To analyse the reaction to our advertising activity (including website activity) To create anonymised look-alike audiences for marketing purposes	Our legitimate interests Your consent	Understanding which of our products and services may interest you and telling you about them Defining audiences to market our products to Recording your consent when we need it to contact you
To manage how we work with other companies that provide services to us and our customers To administer payments for our services	Fulfilling contracts Our legitimate interests	Being efficient about how we fulfil our legal and contractual duties
To detect, investigate, report and seek to prevent financial crime To manage risk for us and our members and users To comply with regulations that apply to us To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, corporate governance and audit	Our legal duty Our legitimate interests	Developing and improving how we deal with financial crime Complying with regulations that apply to us Being efficient about how we fulfil our legal and contractual duties

What types of personal information do we handle?

We process personal information to enable us to run Benenden Health, to support the provision of services to members and users, to maintain our own accounts and to promote our services.

The types of personal information we use include:

Personal details (such as names, addresses, telephone numbers, dates of birth);
The relationship between individuals on the same membership or connected to the same user;
Financial details (including payments to Benenden Health by members, users, customers, and payments made by Benenden Health for services provided to members or users);
Details of how you use our App;
Details of which Benenden Health products you have purchased or have access to;
Any consents which you have given us in relation to the processing of your information;
Physical or mental health details in relation to requests by members or users for access to our services. Information relating to your health is special category data and such information requires special protection by law – we will always explain what information we require and why it is needed when collecting this information. It will always be processed and stored securely;
Details of your use of services offered by Benenden Health.

Where we collect personal information from

We may collect your personal information from the following sources:

Personal information you give to us:

When you download and use the App;
As a user of Benenden Healthcare Lite;
As a member of Benenden Health;
In member, user or customer surveys or any other research activity we may conduct with you;
When you use our services;
When you update your membership information using our website www.benenden.co.uk.

Personal information provided to us by third party providers of App services:

When you use the services provided by third parties, they will send us summary information regarding your use of those services.

If you choose not to give personal information

We may need to collect personal information by law, or under the terms of a contract we have with you. The use of the App is optional (Benenden Healthcare Lite users must use the App to access all services available under Benenden Healthcare Lite), and your membership or access to such of the Benenden Healthcare Lite services as are available outside of the App can continue to be administered in accordance with the main Benenden Health Privacy Notice.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot provide you with our services. We will notify you if your choice not to give personal information to us would result in a delay or prevent us from meeting our obligations.

Any personal information that is optional will be clearly marked at the point of collection.

Who we share your personal information with

We may share your personal information between Benenden Healthcare Society Ltd, Benenden Charitable Trust, and Benenden Wellbeing Ltd for these reasons:

Assisting in verifying your identity;
Assessing risks;
Understanding your requirements;
Developing, testing, researching and improving products and services;
Marketing products and services we believe may be appropriate to you;
Training and business analysis;
Legal and regulatory compliance;
Preventing or detecting financial crime;
Complaints handling; or
Improving customer service

The following services are provided by third party organisations who collect and use personal information in order to provide those services to you:

For Benenden Healthcare:

24/7 GP Helpline.
24/7 Mental Health Helpline and Mental Health Support.
Care Planning and Social Care Advice.
Physiotherapy.
Medical Diagnostics and Medical Treatment.
Cancer Support.
Wellbeing Hub.

For Benenden Healthcare Lite:

GP Consultation Service.
Emotional Wellbeing Helpline.
Physio Wizard.®
Wellbeing Hub.

The providers of the services listed above are independent data controllers under data protection law and you should consult the relevant privacy notices for details on the personal data that they process when providing these services. This also means that they have a separate responsibility to protect your personal information and will keep you informed about how your personal information will be used.

Your personal information will only be shared with third party organisations when required (for example for legal obligations or regulatory requirements, in respect of the products and/or services you request as a member or user of Benenden Health or user of Benenden Healthcare Lite).
These types of organisations are:

Healthcare organisations we work with to provide the services offered by Benenden Health;
HM Revenue & Customs, our regulators and other authorities, including fraud prevention agencies (where required or permitted by law)

In the usual course of our business, we may use other third-party organisations known as ‘data processors’ under data protection law to support the essential delivery of our services. These organisations process your personal information on our behalf.

These types of organisations are:

Mailing, email, SMS messaging, and/or print fulfilment organisations (to enable us to communicate with you efficiently);
Providers of business services such as auditors, consultants, solicitors and/or insurers (to enable us to run Benenden Health efficiently);
Providers of records management services such as secure disposal suppliers, and IT storage providers (to enable us to secure data efficiently);
Providers of IT systems or services (to enable us to run Benenden Health efficiently);
Market researchers (to help us to improve the services we offer);
Companies you ask us to share your personal information with (upon request)

When we share your information with our approved third-party providers, our contractual relationship with them prevents them from using your information for any other purpose outside of our instructions to them. They may use their own third party data processors, but are always required to meet the same legal requirements as Benenden Health does.

Benenden Health will never sell your information or share it with external companies for their own marketing purposes.

Sending personal information outside of the UK

The UK GDPR and DPA 2018 hold the UK to high standards of data protection. If we transfer information outside of the UK, we will make sure that it is protected to these standards.
We will only send your personal information to countries outside of the UK to:

Follow your instructions;
Comply with a legal duty; or
Work with other third party organisations (as detailed above) who we use to help provide our services to you

We will always use one or more of these safeguards:

Transfer it to a country with privacy laws that give the same protection as the UK;
Make use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), where suitable, to facilitate the transfer of personal and special category data between ourselves and an international organisation

How long we keep your personal information

When you access services via the App, your membership or user record is updated to reflect your use of services. We will keep your personal information for as long as you are a member of Benenden Health or Benenden Healthcare Lite user.

After you stop being a member or Benenden Healthcare Lite user:

We may keep your personal information for up to 8 years for one of these reasons:

- To respond to questions or complaints;
- To show that we treated you fairly, or;
- To maintain records according to legal requirements and documented business need.
We may keep your personal information for longer than 8 years if we cannot delete it for legal, regulatory or technical reasons. In these circumstances, we will make sure that your privacy is protected and only use it for legal or regulatory purposes.

Your rights

All users of the App can exercise their rights under data protection laws. This section explains how to contact Benenden Health to exercise any of the rights available to you.

In order to exercise your rights under data protection law, we will need to verify your identity for your security.

You can contact us by emailing data.protection@benenden.co.uk, writing to Data Protection Officer, The Benenden Healthcare Society Ltd, Holgate Park Drive, York, YO26 4GG or telephoning our main customer service telephone helpline on 0800 414 8100.

How to get a copy of your personal information

You can request a copy of your personal information, as well as why we have that personal information, who has access to that personal information and where we got that personal information from at any time. Once we have received your request, we will respond within 1 month.

Letting us know if your personal information needs updating

You have the right to question any information we hold on you that you think is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it.

If you need to update your contact details, you can do so by contacting us using the details above.

If you want us to stop using your personal information

You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to object’ and the ‘right to erasure’ (or ‘right to be forgotten’).

We may be able to restrict the use of your personal information so that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.

You can ask us to restrict the use of your personal information if:

It is not accurate;
It has been used unlawfully but you don’t want us to delete it;
It is not relevant any more, but you want us to keep it for use in legal claims; or
You have already asked us to stop using your personal information but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law

If you want to object to how we use your personal information, or ask us to restrict how we use it, please contact us using the details above.

If you want us to erase your personal information

If you feel that we should no longer be using your personal information, or that we are illegally using your data, you can request that we erase the personal information we hold on you. When we receive your request, we will confirm whether the personal information has been deleted or tell you the reason why it cannot be deleted. There may be legal reasons why we need to keep your personal information.

If you want to request that we erase your personal information, please contact us using the details above.

Obtaining your personal information in a portable format

You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations. To request this, please contact us using the details above.

Your right to complain

If you are not satisfied with our response or believe that we are not processing your personal information in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) by emailing casework@ico.org.uk or telephoning 0303 123 1113. Additional contact methods are detailed on the ICO website.

Contacting us

If you contact us

When you contact us, we will need to verify your identity for your security. Verifying identity is an important way of safeguarding against criminal activities including the prevention of illicit access to your information.

If we are unable to validate your identity, we may ask you to provide further evidence so that we can access your information.

Freedom of Information

Benenden Health and its subsidiaries are not governed by the Freedom of Information Act as neither Benenden Health nor any of its subsidiaries are a public authority.

How to contact our Data Protection Officer

If you have any questions about this privacy notice or our processing of information, if you wish to raise a complaint on how we have handled your personal information, or if you wish to exercise any of the rights set out in this privacy notice, please contact our Data Protection Officer by emailing data.protection@benenden.co.uk or writing to: Data Protection Officer, The Benenden Healthcare Society Ltd, Holgate Park Drive, York, YO26 4GG.