Health Assured Limited (“Health Assured”) is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. When delivering our professional services we are the Data Controller of the personal data that you supply to us.
This Privacy Notice explains:
- Who we are
- Personal data we collect
- Our legal basis for processing
- Who we may share information with and why
- Where we may transfer data to
- How we keep information secure and deal with security incidents
- How long we may keep your data for
- Your data privacy rights
- How to contact our DPO and the ICO
Who is Health Assured?
Health Assured specialises in the provision of Employee Assistance Programme (EAP) services and health and wellbeing support to employers and employees across the UK and Ireland. As we deal with highly sensitive and confidential health data; we are committed to ensuring that the handling, processing, and collection of data is fully compliant with all relevant data protection legislation.
Personal data we collect
The type and frequency of any personal data collected will always depend on how our website and services are used. If you do not wish to provide us with certain categories of personal data, you may not be able to use our services in their entirety.
Personal Data provided to us:
Data for our services, such as counselling and advisory is provided by you to us directly when contacting the service. If another person such as a manager refers you to us this must always be with your consent. For occupational health services, your employer will provide us with your data in order to arrange the services and you will provide additional data during the later assessment.
We use electronic contact forms and chat facilities across our websites. These forms will prompt users to input basic contact details so we can generate service quotes, provide newsletter updates and respond to enquiries. You may also provide data to us when registering for an event, using our services, applying for a vacancy or when corresponding with us by phone, email, letter or social media.
It is important that the personal data we hold about you is accurate and current. You should keep us informed if your personal data changes during your relationship with us.
Personal Data collected by us:
Where you ask us to provide services, we may be required to process additional categories of personal data relating to you or other parties to ensure the professional delivery of our services. We may also collect additional data from you as part of our recruitment process, during your employment or when you visit our offices via CCTV. We may also ask to verify your identity in limited circumstances by providing valid photographic identification.
Personal Data from other sources:
We may receive information about you and/or your company from specific third parties such as business partners, sub-contractors, advertising networks, analytics providers, hosting providers and search information providers. Health Assured also receives referrals from other clients and purchases marketing lists from external companies.
Special Categories of Data:
There may be instances where we need to process special category data provided by you or other users of our services during the lifetime of our service. Special category data is a more sensitive type of data which reveals insights about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation which is usually processed in connection with our employee assistance programs and occupational health services. We may also process data that relates to criminal and/or civil offences as well as child data in some very limited circumstances. Sensitive data collection will only take place where it is applicable to the provision of the services that we are contracted to provide. The fundamental rights of the data subjects are always assessed to ensure that the processing is fair, transparent and lawful.
When you visit our website, a record of your device’s IP address is retained which is used anonymously in order to determine website and page visitors.
A voluntary survey may be accessible on our website portal to provide feedback on the services for quality and reporting purposes. No identifying information is collected such as name or email address, the survey collects responses anonymously which are used to communicate service satisfaction with your employer if agreed.
For more information on how we use online identifiers or cookies please visit our cookies policy.
My Healthy Advantage App
During registration with the Health Assured App (My Healthy Advantage), we collect your name, gender, phone number (if provided), date of birth and email address. This will enable Health Assured to administer the My Healthy Advantage app.
The My Healthy Advantage app also allows users to submit additional data through the Enquiry Form or Live Chat functions. This will be sent directly to Health Assured for the purpose of administering the requested services. This data is collected for the purpose of providing the services and will then be securely stored in our CRM and retained in line with our retention policy.
To ensure functionality and user administration the organisation that provides you with access to Health Assured’s app (such as your employer) and the app developer, have access to limited app usage data. This allows them to see your registration details in order to confirm that the intended users are able to access the resource. Neither will be able to see how you have used the app or what content has been accessed.
My Healthy Advantage does not use tracking software to collect data about the users or their online actions. The information contained in the ‘Health Trackers’ feature of the app (i.e. user’s steps, sleep, weight etc.) is retrieved from Apple Health application for iOS and Google Fit for Android devices and displayed within My Healthy Advantage, on the Health Hub & Health tracker screens. Users must give the device permission before the app can access this data from the Apple Health or Google Fit.
Other permissions required in order to access certain features are:
- permission to send the user push notifications
- permission to access camera, camera roll and saved pictures to upload a profile picture to the app
- permission to access the camera for biometric login.
Our legal basis for processing
Before processing any personal data, we ensure that at least one lawful basis under GDPR is met. We will not disclose personal data for any purpose other than what the data was originally collected for; unless there is an overriding legal basis that enables this processing.
We may collect, hold, use and disclose the information collected to compile statistical data and to maintain our database; to develop or improve our website; respond to any queries; notify you of any upcoming marketing, training or other events that we think may be of interest to you; provide you with publications; manage quality control and compliance issues; manage systems administration; provide you or your organisation with advice; notify you about important changes or developments to our services; contact you for your views on our services or to determine the suitability for employment.
We may also process your personal data in the following circumstances:
To Perform Our Service Under the Contract:
We process information in order to support and maintain our existing or potential contractual relationships under the lawful basis ‘performance of a contract’. We may process personal data in order to provide various supporting client services, take payments and to make improvements to our website. We may record calls made to our staff members including internal, inbound or outbound calls. Occupational health calls may be recorded for training and quality purposes. Calls made directly to our EAP support helpline service are not audio recorded. The lawful basis which we often rely on to process data for the duration of servicing on your account and for the decision to enter an initial or any subsequent contract is under our ‘legitimate interests’. Ensuring our administrative and IT systems are secure and robust against unauthorised access also falls under this basis.
For Fraud Prevention:
Due to the products we offer to companies, we also have a ‘legal obligation’ to validate the status of companies we work with which may involve identifying and verifying individual data subjects as part of our ‘legitimate interests’ to safeguard against criminal or fraudulent activities. We also need to ensure that VAT and premium tax is paid.
To Defend Legal Issues:
We have a ‘legitimate interest’ to process data which may assist us in connection with the establishment, exercise or defence of legal claims.
To Process Sensitive Data:
In some cases, where the processing is deemed high risk or highly sensitive, we may ask for your ‘consent’ before we undertake the processing. For example, if another person such as a manager refers you to us this must always be with consent, such as our occupational health services. Where consent is used as the lawful basis for the processing, you will be entitled to withdraw that consent at any time as well as exercise your data privacy rights.
When Processing Children’s data:
The GDPR calls for special protection of children’s personal data and we will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16. Systems have been introduced to verify individuals’ ages. Where consent is withdrawn action will be taken to cease the processing.
When you apply for a vacancy:
You provide several pieces of data to us directly during the recruitment exercise. In some cases, and to facilitate our ‘Legitimate Interests’ we will collect data about you from third parties, such as employment agencies and former employers when gathering references or credit reference agencies. Should you be successful in your job application, we will gather further information from you, for example, your bank details and next of kin details, once your employment begins. We have a legal obligation to ensure you have a right to work in the UK and make reasonable adjustments for you if you have a disability. The ongoing lawful basis we rely on to process your data will be under our legal obligations or legitimate interests which may include assessments made on salary.
For Marketing Purposes:
Occasionally, we may contact you for marketing, advertising and promotional purposes to provide information about our services, as set out below:
For service users: Health Assured may use personal details for sending you information and updates in regard to similar services or campaigns you have engaged with.
For users of My Healthy Advantage App: App users may be contacted and provided with content relevant to our app services, such as wellbeing articles and videos.
For businesses: As part of our business-to-business sales strategy we may contact companies and individuals of companies about our products and services. For example, we may send newsletters and other marketing communications relating to our business which may be of interest to you.
To do this, we rely on our shared ‘legitimate interests’ in doing business together. This lawful basis also applies to any purchased data we may use from our various lead sources and when we share your data across our group databases. We do not sell your data to any third parties.
Health Assured is one of several companies within The Peninsula Group. There may be occasions where several divisions in the group are involved in the delivery of the services you are contracted to receive. On occasion, we may share data with our affiliated divisions under our ‘legitimate interests’ to enhance the delivery of any services you have. Please refer to the footer of this page for details on the identity of our other group divisions.
You can opt out of group marketing by emailing us at:
For more detailed information on our lead sources please visit the respective company privacy notices below to learn more about their individual data acquisition and handling practices. You can also opt out of updates and marketing by clicking on the unsubscribe button at the footer of our email communications.
· 118 Data Resource Limited:https://www.118information.co.uk/Home/PrivacyPolicy
Data Sharing and International Transfers
Health Assured will not share your personal data with any third parties without your consent. Health Assured do, however, collect anonymised usage information and statistics for the purposes of monitoring app and web site use. This helps us develop our service and show utilisation to the contract holder.
Where applicable to the services being provided, and where we have obtained your consent, we may share identifiable information that indicates that you have registered to use the service to your organisation’s wellbeing team.
For further information please see our Confidentiality Statement.
Personal data will only be disclosed on a confidential basis to external service providers so that they can provide services such as financial, technological or administrative assistance. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.
Any transfers taking place outside the EEA are only permitted with the provision of an Adequacy decision, Standard Contractual Clauses (SCC’s) or any other lawful transfer mechanism. Where necessary, we may need to share data with external organisations such as law enforcement, regulatory bodies, fraud prevention agencies, partners or advisors. Before any data is shared, we ensure that all technical and organisational controls are firmly in place and a data protection impact assessment is undertaken, where applicable, if the sharing or transfer is considered high risk.
Data Storage and Security
We have a dedicated Information Security team who are in place to offer protection across all our networks and IT assets to assist with data security and data loss prevention. All our systems are robustly secured, and we are ISO27001 and ‘Cyber Essentials Plus’ certified.
We also have a specialised Incident Response Team on hand to respond quickly to any data related issues including the prevention and detection of cyber criminals.
Data from clients in the EEA is stored in the EEA. Our clients and service user’s data is stored on servers based within the UK and under its jurisdiction. As a company we promote a ‘paperless’ culture where possible.
All employees who handle personal and business data are fully trained to ensure that the data is processed in line with the General Data Protection Regulations 2018 (GDPR) as well as The Data Protection Act 2018 (DPA 2018).
You can read more about our technical and organisational measures in our GDPR Compliance Statement.
We are committed to taking a practical approach in line with legal, contractual, and commercial requirements when dealing with the ownership, retention and disposal of information relating to our business activities. Health Assured will only keep data for as long as necessary unless there is an overriding legal ground which warrants the retention.
We will typically keep data concerning your account for at least seven years from the date you end your contract with us. Some data may be deleted before or after this time depending on the category of that data in line with our commercial legitimate interests and retention schedule.
Due to some of the work we do, Occupational Health records may need to be retained for reasons such as optimising future healthcare, assessment of employee’s circumstances, legal claims, occupational disease investigations and audit purposes. Health Surveillance and the Control of Asbestos at Work regulations (COSHH) requires firms to retain records relating to risk assessments and personal health data for up to 50 years after individuals leave a post.
When we no longer need to retain the data, steps are taken to ensure that it is deleted securely in line with our Data Disposal Policy. Our Data Retention and Data Disposal policies are available upon request.
Your Data Privacy Rights
All data subjects have individual rights. On a case by case basis, you may have the following rights in relation to your personal data processed by Heath Assured:
- The right to be informed about how your personal data is collected and used
- The right to request access to a copy of any personal data that we hold about you
- The right to rectify personal data we may hold which is identified as incorrect or misleading
- The right to erasure of any personal data; also known as ‘the right to be forgotten’
- The right to restrict further processing of your personal data
- The right to data portability where technology allows us to send personal data onto a new controller
- The right to object to the processing or certain processing activities
- Rights in relation to automated decision-making including profiling.
All of our individual rights requests are dealt with in house and we do not outsource our GDPR data handling to any external party. This is so we can ensure full client and service user confidentiality is maintained.
As an organisation we do not operate any automated decision-making systems. Please be aware that the rights listed in this section only apply to individuals and cannot be used to request data relating to business entities.
Queries and Complaints
Our Group Data Protection officer welcomes communication around our policies and practices and they can be directly contacted on the details below, which are also publicly available on the ICO register. You can also write to us at Health Assured, The Peninsula, Victoria Place, Manchester, M4 4FB.
GDPR Oversight Team: firstname.lastname@example.org
If you’re not satisfied with our response, or believe we’re not processing your personal data in accordance with the law, you can approach the UK regulator for further guidance at www.ico.org.uk/concerns
This version was last updated and reviewed July 2022.
We regularly review and monitor regulatory guidance for any industry changes which may impact our business operations or your rights and freedoms.
In this privacy notice, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
We are legally known as Health Assured Limited, and our registered office is at The Peninsula, Victoria Place, Manchester, M4 4FB, United Kingdom.
We are registered in England and Wales under company number: 6314620
ICO Registration Number: Z1491596
We form part of a larger group of undertakings known as ‘The Peninsula Group’. Other Companies that sit within our Group of companies within the global group:
Croner (UK), Croner-I (UK), Croner Taxwise (UK), Bright HR (UK), Peninsula Business Services (UK), Peninsula Employment Services (Ireland), Graphite HRM (Ireland), Employsure (Australia), Employsure (New Zealand), Peninsula Business Services (Canada).
Copyright © Health Assured Limited 2022