Last updated: 23 Aug 2023
1. Introduction
This Privacy Policy explains how we use Personal Information which we collect about individuals in relation to our group protection products.
We take the security of your Personal Information very seriously. We use a combination of technical, organisational and physical security measures to protect your Personal Information in line with our obligations under data protection law. Our employees receive training to help us comply with data protection law and safeguard your privacy.
This Privacy Policy is issued on behalf of the Aviva group companies within the United Kingdom. When we mention "Aviva", "we", "us" or "our", what we mean is the relevant company in the Aviva group that processes your Personal Information.
Each Aviva group company that processes your Personal Information is responsible for looking after it in accordance with this Privacy Policy. The Aviva group company that provides the policy will be the main company responsible for your Personal Information, known as the controller. Please check the documentation that we provide to you for details of the specific Aviva company acting as controller of your Personal Information. If you are unsure, please contact us. We may share your Personal Information with other companies in the Aviva group in accordance with this Privacy Policy.
We have separate privacy notices for our different types of products, so if you have a number of Aviva products you may need to review more than one privacy notice. We may also supplement this Privacy Policy with additional privacy notices tailored to our specific relationships with you where this is useful to provide you with a full picture of how we collect and use your Personal Information. This Privacy Policy supplements – but doesn’t override – them.
Most of the Personal Information we collect relates to the member and/or their family covered under a policy taken out by the member’s employer. We may also ask for Personal Information about other individuals if we need it. For example, if the policy is written under trust we will ask for details about the trustee and beneficiaries.
If you provide us with Personal Information about someone else, including if you are an employer providing Personal Information about your employees or someone else, we’ll assume that you have their permission, where required. We’ll process Personal Information about such individuals according to this Privacy Policy so it may be helpful to show them this Privacy Policy and if they have any concerns please contact us.
2. Personal Information We Collect and How it is Used
Sources of Personal Information
We obtain Personal Information directly from your employer at application stage and from you at application and claims stage if required. At claims stage, we can accept information about the claim from you, your next of kin, your legal representative or another relative. Where the policy is under trust we may receive Personal Information from appointed trustees.
We may also obtain Personal Information from third parties, including the following:
- Insurance brokers or financial advisers;
- Third parties involved in the relevant insurance policy or claim, including other insurers, legal advisers, brokers and advisers;
- Healthcare providers and medical practitioners;
- Service providers in relation to the relevant insurance policy or claim, including medical experts and in limited circumstances, private investigators;
- Aviva group companies who may provide information in relation to other products you hold, previous claims, policies or quotes;
- Data brokers, e.g. Experian and LexisNexis;
- Financial crime detection agencies, databases and sanctions lists, including the Insurance Fraud Bureau;
- Government agencies and regulatory bodies, including the police, the courts, the Department for Work and Pensions (DWP), Companies House, the National Health Service (NHS) and HM Revenue & Customs (HMRC);
- Regulators who regulate how we operate, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Information Commissioner’s Office (ICO), and Financial Ombudsman Service (FOS);
- Third parties that help us maintain the accuracy of our data, e.g. by identifying individuals who are deceased, updating contact details for individuals who have moved;
- Third party suppliers, including auditors, legal advisers and other professional service firms, and sanctions-checking service providers;
- Publicly available sources, including the Office for National Statistics (e.g. census data) and other data made available under the Open Government Licence internet searches, news articles, online marketplaces and social media sites, apps and networks (e.g. Twitter, Facebook and Instagram);
- Third parties in connection with any acquisition of a business by us.
Types of Personal Information collected
The Personal Information we hold and process includes:
Information provided by you or third parties, including:
- General data – includes your name, date of birth, marital status, country of residence/citizenship and your relationships to other people;
- Contact data – includes your address, telephone number and e-mail address;
- Identification data – includes government issued identification numbers, e.g. your NHS number and other identifiers, e.g. usernames and social media identifiers;
- Appearance and behavioural data – includes your gender, age, general interests, how often and where you travel, descriptive data, e.g. your height and weight, demographic data and behavioural data, e.g. your purchase history.
- Health and lifestyle data – includes details of your Body Mass Index, whether you do or have ever smoked or used tobacco products, details regarding alcohol consumption. For further information see Sensitive Personal Information;
- Product data – includes information about quotes, policies, schemes and claims, and any other information relevant to your product, including policy and claim histories;
- Claims data – if a claim is made under an insurance policy, this includes information about the claim collected from you, your next of kin or another relative, your legal representative or other relevant third parties;
- Fraud and sanctions related data – includes information obtained as a result of our investigations, e.g. carrying out checks of publicly available sources such as newspapers and social media sites and information obtained from checks of fraud databases and sanctions lists such as relationships/close associations with politically exposed persons;
- Employment-related data – includes your employment status, job title, salary, and employment and history;
- Financial data – includes bank account details, details of income, tax bands and liabilities, assets and liabilities e.g. information on shareholdings and loans;
- Vulnerability data – information about health, life events, resilience and capability that helps us identify if you might have additional support requirements in order that we can better meet your needs;
- Telephone recordings and online chat transcripts – information obtained during recordings of telephone calls or online chats with our representatives and call centres;
- Communication preferences and customer feedback – includes communication preferences, responses to surveys, complaints and details of your customer experience.
Information provided by third parties, including:
- Accurate contact data, e.g. where you have moved address, changed your telephone number or started using a new email address and not yet advised Aviva. This data may be used to ensure that we have a complete understanding of your product holding and to provide you with communications about your products. It will not be used for direct marketing purposes unless it was collected by the third party expressly for that purpose and always in accordance with data protection law.
Information collected from your devices, including:
- Mobile device number, device type, operating system, browser, MAC address, IP address, location and account activity obtained through our use of cookies. You can find more about our use of cookies in our Cookie Policy.
Information already held by Aviva, including:
- If you hold another Aviva policy in your own right, data relating to other Aviva policies – e.g. quote, policy and claim histories relating to other existing Aviva policies or products or those you may have applied for or held in the past, and contact details where you may have advised Aviva about a change on one product, but not another;
- Modelled data that has been developed by Aviva using data that it already holds.
Information inferred from your Personal Information, including:
- Vulnerability data – information about health, life events, resilience and capability that helps us identify if you might have additional support requirements in order that we can better meet your needs;
- Fraud and sanctions-related data – includes information obtained as a result of our investigations, e.g. carrying out checks of publicly available sources, such as newspapers and social media sites and checks of fraud databases and sanctions lists.
Children’s data:
- We collect data about children in some circumstances e.g. where they are eligible for a child’s critical illness claim or where they are beneficiaries of a policy in trust.
Sensitive Personal Information
Sometimes we will request or receive Personal Information that is sensitive and we call this “Sensitive Personal Information”. This is information relating to your health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. It also covers criminal offence data, including information about criminal activity, allegations (including those unproven), investigations, proceedings and penalties. For example, to investigate a claim made under a critical illness or income protection policy, we’ll need to ask you to provide details of your health condition. We know how sensitive this data is, so protecting it is a top priority. The types of Sensitive Personal Information we hold and process where relevant includes:
- Health data – includes details of existing and previous physical or mental health conditions, health status, test results, medical diagnoses and treatment given, prescriptions and personal habits (e.g. smoking or consumption of alcohol);
- Criminal data – includes details of convictions, e.g. in relation to fraud;
- Other sensitive data – in limited circumstances we may process other Sensitive Personal Information. For example, we may process information relating to your religious beliefs where relevant to your preferences regarding medical treatment.
Uses of Personal Information
The main purposes for which we use Personal Information are to:
- Communicate with you and other individuals;
- Make assessments and take decisions, including whether to provide you with our products and services and on what terms;
- Provide our products and services, including insurance administration, making changes where requested or necessary, managing renewal, claims assessment, settlement and dispute resolution and the provision of our apps and other technologies, e.g. DigiCare+ Workplace;
- Manage relationships with third parties, e.g. brokers and service providers.
- Prevent, detect and investigate fraud and other crime, including by carrying out fraud, sanctions and anti-money laundering checks. For further information see Fraud and Other Financial Crime;
- Improve our products and services, provide staff training and maintain information security, including by recording and monitoring telephone and online calls and screen sharing sessions;
- Conduct customer insight analysis, market research and focus groups, including customer segmentation, gathering customer feedback, creating promotional materials and customer satisfaction surveys;
- Help us better understand our customers and improve our customer engagement;
- Carry out data analysis, including to ensure data accuracy and quality and for insurance risk modelling and product and pricing refinement. For further information see Profiling and Data Analysis;
- Manage complaints, including to allow us to respond to any current complaints, or challenges you or others might raise later, for internal training and monitoring purposes and to help us to improve our complaints handling processes. We may be obliged to forward details about your complaints, including your Personal Information, to the appropriate authorities, e.g. the relevant ombudsman;
- Manage feedback and queries, and handle requests to exercise data subject rights. For further information see Data Rights;
- Manage our business operations, including by carrying out internal audits, quality assurance and training, financial analysis and accounting, producing management information, and performing administrative activities in connection with the services we provide;
- Manage commercial risk, including by taking out and maintaining appropriate insurance and reinsurance;
- Comply with applicable legal, regulatory and professional obligations, including cooperating with regulatory bodies e.g. the FCA, PRA, ICO and government authorities, to comply with law enforcement and to manage legal claims;
- Identify and support customers requiring additional support, to help us better meet your needs and to comply with regulatory guidance about how we meet your needs. Sometimes you or a third party may tell us that you have additional support requirements, and in other cases we may infer this from your Personal Information and our interactions with you;
- Establish, enforce and defend our legal rights or those of third parties, including enforcing our terms and conditions, pursuing available remedies and limiting our damages;
- Carry out activities that are in the public interest, e.g. we may need to use Personal Information to carry out anti-money laundering checks;
- Buy, sell, transfer or dispose of any part of our business;
- Archiving, scientific or historical research or statistical purposes.
Lawful Bases for uses of Personal Information
We are committed to collecting and using Personal Information in accordance with applicable data protection laws. By law, we must have a legal justification, known as a lawful basis, in order to use your Personal Information for the purposes described in this Privacy Policy. Depending upon the purpose, our lawful basis will be one of the following:
- Performance of a contract – to arrange, underwrite or manage our products, or handle claims in accordance with their terms;
- Compliance with a legal obligation – to meet responsibilities we have to our regulators, tax officials, law enforcement, or other legal responsibilities;
- Legitimate interests – to operate and improve our products and services and keep people informed about our products and services or for any other purposes we identify as appropriate to our business needs, or those business needs of a third party;
- Consent – where we have obtained appropriate consents to collect or use your Personal Information for a particular purpose.
Where we rely on legitimate interests as our lawful basis, we are required to carry out a balancing test to ensure that our interests, or those of a third party, do not override the rights and freedoms that you have as an individual. The outcome of this balancing test will determine whether we can use your Personal Information for the purposes described in this Privacy Policy. Where we rely on the lawful basis of legitimate interests, the interests being relied upon will usually be:
- To further our business and commercial activities and objectives, or those of a third party, e.g. to provide our products and services and produce management information on our performance and the performance of third parties;
- To provide cover to you under a group policy where your employer is the policyholder;
- To provide you with helpful information relating to your products and about useful tools for managing and engaging with your products. These are not marketing communications;
- To comply with our legal and regulatory obligations, guidelines, standards and codes of conduct, e.g. background checks or the prevention, detection and investigation of financial crime or fraud;
- To improve and develop our business, products and services, or those of a third party, e.g. to ensure the accuracy of customer data and to develop our pricing and risk methods and models;
- To retain policy records for a period of time in order to ensure we have appropriate records in place in respect of any future claims that may be insured by us;
- To safeguard our business, shareholders, employees and customers, or those of a third party, e.g. maintaining the security of our IT network and information, enforcing claims, including debt collection;
- To facilitate the purchase, sale, transfer or disposal of any part of our business; and
- To analyse and assess competition in the market for our products services, e.g. by carrying out market research.
Our lawful bases for the use of Personal Information:
| Purpose | Lawful Basis for Personal Information Processing |
|---|---|
| Communicating with you and others including complaints handling | Performance of a contract |
| Identifying customers requiring additional support | Compliance with a legal obligation |
| Providing and administering a policy | Performance of a contract |
| Risk assessment including underwriting | Performance of a contract |
| Managing third party relationships e.g. brokers | Performance of a contract |
| Claims assessment and management of claims | Performance of a contract |
| Financial or other crime, fraud and credit checks | Performance of a contract |
Compliance with legal or regulatory obligations | Compliance with a legal obligation |
| Establish, enforce or defend legal rights | Compliance with a legal obligation |
| Improving quality, training and security | Legitimate interests |
| Managing our business operations e.g. accounts, financial analysis, internal audit | Compliance with a legal obligation |
| Data analysis (including modelling) | Legitimate interests |
| Applying for or claiming on our insurance | Legitimate interests |
| Customer insight analysis, campaign planning etc | Legitimate interests Consent |
| Buy, sell, transfer or dispose of our business | Compliance with a legal obligation Legitimate interests |
| Archiving, research or statistical purposes | Legitimate interests |
We can only collect and use Sensitive Personal Information where we have an additional, specific lawful basis to process such information. We usually rely upon one of the following lawful bases where we process Sensitive Personal Information:
- Reasons of substantial public interest:
- insurance purposes – including advising on, arranging, underwriting and administering contracts of insurance, administering claims under a contract of insurance and exercising rights, or complying with obligations that arise in connection with contracts of insurance;
- complying, or helping someone else comply with, a regulatory requirement relating to unlawful acts and dishonesty - including regulatory requirements to carry out money laundering checks;
- preventing or detecting unlawful acts – including disclosures to competent authorities;
- preventing fraud – including investigating alleged fraud;
- safeguarding the economic well-being of certain individuals – including where we identify additional support required by our customers;
- equality of opportunity or treatment – including where we need to keep under review the equality of treatment of customers with additional support needs.
- Necessary to establish, exercise or defend a legal claim – including where we are faced with legal proceedings, we bring legal proceedings ourselves or where we are investigating legal proceedings that a third party has brought against you;
- Information has been clearly or obviously made public by you.
Our lawful bases for the use of Sensitive Personal Information:
| Purpose | Lawful Basis for Sensitive Personal Information Processing |
|---|---|
| Communicating with you and others including complaints handling | Necessary for insurance purposes Legal claims Necessary for safeguarding economic well-being of certain individuals |
| Identifying customers requiring additional support | Necessary for safeguarding economic well-being of certain individuals |
| Providing and administering a policy | Necessary for insurance purposes |
| Risk assessment including underwriting | Necessary for insurance purposes |
| Managing third party relationships, e.g. brokers | Necessary for insurance purposes |
| Claims assessment and management of claims | Necessary for insurance purposes Legal claims |
| Identifying or investigating financial or other crime and fraud | Necessary for insurance purposes Legal claims Regulatory requirement relating to unlawful acts or dishonesty Clearly or obviously made public by you Prevent or detect crime Prevent fraud Necessary for safeguarding economic well-being of certain individuals |
| Compliance with legal or regulatory obligations | Necessary for insurance purposes Legal claims Regulatory requirement relating to unlawful acts or dishonesty |
| Establishing, enforcing or defending legal rights | Legal claims |
| Improving quality, training and security | Legal claims Explicit consent |
| Managing our business operations, e.g. accounts, financial analysis, internal audit | Legal claims Explicit consent |
| Data analysis (including modelling) | Necessary for insurance purposes |
| Applying for or claiming on our insurance | Necessary for insurance purposes Legal claims |
| Buying, selling, transferring or disposing of our business | Necessary for insurance purposes Legal claims Explicit consent |
| Archiving, research or statistical analysis | Necessary for archiving, research or statistical analysis |
Where we cannot rely on one of the above lawful bases to process your Sensitive Personal Information for a particular purpose, we will seek your explicit consent.
If you would like to know more about the lawful bases we rely upon, or how the lawful basis of legitimate interests applies to a particular purpose, you can contact us.
4. Fraud and Other Financial Crime
We use your Personal Information to detect and prevent fraudulent practices, fight financial and other financial crime and including to meet our statutory and regulatory responsibilities in relation to fraud and financial crime.
We may also use your Personal Information including details of our interactions with you to help us detect fraud committed by brokers or financial advisers or to identify where you or a third party may be at risk of fraud or other financial crime.
To prevent, detect and investigate fraud, we:
- conduct online searches from websites, social media and other information sharing platforms;
- use databases managed by, insurance industry bodies, fraud detection agencies and other reputable organisations. This includes the Insurance Fraud Bureau whose Privacy Policy can be viewed here; and
- share Personal Information and undertake searches with other third parties, including other insurers, fraud prevention agencies, law enforcement agencies, public bodies and our regulators (which include the FCA, PRA and ICO).
This will help us verify your identity, make decisions about providing you with our products and related services, e.g. paying claims, and trace debtors or beneficiaries.
If you give us false or inaccurate information and we suspect fraud, we’ll record this to prevent further fraud and money laundering and this may be shared with other parties.
We can supply on request further details of the agencies and databases we access or contribute to and how this information may be used. If you require further details contact us.
5. Profiling and Data Analysis
We may use your Personal Information to perform analysis, e.g. to help us to ensure data quality and accuracy, improve our business, train our machine-learning systems and ensure we’re appropriately pricing our products. The purpose of this analysis is not to make decisions about you directly, but your information, in combination with data relating to other customers and/or data provided by third parties, will be used to conduct data analysis. This may help us to identify trends or better understand insurance risk factors which in turn mean that we price our policies effectively. Where possible we pseudonymise the Personal Information in order to perform this analysis. This means that we remove information from which you can be directly identified, e.g. your name and replace it with a pseudonym. We do this to maximise the security of your information.
6. Retention
We keep Personal Information for as long as is reasonably required for the purposes explained in this Privacy Policy. We also keep records – which may include Personal Information – to meet legal, regulatory, tax or accounting needs. For example, we are required to retain an accurate record of your dealings with us, so we can respond to any complaints or challenges you or others might raise later. We’ll also retain files if we reasonably believe there is a prospect of litigation. The specific retention period for your Personal Information will depend on your relationship with us and the reasons we hold your Personal Information.
To support us in managing how long we hold your data and our record management, we maintain a data retention policy which includes clear guidelines on data retention and deletion.
If you would like more information about our data retention policy, please contact us.
7. International Data Transfers
Sometimes we, or third parties acting on our behalf, may need to transfer Personal Information outside of the UK. We’ll always take steps to ensure that any transfer of Personal Information outside the UK is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place. This might include transfers to countries that the UK considers will provide adequate levels of data protection for your Personal Information (such as countries in the European Economic Area) or putting contractual obligations in place with the party we are sending information to. Transfers within the Aviva group will be covered by an agreement entered into by members of the Aviva group (an intra-group agreement) which contractually obliges each group company to ensure that your Personal Information receives an adequate and consistent level of protection wherever it is transferred within the group.
For more information about data transfers and the safeguards we have put in place, please contact us.
8. Data Rights
You have legal rights under data protection laws in relation to your Personal Information. Read below to learn more about each right you may have.
We may ask you for proof of identity when you make a request to exercise any of these rights. We do this to ensure we only disclose information to the right individual.
We aim to respond to all valid requests within one month. It may take us longer if the request is particularly complicated or you have made several requests. We’ll always let you know if we think a response will take longer than one month. We may also ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to do what you have asked. This is because your rights will not always apply, e.g. if it would impact the duty of confidentiality we owe to others, or if the law allow us to deal with the request in a different way. We will always explain to you how we are dealing with your request. In some circumstances (such as the right to erasure or withdrawal of consent), exercising a right might mean that we can no longer provide our product to you.
For further information about or to exercise any of your rights, please contact us. If you wish to make a subject access request, please fill out this form.
Your rights are as follows:
Access to your Personal Information
You may ask us for a copy of your Personal Information together with specified details about how we use your information. This is commonly known as a ‘subject access request’.
If you wish to make a subject access request, please fill out this form or write to us using the details in Contacting Aviva.
If your request is made electronically, we will, where possible, respond to you electronically. Otherwise, we will normally respond in writing unless you request otherwise.
Rectification of your Personal Information
We do our best to ensure that your Personal Information is accurate and kept up to date. If you believe your information is inaccurate or incomplete, then please contact us to request that we amend or update it.
Erasing your Personal Information
You may ask us to erase your Personal Information, but this right only applies in certain circumstances, e.g. where:
- it is no longer necessary for us to use your Personal Information for the original purpose;
- our lawful basis for using your Personal Information is consent and you withdraw your consent; or
- our lawful basis is legitimate interests and there is no overriding legitimate interest to continue using your Personal Information if you object.
This isn’t an absolute right and we have to balance your request against other factors such as legal or regulatory requirements, which may mean we cannot erase your Personal Information.
Restricting processing of your Personal Information
You may ask us to stop using your Personal Information in certain circumstances such as:
- where you have contacted us about the accuracy of your Personal Information and we are checking the accuracy;
- if you have objected to your Personal Information being used based on legitimate interests.
This isn’t an absolute right and we may not be able to comply with your request.
Data portability
In some cases, you can ask us to transfer Personal Information that you have provided to us to another third party of your choice. This right only applies where:
- we have justified our use of your Personal Information based on your consent or the performance of a contract with you; and
- our use of your Personal Information is by electronic means.
Right to object
You can object if you no longer wish to receive direct marketing from us.
You may also object where you have grounds relating to your particular situation and the lawful basis we rely on for using your Personal Information is our (or a third party's) legitimate interests. However, we may continue to use your Personal Information where there are compelling legitimate grounds to do so.
Automated decision making and profiling
You have the right not to be subject to a decision using your Personal Information which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right does not apply if the decision is:
- necessary for the purposes of a contract between us and you;
- authorised by law (e.g. to prevent fraud); or
- based on your explicit consent.
You do however have a right to request human intervention, express your view and challenge the decision.
Withdrawing consent
In some circumstances we ask for your consent to use your Personal Information. You are free to withdraw your consent at any time.
If it is the case that we need your consent to provide you with a particular product and you wish to withdraw your consent, we may no longer be able to provide our product to you. Where that is the case, we will inform you before taking any action.
9. Contacting Aviva
If you have any questions about this Privacy Policy or how to exercise your rights, please contact our Data Protection Officer:
Write to: The Data Protection Team, Aviva, PO Box 7684, Pitheavlis, Perth PH2 1JR
Email us: DATAPRT@aviva.com
If you'd like to submit a subject access request, please fill out this form or write to us at the above address.
If you’re not happy with the way we’re handling your Personal Information, you have a right to make a complaint with your local data protection supervisory authority at any time. In the UK this is the Information Commissioner's Office (ICO). We ask that you please attempt to resolve any issues with us before contacting the ICO.
10. Updates
This Privacy Policy is updated from time to time to take account of changes in our business activities, legal requirements and to make sure it’s as transparent as possible, so please check back here for the current version. You can see when this Privacy Policy was last updated by checking at the top of this page.