WPA takes the privacy and security of your data very seriously. It is important that you take the time to read this page, as it describes the data we collect and
explains how we use the information you have provided.
The WPA group is committed to protecting all personal data. This Privacy Policy provides more information on our approach to data protection.
Date effective and last updated: March 2025
1. About this Privacy Policy
WPA group companies that this Privacy Policy covers
This Privacy Policy covers the personal data which is processed by the following WPA group companies, each of which is a controller of the personal data that you supply:
Western Provident Association Limited which primarily processes your data in providing health insurance services
WPA Protocol PLC which primarily processes your data when it administers health care trusts (including making health benefits available to scheme members), and
WPA Healthcare Practice PLC which primarily processes your data when you obtain advice on WPA products from one of its Healthcare Partners (together,
"WPA")
Any reference to WPA means all of the WPA group companies covered by this Privacy Policy, or any one of them.
WPA stores and processes your personal data in accordance with the Data Protection Act 2018 (the "DPA"), the UK General Data Protection Regulation and
all other applicable data protection and direct marketing laws.
Purpose
This Privacy Policy sets out what personal data WPA uses, how we use it, and provides information about your data protection rights.
Who this Privacy Policy is for
Our Customers including anyone:
who has been or is able to make a claim on a policy, plan or scheme, including a scheme which is administered by us
who contacts us about our services
who accesses the WPA website or uses the WPA Health app, or
who is appointed to communicate with us on behalf of a
, for example someone appointed under a power
of attorney
Our Business Partners including:
any individual (other than a ) who engages with us
because of a business relationship. This includes our Healthcare Partners, individual providers of healthcare services and brokers
2. How to contact us
If you have any questions or concerns about WPA's use of your personal data, please contact the Data Protection Officer in writing at Rivergate House, Blackbrook Park,
Taunton, Somerset, TA1 2PE, or via email at dataprotection@wpa.org.uk.
3. Personal data we process
The personal data that WPA collects depends on whether you are a
or
and on how you use the WPA website and
other WPA services. It could include the following categories:
Business Partner Contact and Profile Data
Name
Identification number such as provider number
Title
Date of birth
Correspondence address
Telephone number
Practice address(es)/business address
Postcode
Email address
Details of invoices submitted and paid
Services provided
Qualifications and registrations
Professional biography information including references and qualifications, practice areas, conditions on practice
Any information not otherwise categorised that you may supply to us for example in the process of submitting invoices or in correspondence
Criminal Offence Data
Information about suspected, alleged or actual fraud and criminal activities, including Cifas records and investigation notes and records
Identification / Verification Data / Background Data
Identification documents needed to verify your identity to include government issued or national identity documents (such as passports or IDs)
Information about your credit record
Employment Details
Your employer (if any) and role
Business Partner Communication Data
Any personal data that you may supply to WPA in your communications with us
Payment Data
Bank details (account number and sort code), credit/debit card details
Date of bill
Billing address
Special Category Data
For Healthcare Partners, health data which you choose to give us in connection with your business relationship with us
Contact and Profile Data
Name, and former names
Identification number including
number & policy/plan/scheme/claim numbers
Username or similar identifier
Payroll number/job grade/work location (where your scheme or plan is funded or provided by your employer)
Marital status
Date of birth
Title
Residential address
Postcode
Email address
Telephone numbers
Details about authorised claim payments to you
Your policy/plan/scheme details
Information we may record on your account to assist us with managing our relationship with you
Any information not otherwise categorised below that you supply to us, for example in applications for a policy, in claims, or in correspondence
Employment Details
Your employer, role, rights under any employer sponsored scheme you are a member of and other information we receive in connection with your employment in
administering your employer sponsored scheme
Special Category Data
Medical history
Health data
Criminal Offence Data
Information about alleged or actual fraud and criminal activities, including Cifas records and investigation notes and records
Payment Data
Billing address
Payment method
Cardholder details
Bank details (account number and sort code)
Identification / Verification Data
Identification documents needed to verify your identity to include government issued or national identity documents (such as passports or IDs)
Information about your credit record
Communication Data
Any personal data that you may supply to WPA in your communications with us, as well as in applications for policies or for registration/recognition/claims,
such as your name, policy/plan/scheme details, claim and health data, contact information, payment details, and telephone number
Your preferences in receiving marketing from us and your communication preferences
Geolocation Data
IP address
Communication Data
Any information you supply to us, for example in web forms, by email, or by registering for or logging in to a
account or WPA website
Your preferences in receiving marketing from us and your communication preferences
Website Usage and Device Data
Analytics data and information about your visit (such as the session duration, the pages on the WPA website that you access, the page referrer, and other
analytics data)
Login information (if applicable)
Browser and operating system information
Cookies, Analytics, and Third-Party Technologies
We collect information through the use of cookies, tracking pixels, data analytics tools, Software Development Kits, and other third-party technologies like
advertising IDs to understand how you use the WPA website to improve your experience with our site (according to your cookies preferences) and to save your
preferences.
For more information about cookies, see
of this policy.
Data provided by your treatment provider or those involved in your care or treatment
Any information we feel reasonably appropriate in relation to the administration of your policy or plan, for example, health and medical data, contact and
profile data
Data provided by your Employer if your health care plan is made available to you as a result of your employment
Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data,
family status, contact and profile data
Information from Insurance brokers, your Healthcare Partner or other similar intermediaries
Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data,
contact and profile data
Information provided by medical professionals whose services you are able to access through your WPA policy or plan
Any information we feel reasonably appropriate in relation to the administration of your policy, for example, health and medical data, contact and profile data
Information provided by someone with authority to act on your behalf in relation to your WPA policy or plan
Any information we feel reasonably appropriate in relation to the administration of your policy or plan, for example, health and medical data, contact and
profile data
Information provided by our regulators, HM Revenue & Customs, law enforcement and fraud prevention agencies and the media including social media
Any information required to undertake checks for the purposes of preventing financial crime, fraud, money laundering, and to verify your identity or in
connection with any legal proceedings
From other sources such as authorised third parties who administer services on behalf of WPA
Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data,
contact and profile data. In addition, information that we collect to conduct commercial activities such as direct marketing
4. How we collect your personal data
We may collect and process your personal data from the following sources:
from you, or by someone on your behalf (including from the main policy/plan holder if you are a dependant), or by your broker, Healthcare Partner or solicitor
other WPA group companies
if you are a member of a scheme provided through your work (or a family member's work), your/their employer, the trustee of the scheme and firms who provide
services to your employer/the trustee such as brokers or advisers
other health insurance or health care plan providers (including if you or your employer switches from another provider to WPA), or in relation to the investigation
or prevention of financial crime
when you use WPA services and the WPA website
from other sources such as authorised third parties who administer services on behalf of WPA
your treatment provider or those involved in your care or treatment (e.g., your GP, specialist, or therapist)
public sources such as the electoral register, HM Land Registry, Companies House and through media, including social media in limited circumstances, or
our regulators, HM Revenue & Customs, law enforcement and debt collection, credit and fraud prevention agencies and bodies
We may collect and process your personal data from the following sources:
from you, or from someone on your behalf, including through third-party registration or appointment booking portals
from our
when you use the WPA website
if you are a provider of healthcare services to our
, from hospitals and healthcare facilities
from public sources such as The Medical Register maintained by the General Medical Council
public sources such as the electoral register, HM Land Registry, Companies House and through media, including social media in limited circumstances, or
our regulators, HM Revenue & Customs, law enforcement and debt collection, credit and fraud prevention agencies and bodies
5. How we process your personal data
In this section we explain each legal basis or other 'condition' that WPA relies on to process your personal data.
Our main legal bases for processing all types of your personal data are:
Performance of a contract: e.g. when it is necessary for WPA to take steps in order to enter into a contract with the individual to whom the personal
data relates, or for WPA to provide the services set out in a contract between WPA and the relevant individual
Legitimate interests: where WPA or a third party has a legitimate interest in the processing, for example to detect or prevent fraud
Consent: where you have consented to us processing your data
Compliance with legal obligations: where processing is required in order for WPA to comply with applicable laws or regulations, or
Vital interests: we may process personal data where it is necessary to protect your vital interests or those of others, for example in the event of
an emergency or an imminent threat to life
When we process special category data such as health data criminal offence data, additional legal bases/conditions will apply.
Special Category Data
Where we process your health data we may do so on the basis that the processing is necessary for reasons of substantial public interest:
to advise on, arrange, provide or manage an insurance contract
to manage claims made under an insurance contract
in relation to rights and responsibilities relating to or in an insurance contract or insurance law
The processing of health data for these purposes is provided for in Schedule 1, Part 2 section 20(1) of the DPA. Please note that WPA's health insurance contracts
include Western Provident Association Limited's cash plan and private medical insurance products.
We may also process health data with your consent (if required) or when it's in your vital interests.
WPA Protocol PLC administers health care schemes. If you access benefits under a health care scheme, we will seek your consent to process your health data. WPA Protocol
PLC is unable to process claims for health care benefits without having access to health data.
We may also use health data and other types of special category data as required to bring or defend legal proceedings or as otherwise permitted by law.
Criminal Offence Data
We process information about criminal offences and convictions to carry our background checks to prevent fraud and money laundering and to help us identify and prevent
fraud.
We do this as permitted by data protection law. The legal basis for this processing is set out in Schedule 1, Part 2, Paragraphs 10 (preventing or detecting unlawful
acts) & 14 (preventing fraud) of the DPA.
We may also process criminal offence data in other circumstances e.g. for insurance purposes or in the context of legal claims (as provided for in Schedule 1,
paragraph 33 DPA).
Further detail on the purposes for which we process personal data, the types of personal data we process for each purpose and the specific legal
bases for processing in that context are set out below.
We use your personal data to provide you access to our website and if you are a
, to provide you access to and to operate your
My WPA account and WPA Health app, and to troubleshoot.
Types of personal data we process for this purpose:
Geolocation Data
Website Usage and Device Data
Cookies, Analytics, and Third-Party Technologies
Identification / Verification Data / Background Data
Our legal basis for processing:
Performance of a Contract
Legitimate Interests - it is in the interests of WPA, our
and website visitors for us to provide
a website and app which provides suitable levels of functionality
We use personal data to administer health insurance policies/plans and healthcare schemes. This includes:
Managing our relationship with you
Assessing and processing claims
Paying claims, including making payment to providers of healthcare services
Communicating with you in relation to your policy/plan and optimising our efficiency and services
We also record and use information to help us to comply with regulatory provisions relating to tailoring our engagement with you to meet your specific needs.
When you use and access our services through your My WPA account or through the WPA Health app, we will also use other personal information. Please see the
information on for more details.
Types of personal data we process for this purpose:
Contact and Profile Data
Communication Data
Employment Details
Demographic Data
Criminal Offence Data
Payment Data
Identification / Verification Data
Special Category Data
Our legal basis for processing:
Performance of a Contract
Compliance with a Legal Obligation
Legitimate interest
Consent
Special Category Data: for insurance purposes. Please see the information on
for further details
We use personal data to promote our services. If you have opted in, WPA may contact you by letter, telephone, e-mail or using other contact details supplied by
you in order to inform you of services or products in which we believe may be of interest to you.
You can opt out of these communications at any time by following the instructions as set out in
of this policy.
WPA may also contact you to follow up on an enquiry about our products or services, or to administer your policy with WPA.
Types of personal data we process for this purpose:
Contact and Profile Data
Communication Data
Demographic Data
Website Usage and Device Data
Cookies, Analytics, and Third-Party Technologies
Our legal basis for processing:
Performance of a Contract
Legitimate Interest - It is in the interests of WPA, our
and potential
to provide information about our
services and to develop our products, services and
base
Consent - Where we cannot rely on our legitimate interests to process your personal information for any of these purposes, we will do so only with your consent
We use personal data to provide advice and information about our services and to produce quotes.
Types of personal data we process for this purpose:
Contact and Profile Data
Demographic Data
Special Category Data
Our legal basis for processing:
Legitimate Interests - It is in the interests of WPA and our potential
for us to provide information about our
services and produce quotes on request
Performance of a Contract
Special Category Data: for insurance purposes. Please see the above information on
for further detail
We collect and process data to confirm your identity and to verify your age and eligibility for our services.
Types of personal data we process for this purpose:
Contact and Profile Data
Demographic Data
Criminal Offence Data
Identification / Verification Data
Our legal basis for processing:
Compliance with a Legal Obligation
Legitimate Interests - It is in our interest to verify your identity to protect our business and to reduce the risk of fraud
Criminal Offence Data: preventing or detecting unlawful acts/preventing fraud. Please see the above information on
for further detail
We process your data to communicate with third parties.
We share personal data with third parties who provide services to us, or act as our agents such as those further described in
of this Privacy Policy. This includes communicating with medical professionals involved in your care or treatment.
Types of personal data we process for this purpose:
Contact and Profile Data
Special Category Data
Payment Data
Identification / Verification Data
Demographic Data
Communication Data
Our legal basis for processing:
Performance of a Contract
Consent
Special Category Data: Please see the above information on
for further detail
We process personal data in connection with investigating and managing complaints and bringing/defending legal claims.
We also process personal data as part of complying with applicable legal regulatory or tax requirements, or in response to requests from governmental or regulatory
bodies, including law enforcement agencies.
Types of personal data we process for this purpose:
Depending on the claim or legal/regulatory requirement, all types of personal data that we hold about you may be processed for this purpose.
Our legal basis for processing:
Compliance with a Legal Obligation
Consent
Legitimate interests - in the context of litigation or other disputes, investigations or regulatory inquiries, we may protect the interests and rights of WPA,
the interests of our or others
Special Category Data: Please see the above information on
for further detail
Criminal Offence Data: Please see the above information on
for further detail
We undertake checks and use data to investigate and prevent improper claims, financial crime, fraud, money laundering and to verify your identity. We may use the
personal data you have provided or that we have received from third parties to do this. This includes data we obtain from the media including social media.
Types of personal data we process for this purpose:
Contact and Profile Data
Special Category Data
Payment Data
Identification / Verification Data
Demographic Data
Communication Data
Special Category Data
Criminal Offence Data
Our legal basis for processing:
Compliance with a Legal Obligation
Legitimate Interests - we have a business interest in minimising financial crime, fraud, and money laundering, and checking identities to protect our business
Special Category Data: Please see the above information on
for further detail
Criminal Offence Data: Please see the above information on
for further detail
We perform research, testing, and analytics to monitor, better understand and improve our business and services.
We use and analyse aggregated statistical information (which may be anonymised). This includes data about claims, plans, policies,
, the WPA website, user accounts and the
WPA Health app.
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for this purpose.
Our legal basis for processing:
Legitimate Interest - We use and analyse data to make informed business decisions and get accurate reports. This helps us improve and develop our services
continuously
Consent (if required)
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for technical and cyber security reasons. These include:
ensuring the security of the service and website
backing-up data
addressing technical and security matters
Our legal basis for processing:
Legitimate Interest - We have a legitimate interest in keeping the personal data that we hold safe and secure
We may also use your data where it is necessary to protect your vital interests or those of others, for example in the event of an emergency or an imminent threat
to life.
Types of personal data we process for this purpose:
This may include
Our legal basis for processing:
Vital Interests
We may use CCTV at our premises and in our grounds to enhance our physical and data security.
We generally retain this data for 3 months unless it is needed for a specific purpose such as to bring or defend legal proceedings or in connection with an
investigation. We may share this information with law enforcement or fraud prevention agencies and with auditors.
Types of personal data we process for this purpose:
CCTV images. We also record the registration number of all vehicles which come into our grounds, and record the name, employer, reason for visit, date and time
of visit for anyone who visits our premises.
Our legal basis for processing:
Legitimate Interest - We have a legitimate interest in making sure our offices, and the people that visit and work at our offices, are safe and secure
We use personal data to provide access to our website including to your My WPA account, and to trouble shoot and improve our website and apps.
Types of personal data we process for this purpose:
Geolocation Data
Website Usage and Device Data
Cookies, Analytics, and Third-Party Technologies
Profile Data
Identification / Verification Data
Our legal basis for processing:
Performance of a Contract
Legitimate Interests - It is in the interests of WPA, our
, website visitors and app
users for us to provide a reliable service. This includes a functioning website and app
We may collect and process personal data to verify your identity/carry out background checks.
Types of personal data we process for this purpose:
Contact and Profile Data
Criminal Offence Data
Identification / Verification Data
Our legal basis for processing:
Compliance with a Legal Obligation
Legitimate Interests - It is in our interest to verify your identity to protect our business and to comply with applicable laws
WPA may contact you about our business relationship and new opportunities and ways of working. We may also share information about our products and services. WPA may
also contact you to follow up on an enquiry about working with us and to establish a relationship with you or your employer.
Types of personal data we process for this purpose:
Contact and Profile Data
Communication Data
Cookies, Analytics, and Third-Party Technologies
Our legal basis for processing:
Performance of a Contract
Legitimate Interest - It is in the interests of WPA and our
for us contact you about
our business relationship, new opportunities and ways of working, and our products and services
We may collect and process personal data in establishing and conducting our business relationship. This may include (depending on the nature of our relationship)
assessing managing your performance, checking that you continue to meet our requirements, arranging your travel, giving you account access, investigating complaints,
processing invoices and handling payments.
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be processed for this purpose
Our legal basis for processing:
Performance of a Contract
To comply with our regulatory obligations
We share personal data with third parties as set out in
of
this Privacy Policy.
Types of personal data we process for this purpose:
Contact and Profile Data
Payment Data
Identification / Verification Data
Communication Data
Our legal basis for processing:
Performance of a Contract
Legitimate Interest
Consent
We undertake checks and use data to investigate and prevent improper claims, financial crime, fraud, money laundering, and to verify your identity. We may use the
personal data you have provided or that we have received from third parties to do this. This includes data we obtain from the media including social media.
Types of personal data we process for this purpose:
Contact and Profile Data
Payment Data
Identification / Verification Data
Communication Data
Criminal Offence Data
Our legal basis for processing:
Compliance with a Legal Obligation
Legitimate Interest - We need to prevent financial crime, fraud, and money laundering, and to check identities to protect our business and follow the law
Please see the above information on
for further detail
We perform research, testing, and analytics to monitor, better understand and improve our business and services.
We use and analyse aggregated statistical information including information about claims (which may be anonymised).
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for this purpose
Our legal basis for processing:
Legitimate Interest - We have a legitimate interest in using and analysing data to make informed business decisions and to improve and develop our services
We may use CCTV at our premises and in our grounds to enhance our physical and data security.
We generally retain this data for 3 months unless it is needed for a specific purpose such as to bring or defend legal proceedings or in connection with an
investigation. We may share this information with law enforcement or fraud prevention agencies and with auditors.
Types of personal data we process for this purpose:
CCTV images. We also record the registration number of all vehicles which come into our grounds, and record the name, employer, reason for visit, date and
time of visit for anyone who visits our premises.
Our legal basis for processing:
Legitimate Interest - We have a legitimate interest in making sure our offices, and the people that visit and work at our offices, are safe and secure
Anonymised data
We may also anonymise your data by removing your name and any other information which identifies you. We use anonymised data for various purposes including to support
with employee training and to create reports to help us better understand our business and to improve how we deliver our services.
6. Failure to provide your personal data to us
Where we need to collect your personal data by law or in order to provide you with our services or perform a contract we have with you and you decide not to provide
that information when requested, we may not be able to provide our services or perform the contract we have or are trying to enter into with you. In other
circumstances where you choose not to provide us with your personal information when we request it, your decision not to provide us with your personal information may
affect our ability to provide you with our services.
7. Who we share your personal data with
Vital Interest: we may share personal data including with your employer or family members as we consider it appropriate to protect your or another person's vital
interests, for example in the event of an emergency or threat to life.
We also share data with third parties as authorised by you, for example we will share your data in line with any power of authority granted by you.
Companies within the WPA group (e.g., WPA Protocol Plc, WPA Healthcare Practice Plc, WPA World Class Services (India) Private Limited) may share personal data as needed
with each other. Western Provident Association Limited provides information technology infrastructure, platforms and other services to other WPA group companies.
Personal data processed by WPA group companies is held on the secure systems operated by Western Provident Association Limited.
WPA engages third-party service providers who may process data, including personal data, on its behalf.
At its sole discretion, WPA may add to or vary the third parties (known as 'processors') that it uses to process your personal data. Non-WPA entities
that provide a service to us, include:
Service providers who assist us to manage claims made overseas
Service providers which enable us to work efficiently with hospitals and healthcare providers or to book appointments for you. This includes providers which assist
with health care providers charging us and with us paying health care providers, and with enabling health care providers to verify that patients have cover with WPA,
and to streamline the process by which health care providers obtain pre-authorisation for treatment
Providers of fraud prevention and control, identity and criminal record checking services
Service providers who provide cloud services (e.g. Azure, Amazon Web Services), or services which use cloud services to provide a service to us, and providers of
network security solutions, software as service platforms, telecommunications systems and platforms. This would include the provider of our accounting and
telecommunication systems and providers of services which support our ability to generate and distribute communications
We may share data with other third parties who are not our processors where we are legally permitted to do this.
Other third parties that may not be our processors that we may share your personal data with include the following:
Your treatment provider or those involved in your care or treatment or in arranging your care or treatment (e.g. your GP, specialist, or therapist, firms which
support you to make appointments)
Service providers which enable us to work efficiently with hospitals and healthcare providers/or to book appointments for you
An individual or body with authority to act on your behalf
Public sector bodies including our regulators
The trustee of the scheme which provides healthcare benefits to you, your employer if they arrange or pay for your cover, or third parties appointed by your
employer (such as an auditor). We do not generally share health data with trustees or employers, however if your employer arranges or pays for your cover, please
see further information provided under 'Financial Crime and Fraud' in our
Fair Processing Notice for details of when this data may be shared. We may also share
health data with these parties where we think it is in your vital interests
Your parent or guardian or other person or company we reasonably believe to be appointed to act on your behalf
Other health insurance or health care plan providers or reinsurance companies (including if you or your employer switches to another provider) or in relation to
the investigation or prevention of financial crime
Fraud prevention and law enforcement agencies
Credit reference agencies
Our auditors or other professional advisers, or
If you are covered by someone else's policy, for example a family member's policy, the policyholder will have access to limited information in relation to your
membership
Our
An individual or body with authority to act on your behalf
Public sector bodies including our regulators
Your regulatory body for example the General Medical Council or the Financial Conduct Authority
Credit reference agencies
Fraud prevention and law enforcement agencies
Our auditors or other professional advisers, or
If you are a provider of health care services: hospitals, providers of medical services and other medical professionals, and other insurance firms
Whilst we do not expect this to occur, we may share personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our
assets. Alternatively, we may seek to acquire other businesses or merge with them. If such a change happens to our business, then the new owners may use your
personal data in the same way as set out in this Privacy Policy, unless they advise you otherwise.
8. Automated decision making
We use automated processes to assist with efficiency and accuracy. Our use of automated processing includes making decisions some of which may have a legal effect or
result in a similarly significant effect upon you. These decisions may not be reviewed in detail by any of our employees. Decisions which may be made or assisted by
automated processes include decisions to approve or decline claims made on our policies or schemes.
We also use automated processing/profiling to assist us in setting our prices for our insurance policies/plans. The price quoted to you is determined according to a
range of factors and information that you provide to us that enable us to conduct profiling, for example, the age of people to be covered by the policy/plan and
postcode. For some types of policy we may also have regard to the smoking status of people covered by the policy. We may also process other details that we have access
to, such as the past claim history of people covered by the policy/plan. WPA will then use this information to calculate a premium quote. Most quotes are not reviewed
by any of our employees before they are provided to you. When WPA makes an automated decision without detailed human oversight using your personal data and this
decision has a legal or substantially similar effect, you have rights in relation to that decision. Specifically, you have the right to receive meaningful details and
information about the logic involved in us coming to the decision, the right to human intervention, and the right to obtain an explanation about the decision and
ultimately challenge it. For further details, please see
of this Policy.
9. Transferring your personal data to other countries
We may share your personal data (including medical information and other special category personal data), in strict confidence with our service providers, other
companies within the WPA group or other entities that are located outside of the UK. If we do transfer your personal data outside of the UK we will ensure that it is
protected to the same extent as it is protected in the UK by using one of the safeguards listed below:
Only transfer it to a country outside of the UK with privacy laws that afford the same protections as the UK such as an EU member state or country deemed adequate
by the UK government, or
Put in place contractual terms with the recipient that requires them to protect your personal data to the same standards as it is protected in the UK (e.g., the UK
International Data Transfer Agreement).
If you would like further details of how your personal information is protected if transferred from one country to another then please contact us using the details set
out in of this Privacy Policy.
You can learn more about data transfers outside of the UK on the Information Commissioner's Officer ("ICO") website at the following link:
ICO: A Guide to International Transfers
.
10. How we keep your personal data safe
We take great care to ensure the safe custody and use of your personal data. We are independently audited by the British Standards Institution and have been certified
to ISO 27001:2022 Standard - the International and British Standard for Information Security Management Systems.
11. How long we retain your personal data for
WPA's policy is to retain your personal data whilst you are a
or a
. After you stop being a
or
we will retain it for
up to seven years. If you make enquiries about our services or about entering into a business relationship, but do not proceed, we may retain your data for up to
3 years. We may continue to hold data for longer than the stated period if it is needed for the purposes of bringing or defending legal proceedings, for the purposes
of fraud prevention or control, to meet our regulatory, taxation and legal obligations or as otherwise permitted or required by law.
12. Your rights in relation to the processing of your personal data
Under data protection law, you have the following rights that are in some cases subject to exemptions:
Your right of access - You have the right to request access to your personal data (commonly known as a "data subject access request"). This permits
you to request and receive a copy of the personal data that we hold about you and to check that we are lawfully processing it. Please address subject access requests
to WPA's Data Protection Officer as set out in
of this Policy.
Such data may be redacted or withheld in various circumstances, including to protect the rights of third parties and if we consider that it is necessary to protect
your or our legitimate interests, or those of a third party.
Right to withdraw consent - Where you have provided your consent to the collection, processing and transfer of your personal data for a specific
purpose, you have the right to withdraw your consent for that specific processing at any time. However, this will not affect the lawfulness of any processing carried
out by us before you withdraw your consent. We may also continue to process your data after you withdraw consent where we are legally permitted to do so. This may
include where we need to retain your data to be able to bring or defend legal proceedings. To withdraw your consent, please contact us at the details in
of this Policy.
Your right to rectification - Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate
data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Your right to erasure - Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data
where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully
exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal
data to comply with local law. There may be legal reasons why we cannot comply with your request. If this is the case we will tell you when you make your request.
Your right to object to processing - Object to processing of your personal data where we are relying on a legitimate interest (or those of a
third-party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may
demonstrate that we have compelling legitimate grounds to process your information that override your right to object. You also have the absolute right to object
any time to the processing of your personal data for direct marketing, please see
of this Policy.
Please note that our processing of your personal data, such as your name, address, medical, and health data to administer your policy, is an essential requirement
in order for us to provide services to you under the terms and conditions of your policy. Therefore, if you should object to us processing your personal data then
we may not be able to continue to provide you with our services and products and satisfy specific performance of the contract that we have with you.
Your right to data portability - Request the transfer to you or to a third-party of personal data you supplied to us. We will provide to you, or a
third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automatically processed
information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Your right to restriction of processing - Request restriction of processing of your personal data. This enables you to ask us to suspend the
processing of your personal data in one of the following scenarios:
If you want us to establish the data's accuracy
Where our use of the data is unlawful, but you do not want us to erase it
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, or
You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
Your rights in respect to automated decision making and profiling - You have the right not to be subject to a decision using your Personal
Information which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects
you. This right does not apply if the decision is:
necessary for the purposes of a contract between us and you
authorised by law (e.g. to prevent fraud), or
based on your explicit consent
However, you do have a right to request human intervention, express your view and challenge the decision.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your
other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask
you for further information to clarify your request to assist us with providing you with a response.
We are generally required to respond to requests within one calendar month but may extend this deadline by a further two months if your request is complex or if you
submit several requests to us. If we do extend the deadline then we will tell you and provide you with a response to your request as soon as possible.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a 'reasonable fee' for administrative
costs if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
If you have any concerns regarding the processing of your personal data, you have the right to lodge a complaint with the ICO. We would appreciate the opportunity to
resolve a complaint before you contact the ICO and so we encourage you to contact us first. Our details are in
of this Policy.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
If you have 'opted in', WPA may contact you by letter, telephone, e-mail or using other contact details supplied by you to inform you of services or products which we
believe may interest you. WPA may also contact you to follow up an enquiry that you have made about our products or services.
At a later stage, if you do not wish to receive such information, you may unsubscribe by contacting us using the details in
of this Policy.
Please allow up to 4 weeks for the unsubscribe process to be completed.
14. Cookies
A cookie is a text file containing anonymous information that is stored on your computer or mobile device by a web server when you visit a website. Each cookie is
unique to your web browser. It allows a website to remember things like your preferences or details of items that you are going to purchase online.
Cookies may be used to record details of pages relating to particular products and services that you have visited on our websites. This is to provide us with generic
usage statistics to allow us to improve our websites.
Web browsers are initially set up to accept cookies. If you prefer, you can set your web browser to disable cookies or to inform you when a website is attempting to
add a cookie. You can also delete cookies that have previously been added to your computer's cookie file. If you prevent us from placing strictly necessary cookies
on your computer during your visit or you delete a strictly necessary cookie that has been set previously, it may not be possible for you to use our website effectively.
When you first visit this website, you will be prompted to choose whether or not to give your consent to the use of optional cookies (namely functional, analytics and
marketing cookies). If you give such consent, we will set these cookies in order to allow us to provide the services and webpages you request, to improve your use of
our website, and to analyse and improve our online services. You may withdraw that consent at any time by amending the
.
If you do not give such consent, we will not set these optional cookies, but we will still need to set cookies that are strictly necessary for your use of our website.
15. Third parties appointed by our Customers
If you are appointed to communicate with us on behalf of one of our
, for example if you have been appointed under a
power of attorney, we will collect and use your personal information to enable us to liaise with you. The information we collect will be a subset of the information
we collect and use in relation to our .
It will include your name, address, email address, telephone number and relationship to the
. We will retain your data as if it were data held for
our .