The WPA group is committed to protecting all personal data. This Privacy Policy provides more information on our approach to data protection.
Date effective and last updated: March 2025
1. About this Privacy Policy
WPA group companies that this Privacy Policy covers
This Privacy Policy covers the personal data which is processed by the following WPA group companies, each of which is a controller of the personal data that you supply:
- Western Provident Association Limited which primarily processes your data in providing health insurance services
- WPA Protocol PLC which primarily processes your data when it administers health care trusts (including making health benefits available to scheme members), and
- WPA Healthcare Practice PLC which primarily processes your data when you obtain advice on WPA products from one of its Healthcare Partners (together, "WPA")
Any reference to WPA means all of the WPA group companies covered by this Privacy Policy, or any one of them.
WPA stores and processes your personal data in accordance with the Data Protection Act 2018 (the "DPA"), the UK General Data Protection Regulation and all other applicable data protection and direct marketing laws.
Purpose
This Privacy Policy sets out what personal data WPA uses, how we use it, and provides information about your data protection rights.
Who this Privacy Policy is for
Our Customers including anyone:
- who has been or is able to make a claim on a policy, plan or scheme, including a scheme which is administered by us
- who contacts us about our services
- who accesses the WPA website or uses the WPA Health app, or
- who is appointed to communicate with us on behalf of a , for example someone appointed under a power of attorney
Our Business Partners including:
- any individual (other than a ) who engages with us because of a business relationship. This includes our Healthcare Partners, individual providers of healthcare services and brokers
2. How to contact us
If you have any questions or concerns about WPA's use of your personal data, please contact the Data Protection Officer in writing at Rivergate House, Blackbrook Park, Taunton, Somerset, TA1 2PE, or via email at dataprotection@wpa.org.uk.
3. Personal data we process
The personal data that WPA collects depends on whether you are a or and on how you use the WPA website and other WPA services. It could include the following categories:
Business Partner Contact and Profile Data
- Name
- Identification number such as provider number
- Title
- Date of birth
- Correspondence address
- Telephone number
- Practice address(es)/business address
- Postcode
- Email address
- Details of invoices submitted and paid
- Services provided
- Qualifications and registrations
- Professional biography information including references and qualifications, practice areas, conditions on practice
- Any information not otherwise categorised that you may supply to us for example in the process of submitting invoices or in correspondence
Criminal Offence Data
- Information about suspected, alleged or actual fraud and criminal activities, including Cifas records and investigation notes and records
Identification / Verification Data / Background Data
- Identification documents needed to verify your identity to include government issued or national identity documents (such as passports or IDs)
- Information about your credit record
Employment Details
- Your employer (if any) and role
Business Partner Communication Data
- Any personal data that you may supply to WPA in your communications with us
Payment Data
- Bank details (account number and sort code), credit/debit card details
- Date of bill
- Billing address
Special Category Data
- For Healthcare Partners, health data which you choose to give us in connection with your business relationship with us
Contact and Profile Data
- Name, and former names
- Identification number including number & policy/plan/scheme/claim numbers
- Username or similar identifier
- Payroll number/job grade/work location (where your scheme or plan is funded or provided by your employer)
- Marital status
- Date of birth
- Title
- Residential address
- Postcode
- Email address
- Telephone numbers
- Details about authorised claim payments to you
- Your policy/plan/scheme details
- Information we may record on your account to assist us with managing our relationship with you
- Any information not otherwise categorised below that you supply to us, for example in applications for a policy, in claims, or in correspondence
Employment Details
- Your employer, role, rights under any employer sponsored scheme you are a member of and other information we receive in connection with your employment in administering your employer sponsored scheme
Special Category Data
- Medical history
- Health data
Criminal Offence Data
- Information about alleged or actual fraud and criminal activities, including Cifas records and investigation notes and records
Payment Data
- Billing address
- Payment method
- Cardholder details
- Bank details (account number and sort code)
Identification / Verification Data
- Identification documents needed to verify your identity to include government issued or national identity documents (such as passports or IDs)
- Information about your credit record
Communication Data
- Any personal data that you may supply to WPA in your communications with us, as well as in applications for policies or for registration/recognition/claims, such as your name, policy/plan/scheme details, claim and health data, contact information, payment details, and telephone number
- Your preferences in receiving marketing from us and your communication preferences
Geolocation Data
- IP address
Communication Data
- Any information you supply to us, for example in web forms, by email, or by registering for or logging in to a account or WPA website
- Your preferences in receiving marketing from us and your communication preferences
Website Usage and Device Data
- Analytics data and information about your visit (such as the session duration, the pages on the WPA website that you access, the page referrer, and other analytics data)
- Login information (if applicable)
- Browser and operating system information
Cookies, Analytics, and Third-Party Technologies
- We collect information through the use of cookies, tracking pixels, data analytics tools, Software Development Kits, and other third-party technologies like advertising IDs to understand how you use the WPA website to improve your experience with our site (according to your cookies preferences) and to save your preferences.
For more information about cookies, see of this policy.
Data provided by your treatment provider or those involved in your care or treatment
- Any information we feel reasonably appropriate in relation to the administration of your policy or plan, for example, health and medical data, contact and profile data
Data provided by your Employer if your health care plan is made available to you as a result of your employment
- Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data, family status, contact and profile data
Information from Insurance brokers, your Healthcare Partner or other similar intermediaries
- Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data, contact and profile data
Information provided by medical professionals whose services you are able to access through your WPA policy or plan
- Any information we feel reasonably appropriate in relation to the administration of your policy, for example, health and medical data, contact and profile data
Information provided by someone with authority to act on your behalf in relation to your WPA policy or plan
- Any information we feel reasonably appropriate in relation to the administration of your policy or plan, for example, health and medical data, contact and profile data
Information provided by our regulators, HM Revenue & Customs, law enforcement and fraud prevention agencies and the media including social media
- Any information required to undertake checks for the purposes of preventing financial crime, fraud, money laundering, and to verify your identity or in connection with any legal proceedings
From other sources such as authorised third parties who administer services on behalf of WPA
- Any information we feel reasonably appropriate in relation to the creation and ongoing administration of your policy, for example, health and medical data, contact and profile data. In addition, information that we collect to conduct commercial activities such as direct marketing
4. How we collect your personal data
We may collect and process your personal data from the following sources:
- from you, or by someone on your behalf (including from the main policy/plan holder if you are a dependant), or by your broker, Healthcare Partner or solicitor
- other WPA group companies
- if you are a member of a scheme provided through your work (or a family member's work), your/their employer, the trustee of the scheme and firms who provide services to your employer/the trustee such as brokers or advisers
- other health insurance or health care plan providers (including if you or your employer switches from another provider to WPA), or in relation to the investigation or prevention of financial crime
- when you use WPA services and the WPA website
- from other sources such as authorised third parties who administer services on behalf of WPA
- your treatment provider or those involved in your care or treatment (e.g., your GP, specialist, or therapist)
- public sources such as the electoral register, HM Land Registry, Companies House and through media, including social media in limited circumstances, or
- our regulators, HM Revenue & Customs, law enforcement and debt collection, credit and fraud prevention agencies and bodies
We may collect and process your personal data from the following sources:
- from you, or from someone on your behalf, including through third-party registration or appointment booking portals
- from our
- when you use the WPA website
- if you are a provider of healthcare services to our , from hospitals and healthcare facilities
- from public sources such as The Medical Register maintained by the General Medical Council
- public sources such as the electoral register, HM Land Registry, Companies House and through media, including social media in limited circumstances, or
- our regulators, HM Revenue & Customs, law enforcement and debt collection, credit and fraud prevention agencies and bodies
5. How we process your personal data
In this section we explain each legal basis or other 'condition' that WPA relies on to process your personal data.
Our main legal bases for processing all types of your personal data are:
- Performance of a contract: e.g. when it is necessary for WPA to take steps in order to enter into a contract with the individual to whom the personal data relates, or for WPA to provide the services set out in a contract between WPA and the relevant individual
- Legitimate interests: where WPA or a third party has a legitimate interest in the processing, for example to detect or prevent fraud
- Consent: where you have consented to us processing your data
- Compliance with legal obligations: where processing is required in order for WPA to comply with applicable laws or regulations, or
- Vital interests: we may process personal data where it is necessary to protect your vital interests or those of others, for example in the event of an emergency or an imminent threat to life
When we process special category data such as health data criminal offence data, additional legal bases/conditions will apply.
Special Category Data
Where we process your health data we may do so on the basis that the processing is necessary for reasons of substantial public interest:
- to advise on, arrange, provide or manage an insurance contract
- to manage claims made under an insurance contract
- in relation to rights and responsibilities relating to or in an insurance contract or insurance law
The processing of health data for these purposes is provided for in Schedule 1, Part 2 section 20(1) of the DPA. Please note that WPA's health insurance contracts include Western Provident Association Limited's cash plan and private medical insurance products.
We may also process health data with your consent (if required) or when it's in your vital interests.
WPA Protocol PLC administers health care schemes. If you access benefits under a health care scheme, we will seek your consent to process your health data. WPA Protocol PLC is unable to process claims for health care benefits without having access to health data.
We may also use health data and other types of special category data as required to bring or defend legal proceedings or as otherwise permitted by law.
Criminal Offence Data
We process information about criminal offences and convictions to carry our background checks to prevent fraud and money laundering and to help us identify and prevent fraud.
We do this as permitted by data protection law. The legal basis for this processing is set out in Schedule 1, Part 2, Paragraphs 10 (preventing or detecting unlawful acts) & 14 (preventing fraud) of the DPA.
We may also process criminal offence data in other circumstances e.g. for insurance purposes or in the context of legal claims (as provided for in Schedule 1, paragraph 33 DPA).
Further detail on the purposes for which we process personal data, the types of personal data we process for each purpose and the specific legal bases for processing in that context are set out below.
We use your personal data to provide you access to our website and if you are a , to provide you access to and to operate your My WPA account and WPA Health app, and to troubleshoot.
Types of personal data we process for this purpose:
- Geolocation Data
- Website Usage and Device Data
- Cookies, Analytics, and Third-Party Technologies
- Identification / Verification Data / Background Data
Our legal basis for processing:
- Performance of a Contract
- Legitimate Interests - it is in the interests of WPA, our and website visitors for us to provide a website and app which provides suitable levels of functionality
We use personal data to administer health insurance policies/plans and healthcare schemes. This includes:
- Managing our relationship with you
- Assessing and processing claims
- Paying claims, including making payment to providers of healthcare services
- Communicating with you in relation to your policy/plan and optimising our efficiency and services
We also record and use information to help us to comply with regulatory provisions relating to tailoring our engagement with you to meet your specific needs.
When you use and access our services through your My WPA account or through the WPA Health app, we will also use other personal information. Please see the information on for more details.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Communication Data
- Employment Details
- Demographic Data
- Criminal Offence Data
- Payment Data
- Identification / Verification Data
- Special Category Data
Our legal basis for processing:
- Performance of a Contract
- Compliance with a Legal Obligation
- Legitimate interest
- Consent
- Special Category Data: for insurance purposes. Please see the information on for further details
We use personal data to promote our services. If you have opted in, WPA may contact you by letter, telephone, e-mail or using other contact details supplied by you in order to inform you of services or products in which we believe may be of interest to you.
You can opt out of these communications at any time by following the instructions as set out in of this policy.
WPA may also contact you to follow up on an enquiry about our products or services, or to administer your policy with WPA.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Communication Data
- Demographic Data
- Website Usage and Device Data
- Cookies, Analytics, and Third-Party Technologies
Our legal basis for processing:
- Performance of a Contract
- Legitimate Interest - It is in the interests of WPA, our and potential to provide information about our services and to develop our products, services and base
- Consent - Where we cannot rely on our legitimate interests to process your personal information for any of these purposes, we will do so only with your consent
We use personal data to provide advice and information about our services and to produce quotes.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Demographic Data
- Special Category Data
Our legal basis for processing:
- Legitimate Interests - It is in the interests of WPA and our potential for us to provide information about our services and produce quotes on request
- Performance of a Contract
- Special Category Data: for insurance purposes. Please see the above information on for further detail
We collect and process data to confirm your identity and to verify your age and eligibility for our services.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Demographic Data
- Criminal Offence Data
- Identification / Verification Data
Our legal basis for processing:
- Compliance with a Legal Obligation
- Legitimate Interests - It is in our interest to verify your identity to protect our business and to reduce the risk of fraud
- Criminal Offence Data: preventing or detecting unlawful acts/preventing fraud. Please see the above information on for further detail
We process your data to communicate with third parties.
We share personal data with third parties who provide services to us, or act as our agents such as those further described in of this Privacy Policy. This includes communicating with medical professionals involved in your care or treatment.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Special Category Data
- Payment Data
- Identification / Verification Data
- Demographic Data
- Communication Data
Our legal basis for processing:
- Performance of a Contract
- Consent
- Special Category Data: Please see the above information on for further detail
We process personal data in connection with investigating and managing complaints and bringing/defending legal claims.
We also process personal data as part of complying with applicable legal regulatory or tax requirements, or in response to requests from governmental or regulatory bodies, including law enforcement agencies.
Types of personal data we process for this purpose:
Depending on the claim or legal/regulatory requirement, all types of personal data that we hold about you may be processed for this purpose.
Our legal basis for processing:
- Compliance with a Legal Obligation
- Consent
- Legitimate interests - in the context of litigation or other disputes, investigations or regulatory inquiries, we may protect the interests and rights of WPA, the interests of our or others
- Special Category Data: Please see the above information on for further detail
- Criminal Offence Data: Please see the above information on for further detail
We undertake checks and use data to investigate and prevent improper claims, financial crime, fraud, money laundering and to verify your identity. We may use the personal data you have provided or that we have received from third parties to do this. This includes data we obtain from the media including social media.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Special Category Data
- Payment Data
- Identification / Verification Data
- Demographic Data
- Communication Data
- Special Category Data
- Criminal Offence Data
Our legal basis for processing:
- Compliance with a Legal Obligation
- Legitimate Interests - we have a business interest in minimising financial crime, fraud, and money laundering, and checking identities to protect our business
- Special Category Data: Please see the above information on for further detail
- Criminal Offence Data: Please see the above information on for further detail
We perform research, testing, and analytics to monitor, better understand and improve our business and services.
We use and analyse aggregated statistical information (which may be anonymised). This includes data about claims, plans, policies, , the WPA website, user accounts and the WPA Health app.
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for this purpose.
Our legal basis for processing:
- Legitimate Interest - We use and analyse data to make informed business decisions and get accurate reports. This helps us improve and develop our services continuously
- Consent (if required)
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for technical and cyber security reasons. These include:
- ensuring the security of the service and website
- backing-up data
- addressing technical and security matters
Our legal basis for processing:
- Legitimate Interest - We have a legitimate interest in keeping the personal data that we hold safe and secure
We may also use your data where it is necessary to protect your vital interests or those of others, for example in the event of an emergency or an imminent threat to life.
Types of personal data we process for this purpose:
This may include
Our legal basis for processing:
- Vital Interests
We may use CCTV at our premises and in our grounds to enhance our physical and data security.
We generally retain this data for 3 months unless it is needed for a specific purpose such as to bring or defend legal proceedings or in connection with an investigation. We may share this information with law enforcement or fraud prevention agencies and with auditors.
Types of personal data we process for this purpose:
CCTV images. We also record the registration number of all vehicles which come into our grounds, and record the name, employer, reason for visit, date and time of visit for anyone who visits our premises.
Our legal basis for processing:
- Legitimate Interest - We have a legitimate interest in making sure our offices, and the people that visit and work at our offices, are safe and secure
We use personal data to provide access to our website including to your My WPA account, and to trouble shoot and improve our website and apps.
Types of personal data we process for this purpose:
- Geolocation Data
- Website Usage and Device Data
- Cookies, Analytics, and Third-Party Technologies
- Profile Data
- Identification / Verification Data
Our legal basis for processing:
- Performance of a Contract
- Legitimate Interests - It is in the interests of WPA, our , website visitors and app users for us to provide a reliable service. This includes a functioning website and app
We may collect and process personal data to verify your identity/carry out background checks.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Criminal Offence Data
- Identification / Verification Data
Our legal basis for processing:
- Compliance with a Legal Obligation
- Legitimate Interests - It is in our interest to verify your identity to protect our business and to comply with applicable laws
WPA may contact you about our business relationship and new opportunities and ways of working. We may also share information about our products and services. WPA may also contact you to follow up on an enquiry about working with us and to establish a relationship with you or your employer.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Communication Data
- Cookies, Analytics, and Third-Party Technologies
Our legal basis for processing:
- Performance of a Contract
- Legitimate Interest - It is in the interests of WPA and our for us contact you about our business relationship, new opportunities and ways of working, and our products and services
We may collect and process personal data in establishing and conducting our business relationship. This may include (depending on the nature of our relationship) assessing managing your performance, checking that you continue to meet our requirements, arranging your travel, giving you account access, investigating complaints, processing invoices and handling payments.
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be processed for this purpose
Our legal basis for processing:
- Performance of a Contract
- To comply with our regulatory obligations
We share personal data with third parties as set out in of this Privacy Policy.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Payment Data
- Identification / Verification Data
- Communication Data
Our legal basis for processing:
- Performance of a Contract
- Legitimate Interest
- Consent
We undertake checks and use data to investigate and prevent improper claims, financial crime, fraud, money laundering, and to verify your identity. We may use the personal data you have provided or that we have received from third parties to do this. This includes data we obtain from the media including social media.
Types of personal data we process for this purpose:
- Contact and Profile Data
- Payment Data
- Identification / Verification Data
- Communication Data
- Criminal Offence Data
Our legal basis for processing:
- Compliance with a Legal Obligation
- Legitimate Interest - We need to prevent financial crime, fraud, and money laundering, and to check identities to protect our business and follow the law
- Please see the above information on for further detail
We perform research, testing, and analytics to monitor, better understand and improve our business and services.
We use and analyse aggregated statistical information including information about claims (which may be anonymised).
Types of personal data we process for this purpose:
All types of personal data that we hold about you may be used for this purpose
Our legal basis for processing:
- Legitimate Interest - We have a legitimate interest in using and analysing data to make informed business decisions and to improve and develop our services
We may use CCTV at our premises and in our grounds to enhance our physical and data security.
We generally retain this data for 3 months unless it is needed for a specific purpose such as to bring or defend legal proceedings or in connection with an investigation. We may share this information with law enforcement or fraud prevention agencies and with auditors.
Types of personal data we process for this purpose:
CCTV images. We also record the registration number of all vehicles which come into our grounds, and record the name, employer, reason for visit, date and time of visit for anyone who visits our premises.
Our legal basis for processing:
- Legitimate Interest - We have a legitimate interest in making sure our offices, and the people that visit and work at our offices, are safe and secure
Anonymised data
We may also anonymise your data by removing your name and any other information which identifies you. We use anonymised data for various purposes including to support with employee training and to create reports to help us better understand our business and to improve how we deliver our services.
6. Failure to provide your personal data to us
Where we need to collect your personal data by law or in order to provide you with our services or perform a contract we have with you and you decide not to provide that information when requested, we may not be able to provide our services or perform the contract we have or are trying to enter into with you. In other circumstances where you choose not to provide us with your personal information when we request it, your decision not to provide us with your personal information may affect our ability to provide you with our services.
7. Who we share your personal data with
Vital Interest: we may share personal data including with your employer or family members as we consider it appropriate to protect your or another person's vital interests, for example in the event of an emergency or threat to life.
We also share data with third parties as authorised by you, for example we will share your data in line with any power of authority granted by you.
Companies within the WPA group (e.g., WPA Protocol Plc, WPA Healthcare Practice Plc, WPA World Class Services (India) Private Limited) may share personal data as needed with each other. Western Provident Association Limited provides information technology infrastructure, platforms and other services to other WPA group companies. Personal data processed by WPA group companies is held on the secure systems operated by Western Provident Association Limited.
WPA engages third-party service providers who may process data, including personal data, on its behalf.
At its sole discretion, WPA may add to or vary the third parties (known as 'processors') that it uses to process your personal data. Non-WPA entities that provide a service to us, include:
- Service providers who assist us to manage claims made overseas
- Service providers which enable us to work efficiently with hospitals and healthcare providers or to book appointments for you. This includes providers which assist with health care providers charging us and with us paying health care providers, and with enabling health care providers to verify that patients have cover with WPA, and to streamline the process by which health care providers obtain pre-authorisation for treatment
- Providers of fraud prevention and control, identity and criminal record checking services
- Service providers who provide cloud services (e.g. Azure, Amazon Web Services), or services which use cloud services to provide a service to us, and providers of network security solutions, software as service platforms, telecommunications systems and platforms. This would include the provider of our accounting and telecommunication systems and providers of services which support our ability to generate and distribute communications
We may share data with other third parties who are not our processors where we are legally permitted to do this.
Other third parties that may not be our processors that we may share your personal data with include the following:
- Your treatment provider or those involved in your care or treatment or in arranging your care or treatment (e.g. your GP, specialist, or therapist, firms which support you to make appointments)
- Service providers which enable us to work efficiently with hospitals and healthcare providers/or to book appointments for you
- An individual or body with authority to act on your behalf
- Public sector bodies including our regulators
- The trustee of the scheme which provides healthcare benefits to you, your employer if they arrange or pay for your cover, or third parties appointed by your employer (such as an auditor). We do not generally share health data with trustees or employers, however if your employer arranges or pays for your cover, please see further information provided under 'Financial Crime and Fraud' in our Fair Processing Notice for details of when this data may be shared. We may also share health data with these parties where we think it is in your vital interests
- Your parent or guardian or other person or company we reasonably believe to be appointed to act on your behalf
- Other health insurance or health care plan providers or reinsurance companies (including if you or your employer switches to another provider) or in relation to the investigation or prevention of financial crime
- Fraud prevention and law enforcement agencies
- Credit reference agencies
- Our auditors or other professional advisers, or
- If you are covered by someone else's policy, for example a family member's policy, the policyholder will have access to limited information in relation to your membership
- Our
- An individual or body with authority to act on your behalf
- Public sector bodies including our regulators
- Your regulatory body for example the General Medical Council or the Financial Conduct Authority
- Credit reference agencies
- Fraud prevention and law enforcement agencies
- Our auditors or other professional advisers, or
- If you are a provider of health care services: hospitals, providers of medical services and other medical professionals, and other insurance firms
Whilst we do not expect this to occur, we may share personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If such a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy, unless they advise you otherwise.
8. Automated decision making
We use automated processes to assist with efficiency and accuracy. Our use of automated processing includes making decisions some of which may have a legal effect or result in a similarly significant effect upon you. These decisions may not be reviewed in detail by any of our employees. Decisions which may be made or assisted by automated processes include decisions to approve or decline claims made on our policies or schemes.
We also use automated processing/profiling to assist us in setting our prices for our insurance policies/plans. The price quoted to you is determined according to a range of factors and information that you provide to us that enable us to conduct profiling, for example, the age of people to be covered by the policy/plan and postcode. For some types of policy we may also have regard to the smoking status of people covered by the policy. We may also process other details that we have access to, such as the past claim history of people covered by the policy/plan. WPA will then use this information to calculate a premium quote. Most quotes are not reviewed by any of our employees before they are provided to you. When WPA makes an automated decision without detailed human oversight using your personal data and this decision has a legal or substantially similar effect, you have rights in relation to that decision. Specifically, you have the right to receive meaningful details and information about the logic involved in us coming to the decision, the right to human intervention, and the right to obtain an explanation about the decision and ultimately challenge it. For further details, please see of this Policy.
9. Transferring your personal data to other countries
We may share your personal data (including medical information and other special category personal data), in strict confidence with our service providers, other companies within the WPA group or other entities that are located outside of the UK. If we do transfer your personal data outside of the UK we will ensure that it is protected to the same extent as it is protected in the UK by using one of the safeguards listed below:
- Only transfer it to a country outside of the UK with privacy laws that afford the same protections as the UK such as an EU member state or country deemed adequate by the UK government, or
- Put in place contractual terms with the recipient that requires them to protect your personal data to the same standards as it is protected in the UK (e.g., the UK International Data Transfer Agreement).
If you would like further details of how your personal information is protected if transferred from one country to another then please contact us using the details set out in of this Privacy Policy.
You can learn more about data transfers outside of the UK on the Information Commissioner's Officer ("ICO") website at the following link: ICO: A Guide to International Transfers .
10. How we keep your personal data safe
We take great care to ensure the safe custody and use of your personal data. We are independently audited by the British Standards Institution and have been certified to ISO 27001:2022 Standard - the International and British Standard for Information Security Management Systems.
11. How long we retain your personal data for
WPA's policy is to retain your personal data whilst you are a or a . After you stop being a or we will retain it for up to seven years. If you make enquiries about our services or about entering into a business relationship, but do not proceed, we may retain your data for up to 3 years. We may continue to hold data for longer than the stated period if it is needed for the purposes of bringing or defending legal proceedings, for the purposes of fraud prevention or control, to meet our regulatory, taxation and legal obligations or as otherwise permitted or required by law.
12. Your rights in relation to the processing of your personal data
Under data protection law, you have the following rights that are in some cases subject to exemptions:
- Your right of access - You have the right to request access to your personal data (commonly known as a "data subject access request"). This permits you to request and receive a copy of the personal data that we hold about you and to check that we are lawfully processing it. Please address subject access requests to WPA's Data Protection Officer as set out in of this Policy. Such data may be redacted or withheld in various circumstances, including to protect the rights of third parties and if we consider that it is necessary to protect your or our legitimate interests, or those of a third party.
- Right to withdraw consent - Where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. However, this will not affect the lawfulness of any processing carried out by us before you withdraw your consent. We may also continue to process your data after you withdraw consent where we are legally permitted to do so. This may include where we need to retain your data to be able to bring or defend legal proceedings. To withdraw your consent, please contact us at the details in of this Policy.
- Your right to rectification - Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Your right to erasure - Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. There may be legal reasons why we cannot comply with your request. If this is the case we will tell you when you make your request.
- Your right to object to processing - Object to processing of your personal data where we are relying on a legitimate interest (or those of a third-party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your right to object. You also have the absolute right to object any time to the processing of your personal data for direct marketing, please see of this Policy. Please note that our processing of your personal data, such as your name, address, medical, and health data to administer your policy, is an essential requirement in order for us to provide services to you under the terms and conditions of your policy. Therefore, if you should object to us processing your personal data then we may not be able to continue to provide you with our services and products and satisfy specific performance of the contract that we have with you.
- Your right to data portability - Request the transfer to you or to a third-party of personal data you supplied to us. We will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automatically processed information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Your right to restriction of processing - Request restriction of processing of your personal data. This enables you to ask us to suspend the
processing of your personal data in one of the following scenarios:
- If you want us to establish the data's accuracy
- Where our use of the data is unlawful, but you do not want us to erase it
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, or
- You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
- Your rights in respect to automated decision making and profiling - You have the right not to be subject to a decision using your Personal
Information which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects
you. This right does not apply if the decision is:
- necessary for the purposes of a contract between us and you
- authorised by law (e.g. to prevent fraud), or
- based on your explicit consent
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information to clarify your request to assist us with providing you with a response.
We are generally required to respond to requests within one calendar month but may extend this deadline by a further two months if your request is complex or if you submit several requests to us. If we do extend the deadline then we will tell you and provide you with a response to your request as soon as possible.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a 'reasonable fee' for administrative costs if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
If you have any concerns regarding the processing of your personal data, you have the right to lodge a complaint with the ICO. We would appreciate the opportunity to resolve a complaint before you contact the ICO and so we encourage you to contact us first. Our details are in of this Policy.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
13. Direct marketing
If you have 'opted in', WPA may contact you by letter, telephone, e-mail or using other contact details supplied by you to inform you of services or products which we believe may interest you. WPA may also contact you to follow up an enquiry that you have made about our products or services.
At a later stage, if you do not wish to receive such information, you may unsubscribe by contacting us using the details in of this Policy.
Please allow up to 4 weeks for the unsubscribe process to be completed.
14. Cookies
A cookie is a text file containing anonymous information that is stored on your computer or mobile device by a web server when you visit a website. Each cookie is unique to your web browser. It allows a website to remember things like your preferences or details of items that you are going to purchase online.
Cookies may be used to record details of pages relating to particular products and services that you have visited on our websites. This is to provide us with generic usage statistics to allow us to improve our websites.
Web browsers are initially set up to accept cookies. If you prefer, you can set your web browser to disable cookies or to inform you when a website is attempting to add a cookie. You can also delete cookies that have previously been added to your computer's cookie file. If you prevent us from placing strictly necessary cookies on your computer during your visit or you delete a strictly necessary cookie that has been set previously, it may not be possible for you to use our website effectively.
When you first visit this website, you will be prompted to choose whether or not to give your consent to the use of optional cookies (namely functional, analytics and marketing cookies). If you give such consent, we will set these cookies in order to allow us to provide the services and webpages you request, to improve your use of our website, and to analyse and improve our online services. You may withdraw that consent at any time by amending the .
If you do not give such consent, we will not set these optional cookies, but we will still need to set cookies that are strictly necessary for your use of our website.
15. Third parties appointed by our Customers
If you are appointed to communicate with us on behalf of one of our , for example if you have been appointed under a power of attorney, we will collect and use your personal information to enable us to liaise with you. The information we collect will be a subset of the information we collect and use in relation to our . It will include your name, address, email address, telephone number and relationship to the . We will retain your data as if it were data held for our .
