We're passionate about protecting customers and visitors. Please read our privacy policy below and should you have any questions get in touch.
Updated March 2024
BHSF Group Limited and its subsidiaries (“BHSF”) are committed to protecting your data and complying with UK & EU Data Protection Legislation.
BHSF is a data controller. This means that we are responsible for deciding how we hold and use personal information about you. This notice sets out how and why we are processing the information we have on you. It also explains your rights as a data subject.
It is important that you read this notice, and any additional notices you are provided with to ensure you understand what personal information we collect and process in relation to you.
Our aim in processing your data is to successfully deliver our service to you with an appropriate level of data sharing whilst recognising the need to protect your fundamental rights to privacy.
BHSF is committed to:
In order to meet its commitment, BHSF operates a wide range of technical, physical and procedural controls to maintain the confidentiality, integrity and availability of information. BHSF maintains an information security policy which provides further details regarding the minimum standards of control to which it operates.
At BHSF we recognise that your data is important to you and therefore we are committed to supporting you with your data protection rights. Within legal and regulatory constraints, you have the right to:
Do you have a right to withdraw consent?
You have the right to withdraw your consent to specific processing at any time. Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis to do so in law.
How can you contact us about your data or your data rights?
If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact our Data Protection Officer at;
EU data protection representative:
We have appointed Green CDL EU Data Protection to act on our behalf in the EU. If you wish to contact them their details are as follows:
They will only transfer your personal details to us in the UK if you have given explicit consent, which you can withdraw at any time. We take data protection very seriously and aim to comply with the General Data Protection Regulation (GDPR) in so far as it applies and the UK GDPR as from 1st Jan 2021. We also comply with all other relevant data protection laws, and we provide at least the same level of protection of your personal data as though the UK was still a Member State.
If we transfer your personal data from the UK to the EU, we rely upon the UK adequacy decision process as we are satisfied that the EU provides the same level of data protection as you would receive in the UK.
If we transfer personal data outside of the EU to any country that has not been granted adequacy status then we satisfy ourselves that you will enjoy the same level of protection of your data that you do in the UK by ensuring there is an appropriate safeguard in place in the form of the UK Extension to the EU-US Data Privacy Framework known as the UK Data Bridge, Standard Contractual Clauses or International Data Transfer Agreements. These are agreements that ensure you will receive a high level of data protection. If you would like to see a copy of the agreement relevant to you, please see contact details above.
At BHSF we make every endeavour to protect your data. In the unfortunate circumstance that you are not happy with the manner in which we process your data, you may wish to make a complaint. In the first instance, please contact the BHSF Data Protection Officer in writing at DPO, BHSF Group Limited, 13th Floor, 54 Hagley Road, Birmingham, B16 8PE.
Or email: DPO@bhsf.co.uk stating your name, contact details and the nature of your complaint against BHSF.
If you are not happy with the response you receive you may also wish to contact the UK data protection regulator, the Information Commissioner, whose contact details are available at https://ico.org.uk
We will only process your personal information for the purpose for which we collected it. Please see below for further information. If we need to use your information for an unrelated purpose, we will contact you and we will explain the lawful basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of suspicious activity or criminal investigation.
We will update this privacy notice if there are any changes in the law or the manner in which we process personal data so please check back on a regular basis.
We are committed to being transparent about (a) what the lawful basis for processing your data is and (b) how we process it. At BHSF we process personal information of:
BHSF processes data on former, current and prospective customers. This section applies to all corporate clients, corporate client employees, and individual customers. We collect and use personal information about you during and after your commercial relationship with us. BHSF processes your personal information in order to provide a range of services.
Why do we process your data?
Data is processed in order to provide BHSF with the most up to date information on how our range of products and services are viewed by customers, which will be used to inform management decisions.
What kinds of data do we process?
In order to improve our products and services, we will process your contact information such as your email address and telephone number, so BHSF and our third party survey provider can send you surveys which will help BHSF monitor our customers’ perceptions.
We will also process any data you provide as part of your response, but participation in this research is voluntary, and you are free to decide not to take part if you do not want to.
The types of survey BHSF may carry out include but are not limited to: customer satisfaction surveys, Net Promoter Score (NPS) and feedback on services provided by BHSF.
Who has provided us with your data?
BHSF will have been provided your data by at least one of the following:
Will we share your data with anyone?
In order to gather the data we require on our products and services, we may share your contact information with other companies within the BHSF Group and third parties we use to help deliver our services and run our business such as third party survey providers.
At BHSF we only work with trusted suppliers where there is an agreement in place, or the data processor arrangement is comprehensively covered by their terms of use, to protect your data and treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.
How long will we keep your data for?
We will keep your data you have provided in your survey responses until:
If neither of these requirements is met, your data will be securely deleted after a maximum period of 1 calendar year from when it was initially provided.
Where you have provided anonymous data, we will not be able to identify your responses. Therefore, you will not be able to:
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
BHSF has a legitimate business interest to try and gather this information so we can improve our products or services. We are collecting feedback to give our customers a chance to let us know that the products and services are working as they expect and to provide the opportunity for them to make suggestions. When we receive customer feedback, we will use it to address problems and make enhancements.
Why are we processing your data?
BHSF is processing your data for the purposes of providing health insurance to fulfil an insurance policy held directly with you or with your employer as part of your employee benefits package.
Where your data has been provided by your employer or by yourself for family policies, BHSF have a legitimate interest in processing your data for the purpose of providing health insurance as part of your employee benefits package or family cover.
What kinds of information do we process?
As part of our health insurance provision, we process: -
Who has provided us with your data?
Your data has been provided either
Will we share your data with anyone?
We only share your data if it is necessary for providing you with insurance coverage. We share your data under these different circumstances:
At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of the UK & EU General Data Protection Regulations.
How long will we keep your data for?
At BHSF, we store your data in line with regulatory and contractual requirements. For litigation purposes this means retaining data for seven years after the cancellation of a health insurance policy. We are committed to storing all of your data securely for the full duration of its retention.
Will we use your data to make automated decisions?
No – we do not use automated systems to make decisions in relation to Health Insurance.
Do you have to agree to us processing your data?
If you have completed an application form either online or in paper then we will process your data in order to meet our contractual obligations to you, in providing you with the insurance you have applied for.
If you have your policy as part of your benefits package offer from your employer or trade body then we have legitimate interest to lawfully process your data in order to provide the insurance cover. You have the right to opt out of this insurance and can do this by contacting your employer or trade body.
We may require medical information (such as details of hospital stays) to process claims for some benefits. Where you have submitted medical information (special category data) for the purposes of processing a claim, this will be processed under Schedule 1 of the Data Protection Act, section 20(1) – (a) necessary for an insurance purpose.
We may require medical information (such as GP reports or hospital notes) to process some claims as detailed on the declaration within each claim form.
Trade Union Members –
In addition to the above, if you are a member of a trade union and you have taken your policy out via your union, then we will process the knowledge that you are a trade union member and your membership number under the Data Protection Act 2018 – Public Interest (Insurance) derogation to Article 9 of the General Data Protection Regulations.
What happens if you fail to provide personal information?
If you fail to provide personal information we may not be able to meet the terms of the insurance policy (such as registering a new policy or making a claims payment) or we may be prevented from meeting our regulatory obligations for preventing fraud and financial crime.
Why are we processing your data?
BHSF are processing data for the purposes of providing term life insurance, travel insurance, income protection insurance, funeral, and bereavement insurance coverage to you under a contract with you.
Where your data has been provided by your employer or by the Policy Holder for family policies, BHSF have a legitimate interest in processing your data for the purpose of providing term life insurance, travel insurance, income protection insurance, funeral, and bereavement insurance coverage to you under an employee benefits package or for family cover.
What kinds of information do we process?
Who has provided us with your data?
Will we share your data with anyone?
At BHSF we try to meet all your health and wellbeing requirements. On occasion, in order to provide full coverage, some insurance cover is underwritten by an alternative insurance provider. In this instance the alternative provider will also process claims data. We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of the UK General Data Protection Regulation.
How long will we keep your data for?
At BHSF, we store your data in line with regulatory and contractual requirements. For litigation purposes this means retaining data for seven years after the cancellation of an insurance policy. We are committed to storing all of your data securely for the full duration of its retention.
Will we use your data to make automated decisions?
No – we do not use automated systems to make decisions in relation to brokered services.
Do you have to agree to us processing your data?
We will process your data in order to meet our contractual obligations to you, in providing you with the insurance you have applied for.
Where you have submitted medical information (special category data) for the purposes of processing a claim, this will be processed under Schedule 1 of the Data Protection Act, section 20(1) – (a) necessary for an insurance purpose.
We may require medical information (such as GP reports or hospital notes) to process some claims as detailed on the declaration within each claim form.
What happens if you fail to provide personal information?
If you fail to provide certain personal information we may not be able to meet the terms of the insurance policy (such as making a claims payment) or we may be prevented from meeting our regulatory obligations for preventing fraud and financial crime.
Why do we process your data?
BHSF are processing data for the purposes of providing you with access to employee benefits and employee support services. BHSF provides a range of employee benefits and health and wellbeing services through a network of approved providers. These services include employee assistance programmes (EAPs); confidential helplines; salary sacrifice schemes; employee discount schemes; and flexible benefits. These services are provided to you under a contract with either you or your employer.
What kinds of information do we process?
As part of our employee benefits provision we process:
Who has provided us with your data?
Your data has either been provided directly by you through an online application, or by your employer in order to provide you with access to a specific employee benefit or support service.
Will we share your data with anyone?
In order to provide you with a broad range of services, some services are facilitated through our approved partners. At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, so as to safeguard your information and in accordance with the requirements of the UK & EU GDPR.
How long will we keep your data for?
At BHSF, we store your data in line with contractual requirements. For litigation purposes, this means retaining data for seven years after the cancellation of a contract with your employer. We are committed to storing all of your data securely for the full duration of its retention.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
We will only process your data if you provide us with consent. If you are referred to one of our counselling services consent will be requested at the point of referral.
What happens if you fail to provide personal information?
If you fail to provide certain personal information we may not be able to provide you with employee benefit services that your employer or you have paid for under a contractual agreement.
Why are we processing your data?
BHSF are processing your data for the purposes of occupational health medicine, for the assessment of working capacity, medical diagnosis and the provision of health or social care treatment under a contract with your employer.
What kinds of information do we process?
As part of our occupational health provision we process:-
Will we share your data with anyone?
We only share your data if it is absolutely necessary for providing you with the occupational health services. To provide the contracted service your data may be shared with your employer and other medical practitioners to meet your occupational health requirements. Your consent will be sought for this data sharing. In addition, periodically, your anonymised data may be shared with statutory bodies in order to undertake clinical audits that ensure we continually improve our clinical standards.
We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, to treat your information as respectfully as we do, and in accordance with the requirements of the General Data Protection Regulation. Your data will only ever be processed within the United Kingdom, except where customers have a base in the Republic of Ireland. Suppliers may include individual occupational physicians or organisations providing counselling, physiotherapy or blood screening services for example.
How long will we keep your data for?
At BHSF, we store your data in line with regulatory and contractual requirements. Different types of occupational health data must be retained for different periods of time due to regulatory requirements and litigation law. For example, health surveillance data will be kept for up to 40 years in compliance with the Care of Substances Hazardous to Health Regs. 2002 (COSHH 2003 Northern Ireland, Safety Health & Welfare at Work 2015 RoI). We are committed to storing all your data securely for the full duration of its retention. We will take appropriate technical and organisational security measures to safeguard information.
Will we transfer your data to another provider?
In the event that your employer terminates their contract with us and commences a contract with a new OH provider, you will be asked if you would like your data to be transferred to the new OH provider or returned to you. Once your data has been transferred we will permanently delete all of our records.
Will we use your data to make automated decisions?
Yes (this does not apply to Health Care Workers). Automated Decisions are made for:
New Starter Questionnaires – this aspect of processing cannot negatively affect you. Some responses provided within the Questionnaire will result in a BHSF OH Clinician review to assess your fitness for a role.
Night Worker Questionnaires – some night worker questionnaires may be subject to automated decisions depending on who you are employed by. Explicit consent to confirm your agreement is requested on the form where this applies.
Do you have to agree to us processing your data?
As a provider of occupational health services we can legitimately process your data under clause 6(f) and 9(h) of the GDPR without requiring your consent.
Prior to your initial contact with us, your employer (who holds a contract with us to provide OH services), will have directed you to sources of information on how we will be processing your data. On your initial contact with us, we will provide further information should you require it.
Why do we process your data?
Data is processed in order to provide you with the most up to date information regarding our range of products and services.
What kinds of data do we process?
As part of informing you about our products and services we process the following kinds of data:
Who has provided us with your data?
If you are a direct customer your data will have been provided directly by you. If you represent a business your data will either have been provided by you or by a corporate data house. All corporate data services suppliers used by BHSF only provide data where the corporations have consented to their data being shared by the data house.
Will we share your data with anyone?
In order to provide you with up-to-date information about our products and services we may share your data with other companies within the BHSF Group and third parties we use to help deliver our services and run our business, such as emailing partners, public relations agencies or data profiling companies.
At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.
How long will we keep your data for?
We will keep your data for up to 2 years for marketing purposes until your consent is withdrawn.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
Yes. As a direct customer, you will be asked if you consent to the use of data for marketing via user agreement, post, telephone, SMS and email separately. Consent will be obtained at the point of application or via the helpdesk at the first possible contact point.
You may withdraw your consent for processing data for marketing purposes at any time. If you’re an employee of one of our corporate customers, you will have been asked for consent by them.
Why do we process your data?
Data is processed in order to provide corporate customers with the most appropriate information with regards to health and wellbeing services that BHSF provide, to optimise the customer experience and to provide services to you under our contractual obligations.
What kinds of records do we process?
In order to manage our relationship with you we process business contact details, details of appointments attended and telephone calls made. We also process any correspondence received, contractual documentation, lifestyle data and corporate customer employee data.
Who has provided us with your data?
Your personal information will either have been provided directly by you through a BHSF sales representative or indirectly through a broker.
Will we share your data with anyone?
Your data may be shared with other companies within the BHSF Group and third parties we use to help deliver our services and run our business, such as legal advisors and customer management. Corporate customer employee data may be shared with your broker if that is your preferred route of obtaining services. At BHSF, we only work with trusted brokers and legal advisors who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.
How long will we keep your data for?
Contractual documentation is retained for seven years after the cessation of the contract in accordance with Section 5 Limitation Act 1980. Other records will be retained only until the cessation of the contract or the data is refreshed.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
Your personal information is processed for the performance of service level agreements to which you are a party or in order to take steps at your request prior to entering into a contract. Lifestyle data is collected in line with BHSF’s legitimate business interests for the purpose of maintaining effective business relationships with our corporate contacts.
What happens if you fail to provide personal information?
If you fail to provide certain necessary personal information we may not be able to meet our service level agreement to you.
BHSF processes data on existing, former and prospective employees, agency workers, contractors and apprentices. We collect, store and use personal information about you before, during and after your working relationship with us.
Why do we process your data?
BHSF Group Limited (BHSF) processes data on former, current and prospective employees, agency workers and contractors, work experience students and apprentices. We collect and use personal information about you prior to, during and after the end of your working relationship with us.
BHSF processes your personal information in order to enter into and perform the employment contract we have with you. To meet and comply with our regulatory and legislative obligations as an employer, BHSF processes your personal information to undertake recruitment, performance management, absence management, making appropriate workplace adjustments, for your wellbeing, learning and development, employee contract management and for monitoring equality and diversity.
What kinds of information do we process?
In order to manage our relationship with you we process lawfully the following kinds of personal data;
We also process the following Special category data;
Who has provided us with your data?
We collect your personal information through the recruitment process either directly from you, as the candidate, or through third parties including recruitment agencies, a vetting and screening provider, former employers, credit agencies, current BHSF employees through our recruitment referral scheme and psychometric profiling agencies. Data from vetting and screening is used to comply with the Disclosure and Barring Service and for other legal requirements.
We may also collect your personal information through a transfer under the Transfer of Undertakings (Protection of Employment) Regulations (TUPE), which applies when BHSF enters into a business transfer from one employer to another and employees of the incoming business transfer as part of that business transfer.
We will collect other personal information in the course of job related activities throughout the period that you are working with us.
Will we share your data with anyone?
We only share your data if it is absolutely legally and contractually necessary for us to do so to enable us to provide human resource services, and if it is in your interest. For example:
How long will we keep your data for?
Your personal information is retained for six years after the end of your relationship with us (one year in the case of agency workers) and, in the case of Director-level positions, for a period of 12 years after the end of the Directorship. There is an exception in respect of Right to Work information, which is retained for two years after the end of your relationship with us.
Personal information from unsuccessful candidates will be retained for one year; from work experience students, this will be six months.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
We only use your information when the law allows us to. Most commonly:
In addition we may also need to process:
What happens if you fail to provide personal information?
If you fail to provide the information when requested we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.
Why do we process your data?
We collect and use personal information about you during your working relationship with us. BHSF processes your personal information to meet the legislative requirements under reporting of injuries, diseases and dangerous occurrences regulations 2013/1472. This includes conducting health and safety assessments, and holding licenses, permits and certificates.
What kinds of information do we process?
In order to meet our legislative health and safety requirements we process the following kinds of personal information:
Who has provided us with your data?
We collect your personal information directly from you. In the case of an unfortunate health and safety incident this may be collected through your health and safety representative.
Will we share your data with anyone?
We only share your data if it is absolutely necessary for complying with health and safety legislation or if it is in your interest. For example, we will share the information relating to a health and safety incident with the health and safety executive using the RIDDOR database.
How long will we keep your data for?
Your personal information is retained for 3 years after the cessation of your relationship with us in accordance with health and safety law.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
No. We are legally required to process your data under health and safety regulation and legislation.
What happens if you fail to provide personal information?
If you fail to provide the information when requested we may be prevented from complying with our legal obligations under reporting of injuries, diseases and dangerous occurrences regulations 2013/1472.
Why do we process your data?
We collect and use personal information about you during and after your working relationship with us. BHSF processes your personal information to meet the pension obligations to you under our contractual relationship.
What kinds of information do we process?
In order to deliver your pension benefits and meet legislative pension scheme requirements we process the following kinds of personal information:
Who has provided us with your data?
We typically collect your personal information directly from you.
Will we share your data with anyone?
To meet our pension obligations, it is necessary to share your personal information with:
How long will we keep your data for?
Your pension fund personal information will be retained for 12 years after the cessation of your pension benefits.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
No. We are legally required to process your data under pension scheme legislation.
What happens if you fail to provide personal information?
If you fail to provide the information when requested we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.
Why do we process your data?
If you are, or are applying to be, or have been a senior insurance manager as defined under the senior insurance management regime, we collect and use personal information about you during and after your working relationship with us, to meet regulatory requirements, for senior insurance managers under the FCA handbook – Systems and Controls and regulation under the PRA for senior insurance managers.
What kinds of information do we process?
In order to be compliant with the senior insurance managers regime, we process the following kinds of personal information
Who has provided us with your data?
We typically collect your personal information through the recruitment process either directly from you, the candidate, or through a recruitment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit check referencing agencies, or other background check agencies. We may also collect information from the regulatory authorities, the FCA and the PRA.
We will collect other personal information in the course of job related activities throughout the period that you are working with us.
Will we share your data with anyone?
We only share your data if it is a regulatory requirement. In order to meet the Senior Insurance Management Regime requirements it is necessary to share your personal information with statutory bodies in particular:
How long will we keep your data for?
In most cases, your senior insurance management personal information will be retained for 6 years after the cessation of your relationship with us or from when your role changes. However, we are required to retain governance map records for 10 years after the approval date.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
No. We are legally required to process your data under the senior insurance management regime.
What happens if you fail to provide personal information?
If you fail to provide the information when requested, we may not be able to process your application for a senior insurance manager role.
Why do we process your data?
We collect and use personal information about you during and after your working relationship with us in order to pay your wages and in order to meet taxation legislative requirements.
What kinds of information do we process?
In order to deliver your benefits and to be compliant with taxation law, we process the following kinds of personal information
Who has provided us with your data?
We typically collect your personal information directly from you, although further personal information may be provided by the HMRC.
Will we share your data with anyone?
We only share your data if it is absolutely necessary, if it is a legislative requirement and if it is in your interest. For taxation legislative requirements, it is necessary to share your personal information with:
How long will we keep your data for?
Your personal information will be retained for 6 years after the cessation of your relationship with us.
Will we use your data to make automated decisions?
No.
Do you have to agree to us processing your data?
No. We are legally required to process your data.
What happens if you fail to provide personal information?
If you fail to provide the information when requested we may not be able to pay you your wages or we may be prevented from complying with our legal obligations.