Privacy notice

Updated August 2023

BHSF Group Limited and its subsidiaries (“BHSF”) are committed to protecting your data and complying with data protection legislation and the General Data Protection Regulation (GDPR). BHSF is a data controller. This means that we are responsible for deciding how we hold and use personal information about you. This statement sets out how and why we are processing the information we have on you. It also explains your rights as a data subject.

It is important that you read this notice, together with any specific privacy notice to inform you of what personal information we are collecting or processing about you.

What is our commitment to you?

Our aim in processing your data is to successfully deliver our service to you with an appropriate level of data sharing whilst recognising the need to protect your fundamental rights to privacy.

BHSF is committed to:-

  • Protecting the confidentiality, integrity and availability of the information it collects, stores, transfers and processes in accordance with the GDPR, and international good practice, and to meet its legal requirements and contractual obligations.
  • Explaining why it needs personal information and only asking for the personal information it needs.
  • Processing data only in a manner that is compatible with the specified and lawful purposes.
  • Maintaining the accuracy and completeness of data.
  • Only sharing personal information with other organisations as necessary, where the person concerned has given their consent to share their personal data, or where another legal basis of sharing the data overrides the need to give consent.
  • Ensuring the individual can make requests in relation to their data subject rights.
  • Not keeping personal information for longer than necessary or as required by legislation.
  • Investigating and reporting data breaches and suspected breaches, and to being open and honest when things have gone wrong.
  • Assessing its information security controls annually.
  • Applying the above standards to its supply chain and delivery partners.
  • Keeping data in a form that permits identification of individuals no longer than necessary for the purposes for which the personal data is processed, in accordance with the BHSF data record.
  • Applying appropriate technological and organisational controls to ensure the security of personal data.

In order to meet its commitment, BHSF operates a wide range of technical, physical and procedural controls to maintain the confidentiality, integrity and availability of information. BHSF maintains an information security policy which provides further details regarding the minimum standards of control to which it operates.

What are your rights?

At BHSF we recognise that your data is important to you and therefore we are committed to supporting you with your data protection rights. Within legal and regulatory constraints, you have the right to:

  • Have information about how your information is being processed
  • Request a copy of your data at any time (commonly known as a data subject access request)
  • Port (move/transfer) your data to an alternative service provider
  • Have your data rectified or corrected if it is factually inaccurate
  • Be forgotten or have your data erased
  • Restrict the processing of your data, in certain circumstances
  • Object to the processing of your data, in certain circumstances
  • Appropriate decision making

Do you have a right to withdraw consent?

You have the right to withdraw your consent to specific processing at any time. Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis to do so in law.

How can you contact us about your data or your data rights?

If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact our Data Protection Officer at;
DPO, BHSF Group Limited, 13th Floor, 54 Hagley Road, Birmingham, B16 8PE

Telephone: 0800 0744 318
Email: [email protected]

EU data protection representative:
We have appointed Green CDL EU Data Protection to act on our behalf in the EU. If you wish to contact them their details are as follows:
Email: [email protected]
Address: 09/10 Fenian Street, Dublin 2, D02RX24, Ireland
Telephone: 01 539 4429 (00353 1539 4429 from outside of Republic of Ireland)

They will only transfer your personal details to us in the UK if you have given explicit consent, which you can withdraw at any time. We take data protection very seriously and fully comply with the General Data Protection Regulation (GDPR) in so far as it applies and the UK GDPR as from 1st Jan 2021. We also comply with all other relevant data protection laws and we provide at least the same level of protection of your personal data as though the UK was still a Member State.

Transfers of Personal Data to and from the EU

If we transfer your personal data from the UK to the EU we rely upon the UK adequacy decision process as we are satisfied that the EU provides the same level of data protection as you would receive in the UK.

If we transfer personal data outside of the EU to any country that has not granted adequacy status then we satisfy ourselves that you will enjoy the same level of protection of your data that you do in the UK by ensuring there is an appropriate safeguard in place in the form of either Standard Contractual Clauses or International Data Transfer Agreements. These are agreements that ensure you will receive a high level of data protection. If you would like to see a copy of the agreement relevant to you please contact us using the details in this privacy notice.

What should you do if you want to make a complaint about the way your data is being processed?

At BHSF we make every endeavour to protect your data. In the unfortunate circumstance that you are not happy with the manner in which we process your data, you may wish to make a complaint. In the first instance, please contact the BHSF Data Protection Officer in writing, stating your name, contact details and the nature of your complaint against BHSF.

If you are not happy with the response you receive you may also wish to contact the UK data protection regulator, the Information Commissioner, whose contact details are available at https://ico.org.uk

How and why do we process your personal data?

We will only process your personal information for the purpose for which we collected it. Please see below for further information. If we need to use your information for an unrelated purpose we will contact you and we will explain the legal basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of criminal investigation.

Changes to this privacy notice

We will update this privacy notice if there are any changes in the law or the manner in which we process personal data so please check back on a regular basis.

Who do we process the personal data of?

We are committed to being transparent about (a) what the legal basis for processing your data is and (b) how we process it. At BHSF we process personal information of:-

Existing, former and prospective customers

BHSF processes data on former, current and prospective customers. This section applies to all corporate clients, corporate client employees, and individual customers. We collect and use personal information about you during and after your commercial relationship with us. BHSF processes your personal information in order to provide a range of services.

Customer surveys

Why do we process your data?

Data is processed in order to provide BHSF with the most up to date information on how our range of products and services are viewed by customers, which will be used to inform management decisions.

What kinds of data do we process?

In order to improve our products and services, we will process your contact information such as your email address and telephone number, so BHSF and our third party survey provider can send you surveys which will help BHSF monitor our customers’ perceptions.

We will also process any data you provide as part of your response, but participation in this research is voluntary, and you are free to decide not to take part if you do not want to.

The types of survey BHSF may carry out include but are not limited to: customer satisfaction surveys, Net Promoter Score (NPS) and feedback on services provided by BHSF.

Who has provided us with your data?

BHSF will have been provided your data by at least one of the following:

  • Directly by yourself.
  • Your employer.
  • A broker or intermediary trusted by yourself or your employer.

Will we share your data with anyone?

In order to gather the data we require on our products and services, we may share your contact information with other companies within the BHSF Group and third parties we use to help deliver our services and run our business such as third party survey providers.

At BHSF we only work with trusted suppliers where there is an agreement in place, or the data processor arrangement is comprehensively covered by their terms of use, to protect your data and treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.

How long will we keep your data for?

We will keep your data you have provided in your survey responses until:

  • The data is refreshed, renewed, is superseded or becomes obsolete.
  • You request its deletion.

If neither of these requirements are met, your data will be securely deleted after a maximum period of 1 calendar year from when it was initially provided.

Where you have provided anonymous data, we will not be able to identify your responses. Therefore, you will not be able to:

  • Request access or deletion of your data.
  • Object to, or restrict, the processing of the data.
  • Rectify the data held.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

BHSF has a legitimate business interest to try and gather this information so we can improve our products or services. We are collecting feedback to give our customers a chance to let us know that the products and services are working as they expect and to provide the opportunity for them to make suggestions. When we receive customer feedback, we will use it to address problems and make enhancements.

Health Insurance

Why are we processing your data?

BHSF is processing your data for the purposes of providing health insurance to fulfil an insurance policy held directly with you or with your employer as part of your employee benefits package.

Where your data has been provided by your employer or by your partner for family policies, BHSF have a legitimate interest in processing your data for the purpose of providing health insurance as part of your employee benefits package or family cover.

What kinds of information do we process?

As part of our health insurance provision we process:-

  • Your personal details such as name, address, date of birth, email address and telephone number, names and dates of birth of family members. If you pay your premiums via your wages/salary then we will use your National Insurance number or payroll number for reconciliation purposes.
  • Claims records
  • Complaints records
  • Your bank details and details of payment made by us and you.

Who has provided us with your data?

Your data has been provided either

  • Directly by you through application forms, claim forms, online portal or other correspondence; or
  • By your employer (directly or through a broker) in order to provide you with health insurance coverage as part of your employment benefits package; or
  • For family policies details have been provided by the Policy Holder directly or through their employer.

Will we share your data with anyone?

We only share your data if it is absolutely necessary for providing you with insurance coverage. We share your data under these different circumstances:-

  • Claims payment: – To process your insurance claims it may be necessary to share your data with medical practitioners.
  • Fraudulent claim: – In the event of a fraudulent claim it will be necessary for us to share your data with statutory bodies such as the police and the county courts.
  • Document management: – We use third party providers to receive your policy/claims information, issue correspondence and retention/destruction of your data.
  • In addition, on some occasions, it may be necessary to share your data with our reinsurers who will also process claims data.

At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of the General Data Protection Regulations.

Your data will only be processed within the United Kingdom.

How long will we keep your data for?

At BHSF, we store your data in line with regulatory and contractual requirements. For litigation purposes this means retaining data for seven years after the cancellation of a health insurance policy. We are committed to storing all of your data securely for the full duration of its retention.

Will we use your data to make automated decisions?

No – we do not use automated systems to make decisions in relation to Health Insurance.

Do you have to agree to us processing your data?

If you have completed an application form either online or in paper then we will process your data in order to meet our contractual obligations to you, in providing you with the insurance you have applied for.

If you have your policy as part of your benefits package offer from your employer or trade body then we have legitimate interest to lawfully process your data in order to provide the insurance cover. You have the right to opt out of this insurance and can do this by contacting your employer or trade body.

We may require medical information (such as details of hospital stays) to process claims for some benefits. Where you have submitted medical information (special category data) for the purposes of processing a claim, this will be processed under Schedule 1 of the Data Protection Act, section 20(1) – (a) necessary for an insurance purpose.

We may require medical information (such as GP reports or hospital notes) to process some claims as detailed on the declaration within each claim form.

Trade Union Members –
In addition to the above, if you are a member of a trade union and you have taken your policy out via your union, then we will process the knowledge that you are a trade union member and your membership number under the Data Protection Bill 2018 – Public Interest (Insurance) derogation to Article 9 of the General Data Protection Regulations.

What happens if you fail to provide personal information?

If you fail to provide personal information we may not be able to meet the terms of the insurance policy (such as registering a new policy or making a claims payment) or we may be prevented from meeting our regulatory obligations for preventing fraud and financial crime.

Brokered Insurance

Why are we processing your data?

BHSF are processing data for the purposes of providing term life insurance, travel insurance, income protection insurance, funeral, and bereavement insurance coverage to you under a contract with you.

Where your data has been provided by your employer or by the Policy Holder family policies, BHSF have a legitimate interest in processing your data for the purpose of providing term life insurance, travel insurance, income protection insurance, funeral, and bereavement insurance coverage to you under an employee benefits package or for family cover.

What kinds of information do we process?

  • Your personal details such as name, address, date of birth, email address and telephone number, names and dates of birth of family members. If you pay your premiums via your wages/salary then we will use your National Insurance number or payroll number for reconciliation purposes.
  • Claims records
  • Complaints records
  • Your bank details and details of payment made by us and you.

Who has provided us with your data?

  • Your data has been either provided directly by you through application forms and other correspondence; or
  • Your data has been provided by your employer (directly or through a broker) in order to provide you with insurance cover; or
  • For family policies details have been provided by the Policy Holder

Will we share your data with anyone?

At BHSF we try to meet all your health and wellbeing requirements. On occasion, in order to provide full coverage, some insurance cover is underwritten by an alternative insurance provider. In this instance the alternative provider will also process claims data. We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of the General Data Protection Regulation.

Your data will only ever be processed within the United Kingdom.

How long will we keep your data for?

At BHSF, we store your data in line with regulatory and contractual requirements. For litigation purposes this means retaining data for seven years after the cancellation of an insurance policy. We are committed to storing all of your data securely for the full duration of its retention.

Will we use your data to make automated decisions?

No – we do not use automated systems to make decisions in relation to brokered services.

Do you have to agree to us processing your data?

We will process your data in order to meet our contractual obligations to you, in providing you with the insurance you have applied for.

Where you have submitted medical information (special category data) for the purposes of processing a claim, this will be processed under Schedule 1 of the Data Protection Act, section 20(1) – (a) necessary for an insurance purpose.

We may require medical information (such as GP reports or hospital notes) to process some claims as detailed on the declaration within each claim form.

What happens if you fail to provide personal information?

If you fail to provide certain personal information we may not be able to meet the terms of the insurance policy (such as making a claims payment) or we may be prevented from meeting our regulatory obligations for preventing fraud and financial crime.

Employee Benefits

Why do we process your data?

BHSF are processing data for the purposes of providing you with access to employee benefits and employee support services. BHSF provides a range of employee benefits and health and wellbeing services through a network of approved providers. These services include employee assistance programmes (EAPs); confidential helplines; salary sacrifice schemes; employee discount schemes; and flexible benefits. These services are provided to you under a contract with either you or your employer.

What kinds of information do we process?

As part of our employee benefits provision we process:-

  • EAP referral records
  • Flexsme profile data
  • Network Benefits records
  • Complaints records

Who has provided us with your data?

Your data has either been provided directly by you through an online application, or by your employer in order to provide you with access to a specific employee benefit or support service.

Will we share your data with anyone?

In order to provide you with a broad range of services, some services are facilitated through our approved partners. At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, so as to safeguard your information and in accordance with the requirements of the GDPR.

How long will we keep your data for?

At BHSF, we store your data in line with contractual requirements. For litigation purposes, this means retaining data for seven years after the cancellation of a contract with your employer. We are committed to storing all of your data securely for the full duration of its retention.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

We will only process your data if you provide us with consent. If you are referred to one of our counselling services consent will be requested at the point of referral.

What happens if you fail to provide personal information?

If you fail to provide certain personal information we may not be able to provide you with employee benefit services that your employer or you have paid for under a contractual agreement.

Occupational Health Services

Why are we processing your data?

BHSF are processing your data for the purposes of occupational health medicine, for the assessment of working capacity, medical diagnosis and the provision of health or social care treatment under a contract with your employer.

What kinds of information do we process?

As part of our occupational health provision we process:-

  • Management referral records
  • Health surveillance records- ionising radiation
  • Health surveillance records- non-radiation
  • New starter screening records
  • Health screening records upon which a job depends
  • Lifestyle Health screening records
  • Counselling referrals records
  • Physiotherapy records
  • Vaccinations records
  • Appointment records
  • Equipment calibration records
  • Clinical audit records
  • Medical equipment use records
  • Complaints records
  • Private GP Records

Will we share your data with anyone?

We only share your data if it is absolutely necessary for providing you with the occupational health services. To provide the contracted service your data may be shared with your employer and other medical practitioners to meet your occupational health requirements. Your consent will be sought for this data sharing. In addition, periodically, your anonymised data may be shared with statutory bodies in order to undertake clinical audits that ensure we continually improve our clinical standards.

We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, to treat your information as respectfully as we do, and in accordance with the requirements of the General Data Protection Regulation. Your data will only ever be processed within the United Kingdom, except where customers have a base in the Republic of Ireland. Suppliers may include individual occupational physicians or organisations providing counselling, physiotherapy or blood screening services for example.

How long will we keep your data for?

At BHSF, we store your data in line with regulatory and contractual requirements. Different types of occupational health data must be retained for different periods of times due to regulatory requirements and litigation law. For example, health surveillance data will be kept for up to 40 years in compliance with the Care of Substances Hazardous to Health Regs. 2002 (COSHH 2003 Northern Ireland, Safety Health & Welfare at Work 2015 RoI). We are committed to storing all your data securely for the full duration of its retention. We will take appropriate technical and organisational security measures to safeguard information.

Will we transfer your data to another provider?

In the event that your employer terminates their contract with us and commences a contract with a new OH provider, you will be asked if you would like your data to be transferred to the new OH provider or returned to you. Once your data has been transferred we will permanently delete all of our records.

Will we use your data to make automated decisions?

Yes (this does not apply to Health Care Workers). Automated Decisions are made for:

New Starter Questionnaires – this aspect of processing cannot negatively affect you, some responses provided within the Questionnaire will result in a BHSF OH Clinician review to assess your fitness for a role

Night Worker Questionnaires – some night worker questionnaires may be subject to automated decisions depending on who you are employed by. Explicit consent to confirm your agreement is requested on the form where this applies.

Do you have to agree to us processing your data?

As a provider of occupational health services we can legitimately process your data under clause 6(f) and 9(h) of the GDPR without requiring your consent.

Prior to your initial contact with us, your employer (who holds a contract with us to provide OH services), will have directed you to sources of information on how we will be processing your data. On your initial contact with us, we will provide further information should you require it.

Marketing

Why do we process your data?

Data is processed in order to provide you with the most up to date information regarding our range of products and services.

What kinds of data do we process?

As part of informing you about our products and services we process the following kinds of data:-

  • Marketing campaign records eg press releases, advertising campaigns, design assets
  • Prospect records eg marketing leads of corporate organisations and individuals, names and email addresses of contacts
  • Profile records eg market sector, volume of employees for corporate organisations and lifestyle data, age, occupation for individuals
  • Consent/ marketing subscription records eg subscription to newsletters, consent to receive marketing information
  • Social media records eg email address of a corporate client who has clicked on LinkedIn advert.

Who has provided us with your data?

If you are a direct customer your data will have been provided directly by you.

If you represent a business your data will either have been provided by you or by a corporate data house. All corporate data services suppliers used by BHSF only provide data where the corporations have consented to their data being shared by the data house.

Will we share your data with anyone?

In order to provide you with up to date information about our products and services we may share your data other companies within the BHSF Group and third parties we use to help deliver our services and run our business, such as emailing partners, public relations agencies or data profiling companies.

At BHSF we only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.

How long will we keep your data for?

We will keep your data for marketing purposes until your consent is withdrawn or the data is refreshed.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

Yes. As a direct customer, you will be asked if you consent to the use of data for marketing via post, telephone, SMS and email separately. Consent will be obtained at the point of application or via the helpdesk at the first possible contact point. You may withdraw your consent for processing data for marketing purposes at any time. As a representative of a corporate customer, you will have been asked for consent for the processing of your data by the corporate data house. You can withdraw your consent at any time by contacting us requesting details of the data house. We will amend our records to show that consent has been withdrawn.

Customer Relationship Management

Why do we process your data?

Data is processed in order to provide corporate customers with the most appropriate information with regards to health and wellbeing services that BHSF provide, to optimise the customer experience and to provide services to you under our contractual obligations.

What kinds of records do we process?

In order to manage our relationship with you we process business contact details, details of appointments attended and telephone calls made. We also process any correspondence received, contractual documentation, lifestyle data and corporate customer employee data.

Who has provided us with your data?

Your personal information will either have been provided directly by you through a BHSF sales representative or indirectly through a broker.

Will we share your data with anyone?

Your data may be shared with other companies within the BHSF Group and third parties we use to help deliver our services and run our business, such as legal advisors and customer management. Corporate customer employee data may be shared with your broker if that is your preferred route of obtaining services. At BHSF, we only work with trusted brokers and legal advisors who have agreed to the terms of our Data Processor Agreement to treat your information as respectfully as we do and in accordance with the requirements of relevant data protection laws.

How long will we keep your data for?

Contractual documentation is retained for seven years after the cessation of the contract in accordance with Section 5 Limitation Act 1980. Other records will be retained only until the cessation of the contract or the data is refreshed.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

Your personal information is processed for the performance of service level agreements to which you are a party or in order to take steps at your request prior to entering into a contract. Lifestyle data is collected in line with BHSF’s legitimate business interests for the purpose of maintaining effective business relationships with our corporate contacts.

What happens if you fail to provide personal information?

If you fail to provide certain necessary personal information we may not be able to meet our service level agreement to you.

Former, existing and prospective employees

BHSF processes data on existing, former and prospective employees, agency workers, contractors and apprentices. We collect, store and use personal information about you before, during and after your working relationship with us.

Human Resources

Why do we process your data?

BHSF Group Limited (BHSF) processes data on former, current and prospective employees, agency workers and contractors, work experience students and apprentices. We collect and use personal information about you prior to, during and after the end of your working relationship with us.

BHSF processes your personal information in order to enter into and perform the employment contract we have with you. To meet and comply with our regulatory and legislative obligations as an employer, BHSF processes your personal information to undertake recruitment, performance management, absence management, making appropriate workplace adjustments, for your wellbeing, learning and development, employee contract management and for monitoring equality and diversity.

What kinds of information do we process?

In order to manage our relationship with you we process lawfully the following kinds of personal data;

  • Employment contract records
  • Right to work records
  • Performance records
  • Absence records
  • Dispute records
  • Recruitment records
  • Reward records
  • Training and personal development records

We also process the following personal sensitive data;

  • Racial and ethnic origin
  • Religious belief
  • Gender
  • Physical and mental health information
  • Criminal records

Who has provided us with your data?

We collect your personal information through the recruitment process either directly from you, as the candidate, or through third parties including recruitment agencies, a vetting and screening provider, former employers, credit agencies, current BHSF employees through our recruitment referral scheme and psychometric profiling agencies. Data from vetting and screening is used to comply with the Disclosure and Barring Service and for other legal requirements.

We may also collect your personal information through a transfer under the Transfer of Undertakings (Protection of Employment) Regulations (TUPE), which applies when BHSF enters into a business transfer from one employer to another and employees of the incoming business transfer as part of that business transfer.

We will collect other personal information in the course of job related activities throughout the period that you are working with us.

Will we share your data with anyone?

We only share your data if it is absolutely legally and contractually necessary for us to do so to enable us to provide human resource services, and if it is in your interest. For example:-

  • At your request we will share your personal information when recruiting and appointing a prospective employee through a recruitment agency;
  • At your request we will share your personal information with a future employer, and property agency, for reference purposes;
  • To provide you with workplace adjustments your personal information may be provided to an occupational health specialist or other medical practitioners to meet your occupational health requirements;
  • To satisfy immigration law your personal information may be provided to the Home Office;
  • In the unfortunate instance of early conciliation or an employment tribunal your personal information may be provided to ACAS and / or an Employment Tribunal;
  • As part of an outgoing TUPE transfer arrangement to a transferring organisation where we are legally required to do so as part of the outgoing TUPE transfer;
  • Periodically, and with your consent, we may share your data with a third party survey provider in order to monitor staff morale and equality and diversity. With regard to processing for survey purposes, BHSF utilises outsourced providers to conduct the survey, who send links to surveys which are then completed by employees anonymously. Basic demographic information is provided in survey responses according to pre-agreed demographic categories. The demographic categories are defined in a broad enough way to ensure that identification of the employee is not possible from the employee responses to survey questions.
  • We have a legitimate interest in processing your personal data to ensure or enhance your wellbeing. In doing so, we may share your personal data with external service providers to fulfil this processing.

How long will we keep your data for?

Your personal information is retained for six years after the end of your relationship with us (one year in the case of agency workers) and, in the case of Director-level positions, for a period of 12 years after the end of the Directorship. There is an exception in respect of Right to Work information, which is retained for two years after the end of your relationship with us.

Personal information from unsuccessful candidates will be retained for one year; from work experience students, this will be six months.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

We only use your information when the law allows us to. Most commonly:-

  • to perform a contract we have with you;
  • where we need to comply with a legal obligation;
  • where it is necessary for our legitimate interests and your interest and fundamental rights do not override these interests.

In addition we may also need to process:

  • To protect your vital interests;
  • Where it is in the public interest to do so.

What happens if you fail to provide personal information?

If you fail to provide the information when requested we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

Health and safety

Why do we process your data?

We collect and use personal information about you during your working relationship with us. BHSF processes your personal information to meet the legislative requirements under reporting of injuries, diseases and dangerous occurrences regulations 2013/1472. This includes conducting health and safety assessments, and holding licenses, permits and certificates.

What kinds of information do we process?

In order to meet our legislative health and safety requirements we process the following kinds of personal information:-

  • Health and safety incident records
  • Health and safety assessments
  • Permits, licences, certificates
  • CCTV with DVR recording/playback

Who has provided us with your data?

We collect your personal information directly from you. In the case of an unfortunate health and safety incident this may be collected through your health and safety representative.

Will we share your data with anyone?

We only share your data if it is absolutely necessary for complying with health and safety legislation or if it is in your interest. For example, we will share the information relating to a health and safety incident with the health and safety executive using the RIDDOR database.

How long will we keep your data for?

Your personal information is retained for 3 years after the cessation of your relationship with us in accordance with health and safety law.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

No. We are legally required to process your data under health and safety regulation and legislation.

What happens if you fail to provide personal information?

If you fail to provide the information when requested we may be prevented from complying with our legal obligations under reporting of injuries, diseases and dangerous occurrences regulations 2013/1472.

Pension administration

Why do we process your data?

We collect and use personal information about you during and after your working relationship with us. BHSF processes your personal information to meet the pension obligations to you under our contractual relationship.

What kinds of information do we process?

In order to deliver your pension benefits and meet legislative pension scheme requirements we process the following kinds of personal information:-

  • Pension scheme records
  • Membership and communication records
  • Pension scheme deeds
  • Pension application forms

Who has provided us with your data?

We typically collect your personal information directly from you.

Will we share your data with anyone?

We only share your data if it is absolutely necessary and it is in your interest. To meet our pension obligations it is necessary to share your personal information with:-

  • Pension providers
  • Pension administrators
  • Statutory bodies
  • Pension fund auditors, professional parties
  • Pension fund trustees and pension governance bodies

How long will we keep your data for?

Your pension fund personal information will be retained for 12 years after the cessation of your pension benefits.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

No. We are legally required to process your data under pension scheme legislation.

What happens if you fail to provide personal information?

If you fail to provide the information when requested we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

Senior insurance manager governance

Why do we process your data?

If you are, or are applying to be, or have been a senior insurance manager as defined under the senior insurance management regime, we collect and use personal information about you during and after your working relationship with us, to meet regulatory requirements, for senior insurance managers under the FCA handbook – Systems and Controls and regulation under the PRA for senior insurance managers.

What kinds of information do we process?

In order to be compliant with the senior insurance managers regime, we process the following kinds of personal information

  • Regulatory approval records
  • Governance map records
  • Conflicts of interest records
  • Hand over records
  • Regulatory references records
  • Updated SIMF records after employment
  • Criminal records
  • Credit references

Who has provided us with your data?

We typically collect your personal information through the recruitment process either directly from you, the candidate, or through a recruitment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit check referencing agencies, or other background check agencies. We may also collect information from the regulatory authorities, the FCA and the PRA.

We will collect other personal information in the course of job related activities throughout the period that you are working with us.

Will we share your data with anyone?

We only share your data if it is a regulatory requirement. In order to meet the Senior Insurance Management Regime requirements it is necessary to share your personal information with statutory bodies in particular:-

  • The Financial Conduct Authority
  • The Prudential Regulatory Authority

How long will we keep your data for?

In most cases, your senior insurance management personal information will be retained for 6 years after the cessation of your relationship with us or from when your role changes. However, we are required to retain governance map records for 10 years after the approval date.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

No. We are legally required to process your data under the senior insurance management regime.

What happens if you fail to provide personal information?

If you fail to provide the information when requested we may not be able to process your application for a senior insurance manager role or we may be prevented from complying with our regulatory obligations.

Wage provision

Why do we process your data?

We collect and use personal information about you during and after your working relationship with us in order to pay your wages and in order to meet taxation legislative requirements.

What kinds of information do we process?

In order to deliver your benefits and to be compliant with taxation law, we process the following kinds of personal information

  • Payroll and wages records
  • National insurance records
  • Employee PAYE records
  • Maternity pay/ absence pay records

Who has provided us with your data?

We typically collect your personal information directly from you, although further personal information may be provided by the HMRC.

Will we share your data with anyone?

We only share your data if it is absolutely necessary, if it is a legislative requirement and if it is in your interest. For taxation legislative requirements, it is necessary to share your personal information with:-

  • Auditors,
  • Tax advisors,
  • HMRC

How long will we keep your data for?

Your personal information will be retained for 6 years after the cessation of your relationship with us.

Will we use your data to make automated decisions?

No.

Do you have to agree to us processing your data?

No. We are legally required to process your data.

What happens if you fail to provide personal information?

If you fail to provide the information when requested we may not be able to pay you your wages or we may be prevented from complying with our legal obligations.