Privacy notice for group critical illness and group income protection claims

Your personal data – what is it?

Personal data is defined as any data from which a living individual can be identified.

Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the Data Protection Act 2018.

Who are we?

AIG Life Limited, trading as Ellipse, is the data controller of personal data in respect of arranging and administering group insurance contracts.

How will we use the information about you? 

We process personal data in order to undertake any activity relating to our policies, products and services which includes assessing and paying any claims.

The legal basis on which we will process your data is legitimate interests, i.e. to assess an insurance claim. Where we require special categories of data, e.g. health information, we will ask for your consent to do so.

When do we ask for consent and how can you withdraw it?

As part of the claims assessment process, we will ask you for your consent to obtain and process additional personal information about you. You have the right to withdraw your consent at any time; however, this may impact our ability to assess your claim. Should you decide that you want to withdraw consent, please contact us.

What personal data do we hold and where did we get it from?

From your employer:

Your employer will have passed on to us your details as part of the claims process. You will also provide us with personal information when you complete a personal statement to support a claim being made. 

Our website:

When you access our website, certain information (e.g. IP address, date, time) is automatically kept on our server for a period of four weeks for data security purposes only (e.g. in order to identify and trace any persons attempting to gain unauthorised access to the web server). Anonymised usage data (date, time of day, pages viewed, navigation, software used, etc) is also recorded on our behalf by Google Analytics for the purpose of analysing usage behaviour. We use cookies to retrace usage behaviour in anonymised form. This anonymised usage data is recorded, processed and used only in order to gear our website to the users’ needs and not to collect any personal information about you. You can decide whether you wish to accept or decline these cookies by modifying the settings in your browser, which is explained here.

If you send us an e-mail or you register to use our secure website, your personal data (i.e. name or e-mail address) will be used only for our correspondence with you in order to send you the documents you produce or information you requested.

Which other organisations may we share your data with?

Ellipse may share your sensitive or special categories of personal information with:

  • other AIG companies
  • our reinsurers
  • our claims service partners
  • our IT service providers
  • our regulators and government agencies: the Financial Conduct Authority and Her Majesty’s Revenue and Customs (HMRC)
  • your own doctor or relevant medical professionals, should we require additional information as a result of the answers you have supplied in connection with a claim
  • your employer and/or their advisers. We will not share sensitive or special categories of data (e.g. medical or health information) with your employer or their advisers

We may process Personal Information both nationally and internationally.

This may include transferring Personal Information outside the European Economic Area (EEA).

We take additional steps to ensure the security of Personal Information when we transfer it outside the EEA.

International Transfers

Due to the global nature of our business activities, for the purposes set out above (see section entitled ‘How do we use Personal Information?’), depending on the nature of our relationship with you, we will transfer Personal Information to parties located in other countries (including the USA, China, Mexico, Malaysia, Philippines, Bermuda and other countries that have data protection regimes which are different to those in the country where you are based, including countries which have not been found to provide adequate protection for Personal Information by the European Commission).

For example, we may transfer Personal Information in order to help detect, investigate and prevent financial crime. We may transfer information internationally to our group companies, service providers, business partners, government or public authorities, and other third parties.

When making these transfers, we will take steps to ensure that your Personal Information is adequately protected and transferred in accordance with the requirements of data protection law.

This typically involves the use of data transfer agreements in the form approved by the European Commission and permitted under Article 46 of the EU General Data Protection Regulation (GDPR) (the relevant data protection law). If there is no data transfer agreement in place, we may use other mechanisms recognised by the GDPR as ensuring an adequate level of protection for Personal Information transferred outside the EEA (for example, the US Privacy Shield framework or any framework that replaces it).

How long do we hold your personal data for?

We will keep personal information only as long as we require it either for claims administration or in respect of any complaints relating to the policy. We will retain insurance records to satisfy regulatory requirements which will be for a maximum of six years after the end of a claim. After this time, data will either be anonymised (a means by which an individual can no longer be identified by the data) or deleted. We will regularly review our data retention policy to ensure that data is not kept for longer than is necessary. 

How can you access the data and correct it?

You can find out if we hold any personal information by making a ‘subject access request’. Within one month of your request we will:

  • give you a description of the information we hold
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form, usually a PDF file

To make a request for any personal information we may hold about you, please contact us.

If we do hold information about you, you can ask us to correct any mistakes by contacting us.

How to complain

If you are unhappy with the way in which your personal data is handled, please contact our Data Protection Officer.

If you remain unhappy with our response to your complaint, you can complain directly to the Information Commissioner’s Office (ICO). They are the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Visit https://ico.org.uk/concerns/ to raise a complaint.

Automated decisions

We do not apply any automated decision making to the personal data you provide to us.