Silhouette of two people chatting by a window

Privacy Policy

WPA takes the privacy and security of your data very seriously. It is important that you take the time to read this page, as it describes the data we collect and explains how we use the information you have provided.

The WPA group is committed to protecting all personal data. This Privacy Policy provides more information on our approach to data protection.

Date effective and last updated: March 2025

Policy List

Info Circle icon

1. About this Privacy Policy

WPA group companies that this Privacy Policy covers

This Privacy Policy covers the personal data which is processed by the following WPA group companies, each of which is a controller of the personal data that you supply:

  • Western Provident Association Limited which primarily processes your data in providing health insurance services
  • WPA Protocol PLC which primarily processes your data when it administers health care trusts (including making health benefits available to scheme members), and
  • WPA Healthcare Practice PLC which primarily processes your data when you obtain advice on WPA products from one of its Healthcare Partners (together, "WPA")

Any reference to WPA means all of the WPA group companies covered by this Privacy Policy, or any one of them.

WPA stores and processes your personal data in accordance with the Data Protection Act 2018 (the "DPA"), the UK General Data Protection Regulation and all other applicable data protection and direct marketing laws.

Purpose

This Privacy Policy sets out what personal data WPA uses, how we use it, and provides information about your data protection rights.

Who this Privacy Policy is for

Our Customers including anyone:

  • who has been or is able to make a claim on a policy, plan or scheme, including a scheme which is administered by us
  • who contacts us about our services
  • who accesses the WPA website or uses the WPA Health app, or
  • who is appointed to communicate with us on behalf of a Customer, for example someone appointed under a power of attorney

Our Business Partners including:

  • any individual (other than a Customer) who engages with us because of a business relationship. This includes our Healthcare Partners, individual providers of healthcare services and brokers
Phone icon

2. How to contact us

If you have any questions or concerns about WPA's use of your personal data, please contact the Data Protection Officer in writing at Rivergate House, Blackbrook Park, Taunton, Somerset, TA1 2PE, or via email at dataprotection@wpa.org.uk.

Person icon

3. Personal data we process

The personal data that WPA collects depends on whether you are a Customer or Business Partner and on how you use the WPA website and other WPA services. It could include the following categories:

Box Arrow Right icon

4. How we collect your personal data

Repeat icon

5. How we process your personal data

In this section we explain each legal basis or other 'condition' that WPA relies on to process your personal data.

Our main legal bases for processing all types of your personal data are:

  • Performance of a contract: e.g. when it is necessary for WPA to take steps in order to enter into a contract with the individual to whom the personal data relates, or for WPA to provide the services set out in a contract between WPA and the relevant individual
  • Legitimate interests: where WPA or a third party has a legitimate interest in the processing, for example to detect or prevent fraud
  • Consent: where you have consented to us processing your data
  • Compliance with legal obligations: where processing is required in order for WPA to comply with applicable laws or regulations, or
  • Vital interests: we may process personal data where it is necessary to protect your vital interests or those of others, for example in the event of an emergency or an imminent threat to life

When we process special category data such as health data criminal offence data, additional legal bases/conditions will apply.

Special Category Data

Where we process your health data we may do so on the basis that the processing is necessary for reasons of substantial public interest:

  • to advise on, arrange, provide or manage an insurance contract
  • to manage claims made under an insurance contract
  • in relation to rights and responsibilities relating to or in an insurance contract or insurance law

The processing of health data for these purposes is provided for in Schedule 1, Part 2 section 20(1) of the DPA. Please note that WPA's health insurance contracts include Western Provident Association Limited's cash plan and private medical insurance products.

We may also process health data with your consent (if required) or when it's in your vital interests.

WPA Protocol PLC administers health care schemes. If you access benefits under a health care scheme, we will seek your consent to process your health data. WPA Protocol PLC is unable to process claims for health care benefits without having access to health data.

We may also use health data and other types of special category data as required to bring or defend legal proceedings or as otherwise permitted by law.

Criminal Offence Data

We process information about criminal offences and convictions to carry our background checks to prevent fraud and money laundering and to help us identify and prevent fraud.

We do this as permitted by data protection law. The legal basis for this processing is set out in Schedule 1, Part 2, Paragraphs 10 (preventing or detecting unlawful acts) & 14 (preventing fraud) of the DPA.

We may also process criminal offence data in other circumstances e.g. for insurance purposes or in the context of legal claims (as provided for in Schedule 1, paragraph 33 DPA).

Further detail on the purposes for which we process personal data, the types of personal data we process for each purpose and the specific legal bases for processing in that context are set out below.

Anonymised data

We may also anonymise your data by removing your name and any other information which identifies you. We use anonymised data for various purposes including to support with employee training and to create reports to help us better understand our business and to improve how we deliver our services.

Exclamation Diamond icon

6. Failure to provide your personal data to us

Where we need to collect your personal data by law or in order to provide you with our services or perform a contract we have with you and you decide not to provide that information when requested, we may not be able to provide our services or perform the contract we have or are trying to enter into with you. In other circumstances where you choose not to provide us with your personal information when we request it, your decision not to provide us with your personal information may affect our ability to provide you with our services.

Box Arrow Up icon

7. Who we share your personal data with

Vital Interest: we may share personal data including with your employer or family members as we consider it appropriate to protect your or another person's vital interests, for example in the event of an emergency or threat to life.

We also share data with third parties as authorised by you, for example we will share your data in line with any power of authority granted by you.

Companies within the WPA group (e.g., WPA Protocol Plc, WPA Healthcare Practice Plc, WPA World Class Services (India) Private Limited) may share personal data as needed with each other. Western Provident Association Limited provides information technology infrastructure, platforms and other services to other WPA group companies. Personal data processed by WPA group companies is held on the secure systems operated by Western Provident Association Limited.

WPA engages third-party service providers who may process data, including personal data, on its behalf.

At its sole discretion, WPA may add to or vary the third parties (known as 'processors') that it uses to process your personal data. Non-WPA entities that provide a service to us, include:

  • Service providers who assist us to manage claims made overseas
  • Service providers which enable us to work efficiently with hospitals and healthcare providers or to book appointments for you. This includes providers which assist with health care providers charging us and with us paying health care providers, and with enabling health care providers to verify that patients have cover with WPA, and to streamline the process by which health care providers obtain pre-authorisation for treatment
  • Providers of fraud prevention and control, identity and criminal record checking services
  • Service providers who provide cloud services (e.g. Azure, Amazon Web Services), or services which use cloud services to provide a service to us, and providers of network security solutions, software as service platforms, telecommunications systems and platforms. This would include the provider of our accounting and telecommunication systems and providers of services which support our ability to generate and distribute communications

We may share data with other third parties who are not our processors where we are legally permitted to do this.

Other third parties that may not be our processors that we may share your personal data with include the following:

CPU icon

8. Automated decision making

We use automated processes to assist with efficiency and accuracy. Our use of automated processing includes making decisions some of which may have a legal effect or result in a similarly significant effect upon you. These decisions may not be reviewed in detail by any of our employees. Decisions which may be made or assisted by automated processes include decisions to approve or decline claims made on our policies or schemes.

We also use automated processing/profiling to assist us in setting our prices for our insurance policies/plans. The price quoted to you is determined according to a range of factors and information that you provide to us that enable us to conduct profiling, for example, the age of people to be covered by the policy/plan and postcode. For some types of policy we may also have regard to the smoking status of people covered by the policy. We may also process other details that we have access to, such as the past claim history of people covered by the policy/plan. WPA will then use this information to calculate a premium quote. Most quotes are not reviewed by any of our employees before they are provided to you. When WPA makes an automated decision without detailed human oversight using your personal data and this decision has a legal or substantially similar effect, you have rights in relation to that decision. Specifically, you have the right to receive meaningful details and information about the logic involved in us coming to the decision, the right to human intervention, and the right to obtain an explanation about the decision and ultimately challenge it. For further details, please see Section 12 'Your rights in relation to the processing of your personal data' of this Policy.

Globe icon

9. Transferring your personal data to other countries

We may share your personal data (including medical information and other special category personal data), in strict confidence with our service providers, other companies within the WPA group or other entities that are located outside of the UK. If we do transfer your personal data outside of the UK we will ensure that it is protected to the same extent as it is protected in the UK by using one of the safeguards listed below:

  • Only transfer it to a country outside of the UK with privacy laws that afford the same protections as the UK such as an EU member state or country deemed adequate by the UK government, or
  • Put in place contractual terms with the recipient that requires them to protect your personal data to the same standards as it is protected in the UK (e.g., the UK International Data Transfer Agreement).

If you would like further details of how your personal information is protected if transferred from one country to another then please contact us using the details set out in Section 2 'How to contact us' of this Privacy Policy.

You can learn more about data transfers outside of the UK on the Information Commissioner's Officer ("ICO") website at the following link: ICO: A Guide to International Transfers.

Lock icon

10. How we keep your personal data safe

We take great care to ensure the safe custody and use of your personal data. We are independently audited by the British Standards Institution and have been certified to ISO 27001:2022 Standard - the International and British Standard for Information Security Management Systems.

Calendar icon

11. How long we retain your personal data for

WPA's policy is to retain your personal data whilst you are a Customer or a Business Partner. After you stop being a Customer or Business Partner we will retain it for up to seven years. If you make enquiries about our services or about entering into a business relationship, but do not proceed, we may retain your data for up to 3 years. We may continue to hold data for longer than the stated period if it is needed for the purposes of bringing or defending legal proceedings, for the purposes of fraud prevention or control, to meet our regulatory, taxation and legal obligations or as otherwise permitted or required by law.

File Text icon

12. Your rights in relation to the processing of your personal data

Under data protection law, you have the following rights that are in some cases subject to exemptions:

  • Your right of access - You have the right to request access to your personal data (commonly known as a "data subject access request"). This permits you to request and receive a copy of the personal data that we hold about you and to check that we are lawfully processing it. Please address subject access requests to WPA's Data Protection Officer as set out in Section 2 'How to contact us' of this Policy. Such data may be redacted or withheld in various circumstances, including to protect the rights of third parties and if we consider that it is necessary to protect your or our legitimate interests, or those of a third party.
  • Right to withdraw consent - Where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. However, this will not affect the lawfulness of any processing carried out by us before you withdraw your consent. We may also continue to process your data after you withdraw consent where we are legally permitted to do so. This may include where we need to retain your data to be able to bring or defend legal proceedings. To withdraw your consent, please contact us at the details in Section 2 'How to contact us' of this Policy.
  • Your right to rectification - Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Your right to erasure - Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. There may be legal reasons why we cannot comply with your request. If this is the case we will tell you when you make your request.
  • Your right to object to processing - Object to processing of your personal data where we are relying on a legitimate interest (or those of a third-party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your right to object. You also have the absolute right to object any time to the processing of your personal data for direct marketing, please see Section 13 'Direct Marketing' of this Policy. Please note that our processing of your personal data, such as your name, address, medical, and health data to administer your policy, is an essential requirement in order for us to provide services to you under the terms and conditions of your policy. Therefore, if you should object to us processing your personal data then we may not be able to continue to provide you with our services and products and satisfy specific performance of the contract that we have with you.
  • Your right to data portability - Request the transfer to you or to a third-party of personal data you supplied to us. We will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automatically processed information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Your right to restriction of processing - Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
    • If you want us to establish the data's accuracy
    • Where our use of the data is unlawful, but you do not want us to erase it
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, or
    • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
  • Your rights in respect to automated decision making and profiling - You have the right not to be subject to a decision using your Personal Information which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right does not apply if the decision is:
    • necessary for the purposes of a contract between us and you
    • authorised by law (e.g. to prevent fraud), or
    • based on your explicit consent
    However, you do have a right to request human intervention, express your view and challenge the decision.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information to clarify your request to assist us with providing you with a response.

We are generally required to respond to requests within one calendar month but may extend this deadline by a further two months if your request is complex or if you submit several requests to us. If we do extend the deadline then we will tell you and provide you with a response to your request as soon as possible.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a 'reasonable fee' for administrative costs if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

If you have any concerns regarding the processing of your personal data, you have the right to lodge a complaint with the ICO. We would appreciate the opportunity to resolve a complaint before you contact the ICO and so we encourage you to contact us first. Our details are in Section 2 'How to contact us' of this Policy.

The ICO's address:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

ICO helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Envelope At icon

13. Direct marketing

If you have 'opted in', WPA may contact you by letter, telephone, e-mail or using other contact details supplied by you to inform you of services or products which we believe may interest you. WPA may also contact you to follow up an enquiry that you have made about our products or services.

At a later stage, if you do not wish to receive such information, you may unsubscribe by contacting us using the details in Section 2 'How to contact us' of this Policy.

Please allow up to 4 weeks for the unsubscribe process to be completed.

Cookie icon

14. Cookies

A cookie is a text file containing anonymous information that is stored on your computer or mobile device by a web server when you visit a website. Each cookie is unique to your web browser. It allows a website to remember things like your preferences or details of items that you are going to purchase online.

Cookies may be used to record details of pages relating to particular products and services that you have visited on our websites. This is to provide us with generic usage statistics to allow us to improve our websites.

Web browsers are initially set up to accept cookies. If you prefer, you can set your web browser to disable cookies or to inform you when a website is attempting to add a cookie. You can also delete cookies that have previously been added to your computer's cookie file. If you prevent us from placing strictly necessary cookies on your computer during your visit or you delete a strictly necessary cookie that has been set previously, it may not be possible for you to use our website effectively.

When you first visit this website, you will be prompted to choose whether or not to give your consent to the use of optional cookies (namely functional, analytics and marketing cookies). If you give such consent, we will set these cookies in order to allow us to provide the services and webpages you request, to improve your use of our website, and to analyse and improve our online services. You may withdraw that consent at any time by amending the .

If you do not give such consent, we will not set these optional cookies, but we will still need to set cookies that are strictly necessary for your use of our website.

Person Add icon

15. Third parties appointed by our Customers

If you are appointed to communicate with us on behalf of one of our Customers, for example if you have been appointed under a power of attorney, we will collect and use your personal information to enable us to liaise with you. The information we collect will be a subset of the information we collect and use in relation to our Customers. It will include your name, address, email address, telephone number and relationship to the Customer. We will retain your data as if it were data held for our Customer.

Help & advice

We'll help you find the answers you need

Help & supportContact us