Privacy Policy

This Privacy Policy tells you about what data we collect, why we collect it and what we do with it. It also tells you about the rights that you have over your personal data and AXA Health Services Limited’s use of a third party to deliver some of the health and wellbeing services.

Entity: AXA Health Services Ltd
Date: March 2025
Version: 2025.1

AXA Health Services Limited (‘we’, ‘AXA Health’, ‘us’, ‘our’) also provides other services, such as administration services for clients' healthcare trust schemes. Those services are not described here. You can find the Privacy Policy covering those other services here.

AXA Health Services Limited

AXA Health, directly and indirectly via third-party providers:

  • provides online and telephone-based musculoskeletal services directly to you. It is the Data Controller for processing your personal data when you access these services. 
  • manages the AXA Health App. It is the Data Controller for some of the personal data processing that happens in the App (for more information, please see the dedicated AXA Health App privacy policy within the App). 
  • outsources the delivery of Employee Assistance Programme (EAP) services and Wellbeing Services to an expert supplier, Spectrum Wellness UK Ltd (Spectrum.Life).
  • outsources the delivery of some other services to other suppliers. When you click on links that take you to those suppliers’ websites you can access their privacy policies there.

Spectrum.Life 

The EAP and Wellbeing Services provided by Spectrum.Life are:

  • EAP
  • Events
  • Learn
  • Health coaching
  • Mental wellbeing coaching
  • Health assessments (Know Your Numbers, glucose and cholesterol, wellbeing consultation and DIY checkpoint)
  • Health score

Which of these services you can access will depend on what your employer has made available. 

When you use these services, they’ll be branded ‘AXA Health’ but the company delivering them and processing your personal data is Spectrum.Life. Spectrum.Life is the Data Controller for processing your personal information. The services are delivered in person, by telephone, via the internet or the AXA Health App.

For information about what Spectrum.Life does with your personal information, please access:
AXA Be Supported website: www.axabesupported.co.uk/privacy-policy 
AXA Health App: please refer to the Spectrum.Life privacy policy within the app.
General: www.spectrum.life/privacy  

The rest of this privacy policy relates only to the personal data processing done by AXA Health Services Limited. 

From time to time, we may make changes to this privacy policy; you should check back periodically to view the most up-to-date version. We may also provide you with further notices highlighting certain uses we wish to make of your personal data.

1. Our Privacy Principles

When we collect and use your personal information, we look after it properly and use it in accordance with our privacy principles:

  1. Your personal information is processed fairly, lawfully and in a transparent manner
  2. Your personal information is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which we collected it
  3. Your personal information is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
  4. Your personal information is kept accurate and, where necessary, kept up to date
  5. Your personal information is kept no longer than is necessary for the purposes for which the personal information is processed 
  6. We take appropriate steps to keep your personal information secure
  7. Your personal information is processed in accordance with your rights
  8. We only transfer your personal information to another country or an international organisation outside the United Kingdom and European Economic Area when we have taken steps to ensure that it is adequately protected. Such steps may include placing the party that we are transferring information to under contractual obligations to protect it to adequate standards
  9. AXA UK and AXA Group companies do not sell your personal information, nor do we permit the selling of customer data by any companies who provide a service to us.

2. How do we collect your personal information?

We collect information from you directly, including during conversations we have on the phone or online. Our telephone system records your telephone number, your conversation with us, and other metadata about your call.

We may also collect information about you from third parties, including: 

  • your employer
  • other AXA Health companies
  • medical professionals (for example your GP)
  • a physiotherapist in the form of a medical report
  • health and wellbeing service providers (e.g. Spectrum.Life).

3. What personal information do we collect and how do we use it?

We may collect personal information, such as your contact details and medical information. In certain circumstances we may need to process a large volume of medical information to provide the service to you. 

We process this personal information for different reasons and to do so we must rely on ‘legal bases’ set out in data protection law. Further, when we process sensitive personal information (like your health information), there is another legal requirement that we identify an additional reason, also set out in data protection law, for the processing. 

Musculoskeletal Services

You may have contact with one of our physiotherapists via the “Muscles Bones and Joints pathway” under your PMI policy or your employer’s medical benefits scheme. We will use information you have entered via an online assessment tool, such as information about your health condition, symptoms, lifestyle and other relevant personal information, and our AXA Health physiotherapists may ask for further information. They use this information to help them determine the next steps for you, for example exercises or a face-to-face assessment with a healthcare practitioner.

The main legal basis is that the processing is necessary for the performance of a contract with you or to which you are a party. For health and other sensitive information, the main reason for processing is that it is necessary for the purpose of medical diagnosis, and the provision of healthcare or treatment.

Note: as with all provision of health-related services, there may be circumstances when we process your personal data relying on other legal bases and additional reasons, for example:

  • To protect your vital interests or those of someone else
  • Within the context of a dispute or legal claim
  • To comply with a legal obligation
  • If it is in the public interest, for instance to assist certain bodies to investigate deficiencies in the standards of care provided
  • You have provided your explicit consent to specific processing activities

Research, analytical, service improvement, marketing and product development purposes 

We use your personal information to help us understand our business and monitor our performance as well as to consider how you use our services and consider what other products may be of interest to you. As part of this, we may use your personal information collected from customer satisfaction surveys and where possible, we will anonymise such information.

We may provide reports to your employer, or a parent company, for example about service utilisation and workforce health trends. These are based on aggregated data to a level which means you cannot be identified.

Our legal basis for processing your information is that we have a legitimate interest to monitor and understand how people are using our services and improve them and to create reports to inform your employer as described above.  Where necessary, for customer satisfaction services, we will obtain your consent as our legal basis to process your personal information. 

Anonymising your personal information

We analyse anonymous information to gain insights about how we can improve our products and services and the health and wellbeing of the people who use them. Further, it allows us to show clients through corporate reporting how their workforces interact with different AXA Health services and provide them with workforce health trends. To do this we may bring together information from your use of various AXA Health services, such as your employer's healthcare scheme, and analyse it without using information from which you can be identified.

The way that we anonymise personal information is in line with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data. In line with regulatory guidance our use of your personal information to create anonymised data relies on the same legal bases and reasons that were relied on when we obtained your data.

Complaint Handling

AXA Health manages complaints relating to its own services and clinical complaints relating to the services provided by Spectrum.Life.  In doing so it acts as a Data Controller of the information it processes. Where complaints relate to the services provided by Spectrum.Life, Spectrum.Life will provide us with the information we need to manage those Spectrum.Life complaints. This will include your personal information such as contact details and any health and clinical records, recordings of telephone calls and any other information relevant to your complaint.

The main legal basis is that the processing is necessary for our legitimate interest in ensuring that the service is provided to the required clinical and other standards, and that your complaint is handled correctly. For health and other sensitive information that we process, the additional reason for processing is that it is necessary for the provision and management of healthcare or treatment.

Note: as with all provision of health-related services, there may be circumstances when we process your personal data relying on other legal bases and additional reasons, for example:

  • To protect your vital interests or those of someone else
  • Within the context of a dispute or legal claim
  • To comply with a legal obligation
  • If it is in the public interest, for instance to assist certain bodies to investigate deficiencies in the standards of care provided
  • You have provided your explicit consent to specific processing activities

Clinical consent processes for musculoskeletal services and clinical complaint handling

In respect of these services, we must satisfy clinical confidentiality rules. This is in addition to meeting the 'legal bases' and additional reasons for processing under data protection law. 

Where necessary we do this by asking you for a clinical consent to process your clinical information, undertake health-related assessments and to share information from clinical records with third parties, for example a healthcare professional involved in your care. 

Our clinical consent processes are based on the General Medical Council (GMC) Confidentiality Guidance as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal information under data protection law, which we rarely ask you for (the legal bases and additional reasons for processing that we do rely on under data protection law are set out above). If we do ever need your consent under data protection law to process your personal data, we'll make that clear to you at the time.

4. Who do we share your personal information with?

Disclosures within the AXA Group

We may share information with other AXA companies, for example with AXA Health’s medical insurance company, AXA PPP healthcare Ltd, to help you obtain medical treatment covered by your healthcare policy or scheme. Your personal information may also be transferred to other companies when we make changes to our Group company structure. 

Disclosures to third parties

With the appropriate data protection legal basis and, where necessary, additional data protection reason for processing, and clinical consent, we may disclose your information to the categories of third parties listed below for the purposes described in this privacy policy. This might include:

  • Your relatives, guardians (on your behalf if you are incapacitated) or other people or organisations connected to you
  • Your current, past or prospective employers
  • Your medical, social and welfare advisers or practitioners 
  • Our third-party clinical providers
  • Our third-party services providers such as IT suppliers, auditors, lawyers
  • Professional regulatory bodies for example the General Medical Council (GMC) and the Nursing and Midwifery Council (NMC).
  • The police, health and social care practitioners for the purposes of safeguarding (Health and Social Care Act 2012, Article 13, 2 (d))
  • Information Commissioner’s Office (ICO) UK.

Disclosure of your personal information to a third party outside the AXA Group will only be made when the third party has agreed to keep your information confidential. 

Transfer of your data outside the UK

If we transfer personal information outside the UK to a country which is deemed not to have the same standards of data protection as the UK, we will ensure that appropriate safeguards have been implemented to protect your personal information. Such steps may include imposing contractual obligations on third parties to adequately protect your personal information.

5. How long do we keep records for?

We keep your personal information for as long as reasonably necessary to fulfil the purposes set out in this Privacy Policy and to comply with our legal and regulatory obligations. 

In most cases, we keep your information for between three and seven years after our last interaction with you; this varies depending on the information and why we hold it. There may be exceptions where we retain your information for longer than seven years, when we need it as part of an ongoing legal claim or to comply with legal or regulatory obligations.

6. What are your rights in relation to your personal information?

You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked or explain why we can’t - usually because of a legal or regulatory issue.

If you wish to exercise any of the rights set out below in relation to Musculoskeletal Services or our Complaints Handling please email dataprotectionofficer@axahealth.co.uk. In any other case please email data.protection@axahealth.co.uk. We may ask you for information to confirm your identity.

Apart from Musculoskeletal Services and Complaint Handling we only use limited information about you because our other services are provided via Spectrum.Life (see www.spectrum.life/privacy for information on how to exercise your rights over the information Spectrum.Life processes).

Right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you electronically where possible. Where not possible, or where otherwise agreed, we will provide your personal information in writing (audio recording for telephone calls).

Right to rectification

We take reasonable steps to ensure that the personal information we hold about you is accurate and, to the extent necessary, complete. However, if you do not believe this is the case, please contact us by using the details shown in your documentation and you can ask us to update or amend it. If you use the AXA Health App you can update the App information in the “Personal Details” page.

Right to erasure

In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the purpose for which we have told you we will use it, or where you withdraw your consent if that is our legal ground for processing the information. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it. There may be some legal or regulatory reason which means we cannot comply with your request; if there is, we’ll advise you of this at the time. (If you use the App you can request an App account deletion from the Privacy Centre within the App and we’ll delete your App account and the personal information that’s connected to your App use).

Right to restriction of processing

In certain circumstances, you are entitled to ask us to suspend using your personal information for a period, for example where you think that the personal information we hold about you may be inaccurate, to allow us to verify the accuracy, or where you think that we no longer need to process your personal information, but you need us to keep it for legal reasons.

Right to data portability

In certain circumstances, you have the right to the personal information that you have provided to us in a machine-readable format, or you can ask us to transfer this to another third-party. Once transferred, the other party will be responsible for looking after your personal information.

Right to object

You can ask us to stop processing all or some of your personal information.  Depending on the purpose and our legal basis for processing, we may not always be able to fulfil your request. 

Rights relating to automated decision-making

Some of our decisions may be made automatically by computer systems/technology (rather than by our employees) and are based on your personal information. We recognise that sometimes these decisions can have a legal or similarly significant effect on you and when they do, you can ask us to provide an explanation and ask for a member of staff to review the decision.

Right to lodge a complaint

You have the right to complain to the Information Commissioner’s Office (ICO) if you think that we have not complied with data protection law. The ICO will expect you to have given us the opportunity to resolve your complaint first, so please bring any concerns to us in the first instance. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/.

7. How to contact the Data Protection Officer (DPO)

You can contact the AXA Health DPO by email or post:

The Data Protection Officer
International House,
Forest Road,
Tunbridge Wells,
TN2 5FE

Email address:

For matters regarding Musculoskeletal Services and Handling of Complaints: dataprotectionofficer@axahealth.co.uk

For concerns about any other processing by AXA Health described in this policy: data.protection@axahealth.co.uk

8. Company Details 

AXA Health Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 03429917 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA UK Group

Information about some of the other companies in the wider AXA UK Group is available here

9. AXA’s data privacy declaration

AXA's mission is to help you, our customers, live your lives with more peace of mind by protecting you, your family, your property and your assets against risks and by supporting health and wellbeing. Doing so involves the collection of data.

Today's world is one in which the amount of available data is growing exponentially. Ultimately, this allows us to enhance your experience through tailor-made protection and services, more relevant information and simplified, efficient procedures.

We believe that protecting your personal information is essential when seizing these opportunities. This is why we considered it important to share with you the principles that will guide us regarding the treatment of personal information.

Our commitment to safeguard personal information

We know that respecting the confidentiality of personal information is critical to preserving your trust and therefore have developed security procedures and we use a range of organisational and technical security measures designed to protect your personal information from unauthorized use or disclosure.

We have a Data Privacy team at a global level and a network of Data Privacy Officers throughout our businesses to oversee data safety.

We have adopted Binding Corporate Rules (BCR). These rules represent an internationally recognised standard for protection of personal information and are an adequate safeguard for transferring your personal information to our group companies outside the European Economic Area. They were approved by the French Data Protection Authority (CNIL) and 15 other EU Data Protection Authorities including the UK’s Information Commissioner’s Office. BCRs are a data privacy contractual framework setting minimum measures for the protection of personal data (data of customers, employees, and other stakeholders) obtained in the course of business when such data is transferred in multinational companies.

Find out more on the Our commitments page, where you can access:

Our commitment in respect to the use of personal information

We provide you with up-to-date prevention and protection solutions and health services, through an in-depth and well-informed understanding. To do this, we collect your personal information and use it in compliance with data protection laws.

We have in place procedures and contractual arrangements designed to ensure that all employees, sales representatives, advisers and service providers keep client and service user files confidential.

Our customers often entrust us with sensitive information. We view ourselves as custodians of this data and do not sell it to third parties outside the AXA Group. We may market products jointly with other companies in cases where we believe there is a unique or compelling value proposition for our customers, but we do not do this using clinical information collected in the provision of clinical services.

Our commitment to dialogue and transparency

As a leading international insurance group, we play a proactive role in public policy and regulatory debates around personal information protection.

These are our continuing commitments to you. We will keep pace with future developments surrounding data privacy to adapt them to your evolving needs.

For more information, please feel free to contact privacy@axa.com