Your data's journey through Nuffield Health Fitness and Wellbeing
Discover how your data may be processed through our Fitness and Wellbeing services
What information you may be asked to provide
Signing up for our gym membership:
At the point you sign up with Nuffield Health you will be asked to complete a pre-exercise questionnaire and complete the membership agreement. This will collect the following information:
- Direct debit details, sort code, account number, name on account
- Name, address, date of birth, email address, contact phone number
- Medical history, history of heart conditions, chest pains, bone/joint issues, medication, pregnancy history
- Corporate Membership: in addition to the above, if you are signing up to a corporate gym or a membership paid for or arranged by your employer, we may additionally ask you to confirm the company you work for, provide proof of ID and confirm your job title, department etc… based on your company’s requirements.
On site carpark:
Most of our Fitness & Wellbeing sites have car parks. Nuffield Health owns some but some may be run by another company or may be a shared car park. In some of our clubs you may be required to provide your registration number, make and model of the car. In instances where the car park is owned/run by another company or a shared car park, we might need to share these details with third parties in order to facilitate your use of the car park.
Other wellbeing services:
- Beauty/alternative services - You will be asked to complete a form when you go for your treatment. This will include some questions about your health and medical history and your contact details.
- Swim School - Please see our separate ‘Track your data’s journey through Nuffield Health Swim School’ for further information about this service.
- Children's services - Please see our separate ‘Track your data’s journey through Nuffield Health Children’s Services’ for further information about how you or your child’s data may be used.
Where we may collect your information from
- You - When you sign up to the membership terms and conditions, personal training agreement or complete a Health MOT, your information will be collected.
- Your employer - If your gym is located on site at your place of work or your company pay for your membership, we might need a small amount of information from your employer to confirm that you are eligible to use the gym.
How we might use your information
- Billing/finance - We will need to collate and send your account holder name, account number, sort code and monthly membership fees to the relevant bank in order to collect your monthly direct debit. This amount may include any additional fees you have opted to pay for in addition to your membership fees; such as: locker hire, towel hire, personal training, child services or car park access.
- Personal training - You may choose to take up personal training sessions at Nuffield Health; in order to ensure you get the most out of your personal training sessions, your telephone number will be shared with your personal trainer and they will have it stored on their personal phone. The benefit to this is that you can change and book sessions and ask questions, even if they are not physically in at the club and out of hours.
- Health MOT (HMOT) - Each member is entitled to a free mini health check or HMOT. This will be carried out at your club by one of the fitness staff. They will test for things like height, weight, blood pressure, blood sugar level etc… and you will get a report with an overall indication of your health and some recommendations.
Who your information may be shared with
Vitality or Corporate Membership
- If you hold a corporate membership or membership linked to your Vitality policy, we might need to share your access swipe data, name, date of birth and monthly membership fee with either your employer or Vitality. Vitality customers can obtain points based on positive lifestyle choices, so the frequency with which you have attended the gym, Health MOT results or Health Assessment results may all help you earn points. You will have a choice as to whether you want your HMOT or Health Assessment results to be shared with Vitality. If you have any questions about this, please speak to the Duty Manager at your club.
- Some of our sites facilitate informal squash leagues. These are normally co-ordinated by a member of the club. There is a notice board containing a list of members’ names, telephone numbers and what league they are in. If you want to join a Squash League, all you have to do is ring the member who co-ordinates the squash league and they will tell you how the process works. You just need to provide the co-ordinator with your name and telephone number and they will put you within a league. Your number and name will then appear on the noticeboard and other people within the league will be able to see your number and give you a call to organise a squash match. You will also be able to give people on the noticeboard a call to arrange matches.
Our trusted 3rd parties
In order to provide the best possible service we use carefully selected third parties, including the following:
- Personal Trainers: Most of our Personal Trainers are employed by Nuffield Health; however, we do have some self employed Personal Trainers. If you sign up to a personal training agreement with Nuffield Health we will have to share a certain amount of information with your Personal Trainer to allow them to provide you with the best possible service.
- Class Instructors: Most of our class instructors are self employed so they are an independent third party and responsible for keeping the data they control safe and secure. When you book into a class at Nuffield Health we will pass the class instructor a list of people attending. We may need to share further information with class instructors but this will be limited to that data they need to see.
- Beauty Therapists: Some of our beauty therapists are self employed and some of them are employed by Nuffield Health. If you book a treatment with Nuffield Health your therapist may be self employed. The therapist will have a form that you are asked to complete providing contact details and a small amount of medical/health information. If the beauty therapist is self employed they will be responsible for storing your data securely and in accordance with data protection laws.
If you are concerned about the data we share with third parties please speak to the Duty Manager at your club.
Fair and lawful processing
Each organisation is required to demonstrate that they are processing personal data fairly and lawfully. To do this, we must have a ‘lawful basis for processing’ personal data. Consent is probably the condition that has gained the most attention but we only rely on consent in limited circumstances e.g. to share information with a third party or your GP.
Your personal data will mainly be processed on the following lawful bases for processing:
- Article 6 (1)(a) Consent
- Article 6 (1)(b) Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.
- Article 6 (1)(f) Legitimate interests: the processing is necessary because of a legitimate interest or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
- Article 9 (2)(h) The Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of English Law or pursuant to contract with a health professional.
What does this actually mean?
In order to provide you with the level of support agreed to in our contracts in a safe and effective way we need to process the data discussed, and as such, we are doing so lawfully. This means we may not always ask your consent each time we use your data if what we are doing is linked to your treatment or doing something we must do by law.
Your rights in respect of your personal data
The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.
- Data Subject Access Request - with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. Where the data is data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish (Right to Data Portability).
- Right to Rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as assessments of performance or fitness to work.
- Right to Erasure - in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (for example, because we are obliged to do so by law).
- Right to Restrict Processing - you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights.
The above is not a complete and exhaustive statement of the law.
When things go wrong
Nuffield Health pride ourselves on the quality of our services and consistent positive customer satisfaction; however, we understand that in a small number of cases you may have cause to raise a concern regarding an element of the service. It is important that Nuffield Health learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern we may need to share information with our compliance team, senior leaders or other parties outside of your club. For example, if you raised concerns about a member of staff we might need to share this information with our Central HR team, and their professional body, where appropriate. In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with members of staff at your club.
If the concern has come via a third party e.g. a regulator, body or solicitor, we may need to disclose your data with them in order to resolve, defend or investigate a concern.
How long we will keep your personal data for
Data is retained in accordance with our Retention Periods, which are based on industry legislation, regulations and best practice. Generally your membership records are kept for a period of 7 years from the date your membership ends, however, shorter or longer retention periods may apply e.g. HMOT records contain health data therefore these records are kept for a period of 8 years in accordance with latest NHS guidance.
We do not rely on wholly automated decision taking for any part of your Fitness & Wellbeing journey.
For further information about how your data may be processed or to ask any questions please raise this with the Duty Manager at your Nuffield Health Club. If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer on firstname.lastname@example.org
Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website https://ico.org.uk/