United Kingdom

Aon Privacy Notice

Aon plc (NYSE: AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Aon is committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the trust of our employees, customers, clients, business partners and others who share their personal information with us.

 

What does this Privacy Notice do?

This Privacy Notice (“Notice”) explains Aon’s information processing practices. This Notice applies to any personal information you provide to Aon and any personal information we collect from other sources unless you are provided a more specific privacy statement at the time of data collection. This Notice does not apply to your use of any third-party sites linked to from this website or any websites which have their own privacy notices.

This Notice aims to help you understand our personal data collection, usage and disclosure practices by explaining:

 

Aon UK PRIVACY NOTICE

  1. Who is responsible for your information?
  2. How do we collect your information and what information do we collect?
  3. How do we use your personal information?
  4. Legal basis
  5. Do we collect information from children?
  6. How long do we retain your personal information?
  7. How do we disclose your personal information?
  8. Do we transfer your personal information across geographies?
  9. Do we have security measures in place to protect your information?
  10. Other rights regarding your data
  11. Automated Decisions
  12. Contact Us
  13. Changes to this Notice
 

1. Who is responsible for your information?

Throughout this Notice, “Aon” refers to Aon plc, including its affiliated companies and subsidiaries (also referred to as “we,” “us,” or “our”). Personal information is collected by each member of the Aon group who is responsible for its processing in their capacity as a controller. A full list of our group entities is available here. These entities may provide separate privacy notices when your personal information is first collected by that Aon entity, for example, when you or the business you work for engages us to provide a service.

Aon entities also provide services to our clients as a processor. Where this is the case, we will process your personal information in line with our legal obligations and contractual commitments with our clients.

In the context of providing the Services, we and other insurance market participants need to collect, use and share personal information. To help you understand how insurance market participants may process personal information across the insurance lifecycle, please see the Insurance Market Core Uses Information Notice available on the website of the UK insurance industry association, Lloyd’s Market Association (“LMA”).

 

2. How do we collect your information and what information do we collect?

The personal information we collect varies depending upon the nature of our services. This Notice provides an overview of the categories of personal information we collect and the purposes for which we use it. More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information, may be provided to you in separate privacy notices relevant to the applicable services.

a. Aon collects personal information in the following ways:

Information you provide to us

Aon collects information directly from you when you:

  • Request a service from us;
  • Visit an Aon site or attend an Aon event;
  • Apply for a position at Aon;
  • Contact us with a complaint or query;
  • Engage with us over social media; or
  • Register with or use any of our websites or applications.

You are required to provide any personal information we reasonably require (in a form acceptable to us) to meet our obligations in connection with the services we provide to you, including any legal and regulatory obligations. Where you fail to provide or delay in providing information, we reasonably require to fulfil these obligations, we may be unable to offer the services to you and/or we may terminate the services provided with immediate effect.

Where you provide personal information to Aon about third-party individuals (e.g., information about your spouse, civil partner, child(ren), dependents or emergency contacts), where appropriate, you should provide these individuals with a copy of this Notice beforehand or ensure they are otherwise made aware of how their information will be used by Aon. Where you provide information to us about your beneficiaries, we may require you to provide explicit consent on their behalf.

Information we automatically collect

In some instances, we automatically collect certain types of information when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, "cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice and Cookie Preference Center at the footer of our page (where applicable).

Information we collect from clients or third parties

When we provide the services to our clients, we may collect personal information from our clients about you, such as your name, contact details, date of birth, gender, marital status, financial details, employment details, and benefit coverage. We may also collect (in each case as strictly relevant to the services we provide) sensitive information about you, such as health information in relation to life, health, professional liability and workers compensation insurance or employee benefit programs sponsored by your employer. Most of the personal information we receive relates to your participation in the compensation and benefits programs offered by your employer. Where permitted by national law, and appropriate to do so, we may collect criminal records information; for example, where required as part of our business acceptance, finance, administration, recruitment, anti-money laundering and sanctions screening processes.

b. The information we collect about you may include the following:

a.

Basic personal details, such as your name, address contact details, date of birth, age, gender and marital status;

b.

Unique identifiers such as National Insurance Number or pension scheme reference number;

c.

Demographic details, such as information about your age, gender, race, marital status, lifestyle, and insurance requirements;

d.

Employment information such as role, employment status (such as full/part time, contract), salary information, employment benefits, and employment history;

e.

Health information such as information about your health status, medical records and medical assessment outcomes;

f.

Benefits information such as benefit elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits such as voluntary contributions, pension sharing orders, tax protections or other adjustments;

g.

Financial details such as payment card and bank account details, details of your credit history and bankruptcy status, salary, tax code, third-party deductions, bonus payments, benefits and entitlement data, national insurance contributions details;

h.

Claims details such as information about any claims concerning your or your employer’s insurance policy;

i.

Your marketing preferences;

j.

Online information: e.g., information about your visits to our websites;

k.

Events information such as information about your interest in and attendance at our events, including provision of feedback forms;

l.

Social media information such as interactions (e.g., likes and posts) with our social media presence; and

m.

Criminal records information such as the existence of or alleged criminal offences, or confirmation of clean criminal records.

 

Where we collect sensitive personal information (such as information about your health or alleged criminal activities), we will ensure that it is necessary and is done in accordance with applicable law, which may include obtaining your explicit consent and/or necessary authorisations prior to collection.

 

3. How do we use your personal information?

The following is a summary of the purposes for which we use personal information. More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information, may be provided to you in separate privacy notices which are relevant to the services which affect you.

Performing services for our clients

We process personal information which our clients provide to us to perform our commercial risk, reinsurance, retirement, health, and data and analytics services. The precise purposes for which your personal information is processed will be determined by the scope and specification of our client engagement, and by applicable laws, regulatory guidance and professional standards.

Administering our client engagements

We process personal information about our clients and the individual representatives of our corporate clients to:

  • Carry out Aon’s regulatory and compliance obligations, including:
    • "Know Your Customer" checks and screening;
    • Anti-money laundering;
    • Trade sanctions screening;
    • Obtain and update credit information with appropriate third parties, such as credit reporting agencies, where transactions are made on credit;
  • Communicate with our clients;
  • Address client inquiries and complaints; and
  • Administer claims.

Communications and marketing to our clients and prospective clients

We process personal information about our clients, prospective clients, and the individual representatives of our corporate clients to: send newsletters, know-how, promotional material and other marketing communications; and invite our clients to events, including arranging and administering those events.

Conducting data analytics, benchmarking and modelling

Aon is an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements to analyse trends. Aon also uses data to perform analysis, modelling, benchmarking and research.

Crime Prevention

We process personal information to facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders and to comply with laws/regulations. For example, we do this as part of our business acceptance, finance, administration and recruitment processes, including anti-money laundering and sanctions screening checks.

Mergers and acquisitions

We process personal information in the event of a sale, acquisition or reorganisation. This includes processing personal information for planning and due diligence purposes both prior to closing and after a transaction has closed for reasons related to the sale, acquisition, or reorganisation and in order to transfer books of business to successors of the business.

Process and service improvement

We process personal data to maintain and improve processes used in providing the services and uses of technology, including testing and upgrading of systems. We also process data to develop new services.

If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected, we will request your consent unless your personal information is being processed to satisfy our legal and regulatory obligations. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.

 

4. Legal basis

We rely on the following legal grounds to collect and use your personal information:

a.

Performance of the service contract

Where we offer services or enter into a contract with you to provide services, we will collect and use your personal information where necessary to enable us to take steps to offer you the services, process your acceptance of the offer and fulfil our obligations in the contract with you.

b.

Legal and regulatory obligations

The collection and use of some aspects of your personal information is necessary to enable us to meet our legal and regulatory obligations. For example, Aon is licensed and regulated by certain industry regulators and is required to provide some services in accordance with relevant regulatory rules.

c.

Preventing and detecting fraud

We will use your personal information, including information relating to criminal convictions or alleged offences to prevent and detect fraud, other financial crime, and crime generally in the insurance and financial services industry.

d.

Legitimate interests

The collection and use of some aspects of your personal information is necessary to enable us to pursue our legitimate commercial interests. For example, we have legitimate interests in:

  • Providing professional services across our global solution lines;
  • Operating our business, and managing and developing our relationships with clients, suppliers and with you;
  • Understanding and responding to inquiries;
  • Receiving information from third parties and Aon affiliates to provide services;
  • Sharing data in connection with mergers and acquisitions and transfers of business;
  • Improving our services; and
  • Understanding how you and our clients use our services and websites.
Where we rely on this legal basis to collect and use your personal information, we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the applicable data privacy laws.

 

e.

Consent

In certain instances, we rely on your consent as a legal basis. For example, we rely on your consent to collect and use personal information concerning any criminal convictions or alleged offences, specifically for assessing risks relating to your prospective or existing insurance policy. We may also share this information with other insurance market participants and third parties where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers and vetting agencies.

Where we rely on your consent to collect and use your information, you are not obliged to provide your consent and you may choose to subsequently withdraw your consent at any stage once provided. However, where you refuse to provide information that we reasonably require to provide the services, we may be unable to offer you the services and/or we may terminate the services provided with immediate effect.

Where you choose to receive the services from us you agree to the collection and use of your personal information in the way we describe in this section of the Notice. If applicable you also agree that such information may be collected and used for the above purpose by the insurance underwriter named in your insurance policy documentation. You should refer to the insurer’s privacy statement on their website for further information about their privacy practices.

f.

Substantial public interest (in accordance with applicable law

If applicable law allows, we may collect and use your information for a substantial public interest. For example, to prevent or detect unlawful acts or in public health.

g.

Insurance purposes

Except where we need to process special categories of data as part of the delivery of our services, we will not usually ask you for special categories of data (such as information relating to physical or mental health) when you correspond with us. Depending on the nature of your correspondence with us (e.g. as part of our [e.g. claims processing services]), it is possible that you provide us with information that contains some special categories of personal data and which will therefore be included in the information that we collect or record. To the extent that we do process any special categories of data in this way, we do so under Article 9(2)(g) of the UK GDPR and Section 10(3) of the DPA 2018 (necessary for reasons of substantial public interest), in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.

 

5. Do we collect information from children?

Our websites are not directed to children and we do not knowingly collect personal information from children on our websites. Children are prohibited from using our websites.

Certain Aon solution lines may process data related to children, such as their date of birth, address, and other identifiable information. This information is not collected directly from children, but from other parties such as from our client, the carrier, or directly from you as the parent or guardian of the child (e.g., so that the child may be named a beneficiary to an insurance policy or pension plan).

 

6. How long do we retain your personal information?

How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for the period necessary to fulfil the purposes described in this Notice unless a longer retention period is permitted or required by law and in accordance with the Aon Record Retention Policy. Your personal information will be securely destroyed when it is no longer required.

 

7. How do we disclose your personal information?

We generally share your personal information with the following categories of recipients where necessary to offer, administer and manage the services provided to you:

a.

Within Aon: we may share your personal information with other Aon entities, brands, divisions, and subsidiaries for the processing purposes outlined in this Notice;

b.

Insurance market participants where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers, intermediaries and loss adjusters. The insurance underwriter is the insurer that is underwriting your insurance policy and is named in your policy documentation. You should refer to the insurer’s privacy statement on their website for further information about their privacy practices;

c.

Vetting and risk management agencies such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services;

d.

Legal advisers, loss adjusters, and claims investigators, where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature;

e.

Medical professionals, e.g., where you provide health information in connection with a claim against your insurance policy;

f.

Law enforcement bodies, when required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request, and where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders;

g.

Public authorities, regulators and government bodies, where necessary for us to comply with our legal and regulatory obligations, or in connection with an investigation of suspected or actual illegal activity;

h.

Third-party suppliers, where we outsource our processing operations to suppliers that process personal information on our behalf. Examples include IT service providers who manage our IT and back office systems and telecommunications networks, and contact centre providers. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions;

i.

Successors of the business, where Aon or the services are sold to, acquired by or merged with another organisation, in whole or in part, and personal information needs to be shared with relevant third parties as part of due diligence processes and transfers to the new entity. Where personal information is shared in these circumstances it will shared in accordance with this Notice; and

j.

Internal and external auditors where necessary for the conduct of company audits or to investigate a complaint or security threat.

k.

Business partners: such as joint venture entities, sponsors and/or other third-party business partners who collaborate or co-operate with Aon on projects, events, products or Services. You should refer to their privacy notices for more information about their privacy practices;

 

8. Do we transfer your personal information across geographies?

We are a global organisation and transfer certain personal information across geographical borders in accordance with applicable law.

When we do, if the applicable law requires, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data, such as:

  • We ensure transfers between Aon entities are covered by agreements that incorporate prescribed contractual wording, such as the EU Commission's standard contractual clauses, which contractually oblige each party to ensure that personal information receives an adequate and consistent level of protection.
  • Where we transfer to or receive your personal information from third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information, which incorporate standard contractual clauses where required.
  • Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.

Where required, further information concerning these safeguards can be obtained by contacting us.

 

9. Do we have security measures in place to protect your information?

The security of your personal information is important to us and Aon has implemented reasonable physical, technical and administrative security standards in an effort to protect personal information from loss, unauthorised access, misuse, alteration or destruction and to ensure that such information is processed in accordance with applicable data privacy laws.

 

10. Other rights regarding your data

Subject to certain exemptions and the jurisdiction in which you live, and in some cases dependent upon the processing activity we are undertaking, you may have certain rights in relation to your personal information. We have listed some of the common rights that may be applicable below. When you exercise these rights, we may need to ask you for additional information to confirm your identity, before disclosing information to you or responding to your request. We will not charge a fee unless your request is manifestly unfounded or excessive and/or we are permitted by law to levy such charges.

You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. If we cannot fully address your request, we will contact you to let you know and explain the reason why your request was denied.

Right to Access

You have the right under certain circumstances to access and inspect personal information which Aon holds about you. If you have created a profile, you can access that information by visiting your account.

Right to Rectification

You may have the right to request us to correct your personal information where it is inaccurate or out of date.

Right to be Forgotten (Right to Erasure)

You have the right under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.

Right to Restrict Processing

You have the right under certain circumstances to request the restriction of your personal information from further use, e.g., where the accuracy of the information is disputed, and you request that the information not be used until its accuracy is confirmed.

Right to Data Portability

You have the right under certain circumstances to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.

Right to Object to Processing

You have the right to object the processing of your personal information at any time, but only where that processing is based our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

Right to Object to Automated Decision Making

You have the right to object to decisions involving the use of your personal information, which have been taken solely by automated means. See section eleven (11) below for further information.

Right to Object to Direct Marketing

Where your personal information is processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning him or her for such marketing. We will provide specific information on how to opt-out from our marketing initiatives through the medium we communicate with you.

Right to Withdraw Consent

The right to withdraw consent at any time, whenever we have asked for your consent for processing your personal information without affecting the lawfulness of processing based on consent before its withdrawal. See section 4(e) above for further information.

 

11. Automated Decisions

Where you apply or register to receive the service, we may carry out a real-time automated assessment to determine whether you are eligible to receive the service. An automated assessment is an assessment carried out automatically using technological means (e.g., computer systems) without human involvement. This assessment will analyse your personal information and comprise several checks, e.g., credit history and bankruptcy check, validation of your driving licence and motoring convictions, validation of your previous claims history and other fraud prevention checks. Where your application to receive the service does not appear to meet the eligible criteria, it may be automatically refused, and you will receive notification of this during the application process. However, where a decision is taken solely by automated means involving the use of your personal information, you have the right to challenge the decision and ask us to reconsider the matter, with human intervention. If you wish to exercise this right, you should contact us.

 

12. Contact Us

If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the Act or this Notice, please contact the Privacy Officer: [email protected]. Alternatively, you have the right to contact your local Data Protection Authority.

If you have any questions relating to this Notice, please contact us at the Data Protection Officer, The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London, EC3V 4AN or [email protected].

 

13. Changes to this Notice

We may update this Notice from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.

We encourage you to periodically review this Notice so that you will be aware of our privacy practices.

This Notice was last updated on 28th February 2024.