Navigate today’s most pressing health industry challenges with a leading global expert by your side.
Meet growing needs for innovative insurance solutions while increasing operational health and improving compliance.
Deliver on the promises of the past and create smart solutions for the future.
Manage complex risks using data-driven insights, advanced approaches, and deep industry experience.
This is a place where your ideas and insights make an impact. Where an independent, entrepreneurial spirit is an advantage. And where diversity of thought and experience makes us who we are.
Data-driven insight. Deep expertise. Transformative innovation. Since 1947, Milliman has delivered intelligent solutions to improve health and financial security.
In the context of whistleblowing alerts and the use of the platform Convercent, Milliman, Inc. and its affiliates (hereafter “Milliman” or “we”) may collect Personal Information related to you or to individuals named in a whistleblowing alert. In this Privacy Notice, “Personal Information” refers to any information that could lead to the identification of a natural person. A natural person can be identified directly through a name or an identification number. However, a natural person can also be identified indirectly through location data, an online identifier, or through one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.
This Privacy Notice is compliant with applicable data protection laws, including the:
hereafter “Applicable Data Protection Laws”.
“You” and “your” refer to the whistleblower reporting wrongdoing (or “Informant”).
The conditions provided for in this Privacy Notice also apply to individuals named in an alert.
The purpose of the collection of Personal Information is:
Milliman relies on Article 6 c) GDPR (compliance with a legal obligation), Article 6 f) GDPR (legitimate interests pursued by Milliman) and equivalent provisions in Applicable Data Protection Laws.
When collecting, using, storing, and transferring your Personal Information, Milliman, Inc. and its affiliates are acting in their capacity as “Data Controller” (or equivalent terms under the various Applicable Data Protection Laws). This means that Milliman, alone, determines the purposes and means of the processing of your Personal Information and that Milliman is responsible for the Processing of your Personal Information.
Milliman uses the cloud-based ethics and compliance platform “Convercent Inc. by One Trust”, whose registered office is at 3858 Walnut Street, Suite #255, Denver CO 80205, (hereafter “Convercent”). Convercent is a software-as-a-service platform (SaaS Platform), which allows Informants to report (anonymously or not) wrongdoing in writing through its web portal.
Convercent is Milliman’s Data Processor (or equivalent terms under the various Applicable Data Protection Laws). It means that Convercent acts upon Milliman’s instructions and on its behalf. Convercent and Milliman are bound by a Data Processing Agreement.
You have the option to report wrongdoing, through Convercent’s web portal, anonymously or not. The authorized recipients having access to the Personal Information depend on the reporting action you have chosen:
- Non-anonymous reporting action
When you start a non-anonymous reporting action, depending on the relevant workplace , your complaint will be handled by a designated “case owner”, i.e., either (i) by Milliman’s Head of Legal EMEA, who is responsible for the Milliman offices in the EEA, Switzerland, the Isle of Man and the UK, or (ii) by Milliman’s HR Business Partner responsible for the region in which the workplace is located (e.g. the Employment lawyer and HR Generalist or any other person assuming the functions of HR European Business Partner/Officer).
Your identity will not be disclosed to third parties, except (i) as provided for in section VII and (ii) to the judicial authorities, upon your consent, if the analysis of the reporting action confirms the suspicions of a crime, an offense, or a serious violation. If Milliman does not have your consent, Milliman will not disclose your identity, unless required by law. To analyse the merits of a case, Milliman can inform others of the facts on a need-to-know basis but the identity of the whistleblower will remain strictly confidential. For the sake of clarity, the correspondence with external attorneys is not subject to the conditions of this Privacy Notice.
- Anonymous reporting action
Two possibilities are offered to the whistleblower: he/she can decide to remain anonymous to Milliman but not Convercent or to be completely anonymous to both Milliman and Convercent. In both cases, Convercent will send an automatic email alert to Milliman’s regional “case owner” to inform them of the case.
The Personal Information that Milliman collects about you or about other individuals depend on the reporting action you have chosen:
(i) Non-anonymous reporting action
When you make a non-anonymous reporting action, or where you have consented to give your identity following an anonymous reporting action, Convercent’s web portal may collect the following data:
The processed data may include sensitive data (or special category of personal data) within the meaning of Applicable Data Protection Laws, such as the reference to individuals’ race or ethnic origin, political opinion, religious or philosophical belief, trade union membership, health, sex life, sexual orientation or criminal convictions or offenses.
At the request of the case owner, the Informant shall provide any document that may support the claim. Any conversation may be transcribed into a durable and retrievable form, based on the consent of the Informant. The conversation will be subject to verification, correction and approval by the Informant. In the event of an arranged meeting, based on the consent of the Informant, a complete and accurate record of the meeting may be kept in a durable and retrievable form. The record of the meeting shall be subject to verification, correction and approval by the Informant.
(ii) Anonymous reporting action
You will have the possibility to share your Personal Information (the same data as listed in (i) above) with only Convercent or neither Convercent nor Milliman.
Convercent and Milliman, Inc. have agreed that Convercent must not provide Milliman with any information from which the identity of an anonymous whistleblower may be determined. Milliman will not use any monitoring or tracing of internet access, or other means to try to identify which person provided a particular message.
Milliman and Convercent maintain accurate data and, where necessary, keep the data up to date; every reasonable step is taken to ensure that Personal Information that is inaccurate, irrelevant, and not limited to what is strictly necessary, considering its processing purposes, is erased or rectified without delay. For instance, if a whistleblower reports that a colleague has defrauded Milliman, if, within the statement, the whistleblower also discloses information about that colleague’s health situation, this information, to the extent it is irrelevant to the reported wrongdoing, will, where possible, not be retained.
Once the case is analyzed, and no action is taken, Milliman will destroy the Personal Information within two months after the case is closed. If a disciplinary or judicial procedure is initiated, the data will be retained until the end of the procedure. Personal Information outside the scope of the procedure will be destroyed. You will be informed about the date of the closing, to the extent permitted by law.
Convercent uses the cloud provider Microsoft Azure. When using the Convercent web portal, your Personal Information is stored in the cloud in Ireland, or the Netherlands. As part of the services provided by Convercent’s administrative and IT staff working in the USA (Denver), your Personal Information may be accessed by these employees in Denver, subject to strict security measures (use of a Jump Box and a VPN tunnel). The transfer is covered by appropriate contractual guarantees to protect your Personal Information in accordance with Applicable Data Protection Laws.
Milliman has reviewed and vetted Convercent’s IT security. Convercent has data protection and data security measures and processes in place in its software and hardware, in its IT security program, and in its standard operating procedures (“Privacy by Design”). Convercent also secured the following certifications: ISO27001, HI TRUST, SOC2 and NIST.
At any point while Milliman and/or Convercent is in possession of your Personal Information, you have the following rights:
Right to access your Personal Information – you may ask us to confirm what information we hold about you at any time.
Right to ask for rectification – you have a right to correct inaccurate or incomplete Personal Information.
Right to object to the Processing of your Personal Information – you have the right to object to the Processing of your Personal Information, where Milliman does so for its legitimate interest, unless 1) Milliman can demonstrate compelling legitimate grounds for the Processing, which override your interests and rights, or 2) Milliman has a lawful basis to process your Personal Information.
Right to be forgotten – you have the right to request that Milliman erase your Personal Information in certain circumstances: i.e., where the data are no longer necessary for the purpose for which Milliman originally collected and/or processed them (i.e., after the 2-month retention period once the case is closed); the data has been processed unlawfully, or because you have a legitimate interest overriding Milliman’s legitimate grounds.
Right to restriction of Processing – in specific circumstances you have the right to restrict the Processing: 1) inaccuracy of your Personal Information, 2) unlawfulness of the Processing of your Personal Information, and 3) Milliman no longer needs the Personal Information (i.e., after the 2-month retention period once the case is closed) and you need the Information for the establishment, exercise or defense of legal claims (in order for you to exercise this right, Milliman will ensure that you will be duly informed of the case’s closing date);
These rights will not apply in cases of prevention, investigation, detection or prosecution of criminal offenses, to the extent supported by applicable national laws.
If Milliman refuses your request, Milliman will provide you with the reason for refusal. The request must be addressed to Milliman at the following address: [email protected]. A response will be given to you at the latest one month after the date of receipt of the request.
For any questions regarding this Privacy Notice, you can contact Milliman’s Data Protection Officer at [email protected].
You have the right to lodge a complaint with your local Supervisory Authority according to Applicable Data Protection Laws.
"workplace” understood as: