Milliman Personal Data Privacy Policy

Last updated January 2020

Milliman, Inc. and its affiliates (“Milliman”) take data privacy very seriously. This Privacy Policy sets out the principles governing Milliman’s use and protection of personal data that individuals and clients share with us (“Personal Data”) as well as describing the rights of individuals regarding their Personal Data. Milliman is committed to handling Personal Data in accordance with this Privacy Policy, the EU-U.S. Privacy Shield, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data protection and privacy laws, as applicable. See rights specific to California residents here

Collection of Data

Aggregate Data

Like many companies, Milliman monitors the use of its websites by collecting aggregate data. No Personal Data is collected in this process. Typically, Milliman collects data about the number of visitors to the website, to each web page, and the originating domain name of the visitor's Internet Service Provider. This data is used to improve the usability, performance and effectiveness of Milliman’s website.

Cookies

In some instances, Milliman may collect data through cookies. A "cookie" is a text-only string of data that Milliman sends to the cookie file of the browser on a website visitor’s computer hard disk using Milliman’s web server. Cookies are used to make websites work, or work more efficiently, as well as to provide data to the owners of the website.

Milliman’s website may use both required cookies and analytics and performance cookies.

Required cookies enable a website visitor to move from page to page within the website and to use its features. These cookies are deleted when the visitor closes his/her browser.

Analytics and performance cookies allow Milliman’s third-party agents to collect data, including the number of visitors to the website, where they have come to the website from, and the length of time they have spent on the website. Milliman uses the following third-party agents for website performance tracking, and you can learn more about their privacy policies and how to opt-out of their cookies by clicking on these links:

Google Analytics: http://www.google.com/analytics/learn/privacy.html

AI Media group: https://aimediagroup.com/user/themes/aimedia/docs/privacy_2018.pdf

The majority of web browsers accept cookies and similar files, but a visitor can usually change the browser settings to prevent this. However, by doing so, some functionality of the website may be lost. Please visit https://www.aboutcookies.org/ to learn more about cookies and how to control them. We rely on your consent, to the extent required by law, to use non-required cookies that may contain your Personal Data. To change your cookie preferences, click here.

Third-Party Embedded Content and Do Not Track

Milliman websites may feature content (such as buttons, widgets, and other embedded features or content) embedded by third parties that rely on cookies or similar technologies. You can learn more about the privacy policies of these third-party content providers and how to opt-out of their cookies by clicking the appropriate link below:

Facebook and Instagram: https://www.facebook.com/policies/cookies/

Google Inc. and YouTube: https://policies.google.com/privacy

LinkedIn: https://privacy.linkedin.com/

Twitter: https://twitter.com/en/privacy

Please note that Milliman websites currently do not respond to Do Not Track signals in browsers.

Processing of Personal Data

We may collect, store and otherwise process Personal Data of visitors to our websites, employees, officers, partners or other representatives and agents of our clients, business partners, job candidates, and other individuals (i.e., name, age, date of birth, country of residence, professional and/or private address, e-mail, title and working position, employer, professional interests, professional and/or private telephone number, previous work experience, skills, referral information, and other information voluntarily submitted, and, for job candidates applying for positions in the United States, ethnicity, disability and veteran status) who enter into a business relationship or apply for a job with Milliman or who receive or request information about products or services from Milliman. Milliman uses this Personal Data for purposes of contract administration, to activate and maintain client accounts, to fulfill requests for or respond to inquiries about Milliman products or services, to analyze how its websites are used and how they are performing, to provide offers and information (as permitted by law) about products, services, or events offered by Milliman or that Milliman thinks may be of interest, and to facilitate the recruitment process.

In certain situations, where required by applicable law, Milliman will seek your express consent to collect or process your Personal Data. You may withdraw that consent at any time by emailing Milliman at data.protection@milliman.com. If you provide us with Personal Data of another individual that requires consent, it is your duty to make sure that the individual has consented to or is appropriately informed about the processing of their Personal Data by Milliman. If a website visitor uses a log-in to access our website, certain criteria such as user data, transactional data, session surveillance, IP data, and pattern recognition may be collected and used by Milliman for authentication purposes.

Affiliates and Authorized Third-Party Agents

All Milliman websites, products, and services are provided in cooperation with Milliman, Inc., located in the U.S. Any Personal Data may be shared with Milliman, Inc. or other entities controlled by or under common control with Milliman, Inc. for purposes of centralization of Milliman’s administrative, contract management, CRM, IT maintenance, marketing and IT security practices, for the purpose of the website’s management and security, and to provide information about Milliman products, services, or events. We may also share Personal Data with affiliated entities using the MILLIMAN® mark, in which case we will require those affiliates to honor this Privacy Policy. Please note that we may be transferring your Personal Data to a country that does not have the same data protection laws as your home country. However, Milliman ensures that it and its affiliates will process Personal Data in compliance with this Privacy Policy.

Milliman also may share Personal Data with authorized third-party agents or contractors that perform services for Milliman. If Milliman shares Personal Data with a third party, Milliman requires that those third parties agree to process Personal Data based on Milliman’s instructions and in compliance with this Privacy Policy.

Any transfers of Personal Data are subject to appropriate safeguards that are compliant with the GDPR (adequacy decision or Model Clauses of the European Commission), as applicable. Those can be made available at Milliman’s premises by contacting us at data.protection@milliman.com.

Other Disclosures

Milliman may also disclose Personal Data and other related information in response to subpoenas, court orders, or other lawful requests by public authorities, and to meet national security or law enforcement requirements. Milliman may collect and share Personal Data in order to investigate or take action regarding illegal activities, suspected fraud, violations of Milliman's Terms of Use, or as otherwise required by law or regulation.

Security

Milliman stores Personal Data on a secure server that is password protected and shielded from unauthorized access by a firewall. Milliman has in place security policies that are intended to ensure the security and integrity of all Personal Data. Milliman has appropriate technical and organizational measures in place to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by Milliman. If Milliman forwards Personal Data to any third party, Milliman requires that those third parties have appropriate technical and organizational measures in place to comply with this Privacy Policy and applicable laws.

Data Retention

Milliman retains Personal Data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by law. Milliman will delete your Personal Data once the purpose of the collection and processing of such Personal Data has been fulfilled and the adequate duration for documentation and backup storage of such Personal Data has lapsed. If you have unsubscribed from receiving marketing information from us, we will continue to maintain your Personal Data for any other purpose for which we still have legal grounds for processing such Personal Data (such as for the purposes of complying with a legal obligation or when the processing is necessary for the purpose of a legitimate interest of us). In certain cases, if no other legal grounds exist, we will maintain limited Personal Data (such as your email address) about you on record, so as to be able to ensure for the future that such marketing communications are no longer sent to you.

If you want to opt-out from a specific electronic communication service or marketing offer, you can unsubscribe at any time by using the opt-out link on such communication e-mail or send us an e-mail at: data.protection@milliman.com. Unsubscribing from a special service or product information may not automatically end the processing of your Personal Data by us unless we receive a specific e-mail request from you in this respect. Any complaints about unsolicited marketing communication can be sent by e-mail to Milliman at the same e-mail address.

Children

Milliman’s websites, products, and services are not directed to children, and Milliman does not knowingly collect Personal Data from children. If a parent or legal guardian becomes aware that his or her child has provided Milliman with Personal Data without their consent, the parent or legal guardian should contact Milliman at data.protection@milliman.com, and Milliman will take steps to delete any such Personal Data.

Access and Corrections

As allowed or required by law and consistent with our applicable agreements, you may contact Milliman at any time at data.protection@milliman.com to request a copy of any Personal Data that Milliman has about you, to request that certain Personal Data be corrected, updated, or deleted, or to express any complaints or concerns about Milliman’s use of your Personal Data. It is not technologically possible to change or delete each and every instance of the data Milliman holds on its systems, and some Personal Data may remain in non-erasable forms. See rights specific to California residents here

Third-party Links

Milliman’s websites may provide links to other third-party websites that are outside of Milliman’s control and not covered by this Privacy Policy. Milliman is not responsible for the availability, content or accuracy, or privacy practices of other websites, products, services, or goods that may be linked to Milliman’s websites. Milliman encourages all users of its websites to review the privacy policies posted on these (and all) sites.

Policy Updates

Milliman may change its Privacy Policy from time to time. Milliman therefore asks all persons concerned to check it occasionally to ensure that they are aware of the most recent version.

Privacy Shield

Milliman is committed to handling Personal Data in accordance with this Privacy Policy and the EU-U.S. Privacy Shield Framework (or the Swiss-U.S. Privacy Shield Framework, as the case may be), as administered by the U.S. Department of Commerce. If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and to view Milliman’s certification, please visit https://www.privacyshield.gov/list.

Milliman’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Milliman remains responsible and liable under the Privacy Shield Principles if third parties engaged by Milliman process the Personal Data in a manner inconsistent with the Principles, unless Milliman proves that it is not responsible for the event giving rise to any damage. Additionally, Milliman, Inc. has put in place data protection agreements with its affiliates located in the European Economic Area based on the EU Standard Contractual Clauses issued by the European Commission (the “EU Standard Contractual Clauses”).

As further explained in the "How to Contact Us" section below, Milliman encourages any individual to contact us should they have a Privacy Shield-related (or general privacy-related) complaint. Any right of access, rectification, erasure, restriction of the processing as well as the right to data portability of individuals domiciled in the European Economic Area or Switzerland may be exercised under the conditions set forth in the GDPR by contacting Milliman at: data.protection@milliman.com. Furthermore, these individuals will have the right to lodge a complaint with a competent supervisory authority at any time.

Important Information for California Residents

The California Consumer Privacy Act of 2018 (CCPA) provides California consumers (California residents) with specific rights regarding their personal information. This section describes those rights and explains how to exercise them.

Rights

As a California resident, you have the right under the CCPA to exercise free of charge:

a. Disclosure of Personal Information We Collect About You

You have the right to know:

i. The categories of personal information we have collected about you;

ii. The categories of sources from which the personal information is collected;

iii. Our business or commercial purpose for collecting or selling personal information;

iv. The categories of third parties with whom we share personal information, if any;

v. The specific pieces of personal information we have collected about you; and

Please note that we are not required to:

i. Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;

ii. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or

iii. Provide the personal information to you more than twice in a 12-month period.

b. Disclosure of Personal Information Sold or Used for a Business Purpose

In connection with any personal information we may sell or disclose to a third party for a business purpose, you have the right to know:

i. The categories of personal information about you that we sold and the categories of third parties to whom the personal information was sold; and

ii. The categories of personal information that we disclosed about you for a business purpose.

c. Right to Opt-Out of the Sale of Personal Information

Under the CCPA, you have the right to opt-out of the sale of your personal information. If you exercise your right to opt-out of the sale of your personal information, we will add you to our “Do Not Sell List.” Please be aware that Milliman is not currently in the business of selling personal information.

d. Right to Deletion

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

Please note that we may not delete your personal information if it is necessary to:

i. Complete the transaction for which the personal information was collected, provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform services under a contract;

ii. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;

iii. Debug to identify and repair errors that impair existing intended functionality;

iv. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

v. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);

vi. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;

vii. Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;

viii. Comply with an existing legal or contractual obligation; or

ix. Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

e. Protection Against Discrimination

You have the right to not be discriminated against by us because you exercise any of your rights under the CCPA. This means we cannot, among other things:

i. Deny goods or services to you;

ii. Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

iii. Provide a different level or quality of goods or services to you; or

iv. Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you if that difference is reasonably related to the value provided to you by your personal information.

Submitting Requests

Requests to Know, Requests to Delete and Do-Not-Sell (Opt-out) Requests,* may be submitted by either:

*Please note that Milliman is not in the business of selling Personal Information.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Categories of Personal Information Collected

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Examples | Collected (Yes or No) |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Y |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Y |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Y |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Y |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | Y |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | Y |
| G. Geolocation data. | Physical location or movements. | Y |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | Y |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | Y |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | N |
| K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | N |

This Section on the rights of California residents does not address or apply to Milliman’s handling of:

  • Publicly available information from government records;
  • De-identified or aggregated consumer information;
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994;
  • Personal information we collect about job applicants, independent contractors, or current or former full-time, part-time and temporary employees and staff, officers, directors or owners of Milliman; and
  • Personal information about individuals acting for or on behalf of another company, to the extent the information relates to our transactions with such company, products or services that we receive from or provide to such company, or associated communications or transactions (except that such individuals have the right to opt-out of any sale of their personal information and to not be subject to any discrimination for exercising such right).

Sources of Information Collected

We collect personal information directly from you, as well as automatically related to your use of our websites and other services, and from third parties. For example, we collect personal information:

  • From any form you may complete and submit through our websites, for example information collected from the "Contact Us" page of our websites;
  • From the content of surveys that you may complete;
  • From 'cookies' and other similar tools deployed on parts of our websites that can only be accessed by authenticated users who are logged into the website (for further information regarding cookies used on our websites, please see section on Cookies above);
  • When you provide information as a client in connection with us providing professional services to you;
  • From other sources, such as public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected) and from other third parties; and
  • From or on behalf of clients when we provide professional services, which could include personal information about their employees, benefits recipients, insureds, etc.

Purposes of Collecting Information

Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table above sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Sources of Information Collected section above, and for the following purposes:

  • Contract administration;
  • Executing and performing our client engagements;
  • Providing various professional services to our clients;
  • Activating and maintaining client accounts;
  • Fulfilling requests for or responding to inquiries about our products or services;
  • Analyzing how our websites are used and how they are performing;
  • Providing offers and information to you (as permitted by law) about products, services, or events offered by us or that we think may be of interest to you; and
  • Facilitating the recruitment process.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

  • Categories A-I in the above table.

We disclosed your personal information for a business purpose to the following categories of third parties:

  • Milliman affiliates;
  • Service providers and independent contractors we use to help deliver our products and/or services;
  • Other third parties we use to help us run our business, such as marketing agencies, website hosts, technical security solutions;
  • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
  • Our insurers and brokers; and
  • Our banks.

We may disclose your personal information in response to subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information in order to enforce or apply our rights and agreements, or when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights, property, or safety of our businesses, our websites, our customers, our users, or others, as permitted under the applicable laws, or as otherwise required by law or by government and regulatory entities. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

Changes to Our California Privacy Disclosures

We reserve the right to amend these California specific privacy disclosures at our discretion and at any time. Milliman therefore asks all concerned California residents to check it occasionally to ensure that you are aware of the most recent version.

How to Contact Us

Milliman welcomes feedback and questions on this Privacy Policy. If for any reason you wish to contact us, please send an email (data.protection@milliman.com). Complaints will be resolved internally in accordance with Milliman’s complaints procedures.

If you reside in California and have questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, see the Rights of California Residents above, or contact us at: data.privacy@milliman.com.

If you live in the European Union, European Economic Area, or Switzerland and you have a complaint regarding the handling of your Personal Data in accordance with the EU-U.S. or Swiss-U.S. Privacy Shield Framework and your efforts to resolve the matter internally are unsatisfactory, the complaint may be submitted to the American Arbitration Association (http://go.adr.org/privacyshield.html), which has been selected as the independent recourse mechanism to resolve complaints and disputes relating to treatment of Personal Data originating in the European Union, European Economic Area, or Switzerland and transferred to the U.S. under this Privacy Policy. Under certain conditions, you may be entitled to invoke binding arbitration through the Privacy Shield Panel when other dispute resolution procedures have been exhausted. Milliman is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).