7. Do I have the right to withdraw consent?
The majority of our processing of your personal data is not based on consent however, where we do rely on your consent to process personal data, you have the right to withdraw this at any time. You can do this via phone, email or post.
8. How long will you keep my data for?
We will only retain your personal information for as long as necessary. For example, if you proceed with setting up a debt solution, we will normally keep your core data for a period of 6 years from the end of our relationship with you. We may however need to retain some information for a longer period where we need to comply with regulatory, legal, accountancy or reporting requirements. There may be some information however that we do not need to retain for this period of time and we may destroy, delete or anonymise it more promptly. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from email@example.com
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
9. How do you keep my data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, inappropriately altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We regularly review our information collection, storage and processing practices, including physical security measures.
10. Is any of my data transferred outside the EEA?
We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in the event that we did, to ensure that your personal information does receive adequate protection, we will put in place protective measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respect the UK and EU laws on data protection.
Appropriate specific protective measures include for example, model clauses in data sharing contracts and ongoing security assessments. If you require further information about these measures you can request it from firstname.lastname@example.org
11. Do you share or disclose my personal data with third parties in order to provide your services?
We need to share your data with certain third parties, including third-party service providers and the entities within StepChange listed under the heading "Who we are". in order to deliver the services and products to assist you. This includes:
- Searching the files of external data bureaus in order to verify your identity (see section 5)
- To notify creditors and creditor partners of the status of your progress through the advice service. We only do this where creditors have signed up to the principles of using this information to enable them to provide early forbearance whilst we work with you to set up a plan or debt management solution
- Some of our funding for debt advice in England is provided by the Money and Pensions Service (MaPS), an executive non-departmental public body, supporting the provision of debt advice. Part of this arrangement involves us sharing data with the MaPS in relation to the advice element of the services we provide. This enables them to fulfil their 'public work' function which involves calculating the services being offered. You can find more information or object about how the Money and Pensions Service use your data here.
- To notify the Money Advice Network (MaN) (part of the MaPS noted above) of the status of your progress should you have been referred to us through this service to enable MaN to evaluate the service received by you. More information on how MaN process data can be found here.
- Where disclosure is made at your request or consent
- Where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so. For example, where you are making and application for a mortgage or equity release plan, we need to share data with the lender, the property valuer appointed by the lender and your appointed solicitor
- Our third party payments provider to enable us to process card transactions when you make payments to your debt solutions via card
- To provide you with printed materials for the provision of our online application system where it is not hosted by StepChange
- Our third party security partner that provides software programs to support us with access arrangements for your account with us
- We will disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order for us to comply with any laws, regulations or good governance obligations, or in order to enforce or protect our rights, property or safety, or that of our customers or other persons with whom we have a business relationship. These parties will include (without limitation) the Charity Commission, the Financial Conduct Authority (FCA), the police, Action Fraud, The National Crime Agency, HMRC, HM Treasury and the Department of Work and Pensions
How secure is my information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we share with them is required to be in place before we share any data. Ongoing checks are carried out on these arrangements at regular intervals.
Sharing aggregated or anonymised information
We may share aggregated or anonymised data within and outside of the StepChange companies with partners to assist with our work in improving financial lives. For example, we may share information about the challenges we see our clients facing when trying to deal with their debts and reasons why people are getting into financial difficulty within our consultation work with the FCA and our partnerships such as the Money and Pensions Service (Maps). You will not be able to be identified from this information.
12. Your rights in connection with your personal data
Under certain circumstances, by law you, or your legal representative, have a number of rights listed below. If you want to request a copy of the personal information we hold about you, or make a rights request please contact email@example.com in writing detailing your request.
Where data is processed only on the basis of consent you can withdraw this consent at any time. However, this does not affect the lawfulness of any processing carried out before you notify us that you have withdrawn your consent.
Where we have another legal basis for processing your data we may be able to continue to process this even if you do not consent to it. We also have no obligation to stop using your data if your data is required for legal proceedings or the establishment, exercise or defence of legal rights.
Where we process data on the basis of legitimate interests you have a right to object to this. We will restrict what we do with your data while we consider this request and will stop processing the data if we cannot show overriding legitimate grounds for processing the data. We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
Where data is being processed only on the basis of consent and you withdraw that consent you also have the right to ask for the data to be deleted. You have the right to ask for data to be deleted where the data is no longer necessary for the purposes for which it was collected, or if it is being processed unlawfully. You can also ask for data to be deleted if you successfully object to processing based on our legitimate interests. Your rights to do this are described above.
This right does not apply to all information about you. Information required to establish, enforce or defend our legal rights, or which is required for compliance purposes also does not need to be deleted.
We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
13. How can I complain about how you use my data?
If you are unhappy with the products or services that we have provided you with or are dissatisfied with the handling of your customer data, you can contact us at firstname.lastname@example.org
You may also refer your complaint to the Information Commissioner’s Office. The ICO has web forms for making complaints and also has a helpline you can call. Details are available here.
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance the ICO will usually ask if you have done this before progressing your complaint.
14. How will I find out about any changes in how you use my data?
We reserve the right to update this privacy notice at any time, and we will make you aware when we make any substantial updates that would affect your rights or how we process your personal data.
We may also notify you in other ways from time to time about the processing of your personal information.