Making it clear how we handle your information

1. Our privacy notice

StepChange is committed to protecting the privacy and security of your personal information. We are committed to protecting your personal data and this Privacy Notice describes how we collect and use personal information about you during and after your client relationship with us and what your rights in relation to it.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which may require a higher level of protection.

This Privacy Notice is provide in a Frequently Asked Questions (FAQS) format so you can click through to answers to specific questions set out above.

This notice does not form part of any contract with you. We may update this notice at any time.

Please note that this website and our products and services are not intended for children and we do not proactively collect their personal information. However, we are sometimes given information about children as part of providing advice and setting up products and services. The information in the relevant parts of this notice applies to children as well as adults.

2. Who is responsible for my data?

StepChange is a "Data Controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

At times StepChange acts as a “Data Processor”. This means that we process personal information about you on another Data Controller's behalf and instruction. We will only do so where the Data Controller has explicit consent to share your information with us for a specified purpose(s).

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

This Privacy Notice has been written to encompass the activity of the three companies that provide the end to end solutions for our Clients. The full details for each firm are as follows:

Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland
Registered Office:
123 Albion Street
Leeds
LS2 8ER
Registered In England no. 2757055
Registered charity in England and Wales: 1016630, Scotland: SC046263.
Authorised and regulated by the Financial Conduct Authority.
ICO registration No. Z743192X

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements
Registered Office as above
Registered in England no. 5659160
ICO registration No. Z9690343

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions
Registered Office as above
Registered in England no. 6741879
ICO registration No. Z1721238

3. How can I contact you with questions or comments about how you use my data?

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice.

If you have any questions about this privacy notice or how we handle your personal information please contact dpo@stepchange.org

4. What information do we collect and when?

Type	Gathered when dealing with	Examples	How it is obtained
Contact	All StepChange companies	Your full name Your postal address Your date of birth Your contact telephone numbers (daytime and evening) Your e-mail address	From you - online and during advisory discussion over the phone
Personal	All StepChange companies	Previous names Previous address(es) Your marital status Property details, value and remaining mortgage Nationality Your employment details/status Details of assets, investments and pensions The number of children or dependents in your household Your residential status (whether you own or rent your home) Gender, Race or Ethnicity	From you - online and during advisory discussion over the phone
Personal	StepChange Financial Solutions	Your requested loan amount and term Details of beneficiaries, executors, trustees, attorneys, related person for estate planning purposes (e.g. Wills, Trusts and Lasting Powers of Attorney).	From you - online and during advisory discussion over the phone
Protection Plans	StepChange Financial Solutions	Existing insurance arrangements - life, health, buildings and contents insurance	From you - during advisory discussion over the phone
Assets	StepChange Financial Solutions	Savings, Investments and Pensions, Vehicles	From you - during advisory discussion over the phone
Budget	All StepChange companies	Your income and expenditure Details of existing credit arrangements including mortgage and unsecured credit	From you - during advisory discussion over the phone
Financial	All StepChange companies	Bank Account Details Debit Card Details	From you - during advisory discussion over the phone
Medical	All StepChange companies	Details of any health and medical related matters	From you - during advisory discussion over the phone
Documentary	All StepChange companies	Copies of documents such as passport, drivers licence, utility bills, credit arrangements	From you - after recommendations are accepted and we set up a plan on your behalf. These are obtained via email or post
Behavioural	All StepChange companies	Information about your device or the software you use e.g. its IP address	From your use of our website and online services
Correspondence	All StepChange companies	Records of communications including emails, live chat, and social media communications; records of advice and recommendations	From you and generated by us whilst using our services

5. What other information do you collect about me?

Credit reference agencies

We access data held by credit reference agencies for several reasons:

If you decide to proceed with any managed solution from StepChange (including any of the entities listed in section 2), we will carry out checks on your identity. We need to do this in order to progress with the solution you choose to take. We carry out this activity based on our legitimate interests to conduct identity checks.
As part of the service we provide when setting up certain debt solutions, we undertake a check on your credit file to ensure that we hold up-to-date and accurate information about you and your finances. We carry out this activity based on our legitimate interests, to ensure your personal data is accurate and up to date.
If you decide to proceed with a recommendation from StepChange Financial Solutions for a mortgage or, in some instances, an Equity Release plan, your application will be subject to a Decision in Principle (DiP) credit search. This will be undertaken by a credit reference agency and the outcome will be given to StepChange. We carry out this activity as it is necessary when entering in to, or for the performance of, a contract you will be party to.
We also use credit reference agencies to carry out ‘Know Your Client’ and ‘Anti Money Laundering’ checks. These fulfil our legal obligations under Money Laundering Regulations and Financial Conduct Regulations.

To conduct credit reference checks, StepChange will usually make a request, via one of our third party software providers, to one of the main three credit reference agencies in the UK: Experian Ltd, Equifax, or TransUnion. StepChange will only share the minimum amount of personal data with them to identify you.

You can find out more about how these credit reference agencies use your personal data by reading their ‘Credit Reference Agency Information Notice’(CRAIN).

Creditors and debt recovery agencies

During the process of setting up and administering some of our debt solutions, we may receive information from creditor(s) and debt recovery agencies about you and your debts then enable us to better manage your debt solution.

6. What do you use my personal data for?

What we use it for	Lawful Basis for Processing
To initially contact you to provide you with information on the products and services available from the three StepChange companies (Debt Solutions, Financial Solutions and Voluntary Arrangements)	Legitimate Interest – the provision of this information will generally be due to a request made by yourself about our products and services.
To provide you with advice and recommendation on the products and services available from the three StepChange companies (Debt Solutions, Financial Solutions and Voluntary Arrangements)	Legitimate Interest - the provision of advice and recommendation for a debt management solution requires us to process your data to ensure we have a full understanding of your personal and financial situation in order for us to be able to assist you effectively and meet our regulatory requirements. Contractual obligations – the provision of advice and recommendation for a mortgage or equity release plan is pursuant to you entering into a contract with a third party lender of standard mortgages or lifetime mortgages and we are required to process the data to achieve this. Explicit Consent – we will ask you to give explicit consent to process data relating to health at the time we ask for it, if it is relevant to retain it to support you with the service going forward. We also seek explicit consent to gather data relating to ethnicity where we use it for research and evaluation purposes. (See Section 7 below on how to withdraw consent.)
To set up and administer a Debt Management plan	Legitimate Interest - the set up and ongoing servicing of a debt management plan requires us to process your data to ensure we are managing your arrangements in an effective and timely way and to meet our regulatory requirements of administering a debt management plan.
To process an application for a mortgage or equity release plan	Contractual Obligations – the provision of advice and recommendation is pursuant to you entering into a contract with a third party Lender of standard mortgages and lifetime mortgages and therefore are required to process the date to achieve this.
Setting up setting up and administering a Debt Relief Order, an Individual Voluntary Arrangement or Bankruptcy	Legal obligations - the setting up and administering these types of debt solutions forms a legally binding agreement and we are there required to process your data to achieve this.
To make and manage your payments	Legitimate interests - where you make payments to us as part of a debt solution, we have a requirement to process these in line with regulatory requirements.
To verify your identity	Legal obligations - we have a legal responsibility to carry out checks to ensure we are dealing with you.
To contact you in connection with any enquiries that you raise	Legitimate interests - of responding to questions and comments raised when you contact us.
Record keeping	Legitimate interests - we need to have a need to retain to comply with regulatory rules and ensuring we are implementing quality checking and compliance processes.
Monitoring and recording of telephone calls and email communications where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business including quality and training purposes and customer satisfaction surveys	Legitimate interests - to monitor and improve the quality of our products and service offerings (which may involve using your data in quality and performance training) and to ensure we comply with regulatory requirements.
Financial Crime matters	Legal requirement - we are required by law to detect, investigate, report, and seek to prevent financial crime.
Marketing	Legitimate Interest - to provide you with information on our products and services to you such as newsletters where you take up certain debt solutions. Consent - In some circumstances we will ask for consent for marketing purposes e.g. where you have subscribed to or signed up to some of our financial help initiatives such, or before using your feedback as testimonials or your situation as a case study.
Research and analysis	Legitimate Interest - to enable the Charity to better understand the issues faced by Clients in relation to the impact of debt. We will use anonymised date to support our work with campaigning to influence government and policy makers to help reduce the number of people falling into financial difficulty, and campaigning to raise awareness of the support available for people struggling with debt.
Improving our products and services	Legitimate interest - to enable the Charity to better understand your circumstances and preferences so we can provided you with the best advice and offer you a tailored service.
To support the work of our funders	Legitimate Interest - StepChange has contractual arrangements in place with various UK government bodies to receive funding for some of its debt advice services. (See section 11 below) Your data may be subject to processing as part of these arrangements on the basis of further the research and evaluation work they do to better understand the provision of debt advice in England. You may have the right to object to some of this processing should you wish to do so. Consent - where funders wish to use third parties to contact our clients to aid their research, we will seek consent to allow them to do this. (see Section 7 below on how to withdraw consent.)

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to provide our services for example; debt management plans may need to be cancelled or revoked and applications for mortgages, debt relief orders, individual voluntary arrangements, bankruptcy orders may be delayed or terminated.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7. Do I have the right to withdraw consent?

The majority of our processing of your personal data is not based on consent however, where we do rely on your consent to process personal data, you have the right to withdraw this at any time. You can do this via phone, email or post.

8. How long will you keep my data for?

We will only retain your personal information for as long as necessary. For example, if you proceed with setting up a debt solution, we will normally keep your core data for a period of 6 years from the end of our relationship with you. We may however need to retain some information for a longer period where we need to comply with regulatory, legal, accountancy or reporting requirements. There may be some information however that we do not need to retain for this period of time and we may destroy, delete or anonymise it more promptly. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from dpo@stepchange.org

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

9. How do you keep my data secure?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, inappropriately altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We regularly review our information collection, storage and processing practices, including physical security measures.

10. Is any of my data transferred outside the EEA?

We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in the event that we did, to ensure that your personal information does receive adequate protection, we will put in place protective measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respect the UK and EU laws on data protection.

Appropriate specific protective measures include for example, model clauses in data sharing contracts and ongoing security assessments. If you require further information about these measures you can request it from dpo@stepchange.org

11. Do you share or disclose my personal data with third parties in order to provide your services?

We need to share your data with certain third parties, including third-party service providers and the entities within StepChange listed under the heading "Who we are". in order to deliver the services and products to assist you. This includes:

Searching the files of external data bureaus in order to verify your identity (see section 5)
To notify creditors and creditor partners of the status of your progress through the advice service. We only do this where creditors have signed up to the principles of using this information to enable them to provide early forbearance whilst we work with you to set up a plan or debt management solution
Some of our funding for debt advice in England is provided by the Money and Pensions Service (MaPS), an executive non-departmental public body, supporting the provision of debt advice. Part of this arrangement involves us sharing data with the MaPS in relation to the advice element of the services we provide. This enables them to fulfil their 'public work' function which involves calculating the services being offered. You can find more information or object about how the Money and Pensions Service use your data here.
To notify the Money Advice Network (MaN) (part of the MaPS noted above) of the status of your progress should you have been referred to us through this service to enable MaN to evaluate the service received by you. More information on how MaN process data can be found here.
Where disclosure is made at your request or consent
Where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so. For example, where you are making and application for a mortgage or equity release plan, we need to share data with the lender, the property valuer appointed by the lender and your appointed solicitor
Our third party payments provider to enable us to process card transactions when you make payments to your debt solutions via card
To provide you with printed materials for the provision of our online application system where it is not hosted by StepChange
Our third party security partner that provides software programs to support us with access arrangements for your account with us
We will disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order for us to comply with any laws, regulations or good governance obligations, or in order to enforce or protect our rights, property or safety, or that of our customers or other persons with whom we have a business relationship. These parties will include (without limitation) the Charity Commission, the Financial Conduct Authority (FCA), the police, Action Fraud, The National Crime Agency, HMRC, HM Treasury and the Department of Work and Pensions.

How secure is my information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we share with them is required to be in place before we share any data. Ongoing checks are carried out on these arrangements at regular intervals.

Sharing aggregated or anonymised information

We may share aggregated or anonymised data within and outside of the StepChange companies with partners to assist with our work in improving financial lives. For example, we may share information about the challenges we see our clients facing when trying to deal with their debts and reasons why people are getting into financial difficulty within our consultation work with the FCA and our partnerships such as the Money and Pensions Service (Maps). You will not be able to be identified from this information.

12. Your rights in connection with your personal data

Under certain circumstances, by law you, or your legal representative, have a number of rights listed below. If you want to request a copy of the personal information we hold about you, or make a rights request please contact customerrelations@stepchange.org in writing detailing your request.

Right to access: What rights do I have to access information about me?

You have the right to find out what personal data we hold about you, and to receive a copy of that data. This is commonly know as a "Data Subject Access Request". We will process your request in accordance with your subject access rights set out in the General Data Protection Regulation ((EU) 2016/679).

We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.

Right to rectification: What should I do if I think the details you hold are inaccurate?

It is important that the personal data we hold about you is accurate and current lease keep us informed if your personal data changes during your relationship with us. If for any reason you are unsure about the personal and account information we are holding in your name, please contact us using the details in section 2.

Where data is simply out of date (for example you have moved house) we will update your file but may retain a record of the old data for audit and compliance purposes or example we may need to verify that we carried out searches against the address which was current at the relevant time. If you dispute the accuracy of the information we hold, we will restrict processing, where appropriate, while we consider your request.

Right to object: Can I ask you to stop processing information about me?

Where data is processed only on the basis of consent you can withdraw this consent at any time. However, this does not affect the lawfulness of any processing carried out before you notify us that you have withdrawn your consent.

Where we have another legal basis for processing your data we may be able to continue to process this even if you do not consent to it. We also have no obligation to stop using your data if your data is required for legal proceedings or the establishment, exercise or defence of legal rights.

Where we process data on the basis of legitimate interests you have a right to object to this. We will restrict what we do with your data while we consider this request and will stop processing the data if we cannot show overriding legitimate grounds for processing the data. We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.

Right to object to automated processing: Can I ask you to manually review any automated decisions?

We do not use automated decision making (i.e. making a decision solely by automated means without any human involvement) in any of the services we currently offer.

Right to deletion (erasure): Can I ask for information about me to be deleted?

Where data is being processed only on the basis of consent and you withdraw that consent you also have the right to ask for the data to be deleted. You have the right to ask for data to be deleted where the data is no longer necessary for the purposes for which it was collected, or if it is being processed unlawfully. You can also ask for data to be deleted if you successfully object to processing based on our legitimate interests. Your rights to do this are described above.

This right does not apply to all information about you. Information required to establish, enforce or defend our legal rights, or which is required for compliance purposes also does not need to be deleted.

Right to data portability: Can I ask you to port my data to someone else?

Where data has been provided in machine-readable electronic format, you can request us to provide this to another data controller.

13. How can I complain about how you use my data?

If you are unhappy with the products or services that we have provided you with or are dissatisfied with the handling of your customer data, you can contact us at customerrelations@stepchange.org

You may also refer your complaint to the Information Commissioner’s Office. The ICO has web forms for making complaints and also has a helpline you can call. Details are available here.

We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance the ICO will usually ask if you have done this before progressing your complaint.

14. How will I find out about any changes in how you use my data?

We reserve the right to update this privacy notice at any time, and we will make you aware when we make any substantial updates that would affect your rights or how we process your personal data.

We may also notify you in other ways from time to time about the processing of your personal information.

15. Do you use cookies?

We use cookies and similar technologies to remember you and your preferences and improve your experience whilst using our website. Our cookies policy contains more details and can be found here.