We aim to make our website as accessible as possible. However if you use a screen reader and require debt advice you may find it easier to phone us instead. Our phone number is 0 8 0 0 1 3 8 1 1 1 1. Freephone (including all mobiles).

Our privacy notice for clients

Making it clear how we handle your information

1. About our privacy notice

This notice tells you, as a StepChange client:

  • What personal data we hold about you
  • How and why we use that personal data
  • Your legal rights

We recommend you read this notice so you can understand your data protection rights and how to manage them.

'Personal data' means any information that:

  • Is about you
  • And which can be used to find out who you are

In some cases this data could be more sensitive. It may be data that is private to you.

As a debt advice charity we often need to collect and use your sensitive data. We need to do this to provide a full and complete service. Find out more in Section 4.

We will also use your personal data to:

  • Review and improve our service
  • Collate data to campaign for change
  • Find out how to make things better for you
  • Meet our goals as a charity

We do not offer products or services to children

When we help you we may collect some personal data about children who live with you or who you are responsible for. We would only do this to make sure our advice is right for you. For example: We need to know how many people live with you when making your budget.

2. Who is responsible for your personal data?

StepChange is made up of three companies. Find out more about them.

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:

123 Albion Street



  • Registered in England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements

  • Registered Office as above
  • Registered in England no. 5659160
  • ICO registration No. Z9690343

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions

  • Registered office as above
  • Registered in England no. 6741879
  • ICO registration No. Z1721238

These companies are all known as 'Data Controllers'. This means we are responsible for deciding:

  • Why we collect data about you
  • What data we collect
  • How we use your personal data
  • How we store your personal data

By law, we have to tell you this and share this privacy notice with you.

To provide our services, we may need to share data across our group.

Colleagues only have access to the data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the group.

Their contact details have been included in Section 12.

3. Where do we collect your personal data from?

In most cases, we will collect your personal data directly from you. This could be through our website, by email, over the phone or by letter.

We may also sometimes get data from other sources.

These include:

  • Other organisations who have referred you to us. Such as other charities or your council
  • Your creditors
  • Debt collection agencies
  • Credit reference agencies (see Section 7)
  • Law enforcement agencies and government departments (only in certain circumstances)
  • You, through the course of you using our services
  • Others who are acting on your behalf
  • People you have a personal relationship with
  • From technology you use to access our services. For example, your IP address

4. What information do we collect about you and why?

Read the full list of types of data and how we use them. There may be other examples than the ones listed.

If you do not provide the information we ask for, we may not be able to help you. For example, we need information about you to:

  • Give you debt advice that is right for you
  • Start, end or change debt management plans
  • Make applications for mortgages
  • Make sure debt relief orders, IVAs and bankruptcy orders continue

By law, there are some times when we may have to use or share your data without asking you first. For example, to investigate a crime or if there is a court order making us do this.

5. When do we use Automated Decision Making?

We make use of algorithms to help us provide debt advice. They work out solutions you can apply for based on information you have shared.

Our algorithm:

  • Is managed by us
  • Is based on the debt advice policy written by our own debt advice experts

We also have a number of free online tools and calculators. They can give you quick answers and ways to help you deal with your money worries.

We may sometimes use algorithms built by other organisations. Where this is the case we ensure that we have checked that it is accurate and meets our expectations.

If you feel that the wrong outcome has been reached using our algorithms or online tools then you have the right to a review of the automated outcome by a human being.

More details have been provided in the section on rights requests. See Section 11.

We will not go ahead with a debt solution (such as a Debt Management Plan) unless you have asked us to.

6. Who do we share your personal data with?

We may share your personal data with other organisations for a number of reasons. Find out why we share your personal data and who with. There may be other examples than the ones listed.

Data Controllers

We sometimes may need to share your personal data:

  • With other organisations who you may have a relationship with
  • Where we have a legitimate business reason
  • Where we have to by law
  • To meet the terms of a contract
  • Where you have told us we can do this

When we may share data and who with

  • Credit reference agencies: To check your credit file. See Section 7
  • Creditors and debt collectors:
      • To make payments to them if you have a debt solution with us.
      • To let them know we are helping you. If you have asked us to do this
      • To give you additional support if you have a health condition, for example. If you have told us we can do this
  • Third party organisations: When we refer you to them for further support. If you have told us we can do this. These may be charities or other specialists
  • Lenders, their valuation companies and solicitors: When you are applying for a mortgage or equity release
  • Government departments: When they manage or sign off debt solutions. Such as, the Accountant in Bankruptcy (AiB) in Scotland and the Insolvency Service
  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority, Insolvency Practitioners Association, the Information Commissioner’s Office, HM Revenue and Customs, HM Treasury, and the Department of Work and Pensions
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our funders and partners may also expect us to agree to audits. This is to make sure our service meets their standards. To do this, we may have to share your personal data. This could be because we are allowed by law to do this, or you have given us permission. These are called 'non-statutory audits'
  • Our insurers
  • Our accountants, legal and compliance advisers. As well as other specialist consultants or contractors
  • Researchers we work with. Such as, universities, market researchers and companies who track customer satisfaction. Where possible, we will hide personal information from the data we share

We may also share your information if you have asked us to, or told us we can.

Where we do share your personal data with third parties, we will:

  • Maintain records of what has been shared
  • Keep a written agreement

Please note: this applies unless the sharing is subject to a legal obligation.

Data Processors

We also work with third party suppliers who help to deliver our services. These are known as ‘data processors’.

They may only use your personal data when we allow it, and only to do what we have asked them to do.

We make sure your personal data is secure when it is with them. There are processes in place to check this.

We use them for:

  • IT services, software, and hardware. Such as, our servers and information security
  • Outsourced administration services
  • Payment services. For example, to allow you to make a payment

There may be other examples.

Sharing statistics

We may share ‘statistical data’:

  • Internally within our organisation
  • With charity partners and funders
  • The wider public to support our campaign work

In this case, personal details are not included. For example, we may share or publish details about the challenges our clients face as part of our reporting on the reasons why people have financial difficulty.

You will not be able to be identified from this information.

7. Why do we use Credit Reference Agencies (CRAs)?

There will be no negative impact on your credit file from getting debt advice from StepChange.

We will not go ahead with a debt solution unless you have asked us to. At which point we will use CRAs as described below. This may leave a footprint on your credit file. Find out more about how we work with CRAs.

We will use a CRA for a number of reasons:

  • We need to check who you are when we manage a debt solution for you
  • We need to know about your current finances when we set up your solution
  • We must meet the Money Laundering Regulations and Financial Conduct Regulations. To do this, we use CRAs to carry out ‘Know Your Client’ and ‘Anti Money Laundering’ checks.

Only if you apply for a product from StepChange Financial Solutions:

  • It may depend on a 'Decision in Principle' (DiP) credit search
  • We will disclose your personal data to a lender then the lender will use a CRA to run the DiP and share the results with us

We do this to comply with the contract you may be entering into with the lender.

How we run credit reference checks

Through our third party software providers we run checks with the main CRAs. These are:

  • Experian Ltd
  • Equifax
  • TransUnion

We limit what information we share with the CRAs. We will only share basic details to find your record.

You can find out more about how CRAs use your personal data. Look on their websites for ‘Credit Reference Agency Information Notice’ (CRAIN).

8. How long will we keep your personal data for?

We will usually only keep your personal data for as long as we need it.

We will need it to:

  • Provide debt advice to you
  • Manage your debt solutions
  • Keep a record of the advice and services we have provided

In most cases we will keep this data for six years from the end of our relationship with you.

For example, this could be six years from:

  • Our last significant contact
  • The end of your debt solution
  • The end of any product that we helped you to get
  • The end of the financial year when you have made a payment

In some cases we may need to keep some information for longer. This would be if there is the need to comply with laws or standards. Such as, defending legal claims.

9. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job and all of our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.

10. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier stores data in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law, such as countries in the European Economic Area, or
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK’s data protection regulator.
  • We have also assessed that country’s laws, or
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you.

11. What are your data protection rights?

You have a number of rights relating to how we use your personal data. They depend on why we are using your personal data. We have listed these below.

Please contact us at DPO@stepchange.org and we will respond.

We may need you to share extra detail so we can check who you are and understand what you need from us.

In most cases, we will respond within one calendar month. If there is a reason that this is taking us longer than that, we will let you know.

Your rights are:

  • To have access to, or a copy of, this notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all of the above rights. If so, that could mean that we would not be able to do as you have asked. We will let you know if this is the case.

12. How can you complain about how we use your personal data?

If you are unhappy with how we have used your data there is a process you can follow.

If you are unhappy with:

  • How we have used or handled your personal data or
  • How we have handled your data protection rights request

Please follow our client complaints process: https://www.stepchange.org/legal/complaints-process

Email: customerrelations@stepchange.org.

If you are unhappy with how a data protection complaint was handled, email DPO@stepchange.org

You may also raise this with the Information Commissioner’s Office. They are the UK’s Data Protection regulator.

Visit their website to find out more about this

Please note: The ICO expects you to have gone through our internal complaints process before raising a complaint with them.

13. How will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may write to you to let you know if major changes are made to this notice.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another reason, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know. We will explain at this point why we are allowed to do this by law.

This notice does not form part of any contract with you. We may update this notice at any time.

Published: January 2024. (Version 5.2).