We aim to make our website as accessible as possible. However if you use a screen reader and require debt advice you may find it easier to phone us instead. Our phone number is 0 8 0 0 1 3 8 1 1 1 1. Freephone (including all mobiles).

Our privacy notice for StepChange colleagues

Making it clear how we handle your information

Click on the links below to jump to the sections you want to find out more about.

Quickly find what you are looking for

  1. About our privacy notice
  2. Who is responsible for your data?
  3. Where do we collect your personal data from?
  4. What personal data do we collect and why?
  5. When do we use Automated Decision Making?
  6. Who do we share your personal data with?
  7. Do we carry out any employment vetting checks?
  8. How long will we keep your personal data for?
  9. How do we keep your personal data secure?
  10. Will we transfer your personal data outside of the UK?
  11. What are your data protection rights?
  12. How can you complain about use of your personal data?
  13. How will we tell you about any changes in how your personal data is used?

1. About our privacy notice

This notice tells you, as a current or former StepChange colleague:

  • What personal data we hold about you
  • How and why we use that personal data
  • What your legal rights are and how to apply them

A StepChange colleague is someone who has been employed by StepChange. This includes temporary workers but not contractors or Trustees. It also does not cover people who may work for us in future - please see our recruitment privacy notice.

We recommend that you read this notice.

'Personal data' means any information that:

  • Is about you
  • Which can be used to identify you

In some cases this personal data could be more sensitive. It may be personal data that is private to you.

As your employer we will need to collect and use your personal data. We need to do this to:

  • Make sure we are carrying out all our employment responsibilities
  • Ensure the smooth running of the charity
  • Maintain a successful relationship with you.

A full list of how we use personal data has been included at Section 4 of this notice.

2. Who is responsible for your personal data?

StepChange is made up of two companies:

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:

123 Albion Street
Leeds
LS2 8ER

  • Registered In England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

All StepChange colleagues are employed by The Foundation for Credit Counselling

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements

Registered Office as above

  • Registered in England no. 5659160
  • ICO registration No. Z9690343

While StepChange Voluntary Arrangements is not an employer, it will hold personal data about StepChange employees

These companies are all known as 'Data Controllers'. This means we are jointly responsible for deciding:

  • Why we collect personal data about you
  • What personal data we collect
  • How we use your personal data
  • How we store your personal data

To provide our services, we may need to share personal data across our Group.

Colleagues only have access to the personal data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the Group Their contact details have been included in Section 12.

3. Where do we collect your personal data from?

In most cases, we will collect your personal data directly from you. This could be your personal details, bank details and contact information. We can get these throughout the time you work for us.

We may also sometimes get personal data from other sources. These include:

  • Law enforcement agencies, regulators and government departments (only in certain circumstances)
  • Our colleague benefits providers, where you have agreed to this. For example, if you use our Employee Assistance Programme or Occupational Health.
  • Others who are acting on your behalf
  • People you have a personal relationship with. For example, your emergency contact
  • From technology we provide to you, or that you use to access our systems. For example, your IP address

4. What personal data do we collect about you and why?

The types of personal data we collect about you will depend on what happens during your employment with us. This could include:

General data Such as: Your identifiers, biographical information, and employment details So that we can maintain up to date employment records
Communications data Such as: Contact details, and those of any nominated emergency contact So that we can contact you when needed, including in the event of an emergency.
Financial data Such as: your bank account details, and information about your pay So that we can pay you your wages, and maintain accurate tax, National Insurance and pension records
Sensitive data Such as: your health or additional needs, So that we support you in the event of illness or injury.
Data shared about crime Such as: any disclosures you make to us or any information we receive from other parties, such as the police So that we can support you if you are a victim of crime
Diversity information Information about gender, sexuality, disabilities or any other information about diversity, where you have chosen to provide this to us. So we can monitor equality and diversity
Other data Such as: any other information you provide to us while you are employed

Read the full list of types of data and how we use them. There may be other examples than the ones listed.

If you do not provide the personal data we ask for, then this may affect your employment. We will let you know whenever any of the data we collect about you is optional.

By law, there are some times when we may have to use or share your personal data without telling you first. For example, to investigate a crime or if we receive a court order.

5. When do we use Automated Decision Making?

StepChange does not use any Automated Decision Making to make decisions about employees. Work you have completed may be automatically flagged to our Quality Monitoring Team for review, but all decisions based on these reviews would be made solely by a human reviewer.

6. Who do we share your personal data with and why?

There are a number of reasons why we might share your personal data with other organisations. We sometimes may need to do this where:

  • Where we have a legitimate business reason
  • Where we have to by law
  • To meet the terms of a contract
  • Where you have told us we can do this

Who we may share personal data with and why:

  • Organisations who we work with (e.g. creditors, funders, partners) where this relates to your work (e.g. relationship management)
  • Government departments and agencies: Where we must share personal data by law. Such as HM Revenue and Customs (HMRC), HM Treasury, and the Department of Work and Pensions (DWP)
  • The Student Loan Company, if you are repaying a Student Loan
  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority (FCA), Insolvency Practitioners Association (IPA), and the Information Commissioner's Office (ICO)
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our insurers
  • Our accountants, legal, and compliance advisers. As well as other specialist consultants or contractors
  • Our partners who may provide occupational health services to you
  • Our landlords and their agents but only where there is a legitimate business need to do so (e.g. a health and safety issue)
  • Your future employers, or any other organisations who request a reference from us
  • Pension providers and companies who might provide you with insurance plans
  • Our partners who may provide workplace benefits to you or whose schemes you are signed up to (e.g. cashback plans)

We may also share your personal data if you have asked us to or told us we can.

We will keep records of what has been shared with third parties and why.

We also work with third party suppliers who help to carry out our duties as an employer.

Our suppliers will only have access to your personal data where we have given them strict instructions and have first made sure that your personal data is secure when it is with them.

We use them for:

  • Specialist equipment. Such as Display Screen Equipment
  • Outsourced administration services
  • IT services, software and hardware
  • Couriers

There may be other examples.

We may share 'statistical data':

  • Internally within our organisation
  • With Charity partners and funders
  • The wider public

In these cases, you will not be able to be identified.

7. Do we carry out any employment vetting checks?

We may carry out checks to establish your ongoing suitability for your role. Depending on the role, this may include:

  • The Disclosure and Barring Service (DBS)
  • Credit Industry Fraud Avoidance System (CIFAS)
  • Or the Financial Conduct Authority (FCA)

As part of these checks, we may share basic personal identifiers with these companies to enable them to identify you, such as your name and date of birth. Depending on the company, the responses we receive may include:

  • Details of criminal convictions
  • Details of convictions for fraud or identity fraud
  • Any information that suggests your identity is at risk of impersonation
  • Any information that previous employers have reported to the FCA

The outcome of these checks may affect your employment with StepChange, as they may mean that you are not a suitable candidate for the role you are carrying out.

StepChange does not use Credit Reference Agencies as part of your employment with us.

8. How long will we keep your personal data for?

We will need to keep your personal data to:

  • Ensure you are paid correctly
  • Ensure any employee benefits you are entitled to are provided
  • To keep track of your employment and progress with us
  • Support you throughout your employment

In most cases we will keep this data for six years from the end of your employment with us.

In some cases we may need to keep some information for longer. For example, to continue looking after your pension. This could also be if there is the need to comply with specific laws or for defending legal claims.

What about recording of phone calls and other interactions?

All calls between StepChange and our clients are recorded. If you speak to clients as part of your role, these calls will be recorded, including your voice. Automated transcripts of these calls will also be created. These calls are held for 6 years from the date of recording.

If you make calls to our IT Helpdesk, these will be recorded to help with training and quality. These calls are held for 1 year from the date of recording.

Some video calls made by Microsoft Teams may be recorded. Where these are recorded, they will usually be held for 1 year from the date of recording.

If you agree to take part in StepChange events and publicity, photographs and videos may be recorded as part of this. If you are participating in any of these activities you should read our Events & Publicity Privacy Notice.

9. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job and all our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.

10. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier has computer servers in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law. Such as, countries in the European Economic Area. Or,
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK's data protection regulator. We also have assessed that country's laws. Or,
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you

11. What are your data protection rights?

You have a number of rights relating to how we use your personal data.

Please contact us at DPO@stepchange.org to make a request.

We may need you to share extra detail so we can check who you are and understand what you need from us.

In most cases, we will respond within one calendar month. If there is a reason that this is taking us longer than that, we will let you know.

Your rights are:

  • To have access to, or a copy of, this privacy notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you if we no longer need it
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all the above rights. If so, that could mean that we would not be able to do as you have asked. We will let you know if this is the case.

12. How can you complain about how we use your personal data?

If you are unhappy with how we have used or handled your personal data, or if you are unhappy with how a data protection request was handled, please email DPO@stepchange.org with details.

You may also raise any concerns with the Information Commissioner's Office. They are the UK's Data Protection regulator. Visit their website (www.ico.org.uk) to find out more about how to contact the ICO or call 0303 123 1113. Please note that the ICO expect you to have gone through our internal complaints process before raising a complaint with them.

13. Will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may write to you to let you know if major changes are made to this notice.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another purpose, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know and we will explain why we are allowed to do this by law.

This notice does not form part of any contract with you. We may update this notice at any time.

Published: January 2026. (Version 3).