We aim to make our website as accessible as possible. However if you use a screen reader and require debt advice you may find it easier to phone us instead. Our phone number is 0 8 0 0 1 3 8 1 1 1 1. Freephone (including all mobiles).

Our privacy notice for third parties

Making it clear how we handle your information

1. About our privacy notice

This notice is for third parties.

A third party is someone who:

  • Has a personal or professional relationship with one of our clients
  • Does not have a direct relationship with StepChange

A client is:

  • A person who we provide debt advice services to

Our clients may have shared details about you as part of the services we provide.

If you are a client of StepChange, on a joint plan or one of your own, you should read our Client Privacy Notice instead.

This notice tells you, as a third party:

  • What personal data we hold about you
  • How and why we use your personal data
  • What your legal rights are

We recommend you read this notice to understand your data protection rights and how to manage them.

'Personal data' means any information that:

  • Is about you
  • And which can be used to find out who you are

In some cases this data could be more sensitive. It may be data that is private to you.

As a debt advice charity we often need to collect and use sensitive data. We need to do this to provide a full and complete service. Find out more in Section 4.

We do not offer products or services to children.

When we help our clients we may collect some personal data about children who live with them or who they are responsible for.

We would only do this to make sure our advice is right for our clients. As an example, we need to know how many people live with them when making their budget.

2. Who is responsible for your personal data?

StepChange is made up of three companies.

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:

123 Albion Street



  • Registered In England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements

  • Registered Office as above
  • Registered in England no. 5659160
  • ICO registration No. Z9690343

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions

  • Registered office as above
  • Registered in England no. 6741879
  • ICO registration No. Z1721238

These companies are all known as 'Data Controllers'. As a Group, this means we are responsible for deciding:

  • Why we collect data about you
  • What data we collect
  • How we use your personal data
  • How we store your personal data

By law, we have to tell you this and share this privacy notice with you.

To provide our services, we may need to share data across our Group.

Colleagues only have access to the data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the Group.

Their contact details have been included in Section 12.

3. Where do we collect your personal data from?

In most cases, we will collect your personal data directly from one of our clients. Sometimes we may collect data directly from you. This could be through our website, by email, over the phone, or by letter.

We may also sometimes get data from other sources.

These could include:

  • Other organisations who have referred clients to us. Such as other charities, their council, or their bank.
  • Organisations who have a relationship with our clients. Such as businesses they owe money to
  • Credit reference agencies (see Section 7)
  • Law enforcement agencies and government departments (only in certain circumstances)
  • You, through the course of interacting with us
  • From technology you use to access our services. For example, your IP address

4. What information do we collect about you and why?

We collect data about third parties for the following reasons:

When our client has provided information about you as part of their debt advice.

Types of information:

  • Your name
  • Details about your relationship with our client
  • Your age, if this is relevant to the advice we are giving
  • Any circumstances which may affect our client and their ability to pay what they owe. Such as, if they are your caregiver
  • Your home address. Only if you live at the same address as our client
  • Any other information about you which we have taken into consideration to give our client debt advice

Sensitive information:

Sometimes our clients may provide sensitive information about you, to us, as part of getting debt advice. For example, this could be information about your health, about any criminal offences or any other information that is private to you.


  • To ensure our advice is right for our clients
  • To understand all circumstances which may affect our clients’ ability to pay what they owe

This is because we have a legitimate interest to provide our services. We process sensitive data where we need to provide confidential debt advice and credit counselling services. This is a substantial public interest.

There may be times where we need to ask if you agree to the use of your specific sensitive personal data for these or other purposes.

When we are helping our clients to manage their debts through one of our managed services and you are helping them with this.

This may be where you provide financial assistance to our client. Such as making payments or providing assets, or you are their direct debit payer.

Types of information:

  • Your full name
  • Your date of birth
  • Your address, including postcode
  • Your bank account details. Account number, sort code and who you bank with
  • Documentation showing information about source of funds (if applicable). This means where any money you are paying to us comes from. Such as savings
  • Your signature, if requested
  • Your identification documents, if requested
  • Copies of your credit file, where applicable and requested. Usually for mortgage and equity release solutions
  • Your relationship with our client
  • Payments you have made to us
  • Contact details. If you or our client have provided these to us
  • Any correspondence. Including recorded phone calls, which you have had with us

Sensitive information:

As part of our responsibilities to ensure that any funds received have been lawfully obtained, we are required to conduct ‘Know Your Client’ (KYC) and Anti-Money Laundering (AML) Checks (see Section 7). This means that through our own investigations, or other sources, we may detect and report criminal activity.


  • To set up and manage solutions for our clients
  • To determine our clients’ eligibility for equity release or mortgage products
  • To comply with the law around detecting and preventing unlawful acts
  • To prevent fraud

This is because we have a legitimate interest to provide our services or report suspected criminal behaviour. We process sensitive data where we need to meet legal obligations.

This could be because you:

  • Have Power of Attorney
  • Are a lawyer
  • Have been nominated by our client as their representative
  • Help or support our client. Even if you do not normally represent them

Types of information:

  • Your full name
  • Your date of birth
  • Your address, including postcode
  • Your relationship with our client
  • What type of authority is in place. Such as Power of Attorney or our client has authorised you to act on their behalf
  • Your contact details. Such as phone number or email address
  • Your signature, if provided
  • Your identification documents, if requested
  • Any organisation you are affiliated with and have told us about
  • Any correspondence. Including recorded phone calls, which you have had with us


  • To ensure that StepChange knows, and is able to demonstrate, that you have authority to act on behalf of our client
  • To be able to correspond with you about our client, where appropriate to do so

This is because we have a legitimate interest to provide our services.

There may be times where we indirectly use information about you:

  • As part of our research activities, or
  • To gather insights about the situation of our clients

For example, we may wish to find out how many of our clients are carers. You will never be identified from this data.

This is because we have a legitimate interest to conduct research activities.

5. When do we use Automated Decision Making?

We make use of algorithms to help us provide debt advice. It is unlikely that decisions about you as a third party will be made using these algorithms. However, in some very limited circumstances your relationship with our client could be a factor in our decision making.

For more information about how we use automated decision making as part of our services, please read our Client Privacy Notice.

6. Who do we share your personal data with?

We may share your personal data with other organisations for a number of reasons.

Find out why we share your personal data and who with. There may be other examples than the ones listed:

We sometimes may need to share your personal data:

  • With other organisations who our client may have a relationship with and it is necessary to deliver our service
  • Where we have a compelling and legitimate business reason
  • Where we have to by law
  • Where you have told us we can do this

When we may share data and who with

  • Credit reference agencies: To check your credit file. See Section 7
  • Third party organisations: When we have referred our clients for further support and our client has told us we can do this. These may be charities, other specialists or organisations our client owes money to
  • (Mortgage or equity release solutions only) Lenders: where a ‘Decision in Principle’ query, or similar, is being carried out to understand whether a lender would accept an application.
  • Government departments: When they manage or sign off debt solutions
  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority, Insolvency Practitioners Association, the Information Commissioner’s Office, HM Revenue and Customs, HM Treasury, and the Department of Work and Pensions
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our funders and partners may also expect us to agree to audits. This is to make sure our service meets their standards. To do this, we may have to share your personal data. This could be because we are allowed by law to do this, or you have given us permission. These are called 'non-statutory audits'
  • Our insurers
  • Our accountants, legal and compliance advisers. As well as other specialist consultants or contractors
  • Researchers we work with: Such as, universities, market researchers and companies who track customer satisfaction. Where possible, we will hide personal information from the data we share

We may also share your information if you have asked us to or told us we can.

Where we do share your personal data with third parties, we will:

  • Maintain records of what has been shared
  • Keep a written agreement

Please note, unless this is subject to a legal obligation.

We also work with third party suppliers who help to deliver our services. These are known as ‘data processors’.

We only allow them to use your personal data when we allow it and to do what we have asked them to do.

We make sure your personal data is secure when it is with them. There are processes in place to check this.

We use them for:

  • IT services, software, and hardware. Such as, our servers and information security
  • Outsourced administration services
  • Payment services. For example, to allow you to make a payment

There may be other examples.

We may share ‘statistical data’:

  • Internally within our organisation
  • With partners and funders
  • The wider public to support our campaign work

In this case, personal details are not included. For example, we may share or publish details about the challenges our clients face. This is part of our reporting on the reasons why people have financial difficulty.

You will not be identified from this information.

7. Why do we use Credit Reference Agencies (CRAs)?

There will be no negative impact on your credit file from somebody you know getting debt advice from StepChange.

If you are helping one of our clients to repay the money they owe, we will use CRAs as described below. This could be if you are setting up a direct debit from your own account or you are providing a lump sum to help them. This may leave a footprint on your credit file.

We will not go ahead with a debt solution unless our client has asked us to and you have agreed to this.

We will use a CRA for a number of reasons:

  • We need to check who you are when we manage a solution which you are involved with
  • We may need to know about your current finances when we set up certain solutions
  • We must meet the Money Laundering Regulations and Financial Conduct Regulations. To do this, we use CRAs to carry out ‘Know Your Client’ and ‘Anti Money Laundering’ checks

How we run credit reference checks

Through our third party software providers we run checks with the main CRAs. These are:

  • Experian Ltd
  • Equifax
  • TransUnion

We limit what information we share with the CRAs. We will only share basic details to find your record if is this needed.

You can find out more about how CRAs use your personal data. Look on their websites for ‘Credit Reference Agency Information Notice’(CRAIN).

8. How long will we keep your personal data for?

We will usually only keep your personal data for as long as we need it.

We will need it to:

  • Provide debt advice to our client
  • Manage debt solutions for our client
  • Keep a record of the advice and services we have provided

In most cases we will keep this data for six years from the end of our relationship with our client. Where we can we will keep as little information about you as possible.

For example, this could be six years from:

  • Our last significant contact with our client
  • The end of the debt solution that you are involved with
  • The end of any product that you are involved with
  • The end of the financial year when you have made a payment to StepChange

In some cases we may need to keep some information for longer. This would be if there is the need to comply with laws or standards. Such as, defending legal claims.

9. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job and all of our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.

10. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier stores data in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law. Such as, countries in the European Economic Area. Or,
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK’s data protection regulator. We also have assessed that country’s laws. Or,
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you.

11. What are your data protection rights?

You have a number of rights relating to how we use your personal data. They depend on why we are using your personal data. We have listed these below.

Please contact us at DPO@stepchange.org and we will respond.

We may need you to share extra detail so we can.

  • Check who you are
  • Establish your relationship with us or one of our clients
  • Understand what you need from us
  • Ask for additional forms of identification. As we will not usually have a relationship with you

In most cases, we will respond within one calendar month. If there is a reason why it is taking us longer, we will let you know.

Your rights are:

  • To have access to, or a copy of, this notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all of the above rights. You should also be aware that when we consider your data protection rights, we must by law, balance these against the rights of our client. This could mean we may not be able to do as you have asked. We will let you know if this is the case.

12. How can you complain about how we use your personal data?

If you are unhappy with how we have used your data there is a process you can follow.

If you are unhappy with:

  • How we have used or handled your personal data or
  • How we have handled your data protection rights request

Please follow our client complaints process:

Email: customerrelations@stepchange.org.

If you are unhappy with how a data protection complaint was handled, email DPO@stepchange.org

You may also raise this with the Information Commissioner’s Office (ICO). They are the UK’s Data Protection regulator.

Visit their website to find out more about this.

Please note: The ICO expect you to have gone though our internal complaints process before raising a complaint with them.

13. How will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another reason, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know. We will explain at this point why we are allowed to do this by law.

This notice does not form part of any contract with you. We may update this notice at any time.

Published: November 2023. (Version 1.1).