1. Our privacy notice
StepChange is committed to protecting the privacy and security of your personal information. We are committed to protecting your personal data and this Privacy Notice describes how we collect and use personal information about you during and after your client relationship with us and what your rights in relation to it.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data which may require a higher level of protection.
This Privacy Notice is provide in a Frequently Asked Questions (FAQS) format so you can click through to answers to specific questions set out above.
This notice does not form part of any contract with you. We may update this notice at any time.
Please note that this website and our products and services are not intended for children and we do not proactively collect their personal information. However, we are sometimes given information about children as part of providing advice and setting up products and services. The information in the relevant parts of this notice applies to children as well as adults.
2. Who is responsible for my data?
StepChange is a “Data Controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
At times StepChange acts as a “Data Processor”. This means that we process personal information about you on another Data Controller’s behalf and instruction. We will only do so where the Data Controller has explicit consent to share your information with us for a specified purpose(s).
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
This Privacy Notice has been written to encompass the activity of the three companies that provide the end to end solutions for our Clients. The full details for each firm are as follows:
Foundation for Credit Counselling
Trading as StepChange Debt Charity and StepChange Debt Charity Scotland
Registered Office:
123 Albion Street
Leeds
LS2 8ER
Registered In England no. 2757055
Registered charity in England and Wales: 1016630, Scotland: SC046263.
Authorised and regulated by the Financial Conduct Authority.
ICO registration No. Z743192X
Consumer Credit Counselling Service Voluntary Arrangements Limited
Trading as StepChange Voluntary Arrangements
Registered Office as above
Registered in England no. 5659160
ICO registration No. Z9690343
Consumer Credit Counselling Service (Equity Release) Limited
Trading as StepChange Financial Solutions
Registered Office as above
Registered in England no. 6741879
ICO registration No. Z1721238
3. How can I contact you with questions or comments about how you use my data?
We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice.
If you have any questions about this privacy notice or how we handle your personal information please contact dpo@stepchange.org
4. What information do we collect and when?
Type | Gathered when dealing with | Examples | How it is obtained |
---|---|---|---|
Contact | All StepChange companies | Your full name Your postal address Your date of birth Your contact telephone numbers (daytime and evening) Your e-mail address |
From you – online and during advisory discussion over the phone |
Personal | All StepChange companies | Previous names Previous address(es) Your marital status Property details, value and remaining mortgage Nationality Your employment details/status Details of assets, investments and pensions The number of children or dependents in your household Your residential status (whether you own or rent your home) Gender, Race or Ethnicity |
From you – online and during advisory discussion over the phone |
Personal | StepChange Financial Solutions | Your requested loan amount and term Details of beneficiaries, executors, trustees, attorneys, related person for estate planning purposes (e.g. Wills, Trusts and Lasting Powers of Attorney). |
From you – online and during advisory discussion over the phone |
Protection Plans | StepChange Financial Solutions | Existing insurance arrangements – life, health, buildings and contents insurance | From you – during advisory discussion over the phone |
Assets | StepChange Financial Solutions | Savings, Investments and Pensions, Vehicles | From you – during advisory discussion over the phone |
Budget | All StepChange companies | Your income and expenditure Details of existing credit arrangements including mortgage and unsecured credit |
From you – during advisory discussion over the phone |
Financial | All StepChange companies | Bank Account Details Debit Card Details |
From you – during advisory discussion over the phone |
Medical | All StepChange companies | Details of any health and medical related matters | From you – during advisory discussion over the phone |
Documentary | All StepChange companies | Copies of documents such as passport, drivers licence, utility bills, credit arrangements | From you – after recommendations are accepted and we set up a plan on your behalf. These are obtained via email or post |
Behavioural | All StepChange companies | Information about your device or the software you use e.g. its IP address | From your use of our website and online services |
Correspondence | All StepChange companies | Records of communications including emails, live chat, and social media communications; records of advice and recommendations | From you and generated by us whilst using our services |
5. What other information do you collect about me?
Credit reference agencies
We access data held by credit reference agencies for several reasons:
- If you decide to proceed with any managed solution from StepChange (including any of the entities listed in section 2), we will carry out checks on your identity. We need to do this in order to progress with the solution you choose to take. We carry out this activity based on our legitimate interests to conduct identity checks.
- As part of the service we provide when setting up certain debt solutions, we undertake a check on your credit file to ensure that we hold up-to-date and accurate information about you and your finances. We carry out this activity based on our legitimate interests, to ensure your personal data is accurate and up to date.
- If you decide to proceed with a recommendation from StepChange Financial Solutions for a mortgage or, in some instances, an Equity Release plan, your application will be subject to a Decision in Principle (DiP) credit search. This will be undertaken by a credit reference agency and the outcome will be given to StepChange. We carry out this activity as it is necessary when entering in to, or for the performance of, a contract you will be party to.
- We also use credit reference agencies to carry out ‘Know Your Client’ and ‘Anti Money Laundering’ checks. These fulfil our legal obligations under Money Laundering Regulations and Financial Conduct Regulations.
To conduct credit reference checks, StepChange will usually make a request, via one of our third party software providers, to one of the main three credit reference agencies in the UK: Experian Ltd, Equifax, or TransUnion. StepChange will only share the minimum amount of personal data with them to identify you.
You can find out more about how these credit reference agencies use your personal data by reading their ‘Credit Reference Agency Information Notice’(CRAIN).
Creditors and debt recovery agencies
During the process of setting up and administering some of our debt solutions, we may receive information from creditor(s) and debt recovery agencies about you and your debts then enable us to better manage your debt solution.
6. What do you use my personal data for?
What we use it for | Lawful Basis for Processing |
---|---|
To initially contact you to provide you with information on the products and services available from the three StepChange companies (Debt Solutions, Financial Solutions and Voluntary Arrangements) | Legitimate Interest – the provision of this information will generally be due to a request made by yourself about our products and services. |
To provide you with advice and recommendation on the products and services available from the three StepChange companies (Debt Solutions, Financial Solutions and Voluntary Arrangements) | Legitimate Interest – the provision of advice and recommendation for a debt management solution requires us to process your data to ensure we have a full understanding of your personal and financial situation in order for us to be able to assist you effectively and meet our regulatory requirements.
Contractual obligations – the provision of advice and recommendation for a mortgage or equity release plan is pursuant to you entering into a contract with a third party lender of standard mortgages or lifetime mortgages and we are required to process the data to achieve this. Explicit Consent – we will ask you to give explicit consent to process data relating to health at the time we ask for it, if it is relevant to retain it to support you with the service going forward. We also seek explicit consent to gather data relating to ethnicity where we use it for research and evaluation purposes. (See Section 7 below on how to withdraw consent.) |
To set up and administer a Debt Management plan | Legitimate Interest – the set up and ongoing servicing of a debt management plan requires us to process your data to ensure we are managing your arrangements in an effective and timely way and to meet our regulatory requirements of administering a debt management plan. |
To process an application for a mortgage or equity release plan | Contractual Obligations – the provision of advice and recommendation is pursuant to you entering into a contract with a third party Lender of standard mortgages and lifetime mortgages and therefore are required to process the date to achieve this. |
Setting up setting up and administering a Debt Relief Order, an Individual Voluntary Arrangement or Bankruptcy | Legal obligations – the setting up and administering these types of debt solutions forms a legally binding agreement and we are there required to process your data to achieve this. |
To make and manage your payments | Legitimate interests – where you make payments to us as part of a debt solution, we have a requirement to process these in line with regulatory requirements. |
To verify your identity | Legal obligations – we have a legal responsibility to carry out checks to ensure we are dealing with you. |
To contact you in connection with any enquiries that you raise | Legitimate interests – of responding to questions and comments raised when you contact us. |
Record keeping | Legitimate interests – we need to have a need to retain to comply with regulatory rules and ensuring we are implementing quality checking and compliance processes. |
Monitoring and recording of telephone calls and email communications where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business including quality and training purposes and customer satisfaction surveys | Legitimate interests – to monitor and improve the quality of our products and service offerings (which may involve using your data in quality and performance training) and to ensure we comply with regulatory requirements. |
Financial Crime matters | Legal requirement – we are required by law to detect, investigate, report, and seek to prevent financial crime. |
Marketing | Legitimate Interest – to provide you with information on our products and services to you such as newsletters where you take up certain debt solutions.
Consent – In some circumstances we will ask for consent for marketing purposes e.g. where you have subscribed to or signed up to some of our financial help initiatives such, or before using your feedback as testimonials or your situation as a case study. |
Research and analysis | Legitimate Interest – to enable the Charity to better understand the issues faced by Clients in relation to the impact of debt. We will use anonymised date to support our work with campaigning to influence government and policy makers to help reduce the number of people falling into financial difficulty, and campaigning to raise awareness of the support available for people struggling with debt. |
Improving our products and services | Legitimate interest – to enable the Charity to better understand your circumstances and preferences so we can provided you with the best advice and offer you a tailored service. |
To support the work of our funders | Legitimate Interest – StepChange has contractual arrangements in place with various UK government bodies to receive funding for some of its debt advice services. (See section 11 below) Your data may be subject to processing as part of these arrangements on the basis of further the research and evaluation work they do to better understand the provision of debt advice in England. You may have the right to object to some of this processing should you wish to do so.
Consent – where funders wish to use third parties to contact our clients to aid their research, we will seek consent to allow them to do this. (see Section 7 below on how to withdraw consent.) |
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to provide our services for example; debt management plans may need to be cancelled or revoked and applications for mortgages, debt relief orders, individual voluntary arrangements, bankruptcy orders may be delayed or terminated.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7. Do I have the right to withdraw consent?
The majority of our processing of your personal data is not based on consent however, where we do rely on your consent to process personal data, you have the right to withdraw this at any time. You can do this via phone, email or post.
8. How long will you keep my data for?
We will only retain your personal information for as long as necessary. For example, if you proceed with setting up a debt solution, we will normally keep your core data for a period of 6 years from the end of our relationship with you. We may however need to retain some information for a longer period where we need to comply with regulatory, legal, accountancy or reporting requirements. There may be some information however that we do not need to retain for this period of time and we may destroy, delete or anonymise it more promptly. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from dpo@stepchange.org
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
9. How do you keep my data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, inappropriately altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We regularly review our information collection, storage and processing practices, including physical security measures.
10. Is any of my data transferred outside the EEA?
We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in the event that we did, to ensure that your personal information does receive adequate protection, we will put in place protective measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respect the UK and EU laws on data protection.
Appropriate specific protective measures include for example, model clauses in data sharing contracts and ongoing security assessments. If you require further information about these measures you can request it from dpo@stepchange.org
11. Do you share or disclose my personal data with third parties in order to provide your services?
We need to share your data with certain third parties, including third-party service providers and the entities within StepChange listed under the heading “Who we are”. in order to deliver the services and products to assist you. This includes:
- Searching the files of external data bureaus in order to verify your identity (see section 5)
- To notify creditors and creditor partners of the status of your progress through the advice service. We only do this where creditors have signed up to the principles of using this information to enable them to provide early forbearance whilst we work with you to set up a plan or debt management solution
- Some of our funding for debt advice in England is provided by the Money and Pensions Service (MaPS), an executive non-departmental public body, supporting the provision of debt advice. Part of this arrangement involves us sharing data with the MaPS in relation to the advice element of the services we provide. This enables them to fulfil their ‘public work’ function which involves calculating the services being offered. You can find more information or object about how the Money and Pensions Service use your data here.
- To notify the Money Advice Network (MaN) (part of the MaPS noted above) of the status of your progress should you have been referred to us through this service to enable MaN to evaluate the service received by you. More information on how MaN process data can be found here.
- Where disclosure is made at your request or consent
- Where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so. For example, where you are making and application for a mortgage or equity release plan, we need to share data with the lender, the property valuer appointed by the lender and your appointed solicitor
- Our third party payments provider to enable us to process card transactions when you make payments to your debt solutions via card
- To provide you with printed materials for the provision of our online application system where it is not hosted by StepChange
- Our third party security partner that provides software programs to support us with access arrangements for your account with us
- We will disclose your personal data to third parties if we are under a duty to disclose or share your personal data in order for us to comply with any laws, regulations or good governance obligations, or in order to enforce or protect our rights, property or safety, or that of our customers or other persons with whom we have a business relationship. These parties will include (without limitation) the Charity Commission, the Financial Conduct Authority (FCA), the police, Action Fraud, The National Crime Agency, HMRC, HM Treasury and the Department of Work and Pensions.
How secure is my information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we share with them is required to be in place before we share any data. Ongoing checks are carried out on these arrangements at regular intervals.
Sharing aggregated or anonymised information
We may share aggregated or anonymised data within and outside of the StepChange companies with partners to assist with our work in improving financial lives. For example, we may share information about the challenges we see our clients facing when trying to deal with their debts and reasons why people are getting into financial difficulty within our consultation work with the FCA and our partnerships such as the Money and Pensions Service (Maps). You will not be able to be identified from this information.
12. Your rights in connection with your personal data
Under certain circumstances, by law you, or your legal representative, have a number of rights listed below. If you want to request a copy of the personal information we hold about you, or make a rights request please contact customerrelations@stepchange.org in writing detailing your request.
We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
Where data is simply out of date (for example you have moved house) we will update your file but may retain a record of the old data for audit and compliance purposes or example we may need to verify that we carried out searches against the address which was current at the relevant time. If you dispute the accuracy of the information we hold, we will restrict processing, where appropriate, while we consider your request.
Where we have another legal basis for processing your data we may be able to continue to process this even if you do not consent to it. We also have no obligation to stop using your data if your data is required for legal proceedings or the establishment, exercise or defence of legal rights.
Where we process data on the basis of legitimate interests you have a right to object to this. We will restrict what we do with your data while we consider this request and will stop processing the data if we cannot show overriding legitimate grounds for processing the data. We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
This right does not apply to all information about you. Information required to establish, enforce or defend our legal rights, or which is required for compliance purposes also does not need to be deleted.
We will not charge you a fee and we will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.
13. How can I complain about how you use my data?
If you are unhappy with the products or services that we have provided you with or are dissatisfied with the handling of your customer data, you can contact us at customerrelations@stepchange.org
You may also refer your complaint to the Information Commissioner’s Office. The ICO has web forms for making complaints and also has a helpline you can call. Details are available here.
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance the ICO will usually ask if you have done this before progressing your complaint.
14. How will I find out about any changes in how you use my data?
We reserve the right to update this privacy notice at any time, and we will make you aware when we make any substantial updates that would affect your rights or how we process your personal data.
We may also notify you in other ways from time to time about the processing of your personal information.
15. Do you use cookies?
We use cookies and similar technologies to remember you and your preferences and improve your experience whilst using our website. Our cookies policy contains more details and can be found here.