Our privacy notice for clients

Making it clear how we handle your information

1. About our privacy notice

This notice tells you, as a StepChange client:

  • What personal data we hold about you
  • How and why we use that personal data
  • What your legal rights are and how to apply them

We recommend that you read this notice.

'Personal data' means any information that:

  • Is about you
  • Can be used to identify you

In some cases this personal data could be more sensitive. It may be personal data that is private to you.

As a debt advice and solutions charity we often need to collect and use your personal data. We need to do this to provide a full and complete service.

We will also use your personal data to:

  • Review and improve our service
  • Collate data to campaign for change
  • Find out how to make things better for you
  • Meet our goals as a charity

A full list of how we use personal data has been included at Section 4 of this notice.

We do not offer products or services to children

When we help you we may collect some personal data about children who live with you or who you are responsible for. We would only do this to make sure our advice is right for you. For example: We need to know how many people live with you when making your budget.

2. Who is responsible for your personal data?

StepChange is made up of three companies. Their registration details are:

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:

123 Albion Street

Leeds

LS2 8ER

  • Registered In England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements

  • Registered Office as above
  • Registered in England no. 5659160
  • ICO registration No. Z9690343

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions

  • Registered office as above
  • Registered in England no. 6741879
  • ICO registration No. Z1721238

These companies are all known as 'Data Controllers'. This means we are jointly responsible for deciding:

  • Why we collect personal data about you
  • What personal data we collect
  • How we use your personal data
  • How we store your personal data

To provide our services, we may need to share personal data across our Group.

Colleagues only have access to the personal data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the Group. Their contact details have been included in Section 12.


3. Where do we collect your personal data from?

In most cases, we will collect your personal data directly from you. This could be through our website, by email, over the phone or by letter.

We may also sometimes get personal data from other sources.

These include:

  • Other organisations who have referred you to us. Such as other charities, your energy supplier, or your council
  • Your creditors
  • Debt collection agencies
  • Credit reference agencies (see Section 7)
  • Law enforcement agencies and government departments (only in certain circumstances)
  • You, through the course of you using our services
  • Others who are acting on your behalf
  • People you have a personal relationship with
  • From technology you use to access our services. For example, your IP address

4. What personal data do we collect about you and why?

 Read the full list of types of data and how we use them. There may be other examples than the ones listed.

If you do not provide the personal data we ask for, we may not be able to help you. For example, we need personal data about you to:

  • Give you debt advice that is right for you
  • Start, change or end debt solutions which we manage for you
  • Make applications for mortgages
  • Make sure debt relief orders, IVAs and bankruptcy orders continue
  • Improve the experience of our clients and review the quality of our services
  • Conduct research which helps us to campaign and promote our charitable objectives

By law, there are some times when we may have to use or share your personal data without asking you first. Such as, to investigate a crime or if we receive a court order.


5. When do we use Automated Decision Making?

We make use of algorithms to help us provide debt advice. They work out solutions you can apply for based on information you have shared.

Our algorithm:

  • Is managed by us
  • Is based on the debt advice policy written by our own experts

We also have a number of free online tools and calculators. They can give you quick answers and ways to help you deal with your money worries.

We may sometimes use algorithms built by other organisations. Where this is the case we ensure that we have checked that it is accurate and meets our expectations.

If you feel that the wrong outcome has been reached using our algorithms or online tools then you have the right to a review of the automated outcome by a human. More details have been provided in the section on your rights. See Section 11.

We will not go ahead with a debt solution (such as a debt management plan) unless you have asked us to.

We also use automated technology to assist with ensuring that the quality of our service meets our standards – for example flagging where an interaction with us may not have met our expectations.


6. Who do we share your personal data with and why?

There are a number of reasons why we might share your personal data with other organisations.

Debt Advice

When you get debt advice from StepChange we will often share your personal details and our debt advice recommendations with your creditors.

This information allows your creditors to know that you are getting help from StepChange, understand the outcome of the debt advice, and make informed decisions about your accounts with them.

We will only do this where your creditors have signed up to our arrangement. We will tell you if they are signed up when you go through debt advice with us.

Where your creditors have signed up to this arrangement then we will share the following personal data with them:

  • Your StepChange reference number
  • Your creditor account number (so your creditor can locate your records)
  • Your name, address, and date of birth (so your creditor can verify you)
  • Confirmation of your progress through debt advice
  • Types of debt you tell us about
  • Our recommendation to you and any debt solution you may have chosen

Your interactions with StepChange will otherwise stay between us.

We may also ask your creditor to cover the costs of providing you with debt advice. This helps us to provide you and other people with free and independent advice.

Managed Debt Solutions

When you choose to go ahead with a debt solution we manage (for example, a debt management plan) we will need to share your personal data with your creditors. This is so:

  • They can review your circumstances
  • An arrangement can be agreed
  • Payments can be made to them

We only share the minimum amount of data and your interactions with StepChange will otherwise stay between us.

We will only do this if you have signed an agreement with us. We will provide you with more information about how your personal data will be shared in the agreement for your debt solution.

Other circumstances

There may also be other times where we may share your personal data with your creditors. This could be:

  • Where you have asked us to do so
  • To investigate complaints or issues
  • Where we have asked you if we can do this

We sometimes may need to share your personal data with other organisations:

  • Where we have a legitimate business reason
  • Where we have to by law
  • To meet the terms of a contract
  • Where you have told us we can do this

Who we may share personal data with and why:

  • Credit reference agencies: To check your credit file. See Section 7
  • Third party organisations: When we refer you to them for further support and only if you have told us we can do this. These may be charities or other specialists
  • Lenders, their valuation companies and solicitors: When you are applying for a mortgage or equity release with our help
  • Government departments and agencies: When they manage or sign off certain debt solutions. Such as, the Accountant in Bankruptcy (AiB) in Scotland and the Insolvency Service
  • Government departments and agencies: Where we must share personal data by law. Such as HM Revenue and Customs (HMRC), HM Treasury, and the Department for Work and Pensions (DWP)
  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority (FCA), Insolvency Practitioners Association (IPA), and the Information Commissioner’s Office (ICO)
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our funders and partners may also expect us to agree to audits. This is to make sure our service meets their standards. To do this, we may have to share your personal data. This could be because we are allowed by law to do this, or you have given us permission. These are called 'non-statutory audits'
  • Our insurers
  • Our accountants, legal, and compliance advisers. As well as other specialist consultants or contractors
  • Researchers we work with. Such as universities, market researchers and companies who track customer satisfaction. Where possible, we will remove personal data from the information we share with them

We may also share your personal data if you have asked us to or told us we can.

We will keep records of what has been shared with third parties and why.

We also work with third party suppliers who help to deliver our services.

Our suppliers will only have access to your personal data where we have given them strict instructions and have first made sure that your personal data is secure when it is with them.

We use them for:

  • IT services, software, and hardware
  • Outsourced administration services
  • Payment services. For example, to allow you to make a payment to us

There may be other examples.

We may share ‘statistical data’:

  • Internally within our organisation
  • With charity partners and funders
  • With the wider public to support our campaign work

In these cases, you will not be able to be identified. For example, we may share or publish details about the challenges our clients face as part of our reporting on the reasons why people have financial difficulty.


7. Why do we use Credit Reference Agencies (CRAs)?

There will be no negative impact on your credit file from getting debt advice from StepChange.

We will not go ahead with a debt solution unless you have asked us to. At that point we will use CRAs as described below. This may leave a footprint on your credit file.

We will use a CRA for a number of reasons:

  • We need to check who you are when we manage a debt solution for you
  • We need to know about your current finances when we set up your solution
  • We must meet the Money Laundering Regulations and Financial Conduct Regulations. To do this, we use CRAs to carry out ‘Know Your Client’ (KYC) and ‘Anti Money Laundering’ (AML) checks

Only if you apply for a product from StepChange Financial Solutions:

  • It may depend on a 'Decision in Principle' (DiP) credit search
  • We will disclose your personal data to a lender, and the lender will then use a CRA to run the DiP and share the results with us. We do this to comply with a contract you may be entering into with the lender

How we run credit reference checks

Through our third party software providers we run checks with the main CRAs. These are:

  • Experian Ltd
  • Equifax
  • TransUnion

We limit what information we share with the CRAs. We will only share basic details to find your record.

You can find out more about how CRAs use your personal data. Look on their websites for ‘Credit Reference Agency Information Notice’ (CRAIN).


8. How long will we keep your personal data for?

We will need to keep your personal data to:

  • Provide debt advice to you
  • Manage your debt solutions
  • Keep a record of the advice and services we have provided to you
  • Investigate any complaints or concerns

In most cases we will keep this data for six years from the end of our relationship with you.

For example, this could be six years from:

  • Our last significant contact with you
  • The end of your StepChange managed debt solution
  • The end of any product application that we helped you with
  • The end of the financial year when you have made a payment to us

In some cases we may need to keep some information for longer. This could be if there is the need to comply with laws and standards, or for defending legal claims.

What about recording of phone calls and other interactions?

StepChange operates a policy of recording all interactions (which includes telephone calls, web chat, and emails) which it receives and sends.

These interactions are usually kept for the following periods of time:

  • Before July 2024: 1 year after the interaction
  • After July 2024: 6 years after the interaction
  • Interactions about equity release products: 25 years after the interaction

9. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job and all of our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.


10. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier has computer servers in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law, such as countries in the European Economic Area, or
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK’s data protection regulator. We have also assessed that country’s laws, or
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you.

11. What are your data protection rights?

You have a number of rights relating to how we use your personal data. We have listed these below.

Please contact us at DPO@stepchange.org to make a request.

We may need you to share extra detail so we can check who you are and understand what you need from us.

In most cases, we will respond within one calendar month. If there is a reason that this is taking us longer than that, we will let you know.

Your rights are:

  • To have access to, or a copy of, this privacy notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you if we no longer need it
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all of the above rights. If so, that could mean that we would not be able to do as you have asked. We will let you know if this is the case.


12. How can you complain about how we use your personal data?

There is a process you can follow if you are unhappy with how we have used your personal data.

Or -

  • If you are unhappy with how a data protection complaint or data protection request was handled, email DPO@stepchange.org with details

You may also raise any concerns with the Information Commissioner’s Office. They are the UK’s Data Protection regulator.

Visit their website to find out more about how to contact the ICO or call 0303 123 1113. Please note that the ICO expect you to have gone through our internal complaints process before raising a complaint with them.


13. Will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may write to you to let you know if major changes are made to this notice.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another purpose, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know and we will explain why we are allowed to do this by law.


This notice does not form part of any contract with you. We may update this notice at any time.

Published: February 2025. (Version 6).