We aim to make our website as accessible as possible. However if you use a screen reader and require debt advice you may find it easier to phone us instead. Our phone number is 0 8 0 0 1 3 8 1 1 1 1. Freephone (including all mobiles).

Our privacy notice for social media users

Making it clear how we handle your information

1. About our privacy notice

This notice is for users of social media platforms whose information we may collect as part of our online activities.

This is someone who:

  • Has contacted us or interacted with us on a social media platform
  • Has mentioned StepChange on a social media platform
  • Has contributed to, or interacted with, an online conversation or campaign which we are interested in (e.g. debt awareness week / cost of living crisis)

We recognise that individuals whose information we collect for these purposes may or may not be a StepChange client.

If you are a client of StepChange you should also read our Client Privacy Notice

This notice tells you, as a social media user:

  • What personal data we hold about you
  • How and why we use your personal data
  • What your legal rights are

We recommend you read this notice to understand your data protection rights and how to manage them.

'Personal data' means any information that:

  • Is about you
  • And which can be used to find out who you are

In some cases this data could be more sensitive. It may be data that is private to you. Find out more in Section 4.

We do not offer products or services to children

Where we interact with social media users we can not guarantee that they are not children due to the nature of social media platforms. Although this is not our intention as our services are not offered to this audience. For guidance on internet safety then please refer to: https://www.internetmatters.org/advice/

2. Who is responsible for your personal data?

StepChange is made up of three companies. Find out more about them:

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:

123 Albion Street

Leeds

LS2 8ER

  • Registered In England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

Consumer Credit Counselling Service Voluntary Arrangements Limited

Trading as StepChange Voluntary Arrangements

  • Registered Office as above
  • Registered in England no. 5659160
  • ICO registration No. Z9690343

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions

  • Registered office as above
  • Registered in England no. 6741879
  • ICO registration No. Z1721238

These companies are all known as 'Data Controllers'. As a Group, this means we are responsible for deciding:

  • Why we collect data about you
  • What data we collect
  • How we use your personal data
  • How we store your personal data

By law, we have to tell you this and make this privacy notice available to you.

To provide our services, we may need to share data across our Group.

Colleagues only have access to the data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the group.

Their contact details have been included in Section 12.

3. Where do we collect your personal data from?

In most cases we collect your personal data from social media platforms (such as Facebook, X, Instagram, LinkedIn, Reddit etc.) and web forums (e.g. MoneySavingExpert forum).

We make use of a third party tool which helps us keep track of StepChange mentions, interactions, and other topics we are interested in. Our dedicated social media team manage the use of this tool as well keeping an eye on all of our social media profiles.

4. What information do we collect about you and why?

We collect data about social media users for the following reasons:

When a social media user has made contact with us on social media (e.g. direct message or mention) or has interacted with one of our social media posts.

Types of information:

  • Your social media user name
  • Your first and last name (if available and/or publicly shared)
  • Your profile picture or avatar
  • Your social media bio / description (if available and/or publicly shared)
  • Any social media posts, comments, interactions, or re-posts (if available and/or publicly shared)
  • Your relationship with us (if you make this available to us)
  • Any information which you have voluntarily provided to us

Sensitive information:

If you openly share sensitive information about yourself (e.g. your health or other details personal to you) then this may relevant to our interaction with you.

Purposes:

  • To ensure that we give you the best interaction with our service and use of social media profiles.
  • To help us get our key messages across, build trust, gain feedback and develop stronger relationships with our brand online.

This is because we have a legitimate interest to maintain an online presence.

When a social media user or news outlet has mentioned StepChange on social media or online and has made this publicly available.

Types of information:

  • Source of information (e.g. link to publicly shared information which mentions StepChange)
  • Your social media user name
  • Your first and last name (if available and/or publicly shared)
  • Your age bracket (if available via the social media platforms)
  • Your profile picture or avatar
  • Your social media bio / description (if available and/or publicly shared)
  • Your interests (if available and/or publicly shared)
  • Any social media posts, comments, interactions, or re-posts (if available and/or publicly shared)
  • Your relationship with us or views about us (if you make this available to us)

Sensitive information:

If you openly share sensitive information about yourself (e.g. your health or other details personal to you) then this may relevant to you mentioning StepChange online.

Purposes:

  • To review and monitor brand health and organisational reputation
  • To monitor any customer service issues or feedback
  • To monitor the success of our online activities and campaigns

This is because we have a legitimate interest to maintain an online presence and brand.

When we have an interest in debt, finance, economic and societal issues which are directly linked to, or adjacent to, the services we provide.

Types of information:

  • Source of information (e.g. link to publicly shared information which mentions StepChange)
  • Your social media user name
  • Your first and last name (if available and/or publicly shared)
  • Your age bracket (if available via the social media platforms)
  • Your profile picture or avatar
  • Your social media bio / description (if available and/or publicly shared)
  • Your interests (if available and/or publicly shared)
  • Any social media posts, comments, interactions, or re-posts (if available and/or publicly shared)
  • Your relationship with us or views about us (if you make this available to us)

Sensitive information:

If you openly share sensitive information about yourself (e.g. your health or other details personal to you) then this may relevant to the topics we are interested in (e.g. if you are campaigning about debt issues faced by ethnic minorities).

Purposes:

  • To maintain brand health and reputation
  • To deliver online campaigns which support the work we do and services we provide
  • To detect any emerging or ongoing societal issues which we may choose to campaign about, or conduct more detail research about, in the future

This is because we have a legitimate interest to conduct research activities and conduct charitable campaigns.

5. When do we use Automated Decision Making?

To ensure that we have 24/7 coverage of some of our social media profiles we make use of an automated ‘chat bot’ run by a third party. This chat bot will not make decisions about you but will decide how to deal with your query – for example based on your question it may decide to signpost you to a page on our website.

6. Who do we share your personal data with?

We may share your personal data with other organisations for a number of reasons.

Find out why we share your personal data and who with. There may be other examples than the ones listed:

We sometimes may need to share your personal data:

  • Where we have a compelling and legitimate business reason
  • Where we have to by law
  • Where you have told us we can do this

When we may share data and who with

  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority, Insolvency Practitioners Association, the Information Commissioner’s Office, HM Revenue and Customs, HM Treasury, and the Department of Work and Pensions
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our insurers
  • Our accountants, legal and compliance advisers. As well as other specialist consultants or contractors
  • Researchers we work with. Such as, universities, market researchers and companies who track customer satisfaction. Where possible, we will hide personal information from the data we share
  • Social media providers: where we need them to help us resolve any issues

We may also share your information if you have asked us to or told us we can.

Where we do share your personal data with third parties, we will:

  • Maintain records of what has been shared
  • Keep a written agreement

Please note, unless this is subject to a legal obligation.

We also work with third party suppliers who help to deliver our services. These are known as ‘data processors’.

We only allow them to use your personal data when we allow it and to do what we have asked them to do.

We make sure your personal data is secure when it is with them. There are processes in place to check this.

We use them for:

  • Facilitating an automated ChatBot function on some of our social media profiles
  • To help us find, review, and digest any relevant social media information
  • To help us link or advertise our social media profiles

There may be other examples.

We may share ‘statistical data’:

  • Internally within our organisation
  • With partners and funders
  • The wider public to support our campaign work

In this case, personal details are not included. For example, we may share or publish details about the challenges our clients face. This is part of our reporting on the reasons why people have financial difficulty.

You will not be identified from this information.

7. How long will we keep your personal data for?

We will hold any social media information, where you can be identified, for 2 years following the date of our interaction with you / when we first collected your data via a social media platform.

We may still have access to your data, interactions, or relevant posts via the social media platform where we do not have control over content.

In some cases we may need to keep some information for longer. This would be if there is the need to comply with laws or standards. Such as, defending legal claims.

8. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job. All our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.

9. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier stores data in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law. Such as, countries in the European Economic Area. Or,
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK’s data protection regulator. We also have assessed that country’s laws. Or,
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you

*Please note that we are not responsible for where a social media company stores your social media information.

10. What are your data protection rights?

You have a number of rights relating to how we use your personal data. They depend on why we are using your personal data. We have listed these below.

Please contact us at DPO@stepchange.org and we will respond.

We may need you to share extra detail so we can:

  • Check who you are
  • Establish your relationship with us or one of our clients
  • Understand what you need from us.
  • Ask for additional forms of identification, as we will not usually have a relationship with you

In most cases, we will respond within one calendar month. If there is a reason why it is taking us longer, we will let you know.

Your rights are:

  • To have access to, or a copy of, this notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all of the above rights. You should also be aware that when we consider your data protection rights, we must by law, balance these against the rights of our client. This could mean we may not be able to do as you have asked. We will let you know if this is the case.

11. How can you complain about how we use your personal data?

If you are unhappy with how we have used your data there is a process you can follow.

If you are unhappy with:

  • How we have used or handled your personal data or
  • How we have handled your data protection rights request

Please follow our client complaints process: https://www.stepchange.org/legal/complaints-process

Email: customerrelations@stepchange.org.

If you are unhappy with how a data protection complaint was handled, email DPO@stepchange.org

You may also raise this with the Information Commissioner’s Office. (ICO) They are the UK’s Data Protection regulator. Visit their website to find out more about this

Please note: The ICO expect you to have gone through our internal complaints process before raising a complaint with them.

12. How will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another reason, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know. We will explain at this point why we are allowed to do this by law.

This notice does not form part of any contract with you. We may update this notice at any time.

Published: March 2024. (Version 1).