Privacy and your data
Who we are
The Money Advice Trust “The Trust” is a charity founded in 1991 to help people across the UK tackle their debts and manage their money with confidence. The Trust’s main activities are giving advice, supporting debt advisers and improving the UK’s money and debt environment.
The Trust runs the services Business Debtline and National Debtline. We give advice and information to people concerned about their debts through these services.
The Trust is registered with the Information Commissioners Office (ICO). Our registration number is Z270290X.
The Trust is committed to good practice in the handling of personal data and careful compliance with the requirements of the Data Protection Act (2018).
The Trust is a "Data Controller". This means that we are responsible for deciding how we hold and use personal information about you. The Trust looks after the information it holds about you and respects your privacy.
This privacy notice explains how we will treat your information, what your rights are, and how we will ensure that your data is kept safe, secure and in your control.
Please contact us if you require a paper copy of this privacy notice. Email DPO@moneyadvicetrust.org.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We make sure that:
the information we hold is as accurate as possible;
we do not hold more information than we need; and
we do not hold it longer than we need to.
Processing your data
We need a lawful basis to collect and use your personal data under data protection law. The UK data protection legislation details six possible bases that organisations can use to process personal data (and additional ways to process special category data).
Our lawful basis for processing your personal data is legitimate interests as collecting the data is necessary to fulfil our purpose as a debt advice charity and to assist you in dealing with your situation.
The purpose of processing your data is so that Business Debtline can understand and record details about your personal and financial situation to provide advice and assist you effectively, and also to meet our regulatory requirements and charitable purpose. We believe that legitimate interests is an appropriate basis as we only use data in ways that people contacting a charity for help with their debt situation would reasonably expect.
When we use your personal information, we will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:
To enable us to better understand the issues faced by our clients. This will include surveys and research.
To understand how well we delivered the service and how we can improve.
To understand the impact of our advice.
We will only ask for the information we need. We always let you decide what you're comfortable telling us, explain why we need it and treat it as confidential.
We only access your information for other reasons if we really need to. For example:
for training and quality purposes;
to investigate complaints;
to get feedback from you about our services; and
to help us improve our services.
All staff accessing data have had data protection training to make sure your information is handled sensitively and securely.
Some of our funding for debt advice in England is provided by the Money and Pensions Service (MaPS). MaPS is a government body and works alongside partners across the UK to make debt advice easier and quicker to access. MaPS also works to improve standards and quality across the sector.
Part of this arrangement involves us sharing data with MaPS to help with the important work they undertake. Their lawful basis for processing this data is it enables them to carry out their “public work” function which involves reviewing, assessing and improving the services being offered. If you would like further information or would like to object about how the Money and Pensions Service use your data, please visit https://moneyandpensionsservice.org.uk/privacy-notice/.
Contacting us with questions about how we use your data
We have a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact DPO@moneyadvicetrust.org
How we keep your data secure
The Trust is committed to good data management to protect people from harm. This means we take appropriate security precautions to prevent your information being lost, used or accessed in an unauthorised way, inappropriately altered or disclosed. In addition, we limit access to your personal data to those employees and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. We regularly review our information collection, storage and processing practices, including physical security measures.
What information do we collect?
We collect the following data that is provided by you.
Personal identification information (name, email address, postal address, phone number).
Details of your situation as described to us by you. This includes any debts you may have.
Some data is automatically collected from your computer. You can read more about this below.
We will always explain how we use your information.
How do we collect your information?
You directly provide us with the information we collect. We collect information and process it when you do the following.
Talk to one of our Business Debtline advisers on the phone.
Use our Business Debtline webchat services.
Use our online My Budget tool
Provide feedback to us on the Business Debtline website
Respond to a survey
On the phone
As part of the advice process we will set up a case record. This record will be completely confidential. We will take details of your circumstances and give you advice on your options to deal with your debt. We will give you a unique reference number which means you can call back and get more advice from us without having to repeat your details.
If you would prefer, we are also able to set up an anonymous record which means you can still call back for follow on advice by quoting the reference number and the memorable password you give us. However, this will mean that we will be unable to post any information out to you (unless you provide us with your email address) but we can signpost you to relevant and appropriate fact sheets and information on our websites.
We hold your records for six years after the last contact. After this time, your details are anonymised. You can remove your details from the record at any time, either by calling us or writing to us.
Calls are recorded for training and quality purposes and are stored for three years before they are deleted.
Webchat
When you use our webchat service we will not set up a client record for you. If you have an existing record, we will not update this following a webchat. Any advice we give you will be based only on the information you share with the webchat adviser and nothing else. When you start a webchat you will be told that chats are recorded and may be used by us and third parties for training and quality purposes. Chat records are stored by us for three years on an internal encrypted database before they are deleted. You can request that your personal information is deleted from our webchat database at any time, either calling us or writing to us.
My Budget
When you register we will set up a case record. This record will be completely confidential. We will take details of your circumstances including income, outgoings and debts in My Budget. We will give you a unique reference number which means you can call us and your adviser will be able to see the information you have entered into My Budget. If you have already spoken to one of our advisers, you can call back and get more advice from us without having to repeat the details you have entered in to My Budget.
We hold your records for six years after the last contact. After this time, your details are anonymised. You can remove your details from the record at any time, either by calling us or writing to us.
If you contact us to enquire further about our services, your email and our response will only be held for as long as is necessary and for the purposes for which it was processed. Once dealt with, and the purpose no longer applies, the emails will be deleted. If there is a legal or business reason to retain these emails, then a clearly defined retention time will be agreed after which time the emails will be deleted.
The feedback tab
You can use the feedback tab on our website to give us feedback on our website or service. If you share any personal data, we will only use it to understand your feedback and act if we need to. You will not receive any marketing. We will only hold this information for as long as is necessary before it is deleted.
If you are making a complaint and you give us your contact details, we will respond to you. We keep details of complaints for six years before they are deleted. For more details please refer to our complaints policy.
Surveys
We use client surveys so that we can understand how we delivered our service to you, your circumstances and the impact that our advice has had. If you respond to our survey we will hold your survey response for 3 years from the date of your response.
Opting in to share your experience with the Money & Pensions Service (MaPS) & their research partners
If you opt in and consent to “share your experience” with MaPS and their research partners when registering with My Budget, or on the phone, you can withdraw your consent and opt out at any time. You can do this by calling us or writing to us at DPO@moneyadvicetrust.org
Information we automatically collect from your computer
When you visit the Business Debtline website our web server automatically records your IP address. This IP address is not linked to any of your personal information. We use IP addresses to help us administer the site, to collect demographic information and to find out such things as how many people are visiting particular pages on our site.
Our website may also use a website recording service which may record mouse clicks, mouse movements, page scrolling and any text keyed into website forms. Data collected by this service is used to improve our website usability. The information collected is stored and is used for aggregated and statistical reporting and is not shared with anybody else.
We may also gather other non-personal information (from which we cannot identify you) such as the type of internet browser you use so that we can provide you with a more effective service.
For a comprehensive overview of how we use cookies please refer to our Cookies Policy.
How will we use automatically collected information from your computer?
We will use some of this information to:
carry out marketing analysis and make general improvements to our site; and
analyse how users are making use of the site.
We may collect anonymous data which is shared with our partner agencies, funders and the government. This enables us to demonstrate demand and use of the site.
Special category data and explicit consent
‘Special categories’ of particularly sensitive personal information require higher levels of protection under the Data Protection Act. This sort of information includes the following.
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Genetic data
Trade Union membership (where you are recording the actual name of the union)
Physical or Mental health or condition
Sex life or sexual orientation
If we need to ask you for this information and record it to help us give you advice on the phone or webchat, we will ask for your explicit verbal consent at the time. We will provide you with full details of the information that we would like and the reason we need it, so that you can consider whether you wish to consent.
If you provide this information using My Budget, you will have been provided with details of our privacy notice when you registered and will have opted in to enable us to record any data that you disclose, including special category data. You can request to remove this information from our records at any time by calling or writing to us.
Do you share or disclose my personal data to third parties?
Referrals to other agencies / data processors
In order to provide you with advice and also recommendations on an appropriate debt solution, we may need to share some of your personal information with other data processors. This is necessary for the purposes of delivering specific services to you. Other data controllers which we may share this information with may include:
other debt advice providers. For example, if we refer you on to a casework service;
debt solution providers. For example, if we refer you on for an Individual Voluntary Arrangement or a Debt Management Plan;
the Insolvency Service if we refer you on for a Debt Relief Order or Breathing Space; or
your creditors or their agents, if they have been included in your Breathing Space application and they have queries regarding this, or if we are delivering a casework service to you.
In all of the above cases we will always gain your consent to share your data with the appropriate third party and your explicit consent if we need to share any special category data or sensitive information about you.
Sharing your data without your consent
We would only share your data without your permission in the following circumstances.
To prevent a risk to life to you or other people and you were physically unable or lacked the capacity to give consent at the time. Under the Data Protection Act our basis for processing your data in such circumstances is vital Interests. If we do disclose information without your permission in these exceptional circumstances, this is authorised by a senior member of staff.
If you or someone else is at risk of neglect or physical, mental or emotional harm and we do not have your consent to record or share your details we may process your data for reasons of substantial public interest. We would only do so in exceptional circumstances, to protect someone from serious harm, or to prevent the loss of life.
When we are under a duty to disclose or share your personal data with certain parties in order to comply with any laws, regulations or good governance obligations, we may process your data for reasons of substantial public interest. These parties will include the Charity Commission, the Financial Conduct Authority, the police, Action Fraud, the National Crime Agency, HMRC, HM Treasury and the Department of Work and Pensions.
Your personal data rights
We do our best to be open and transparent about how we use your personal data and, where possible, give you choice over what data is held and how it is used.
The Data Protection Act (2018) sets out the rights you have over how organisations should treat an individual’s data. These are as follows.
Right to be informed
Right of access
Right to rectification
Rights to object to, and restrict the use of your data
Right to be forgotten
Right to data portability
Rights in relation to automated decision making and profiling
Rights relating to direct marketing
Right to be informed
The Trust will ensure that all individuals understand why their data is being obtained, how it is being used and how they can access it. We shall provide this information in a manner that is clear, transparent and easily accessible. This information is provided for all ways in which you may communicate with us.
Right of access
You have the right to find out what personal data we hold about you, and to receive a copy of that data. This is commonly known as a ‘Data Subject Access Request’. Please refer to the subject access request section below if you want further information on how to access your data. We will always ensure that you can access your data quickly and easily.
Right to rectification
To provide advice that is comprehensive, accurate and tailored to the circumstances of each person that we help, the Trust needs to hold accurate data. If you believe that your personal data is inaccurate or incomplete, let us know and we will ensure that this is rectified. If the Trust has disclosed the personal data in question to third parties it will inform them of the rectification where possible.
Rights to object to, and restrict the use of your data
You can ask to remove your details from our records at any time if you object to or wish to restrict any processing of your data. However, this does not affect the lawfulness of any processing carried out before you notify us that you want your data to be removed.
We have no obligation to stop using your data if your data is required for legal proceedings or the establishment, exercise or defence of legal rights.
Right to be forgotten
The Trust wants you to be comfortable about the data that we hold about you. Therefore, you have a right to have your personal data deleted in the following circumstances:
you no longer want us to process this data;
you object to the use of your data and we have no overriding reason to keep it;
we no longer need your data for the original reason it was collected for;
we have collected your data unlawfully.
The Trust can refuse to comply with your request for deletion of your data only in certain limited circumstances.
The Trust has a policy of anonymising your data six years after last contact. These records are used for statistical purposes by the Trust. Anonymised records will be held indefinitely.
Right to data portability
Should you wish for your data to be provided to you in a machine-readable format (e.g. CSV file) so that another organisation can process this data, then the Trust will facilitate this where possible. Please contact the DPO@moneyadvicetrust.org for more information.
Rights in relation to automated decision making and profiling
The Trust does not use automated decision making in any of its processes.
Rights relating to direct marketing
The Trust only uses personal data for direct marketing in the following instances.
Stakeholder contact details for email marketing to promote our commercial Training and Consultancy services.
Contact details for advisers for email marketing to promote our (free) WiserAdviser courses.
Permission will be obtained when the contact details are provided together with details of how your details will be processed. The Trust must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse. The request must be dealt with immediately and be free of charge.
Transferring your information outside of Europe
We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in the event that we needed to, we would ensure that your personal information was adequately protected. We will put in place protective measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which align with UK and EU laws on data protection.
How secure is my information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we share with them is required to be in place before we share any data. Ongoing checks are carried out on these arrangements at regular intervals.
Appropriate specific protective measures include for example, model clauses in data sharing contracts and ongoing security assessments. If you require further information about these measures you can request it from DPO@moneyadvicetrust.org
Subject access requests
Business Debtline is fully committed to respecting your right to access personal information that is held about you in accordance with the Data Protection Act (DPA).
A subject access request (SAR) is a request you can make to find out what personal information (data) we hold about you.
You are entitled to a copy of all information held about you and to be:
told whether any personal data is being processed;
given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people;
given a copy of your personal data; and
given details of the source of the data (where this is available).
You are only entitled to your own personal data, and not to information relating to other people unless you are acting on behalf of that person. In these circumstances, that person’s written consent will be required.
How to make a subject access request
You can make a subject access request by calling us or by email to:
DPO@moneyadvicetrust.org
You can complete the subject access request form to ensure we identify all of the relevant information and documentation.
To make a valid subject access request the following information must be provided.
Personal details: your name, address, date of birth and any previous addresses detailed on the record.
Proof of identity: two forms of identification will be required. One of these must be something like a driving licence, passport or birth certificate (see request form for a full list), and the other, a form of address verification dated in the last 3 months (see the request form for acceptable forms of ID).
Representative details: only applicable if you are applying for a subject access request on behalf of someone else.
Business Debtline will comply with requests for access to personal information as quickly as possible but will ensure that the information is provided within one month, as required by the Data Protection Act.
Is there a fee?
There is no fee for a subject access request. However, we can charge a ‘reasonable’ fee when a request is excessive or particularly repetitive.
What happens if some of the information we hold is incorrect?
You are entitled to have your personal data rectified if it is inaccurate or incomplete. We will respond to any requests for rectification within one month. This can be extended to two months where the request for rectification is complex. If we decide not to take any action to rectify the data we will explain why and inform you of your right to complain to the Information Commissioner’s Office (ICO).
You also have a right to request deletion or removal of your personal data where there is no compelling reason for its continued processing.
Where the personal data is no longer accurate.
When you object to the processing and there is no overriding legitimate interest for continuing to process it.
The personal data was unlawfully processed.
The data has to be erased in order to comply with a legal obligation.
What if I want to complain?
If you are unhappy with the way the subject access request has been handled or how your personal data has been handled, you can make a formal complaint. Please refer to our Complaints Policy.
If you are still dissatisfied with the outcome of your complaint after following our process then you can lodge a complaint with the Information Commissioners Office who will investigate the matter.
For more information on data protection and subject access requests, please visit www.ico.org.uk.
How to contact us
The Data Protection Officer for the Trust is the Head of Compliance and Risk. You can contact them by emailing DPO@moneyadvicetrust.org