Crosslight Advice and the charities which support us are committed to protecting your data and your privacy. We aim to ensure that any information you give us is held securely and safely.
Crosslight strives to follow industry best practice regarding how we collect, store and use your personal data. We are registered with the Information Commissioner’s Office.
As you use our service, visit our website, get in touch with us, or take part in our campaigns and activities, we collect information. This enables us to provide our services to our clients and improve the quality and relevance of our communications with supporters.
However you interact with us, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.
This policy explains how we collect, use and store your personal information. If you have any questions about this policy or how your data is handled, please contact us:
The Operations Manager
HTB Brompton Road
Telephone: 020 7052 0318
1. Who We Are
Crosslight Advice (‘Crosslight’) is a registered debt and money advice charity (charity number 1163306) whose registered address is HTB Brompton Road, London, SW7 1JA. You can find out more about our work at crosslightadvice.org.
Crosslight is supported by a number of independent local charities that provide funding and resources for our branches. These are;
- West Kent Debt Advice (charity number 1125756)
- TW Money Advice Service (charity number 1162828)
- St Paul’s Money Advice Centre (charity number 250015).
These charities share a common purpose with Crosslight and exist to support the work of debt advice in their local communities. Each works cooperatively and collaboratively with Crosslight, and share many systems, processes and policies with Crosslight.
In light of the close relationship between these supporting charities and Crosslight, each have agreed to adopt a common approach to privacy and data protection. This policy therefore covers Crosslight and each of the charities listed above, and we refer to all of these organisations as ‘we’ or ‘us’ in this policy.
2. What Information Do We Collect and Why Do We Collect It?
The main reason we will use personal information is to help us effectively carry out our charitable activities i.e. providing debt advice and money education to those in need. However, we also use personal data to help us raise funds to support our work, and to help us manage our staff, agents and volunteers.
We will always try to be clear, honest and open with you whenever we collect and use your personal data. The overview below summarises the different reasons why we may collect and use your data. We won’t use your personal information for all of these purposes, it will depend on the nature of your relationship with us.
a) Delivery of debt and budgeting advice: We will usually need to record quite detailed personal information about those individuals who seek the help of Crosslight’s services. This is to ensure that the advice and information we provide is appropriate and accurate. We also need to ensure you are eligible for our charitable services and on rare occasions we may also need to use your personal information for the prevention of fraud and to identify any misuse or abuse of our services. It will also be used to help us monitor the effectiveness of the services we provide.
The information we will collect may include (amongst other things);
- your contact and biographical information
- information about your income, expenditure and financial transactions
- information about your debts, financial standing and past or current insolvency actions
- information about your housing situation, personal circumstances and employment situation
- in certain circumstances it may be relevant to collect health information where this has an impact upon your ability to manage your finances or you require extra assistance or consideration in how we deal with your case (for more information about this, see the ‘Sensitive personal information’ section below)
b) Budget Builder software: Our Budget Builder website and app is available to users to create and manage their own budgets. This site will record and store the user’s name, email and encrypted user-generated password to enable users to securely access the site and save their own budget information. Any other data stored is provided by users themselves and kept on a secure server. Unless users give us their consent to receive marketing information, we will only use their contact details to provide service updates and other relevant information about the users account.
As stated above, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.
c) Money Course website: The Money Course website allows users to download Money Course resources in order to run money education programmes for their own communities. The website requires users to create an account, and we therefore record and store the user’s name, email and encrypted user-generated password to enable users to download the resources.
Unless users give us their consent to receive marketing information, we will only use their contact details to provide service updates and other relevant information about the users account. As stated above, we will never share your information with another organisation for their own marketing purposes and we will never sell your information for any reason whatsoever.
d) Fundraising, campaigning and marketing: Like all charities, we need to raise funds to support our work, as well as provide news and information to promote our aims and objectives. Although the range of marketing activities we use is limited, they may include things such as direct marketing, face-to-face activity, advertising (print, broadcast and digital) and public relations for marketing, fundraising, and income generation. This may include talking to you about specific appeals, promoting ongoing campaigns in which you can play an active role, competitions, sponsorships, events or volunteering opportunities. We may also ask if you are able and prepared to Gift Aid any of your donations.
The information we will collect may include (amongst other things);
- your contact details and preferences
- details of donations you have made
- any Gift Aid declarations you have made
- in certain situations, we may need use publicly available sources to carry out due diligence on donors to ensure that we are fundraising within the law.
e) Management of volunteers and agents: If you are one of our valued volunteers or agents we will need to use your personal information to manage your activities, deliver training, involve and update you on our projects and campaigns and to ensure your safety. This may include sending you newsletters or information about our activities so that you are best equipped to perform your role.
The information we will collect may include (amongst other things);
- your contact and biographical information
- references and searches regarding your background
- any relevant health information
- information about your level of education and relevant training
- feedback and comments about your volunteering experience, progress and appraisals
f) Staff administration: We employ a number of staff who are crucial to delivering our programmes and raising the funds to provide our charitable services, as well as providing a range of professional and technical support. We process the personal information of our employees for recruitment, staff administration, remuneration, pensions and performance management purposes.
Sensitive personal information: Under data protection law, certain categories of personal information are recognised as sensitive, including health information, race, religious beliefs, and political opinions (‘sensitive personal data’). The only sensitive personal data we currently collect is health information. We will only collect sensitive personal data if there is a clear reason for doing so – as outlined above – such as where we need this information to ensure that we provide appropriate advice or support to our service users or those who work/volunteer for us. We will only use sensitive information with your consent and for the purposes for which it is provided.
3. Lawful Processing
Like all organisations in the UK, we need a lawful basis to collect and use personal data. The law allows for six legitimate purposes which organisations can rely on to legally process people’s personal data. Of these, only three are relevant to us for the type of activities listed above:
- Information is processed based on an individual’s consent.
- Information is processed in line with a contractual relationship.
- Information is processed on it being a legitimate interest for us to do so.
Where you give us consent to process your data we will always keep a clear record of how and when this consent was obtained.
Marketing/Fundraising: We will always ask for your consent to send you marketing by email, SMS or other digital means. We will also ask you for your consent before contacting you by telephone for the purpose of marketing or fundraising.
Sensitive personal data: Should we ever ask you to provide any sensitive personal data about yourself, for example any health condition that may be relevant, we will always seek your explicit consent to process this data.
Sharing information about service users: Part of our charitable activities involves us working on our clients’ behalf to negotiate and intermediate with creditors and other third parties to assist our clients resolve their difficulties. We will ask the consent of our service users before we share any information with any third parties in relation to their case.
Recruitment: For those applying for a job or volunteering position with us, we will ask for your consent to contact third parties such as referees, to undertake a DBS check if appropriate, or for other vetting purposes.
b) Contractual relationships
The majority of our relationships with supporters and beneficiaries are voluntary and not contractual. This purpose primarily relates to how we process the data that we hold in relation to our staff, and in some circumstances, our volunteers.
c) Legitimate interests
The law allows personal data to be legally collected and used by an organisation if it is necessary for a legitimate business (or in our case charitable) interest of the organisation – as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned. This basis covers the majority of the personal information we collect.
What are our legitimate interests?
Delivery of our charitable aims as set out in our charitable objects:
- Provision of debt advice and money education to those in need
- Provision of related support services
- Assistance with benefit applications, grants applications, benefit appeals
- Assistance with insolvency applications
- Reporting criminal acts and compliance with the legal instructions of law enforcement agencies.
- Internal and external audit for financial, quality or regulatory compliance.
- Statutory reporting.
Publicity and income generation:
- Conventional direct marketing by direct mail and other forms or marketing, publicity or advertisement.
- Unsolicited communications to Churches and other organisations with whom we work closely in order to publicise our appeals and campaigns.
- Personalisation to tailor and enhance the supporter experience in our digital and postal communications.
- Analysis, targeting and segmentation to develop fundraising strategy and improve communication efficiency.
- Processing for research purposes.
- Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes.
- Provision and administration of staff benefits such as pensions.
- Physical security, IT and network security.
- Processing for historical, research or statistical purposes.
Financial management and control:
- Processing of financial transactions and maintaining financial controls.
- Prevention of fraud, misuse of services, or money laundering.
- Enforcement of legal claims.
Purely administrative purposes:
- Responding to any solicited enquiry from any of our stakeholders.
- Delivery of requested products, resources or information packs.
- Administration of direct debits and other existing financial transactions.
- Administration of Gift Aid.
- Providing ‘thank you’ communications and receipts.
- Maintaining ‘do not contact’ lists
When we use your personal information, we will always consider if it is fair and balanced to do so and whether it would be within your reasonable expectations that we would use your data in this way.
We will balance your rights and our legitimate interests to ensure that the way in which we use your data never goes beyond what you would expect and is not unduly intrusive or unfair.
4. Data Retention
We remove personal data from our systems in line with our data retention policy below. The length of time each category of data will be retained will vary on how long we need to process it, the reason it is collected, and in line with any statutory requirements. After this point the data will either be deleted or rendered anonymous.
Call log: We keep a record of calls made to our service so that we can return calls and handle any enquiries. We will keep details on our call log for a maximum of 6 months unless the individual becomes a client.
Service User Enquiries: If anyone contacts us to enquire about our service with a view to making an appointment, we will keep their personal data for a maximum of 2 years unless the individual becomes a client. This is to ensure we are able to respond to their enquiry and manage any missed appointments or subsequent actions, and for audit purposes.
Referrals from third parties: We receive personal information about potential service users from third parties who wish to refer individuals to us for support. We will hold the information we are given for a maximum 18 months unless the individual becomes a client. This is to ensure we are able to respond to their enquiry and manage any missed appointments or subsequent actions, and for audit purposes.
Client records: If someone becomes a client, we will keep their case records for a maximum of 6 years after their case is closed and we cease acting for them. This is to ensure we can provide further assistance if a client subsequently needs our help again, and for regulatory and audit reasons to ensure that we are able to manage any future complaints or enquiries.
Staff and Volunteer records: If someone becomes a member of our team, we will keep their personnel records for a maximum of 6 years after they cease working/volunteering for us in order to comply with employment regulations and for audit purposes.
Donor records: We will keep records of our donors for a maximum of 6 years after their last donation in order to comply with HMRC and charity law regulations, and for financial audit purposes.
Supporter / Marketing records: We will keep the contact details of those who have consented to receiving news and updates from us until they tell us that they no longer which to receive such information.
Recruitment records: Where you provide personal data and sensitive personal data when applying for a job or volunteering opportunity, such as the information on your CV, we will process, store and disclose this personal data to support the recruitment process. CVs and application details will be stored for a period of 2 years for audit purposes before being deleted, unless the individual becomes an employee.
5. Data Sharing
We will only share your personal data with others in very limited situations.
- Fundraising, campaigning and marketing (as outlined in section 2d)
- Management of volunteers and agents (as outlined in section 2e)
- Staff administration (as outlined in section 2f).
b) Externally: The most common occasion we may need to share personal information is where we use third party suppliers, for example software providers or to send out emails or marketing information on our behalf. We will always ensure that these providers are compliant with data protection regulations, and we delete information from these suppliers as soon as possible when it’s no longer needed. If you have any questions please contact us.
We may also share your data if you are one of the users of our charitable services and you consent for us to share your information as part of the process of helping you (see 3a above).
The only other circumstances in which we will share your personal data is for audit purposes or if we are compelled to do so by a legal authority acting in compliance with the law. For example, the quality of the advice we give is audited by our membership body and external quality auditors to ensure we are always giving the best advice possible. And as a regulated entity, we may also have to reveal information to our regulator, The Financial Conduct Authority. In any of these events, we will always ensure your data is treated confidentially and that no one ever discloses it to anyone else for any other purpose.
We will never sell your personal information to anyone.
We will never share your personal information with an external organisation for their own marketing purposes.
6. Your Data Rights
Where we are using your personal information based on your consent, you have the right to withdraw that consent at any time. You also have the right to ask us to stop using your personal information for direct marketing purposes.
The law also gives you a number of other rights in relation to your personal data. Contact us on email@example.com or on 020 7052 0318 and we will amend your details accordingly.
Right to be informed: You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our forms and other communications, are intended to be a clear and transparent description of how your data may be used.
Right of access: You can write us asking what information we hold on you and to request a copy of that information. We have 30 days to comply once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity.
Right of erasure: In certain circumstances you have the right to be forgotten (i.e. to have your personally identifiable data deleted). In many cases however, we are required by law or other regulations to retain your data. If this applies, we will ensure that your data remains secure and is not used for any purpose other than those allowed. Please contact us if you have any questions about this.
Right of rectification: If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated.
Right to restrict processing: In certain situations, you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.
Right to data portability: Where we are processing your personal data under your consent the law allows you to request data portability from one service provider to another. This right is largely seen as a way for people to transfer their personal data from one service provider to a competitor and is unlikely to be relevant to your relationship with us.
Right to object: You have an absolute right to stop the processing of your personal data for direct marketing purposes.
Right to object to automated decisions: In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions ‘that have a legal effect on you’, you have the right to object. This right is more applicable to mortgage or finance situations. We do not use your data in such a way and so this right is not relevant in your relationship with us.
We collect data using cookies. A cookie is a text file that is sent from our website/s as soon as you visit the site. It is stored on your computer’s hard drive and helps us to identify your computer (not you) and collects information in an aggregate, anonymous way.
The cookie data that we collect we may use to:
- Customise the content on our website/s and to help us understand visitor’s current and future needs
- Process any requests, applications or transactions you may make
- Aid internal administration and analysis
Managing cookies: Most browsers allow you to turn off the cookie function. To do this you can look at the help function on your browser.
Third party cookies: We occasionally work with third party suppliers who set cookies on our website to enable them to provide us with services. These are mainly used for reporting and advertising purposes so we can improve the way we communicate.
We occasionally use websites such as YouTube and Vimeo to embed videos and you may be sent cookies from these websites. We do not control the setting of these cookies, so we suggest you check the third-party website for more information about their cookies and how to manage them.
As some of these services may be based outside of the UK and the European Union, they may not fall under the jurisdiction of UK courts. If you are concerned about this you can change your cookie settings (see above).
Document Created: 09.04.18
Last reviewed: 25.04.19
Next review: 25.04.20