Privacy Policy

Updated with effect from 4^th March 2025

At Citizens Advice Esher & District, we collect and use your personal information to help solve your problems, improve our services and tackle wider issues in society that affect people’s lives.

This privacy policy explains how we use your information and what your rights are.  We handle and store your personal information in line with data protection law and our confidentiality policy. The following pages tell you more about how we use your information in more detail.

Our network

Citizens Advice is a membership organisation made up of the national Citizens Advice charity and many local offices across England and Wales, including Citizens Advice Esher & District. Citizens Advice Esher & District is an independent charity and a member of the national Citizens Advice charity.

All members of the Citizens Advice network are responsible for keeping your personal information safe and making sure data protection law is followed.

Members of the network also run some jointly designed services and use some of the same systems to process your personal data. In these instances we are joint data controllers for these activities.

Jointly controlled data

All offices in the Citizens Advice network use some joint systems to carry out our activities. These include joint case management systems, telephony platforms and more.

Staff from a different local Citizens Advice can only access your personal information in a joint system if they have a good reason. For example when:

• you go to a different office to seek advice
• more than one office is working together in partnership
• they need to investigate a complaint or incident

We have rules and controls in place to stop people accessing or using your information when they shouldn’t.

Tell an adviser if you’re worried about your details being on a national system. We’ll work with you to take extra steps to protect your information – for example by recording your problem without using your name.

National Citizens Advice has a privacy notice available on their website that covers general advice and nationally managed systems, including our case management systems. This policy covers the processing we carry out in our office.

How we use your data for advice

This section covers how we use your data to provide you with advice.

For general advice and nationally funded advice programmes please see the national Citizens Advice privacy notice.

How we collect and store your information

When you visit us

When you visit us in person, we’ll ask you to complete a Client Details form.  We’ll then scan and upload this form to the secure national case management system.  Once uploaded, the scans are deleted from our local office server. The paper copy is stored in our secure filing cabinets for six years after which it is confidentially shredded.

The information you share during your appointment with an adviser will be entered into the secure national case management system.  Please see the national Citizens Advice privacy notice for more information about this case management system.  Any written notes made by the adviser will be stored securely and then shredded.

If you give us any paperwork relevant to your problem, this will be scanned into our local office server before it is uploaded to the secure national case management system.  Once uploaded, the scans are deleted from our local office server.  Any paper copies are stored in our secure filing cabinets for six years after which they are confidentially shredded. We do not keep your original paperwork.

When you call us

When you call our local helpline, our advisers will ask for information that’s relevant to your problem.  They will enter these details directly into the secure national case management system, as described in the national Citizens Advice privacy notice.

Calls to our local helpline are not recorded, but our local telephone system keeps an automatic log of incoming and outgoing calls.  These logs are stored  for six months after which they are deleted.

When you use our web enquiry form or email us

The information you submit on our web enquiry form is sent direct to our secure office email system. No data is stored on the website.  Transcripts of your message and our response are then copied into the secure national case management system.  The emails are deleted once we have dealt with them, and by no later than six months.

Similarly, when you email us direct for advice your emails are stored within our secure office email system. Transcripts of your message and our response are copied into the secure national case management system.  The emails are deleted once we have dealt with them, and by no later than six months.

What information we collect

When you visit us

The Client details form we ask you to complete when you first visit us asks for your name, address, contact details and contact preferences.  We also ask for some background information about you, such as your household type, employment status and nationality.  You don’t have to provide us with this information and it does not affect the advice you receive. However, it helps us ensure that we are delivering our service in a way that supports everyone and that we are reaching people from all backgrounds.

To find out what information we collect during your appointment with an adviser please see the national Citizens Advice privacy notice.

When you call us

When you call our local helpline, our advisers will ask for information that’s relevant to your problem. For further information see the national Citizens Advice privacy notice.

Our local telephone system logs incoming and outgoing calls with caller details (number, time and duration).

When you use our web enquiry form or email us

When you use the enquiry form on our website to contact us for advice, we ask you for your name, address, contact details and contact preferences. We ask for information about the situation you need help with, and you have the option to upload any relevant images or document files.

If you email us direct, we collect your email address, your name and any contact details you provide.  We also collect details about the situation you need help with and any relevant images or document files you choose to send us as an attachment to your email.

What we use your information for

Whether you get advice face-to-face, over the phone or by email, please see the national Citizens Advice privacy notice to find out what we use your information for.

Our confidentiality policy

At Citizens Advice we have a confidentiality policy which states that anything you tell us as part of advice will not be shared outside of the Citizens Advice network unless you provide your permission for us to do so.

There are some exceptions to this such as needing to share:

• to prevent an immediate risk of harm to an individual
• In select circumstances if it is in the best interests of the client
• where we are compelled to do so by law (e.g. a court order or meeting statutory disclosures)
• where there is an overriding public interest such as to prevent harm against someone or to investigate a crime
• to defend against a complaint or legal claim
• to protect our name and reputation for example to provide our side of a story reported in the press

Who we share your information with

With your permission, we might share your information with other organisations so we can:

• help solve your problem – for example, if you ask us to contact your creditors we might need to share your name, address and financial details with them
• refer you quickly to another organisation for more advice or support, if relevant
• help you access certain services – for example food banks or Trading Standards
• monitor the quality of our services

Organisations we share your data with must store and use your data in line with data protection law. They’ll have their own privacy policies for how they handle your information and keep it safe.

Organisations we commonly share information with include:

• Elmbridge Borough Council and Surrey County Council
• The Department for Works and Pensions (DWP)
• HM Revenues and Customs (HMRC)
• Utility companies
• Credit reference agencies such as Experian, Transunion
• Support organisations, for example, CHEER (Concern and Help for East Elmbridge Retired)

Our lawful basis for using your information

Under data protection law we have a ‘legitimate interest’ to process your information so we can help you. This means it lets us carry out our aims and goals as an organisation.

How we use your data when you text us

If you use our dedicated SMS number to text us a short message, a transcript of your message will be copied into the secure national case management system.  Your text will then be deleted from our office mobile phone.

How we use your data when you ask us for help to apply for a charitable grant

How we collect and store your information

If you ask us to apply for an individual charitable grant on your behalf, we’ll collect information from you during your appointment or call with an adviser, or by email.  The information will be recorded in our national case management system.   Additionally, we store a log of charitable grant applications securely on our internal systems

What information we collect

We collect information required by the grant giving organisations.  This will include your contact details, assistance required and financial information such as your income and expenditure and any debts.

What we use your information for

We’ll use this information to apply for a charitable grant for you.

Who we share your information with

With your permission, we’ll share your information with grant giving organisations such as:

• The Henry Smith Charity
• Walsingham Care
• Walton Charity

Organisations we share your data with must store and use your data in line with data protection law. They’ll have their own privacy policies for how they handle your information and keep it safe.

Our lawful basis for using your information

Under data protection law we have a ‘legitimate interest’ to process your information so we can help you. This means it lets us carry out our aims and goals as an organisation.

How we use your data for research and statistics

This section covers how we use your data to carry out our research and statistical work.

National Citizens Advice covers their use of data for this purpose in their privacy notice.

How we collect and store your information

We collect your data for research and statistical work through reports generated by the national case management system.  These reports are stored securely on our internal systems.

What information we collect

We collect information about how you contacted us, the situation you needed help with and the action we took.  Where you are happy to provide it, we also collect information about your background, such as your employment status and ethnicity.

What we use your information for

We use this information to create statistics about who we’re helping and what problems are the most common. This allows us to identify trends in demand and to plan improvements to our service.  The information is always anonymised – you can’t be identified.

The statistics are used in reports to funders and inform our policy research, campaigns, or media work.

Who we share your information with

We share anonymised information with funders, government departments and publicly on our reports, social media and press releases.

Our lawful basis for using your information

We have a legitimate interest to carry out statistical analysis and research using our client data.

How we use your data for fundraising and donations

This section covers how we use your data to carry out our fundraising activities.

National Citizens Advice covers their use of data for fundraising in their privacy notice.

How we collect and store your information

When you join our 200 Club

If you choose to join our ‘200 Club’ (for regular donors), we’ll ask you to complete a ‘200 Club’ membership form and standing order mandate.  At the same time, we’ll ask you to consider completing a Gift Aid declaration.  The completed forms are stored securely on our internal systems.

When you donate via our website

When you make an online donation via our website you will be transferred to the CAF (Charities Aid Foundation) online donation platform for your payment to be processed securely.  We do not store your debit or credit card details at all.

Please refer to the CAF privacy policy to find out how they keep your data secure.

What information we collect

Our 200 Club membership form and Gift Aid declaration ask for your name, address, email address, the amount of money you would like to donate and your contact preferences.  We’ll enter these details into a spreadsheet stored in a secure area of our internal IT system.

Your email address will be added to our 200 Club contact list on our office email system.

What we use your information for

We’ll use your information to process your donation and, where relevant, your gift aid donation, and to keep a record of your relationship with us.

Only where you have agreed that we can do so, we’ll use your information for marketing communications, such as newsletters and invitations to fundraising events.

Who we share your information with

If you make a Gift Aid declaration, we are required to share your information with HMRC.

Our lawful basis for using your information

We process the personal data of our 200 Club members under the bases of legitimate interests and legal obligation.

If we send you marketing communications, we do so under the basis of consent.

How we use your data for Bureau Membership

This section covers how we use your data if you sign up to become a ‘Member’ of our Charity.

How we collect and store your information

If you decide to become a ‘Bureau Member’ in support of the work of our Charity, we’ll ask you to complete a Bureau Membership form.  The completed forms are stored securely on our internal systems.

What information we collect

We’ll collect your name, address and email address and enter these details into a spreadsheet stored in a secure area of our internal IT system.

Your email address will be added to our Bureau Members contact list on our office email system.

If you attend our AGM as a Bureau Member, or submit a proxy form, your name will be recorded in the minutes of the meeting.

What we use your information for

We’ll use your information to administer your Membership and keep a record of your relationship with us.

Only where you have agreed that we can do so, we’ll use your information for marketing communications, such as newsletters and invitations to fundraising events.

Who we share your information with

Your Bureau Membership information is not shared with other organisations.

Our lawful basis for using your information

We process the personal data of our Bureau Members under the bases of contractual necessity, legal obligation and legitimate interests.

If we send you marketing communications, we do so under the basis of consent.

How we use your data when you apply to work or volunteer with us

How we collect and store your information

When you apply to join us, we collect your personal information through a variety of ways.  For example, data might be contained in application forms, CVs or resumes or collected through interviews.

If we make you a job offer, we will also collect your personal information from identity documents such as your passport.  At the same stage, we will also collect personal data about you from third parties, such as references and, in some cases, information from criminal records checks.  We will tell you when we do this.

We will keep your information securely in our internal IT system (including email).

What information we collect

We’ll collect personal information such as name, address, telephone number and email address, previous job history and experience, qualifications, and any support needs you may have.

We’ll also ask for diversity information like your gender, ethnicity and sexual orientation. You don’t have to tell us this.

We might collect other information depending on whether you’ve applied for a staff or volunteer role.

You’ve applied for a staff role

If we offer you a position, we’ll ask for:

• references for your previous and current work
• proof of your right to work in the UK, like a valid UK passport or visa
• your national insurance number and P45
• your bank details, so we can pay you
• details of your student loan if you’re paying one back

Where it’s needed for the role, we might contact the DBS for a criminal record check. Once the DBS check is completed and you’ve received your certificate, we’d expect you to share this information with us as part of the background check process. This information would include your name, date of birth, place of birth, gender, position applied for and anything else disclosed on your DBS check.

You’ve applied for a volunteer role

If we offer you a volunteering position, we’ll ask your referees about your suitability for the role.

What we use your information for

The main reasons we ask for your personal information are to:

• check you’ve got the right skills for a role when you apply
• arrange an interview
• contact you to tell you the result of your application
• do checks when we make an offer, for example contacting your references, checking your right to work in the UK or DBS checks, where applicable
• send you an offer letter or contract

We’ll treat any diversity information you give us as strictly confidential. We’ll anonymise this information and only use it to look at trends. This means we won’t look at your information individually or compare it to other people and we won’t use it as part of the recruitment selection process.

Who we share your information with

If you accept an offer to work for us we’ll:

• get your permission to share your information with your references
• get your permission to share your information with the third party organisation we use to obtain any necessary criminal records checks from the Disclosure and Barring service
• add your information to our internal management and technology systems
• share your information with our payroll accountants if you have accepted a paid staff role

Our lawful basis for using your information

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• For legitimate interests, allowing us to manage the recruitment process, assess your suitability for employment and decide whether to offer you a job or volunteer role
• To perform or enter into a contract with you (for example, an employment contract)
• To comply with a legal obligation (for example, to check your eligibility to work in the UK before employment starts)

Some special categories of personal data, such as data about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes).

Where we process other special categories of personal data, such as data about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or pseudonymised.

Where we process criminal offence data, this is in line with substantial public interest conditions.

How we use your data when you make a complaint about our service

This section covers how we use your data when you make a complaint about the service or advice you receive from us.

National Citizens Advice covers their use of data for this purpose in their privacy notice.

How we collect your information

We collect your information from you via phone, email, online form or letter – depending on how you complain.

What information we collect

So we can help you with your complaint, we need to know:

• your name
• one way we can get in touch with you – email, phone or address
• details of the complaint

If your complaint is about advice you received, we’ll need to look at the information we’ve recorded about your problem.

What we use your information for

We use the information you give us to deal with your complaint.

Who we share your information with

If you escalate your complaint to an external independent adjudicator, we’ll share your complaint information with them. We’ll always ask for your consent before we do this.

If your complaint involves an insurance claim, we might share details of your complaint with our insurance representative.

Our lawful basis for using your information

We have a ‘legitimate interest’ to collect your information under data protection law. This means it lets us carry out our aims and goals as an organisation.

How we use your data when you view our website

What information we collect

When you view our website we use data called ‘cookies’ to get information about what pages you click on and what device you’re using. This helps us improve your experience of our website. Find out more about how we use cookies.

How long we keep your data for

National Citizens Advice is responsible for managing any data in joint client case records. For more information please see their privacy notice.

Data	Purpose	Retention
Log of telephone calls to our local advice number	To monitor demand and call response times	6 months
Supporter records (200 Club)	To keep a record of supporter donations	7 years from the last donation
Gift Aid records	To process Gift Aid claims	7 years
Bureau Membership records	To keep a record of Bureau Members with voting rights	Permanent
Job and volunteer applications	To make a decision about recruitment or appointment to a role	For successful candidates: Transfer to personnel record and keep for 6 years from end of appointment   For unsuccessful candidates: 1 year
Complaint records	To deal with any complaint about our service	6 years or 16 years if involving an insurance claim or other dispute

Third party processors

Third party processors are other organisations that carry out data processing on our behalf. Third party processors don’t use data for their own purposes and we have agreements in line with data protection law.

Processor name	Activities	Data hosting location
Microsoft 365	Emails, internal documents	See Microsoft Privacy Policy
CAF Donate	Online donations	See CAF Privacy Policy

Your data protection rights

You have rights in relation to your personal data that we hold. Your rights include being able to request:

• Access to copies of your data
• Corrections are made to inaccurate data
• Deletion of your personal data
• Object to how we use your personal data

These rights are not absolute and may not apply in every circumstance. For more information about your rights you can visit the ICO website.

To make a data protection rights request you can do so by contacting us at:

Citizens Advice Esher & District

Civic Centre

High Street

Esher

KT10 9SD

Telephone: 01372 464770

Raising a concern about how we use your information

If you are concerned about how we have handled your personal information please contact us at:

Citizens Advice Esher & District

Civic Centre

High Street

Esher

KT10 9SD

Telephone: 01372 464770

You can also contact the national charity if you are unhappy with how we have used your personal data or wish to raise a concern about how a local office has handled your personal data. To do so you can email us at DPO@citizensadvice.org.uk

Contacting the Information Commissioner’s Office (ICO)

You can also raise your concern with the Information Commissioner’s Office which regulates data protection law in the UK. if you are unhappy with how we have used your personal information. They will normally expect you to have made a complaint to us directly in the first instance.

• Visit the ICO website.
• Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
• Helpline number: 0303 123 1113