St Luke’s Advice Service
Client Privacy Notice September 2025
This document tells you in detail what you, as a client, can expect us to do with your personal information. It describes information you may provide, your rights and what we do with your information.
1. About us and your information
St Luke’s Advice Service holds your information and so has overall control of it. As such, we make decisions about processing it and are responsible for it. We do this in the way required by UK data protection law and ensure we protect your rights. This means that as an organisation we are a ‘Data Controller’.
Our Data Protection Officer is the best person to contact. The nominated person is Grace Smyth, our Director of Operations & Fundraising.
You can contact us as described in other places in the Privacy Notice using the details below.
Post: Brighthelm Centre, North Road, Brighton, East Sussex, BN1 1YD, GB
Phone: 01273 549203
Email: [email protected]
2. What information we collect, use, and why
We collect and use the following information to provide advice and support services to you. Some of this information is considered to be sensitive personal information and is marked with the following symbol “ * ” in the list below:
- Names and contact details
- Gender, sex and pronoun preferences
- Addresses
- Date of birth
- Health information (including medical conditions) *
- Information about care needs (including disabilities*, home conditions, dietary requirements and general care provisions).
- Information about work, home and living conditions
- Information about support requirements
- Information about your income and spending for personal budget support and to help you see what you can afford
- Banking and loan information
- Information about personal assets and liabilities for personal budget support or welfare benefits support
- Information exchanged with third parties about you, such as referral and subsequent communication.
- Records of meetings and decisions
- Records of your use of our service
- Information relating to feedback, compliments or complaints
We also collect or use the following information to monitor our service to clients and provide anonymous statistical information to third parties on the basis of “legitimate interest”, if you provide it (see below for more information about Legitimate Interest).
- Racial or ethnic origin*
- Religious or philosophical beliefs*
- Sexual orientation information*
- Health information*.
3. UK data protection law and Lawful bases
The UK’s data protection law is made up of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The law tells us we must have a “Lawful Basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which Lawful Basis we depend on may affect your Information Rights. These are briefly set out below, with your Rights, which are further explained in section 5.
- Consent – this means we have permission from you after we gave you all the relevant information about your information rights. All of your Information Rights may apply, except the right to object. For sensitive personal information, we require explicit consent. However, even after you have signed a consent form, you have the right to withdraw your consent at any time.
- Legal obligation – this means we must collect or use your information so we can follow the law correctly. All your Information Rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – this means we are collecting or using your information because it benefits you, our organisation or someone else, without causing an unnecessary risk of harm to anyone. All your Information Rights may apply, except the right to portability. Our legitimate interests are that we will use or share your information in a way that does not identify you, and only in statistical form to report on the profile of our service to clients. We will provide this information to organisations that have or might provide us with grants or other ways of providing us with money. You will never be able to be seen or picked out in this information.
4. Your Information Rights
The UK data protection laws give you Information Rights (also called Data Protection Rights). These are the things you can do:
- See your information: You can ask us for copies of your personal information that we have collected. You can ask for other information such as details about where we get personal information from and who we share personal information with. There may be some information that we cannot provide, or that we are allowed not to provide, which means you may not receive all the information you ask for. This is also called your Right of Access.
- Fix mistakes: If your personal information is wrong or missing something important, you can ask us to correct or remove personal information you think is incorrect or incomplete. This is also called your Right to Accuracy (or Rectification).
- Delete your data: You can ask us to remove your personal information. We will do this anyway six years after you stop being a client. This is also called your Right of Erasure or Right to be Forgotten.
- Limit Use: You can ask us to use your personal information less or only in certain ways. This is also called your right to Restriction of Processing.
- Say no: You can say you do not want us to use your personal information. We will let you know if this means we cannot give you our service. This is also called your right to Object to Processing.
- Move your data: You can ask us to send your personal information to you, or another organisation. This is also called your right to Data Transfer.
- Change your mind: If you gave us permission to use your personal information, you can take it back at any time. Permission is also called Consent. This is your right to withdraw consent and applies when consent is the lawful basis for holding your personal information.
If you make an Information Rights request relating to information we hold about you, we must respond to you without any unneeded delay. In any event, we must respond within one month. To make any Information Rights request, please contact us using the contact details at the top of this document.
You can find out more about your Information Rights, and the exemptions that apply, on the ICO’s website, Information Commissioner’s Office (ICO).
5. Where we get personal information from
- Directly from you as a client
- Family members or carers
- Other organisations that help you and that you’ve given permission to share information with us.
- Welfare Benefit authorities, e.g. the Department of Work & Pensions and Local Authorities.
- Companies involved in lending, money management, utility services, or any others you’ve told us about that you may owe money to or have a liability to.
- Credit Reference Agencies, but only with your consent.
6. How long we keep information
We keep your personal information either:
- for 6 years following the last contact with you as a client, or
- until you request deletion of data, whichever is sooner
7. Who we share information with
a) Data processors. These are system providers who do not have any right to access your data or use it, other than when acting on our instructions or the activities below:
- Our case management system provider, that is located in the United Kingdom, does this for advice organisations like us. This data processor does the following activities for us: case management system for the specific purpose of storing data and providing system functionality.
- Enquiry Database. This data processor holds name & contact information, for the specific purpose of giving us visibility of the initial request for service, by clients who would reasonably expect us to respond using the data.
- Our telephony provider when you leave a voice message for us or we record your conversation.
- Microsoft Corporation and our technical support provider. These data processors do the following activities for us: File storage, email services and website provision and technical support.
b) Third party organisations, as part of providing our service to you as a client, with your permission or consent: For each of the following we will explain why we are disclosing your personal information and obtain your consent, before we contact them. We will record your consent, whether it is written or spoken.
- Welfare Benefit Authorities, e.g. Department of Work & Pensions and Local Authorities.
- Companies to do with lending or managing money and utility companies, or Local Authorities or anyone else you have told us about that you may owe money to and have a liability to.
- External auditors or inspectors, where you will need to give specific consent and can opt in or out.
- Credit Reference Agencies, for the purpose of obtaining your personal information from them to you and us.
Before we disclose sensitive personal information, such as health information or about your disabilities, we will clearly explain why it could help you and ask you for permission. This is called “Explicit Consent”.
c) Additional third-party organisations we are obliged to share information with from time to time for:
- a specific legal responsibility or duty.
- safeguarding reasons when it is necessary, proportionate, and we have a good reason. This could be to protect a child or individual at risk of harm, who could be one of our staff or you.
d) Sharing information outside the UK
Some of our data processors process personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place. Microsoft Corporation and our Enquiry Database provider may hold data in countries outside of the United Kingdom and EU. The transfer outside the UK complies with UK data protection law by the inclusion of ‘Addendum to the EU Standard Contractual Clauses’ in their terms. For further information or to obtain a copy of the appropriate safeguard for any of the transfers mentioned here, please contact us using the St Luke’s Advice Service contact details at the top of this privacy notice.
8. How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the St Luke’s Advice Service contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO at Information Commissioner’s Office, Wycliffe House, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: https://www.ico.org.uk/make-a-complaint