Record keeping is an important but often overlooked part of running or working in a voluntary organisation. It is vital for good governance and necessary for complying with the wide range of regulations that apply to charities in England and Wales. While the toolkit is specifically written for organisations that need to comply with charity law in England and Wales, we hope that it will also be useful for groups and organisations that are not registered charities, or who are based outside England and Wales.

Good record keeping will:

• Show that you are complying with regulation;

• Provide evidence of how you have made decisions and demonstrate good governance and processes;

• Make day-to-day work more efficient as staff members, trustees and volunteers know where to find information;

• Make it easier to show the impact of your organisation;

• Build trust with donors, funders, regulators and the public as they know that organisations can provide evidence and be held accountable for their actions and decisions.

However, many organisations, especially small and medium sized ones, may find it hard to know quite what the state of their records is. There is a lack of advice, training and knowledge about record keeping and a bewildering array of different regulatory requirements.

This toolkit will help you make sense of what you are currently doing and think about how you can improve. It will help you to identify issues and find solutions to fit the size and scope of your organisation. This toolkit does not assume that you can immediately put in place a perfect system for managing records and information. Instead, it offers you some tools and guidance to help you continually improve your practices, policies and processes.

About the toolkit

This toolkit was generously funded by a UCL Public Policy Engagement Grant and produced in partnership with Charity Finance Group in 2017. We would like to thank colleagues from The National Archives, Leonard Cheshire Disability, Charity Archives and Records Managers Group (CHARM) and the Small Charities Coalition for providing feedback on the draft toolkit. This toolkit was tested out in focus groups with finance directors, founders, trustees and staff of charities. Over fifty people, many of whom are from small and medium sized charities, provided helpful suggestions to ensure this toolkit can help smaller organisations, in particular, to improve their records management.

The toolkit was put online in this format in 2018, and links and resources were last updated in June 2020. 

Record keeping and regulation: What do you need to know? What do you need to keep?

There are a lot of different rules and regulations covering the work of registered charities in England and Wales. Many of these require charities to be able to provide evidence of good governance, processes and decision making. This evidence is often stored in the records of the organisation, and it can be confusing to figure out which regulations require organisations to keep records, what they want kept, and for how long.

What are ‘records’?

Records are the documents which are generated by the work of the organisation. These documents can be current, used for the current day-to-day running of the organisation. They can also be historical, showing how an organisation made decisions in the past. Not every document should be retained for permanent preservation, but those that are preserved are commonly known as archives.

Collectively, records should reflect the work of an organisation. They might be organised by the functions or activities of different departments and directorates, but overall they should tell anyone who consults them who you are, how you are run and what you do.

Who is responsible for a charity’s records?

There are a variety of parties who have responsibility for a charity’s records:

  • Trustees

    As persons with the overall legal responsibility for ensuring that a charity is well-run, trustees play a vital role in ensuring that the organisation is a responsible record-keeper. Principle six of ‘Good Governance: A Code for the Voluntary Sector’ (2010, Second Edition) explicitly states that it is the responsibility of trustees to provide good governance and leadership through:

    “complying with any applicable legal or regulatory requirements concerning membership records”

    The Charity Commission expects trustees to be responsible for complying with these regulations, and has statutory powers allowing it to intervene where trustees fail to perform this role.

  • Executive Committee Members and Senior Management

    Trustees are supported in their role by other executives and those in senior management, through their delegated powers to oversee the work of the charity, both on a day-to-day and longer term basis. This includes records management and sits alongside any powers they may hold or responsibilities they have to ensure regulatory compliance.

  • Staff

    Staff are responsible for ensuring that the correct records management policies and procedures are followed, as well as training and supervising volunteers in records management best practice.

  • Volunteers

    Volunteers need to ensure that they create and store records in accordance with the organisation’s records management policy.

What records might you have?

Below we have included some examples of the types of records you might have, listed under different functions performed by the organisation. This list is not exhaustive.

Type of Record


Minutes of governing bodies
Trust deeds
Charity Commission schemes of management
Annual Reports
Membership records
Correspondence (including emails)
General administrative documents (day to day management and governance)
Policy and subject files
Case files
Visitor books
Records of special projects or committees

Finance and Resources

Annual accounts
Trust accounts
Fundraising appeals, accounts, and literature
Property records
Tenders, specifications, architectural plans and drawings, photographs relating to major projects e.g. new buildings and extensions
Correspondence (including emails)

Staff and work

Personnel files for key members of staff
Press releases
Records from events including: invitation cards, publicity material, photographs
Documents/correspondence generated by users, beneficiaries and other stakeholders
Scrapbooks and newspaper cuttings
Appropriate personal papers from founders, activists, donors, officials, users or volunteers (if they provide useful additional information on the organisation’s history and governance). This might include diaries, correspondence (including emails), study notes, photographs, press cuttings

Record keeping and charity regulation

The Charities Act 2011 and The Charities (Protection and Social Investment) Act 2016

This legislation sets out the function and responsibilities of charities and gives the legal basis for the Charity Commission. Under these laws, records may be required for the following:

  • Preparation of Annual Reports
  • Preparation of the annual submission to the Charity Commission (including financial data)
  • Demonstrating to the Charity Commission (amongst others) that the organisation is well-run and has suitable governance arrangements
  • To provide evidence to the Charity Commission in the event of an enquiry into the charity – this could mean any information which Commissioners deem to be relevant.

Charities have a legal duty to comply with requests for information from the Charity Commission, and the Commission expects this information to be readily available. If information is not available, the Commission has the power to ask why. One defence afforded to charities is that records have been securely destroyed according to a records management disposal policy. However, organisations would be wise to err on the side of caution when deciding what to dispose of.

Reporting Serious Incidents

The Charity Commission also requires organisations to report serious incidents, which can include fraud, theft, and money laundering. Other examples of serious incidents that should be reported could be financial loss, terrorism, or failure to safeguard beneficiaries. It is the responsibility of the charity’s trustees to ensure that an incident has been reported, though the report itself can be done by a member of staff. The Commission might need to offer regulatory advice, conduct an investigation, or use safeguarding powers to mitigate the serious incident and protect the charity’s assets.

Charities with good records management procedures will find it much easier to provide the level of information required by a serious incident report to the Commission. The Commission also recognises that charities that are working in high-risk areas, e.g. overseas or with vulnerable beneficiaries, may have numerous, similar incidents to report. The Commission recommends that a charity should make periodic reports highlighting all serious incidents in the prescribed time period. The current Charity Commission guidelines outline how and where an organisation can report an incident.

Data Protection Act 1998

The Data Protection Act 1998 will apply to some information held by most charities. For example, personal data collected about donors and beneficiaries will be covered, along with information about staff and volunteers. Data protection guidance requires data holders to have clear policies and processes governing how personal data is collected, stored and used. It might apply specifically, for example, to how organisations can use donor data to ask for further donations or sell data on to other organisations.

On 25 May 2018, the new General Data Protection Regulations (GDPR) came into effect in the UK. Organisations should make sure they keep abreast of changes by checking the Information Commissioner’s website and using its guidance: 

A guide on GDPR for charities can be found here: 

The National Archives guidance on Archives and Data Protection in UK Law can be found here: 

Statement of Recommended Practice (SORP)

This covers the practice that should be followed in preparing charity accounts and making sure they comply with regulations. It is important to note that organisations should be keeping records which show why an organisation made spending decisions, or decided to carry out its work in a specific way. Keeping documents that contain information about decision making and spending reduces the risk of fraud and shows that the organisation uses resources effectively.

The Fundraising Code

The Fundraising Regulator now requires all organisations which fundraise to follow a code of practice. Part of this tells organisations to be clear about what data is kept on donors and how it can be used, directly relating to data protection. It is your responsibility to keep data secure and give donors control over how it can be used. The Fundraising Code, available online, requires organisations to produce an annual report outlining their approach to fundraising and compliance with the Code. Keeping good records on the fundraising function of a charity is vital in ensuring that organisations can demonstrate compliance with the Code.

Other potential regulations that may impact record keeping

Depending on the kind of work an organisation does, and the services it delivers, charities may also be subject to a range of other regulation e.g. on safeguarding, employing paid staff, managing premises etc. The evidence you need to show compliance with regulation, and indeed to carry out much day-to-day work, is in your records. Having organised and well-managed records means that you can respond quickly and efficiently to requests for information which may come from a range of regulators, funders and stakeholders.

Other types of investigation and inquiry might also have statutory powers to request that charities produce information. For example, the Independent Inquiry into Child Sexual Abuse issued a memorandum halting the possible destruction of pertinent records. It also demanded that residential and other services for children (including those run by charities) collated and produced documents for the inquiry.

Whilst it does not affect charities at the moment, it is likely that Freedom of Information legislation will soon be extended to some charities, especially those that deliver services under contract to local or national government. Charities that do public work which affects the environment are also subject to the Environmental Information Regulations 2004, and must respond to public requests for environmental data. By implementing a records management improvement plan now, organisations can make sure that they do not face a greatly increased regulatory burden should they ever find themselves subject to statutory requests for information. Both the Information Commissioner’s Office and The National Archives provide comprehensive advice about establishing records management programmes.

The table below highlights key issues that are addressed by statutory requirements and which rely on the evidence kept in the records of voluntary organisations, providing basic guidance on the kind of records that might need to be kept, and for how long:

| Key Issue | What sort of evidence is needed | Where is the information found? | How long should records be kept for? | What law/regulation is applicable? |
| --- | --- | --- | --- | --- |
| | Decision making, positions of responsibility, processes and procedures | Minutes of meetings (Board minutes and subcommittees); accounts; Annual Reports; other relevant reports and policy documents | Permanently - these records provide evidence of the development of the organisation | GDPR, Charity Commission requirements, Freedom of Information, potential use as evidence or for future regulation |
| Effectiveness / Impact | Decision making, records of long term impact, processes and procedures | Reports / monitoring of services; Annual Reports; policy documents; correspondence | Having a long term evidence bank of the achievements of the organisation is a good idea for demonstrating that a charity meets its aims and can be used in bidding for funding | GDPR, Charity Commission public benefit requirements, |
| Donor Data | What data is held on donors, what they have agreed to regarding future contact and data sharing. Data security policy and processes. Fundraising projects and policies | Donor databases and CRM software, records generated by fundraising function of the organisation | Depends on protocols agreed with donors – but policies etc. should be retained for at least seven years once they are no longer current | GDPR, Data Protection Act, financial reporting, Fundraising Regulator requirements |
| Safeguarding | Policies, staff and volunteer checks (Disclosure and Barring Service checks, formerly Criminal Records Bureau checks) | Within Human Resources and Policy functions. This could potentially cover staff and volunteer personnel files as well as service user case files | There is a balance to be struck in having evidence that you have taken steps to make sure personnel are suitable to work with vulnerable service users and protecting the data of staff and volunteers (as per principle 5 of the Data Protection Act). Your organisation may need to assess the risks on each side and seek expert advice. | GDPR, Data Protection Act, potential use as evidence or for future regulation or investigations. Relevant safeguarding legislation of supervising authorities |
| Risks e.g. closure, fraud, whistleblowing | Financial data, records of decision making | Accounts; Annual Reports; minutes of meetings; | At least seven years, though it would be wise to keep some data permanently to show source of long term assets and changing financial structures. | GDPR, Data Protection Act, Charity Commission requirements in the case of an investigation, in case of potential future regulation or litigation |
| Access to information (i.e. by those about whom data is held) | Information about donors, beneficiaries, service users and their families | Case files, fundraising databases | As long as a data subject (person the data is about) might want to access this information | GDPR, Data Protection Act, Environmental Information Regulations, in case of an investigation, potential litigation or a subject access request from the data subject |

As is evident from the above, records are vital to many areas of regulation and the daily work of any organisation. Given the piecemeal nature of the regulatory landscape, however, it is best to consider pursuing an overall strategy for managing records within specified guidelines. Understanding the present context and considering risks are vital to drawing up and implementing a records management improvement plan. The next section will address this in more detail.

Using this toolkit

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. This means that others who use this work must give credit. Others may copy, distribute, display, perform, and modify this work, as long as they distribute any modified work on the same terms and do not do so commercially. If you want to distribute modified works under other terms, you must seek permission.

Use of data provided

Anonymous data is collected on the use of the toolkit. This is to inform research and the development of further resources. If you are happy to be identified you can fill in the name of the charity. By entering your email address you agree that we can send you updates about the project and further resources as they become available. Both these fields are optional and you can opt out at any time by contacting the email address below. 

Please contact Charlotte Clements via with any questions. 

If you are happy to proceed, the toolkit starts with a few questions about your organisation.
