Toolkit Part Two: Making and Implementing your Records Management Improvement Plan

Action points from self-assessment

Now that you have your list of action points, you have some idea what aspects of records management you are doing well at and what can be improved. 

Do not feel overwhelmed if you have a long list of action points. 

The idea of this toolkit is to work in stages to improve your record keeping.

Implementing your action plan: Part 1: Assessing Risks and Auditing Records

To help you make a plan for what to do next we have broken down the drawing up of your improvement plan into four steps. 

One: Assessing risks and auditing records 

Many organisations undertake risk assessments and they can be used here to help you figure out how your biggest risks can be addressed by better record keeping, or what the priorities for your improvement plan are. 

If you do not have a risk assessment, you could use the information at the beginning of this toolkit on record keeping and regulation to help you think about where you are at most risk of non-compliance with the law. You may also have identified your own priorities based on the area that you work in. 

You can also think about risks in terms of some key issues and areas of regulation as summarised below.  

| Key issue | What laws/regulation is applicable? |
|---|---|
| | Charity Commission requirements, Freedom of Information Act, potential use as evidence or for future regulation |
| | Charity Commission public benefit requirements |
| Donor Data | GDPR, Data Protection Act, financial reporting, Fundraising Regulator requirements |
| | GDPR, Data Protection Act, potential use as evidence or for future regulation or investigations. Relevant safeguarding legislation of supervising authorities |
| Risks e.g. closure, fraud, whistleblowing | GDPR, Data Protection Act, Charity Commission requirements in the case of an investigation, in case of potential future regulation or litigation |
| Access to information (i.e. by those about whom data is held) | GDPR, Data Protection Act, in case of an investigation, Environmental Information Regulations, potential litigation or a request from the data subject |

The next thing to think about is the current state of your records. You may have some idea of this already from the self-assessment, but it is also a good idea to conduct an audit of the information you hold. In addition to listing the areas of work you do, and documents you have, you might also want to think about the following questions:

  • What format is information in?
  • Is information protected by passwords?
  • Is information backed up securely?
  • Are physical records safely stored away from major environmental hazards?
  • Are records in good condition or do they require active preservation?
  • Is material held in obsolete forms? 
  • What are your biggest challenges in managing information at present? 

Information should be collected from a range of people to make this as comprehensive as possible. You could include this exercise in any regular risk assessment undertaken within the organisation. Use this information, in conjunction with your colour-coded action points, to prioritise the most important things you need to do to manage your records.

Part 2: Policy Development

The next step for most organisations will be to develop or revise policy and processes to guide implementation. It might be the case that some of the elements exist in other policies you already have and they simply need drawing together, or you may need to write a policy from scratch. When developing a policy, the size and scope of your organisation will be very important as it will dictate the human and financial resources you have to do this work. It is important to be realistic about what you can achieve and to think about this as a foundation on which you can build further improvement. As well as thinking about the policy content, consider how to make sure that everyone in the organisation knows about it. In particular, make sure everyone knows what their individual role is in keeping better records.

When putting together your policy, bear in mind the following points: 

  • Be realistic about what you can achieve given the size, scale and resources of the organisation.
  • Decide on clear priorities for work to be undertaken now and consider what might wait until you have some basic policies, systems and processes in place. 
  • Getting senior management or trustee buy-in for this work is essential. You may need to put together a case for the regulatory and business benefits of doing this work and present it at a Board or senior management meeting.
  • It is important to ask for adequate resources in terms of money and staff time to do this work. This is legitimate spending on improving governance and regulatory compliance and should be adequately resourced. It will result in efficiencies down the line. 
  • If you are a large enough organisation, you may wish to convene a working group of people with relevant responsibilities chaired by a senior manager to steer the initial project of drafting and implementing a new policy. 

You may wish to consult some of the further resources at the end of the toolkit for more information. 

Part 3: Implementation with (a) current and (b) legacy records

When you come to make changes to how you approach records you are likely to have two sets of plans to make. Firstly, you will need to make a plan for what you do now, with records you are currently using and generating. Secondly, you will need to make plans for records that are ready to be consolidated into permanent or long-term storage. 

Further guidance on archiving for voluntary organisations is available at: and in the further resources section. Implementation will depend on the size of the organisation, the type of work that it does and the resources you have available. 

Think about: 

• Making a project plan for handling your current records and a separate plan for legacy records (those no longer in daily use). Make sure your plan has realistic objectives and timescales. 

• Whether you need to buy software for managing your records (called Electronic Records Management (ERM) systems) or whether you can use a system of files and folders.

• Whether it is appropriate for you to get a consultant or company to help you get your system in place. 

• How you will back up data off-site. Small charities might benefit from finding a local buddy to partner with to hold encrypted or password-protected back-ups of each other’s data.

Part 4: Monitoring, review, feedback and maintenance

The final thing to do to consolidate your new plan is to commit to an ongoing process of improvement. Technology, staff and organisational needs will all change and it is important to acknowledge that your records management needs will change too. You will need to monitor how well your plan and policies are working and provide opportunities for staff, trustees and volunteers to give feedback. Unless you have a system that is working for everyone in the organisation, it is likely that it will not be fully used and records may be left on the hard drives of computers, deleted with emails or lost in other ways. Remember these are vital records which tell everyone about your organisation, what you do, what you have achieved and why the public should trust you. 

It would be a good idea to: 

• Provide an opportunity for people to tell you how you can make the system work better for them and see how it is actually being used. 

• Use this information to work out if and how to change your plans and policies. 

• Schedule a time to either review policies formally or complete another self-assessment questionnaire. If you have the resources, you might also consider keeping track of the work via performance measures, but for small organisations this will be unnecessary. We would recommend revisiting the questionnaire either annually or every three years (depending on your size, risks and resources).