Data Policy Starter Template

By /

A One‑Page Guide for Charity Teams

Good data helps us raise more, reach the right people, stay compliant, and make better decisions. This guide explains what our Data Policy means in day‑to‑day charity work — without the jargon.

The basics (what everyone should know)

  • Data is an asset – like our people, money, and reputation. How we look after it affects trust.
  • If you can see data, you’re responsible for it – even if you didn’t collect it.
  • Just because we can collect data doesn’t mean we should. Purpose first.

What data are we talking about?

In charities, data often includes:

  • Supporter and donor details
  • Beneficiary and service‑user information
  • Campaign, fundraising, and volunteering data
  • Staff and trustee data
  • Monitoring, evaluation, and impact data

Some of this can be sensitive — especially beneficiary and safeguarding‑related data.

Common charity‑specific nuances (the bits that catch people out)

1. Fundraising vs engagement

Just because someone donated doesn’t always mean we can contact them freely. Consent, opt‑in, and expectations matter — especially across channels.

Tip: When in doubt, check the Privacy Notice or ask before using data for a new purpose.

2. Beneficiary data needs extra care

Beneficiary data often feels informal (“it’s just notes”), but it can be highly sensitive.

Tip: Write notes as if the person could read them one day.

3. Spreadsheets are still systems

Excel files, Google Sheets, and downloads from CRMs are still data systems.

Tip: If you wouldn’t leave it on a train, don’t leave it unsecured on your laptop.

4. Sharing data with partners

Working with agencies, consultants, or delivery partners is common.

Tip: If you’re sending data outside the organisation, pause and check there’s a clear reason and agreement in place.

5. “We might need it later” isn’t a reason

Holding on to data “just in case” increases risk and workload.

Tip: If you don’t know why you’re keeping it, that’s a sign it may be time to let it go.

Good everyday habits

  • Only access data you need for your role
  • Keep records accurate and up to date
  • Lock screens and protect passwords
  • Use approved systems, not personal accounts
  • Report mistakes or near‑misses early — it’s about learning, not blame

If something goes wrong

Mistakes happen. What matters is acting quickly.

  • Tell your manager or the data lead straight away
  • Don’t try to fix or hide it yourself
  • Early reporting helps protect people and the organisation

The takeaway

Good data practice isn’t about fear or red tape. It’s about:

  • Respecting the people behind the data
  • Making better decisions
  • Protecting trust in our charity

If you’re unsure — ask. That’s always the right first step.

Data Policy – Starter Template

Copy and use this starter template as a foundation — adapt it to fit your charity’s needs and context
Want a downloadable version? Grab the .docx template here

Data Use and Access Policy

Organisation Name: [Insert Charity Name]
Version: 1.0
Approved by: [Board / SMT]
Date Approved: [DD/MM/YYYY]
Next Review Date: [DD/MM/YYYY]

1. Purpose

This Data Policy sets out how [Organisation Name] collects, uses, manages, shares, and protects data. Its purpose is to ensure that data is treated as a valuable organisational asset, used responsibly, lawfully, and effectively to support our mission and improve outcomes for the people and causes we serve.

This policy provides a clear framework for decision‑making, accountability, and good practice across the organisation.

2. Scope

This policy applies to:

  • All staff, trustees, contractors, consultants, and volunteers
  • All data created, collected, processed, or stored by the organisation
  • All systems, tools, platforms, and formats (including paper records, spreadsheets, databases, and cloud systems)

3. Principles

[Organisation Name] manages data in line with the following principles:

  1. Lawful and Fair Use – Data is collected and processed in line with relevant legislation and regulatory guidance.
  2. Purpose‑Driven – Data is collected for clear, defined purposes that support organisational objectives.
  3. Proportionate – We only collect data that we genuinely need.
  4. Accurate and Reliable – Reasonable steps are taken to ensure data is accurate and kept up to date.
  5. Secure – Data is protected against unauthorised access, loss, or misuse.
  6. Accessible and Useful – Data is made available to those who need it to do their role effectively.
  7. Accountable – Clear ownership and responsibility for data is defined.

4. Data Types Covered

This policy covers, but is not limited to:

  • Personal data
  • Special category data
  • Supporter and beneficiary data
  • Staff and volunteer data
  • Financial and transactional data
  • Monitoring, evaluation, and impact data
  • Operational and performance data

5. Legal and Regulatory Framework

[Organisation Name] complies with all relevant data protection and information governance legislation, including:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

Related policies include:

  • Privacy Notice
  • Data Retention Policy
  • Information Security Policy
  • Acceptable Use Policy

6. Roles and Responsibilities

Board of Trustees

  • Provide oversight and assurance that data is managed responsibly.
  • Approve this policy and any material changes.

Senior Management Team

  • Ensure this policy is implemented and resourced appropriately.
  • Promote a positive data culture across the organisation.

Data Owner(s)

  • Accountable for specific datasets or systems.
  • Ensure data quality, appropriate access, and compliance.

All Staff and Volunteers

  • Follow this policy and related procedures.
  • Complete relevant training.
  • Report data breaches or concerns promptly.

7. Data Collection

Data is collected:

  • For clear, legitimate purposes
  • Using fair and transparent methods
  • With appropriate consent or lawful basis

We aim to collect data at the right level of detail and avoid unnecessary duplication.

8. Data Quality

[Organisation Name] is committed to maintaining good data quality. This includes:

  • Clear definitions and standards
  • Routine checks for accuracy and completeness
  • Processes for correcting errors

Data quality issues should be reported to the relevant Data Owner.

9. Data Storage and Security

Data is stored securely using approved systems and tools. Controls include:

  • Role‑based access
  • Strong passwords and multi‑factor authentication where available
  • Regular backups
  • Secure disposal of data when no longer required

10. Data Sharing

Data is only shared:

  • Where there is a lawful basis
  • With appropriate safeguards in place
  • In line with data sharing agreements where required

Third‑party processors are assessed for compliance and security.

11. Data Retention and Disposal

Data is retained only for as long as necessary and in line with the organisation’s Data Retention Policy. When data is no longer required, it is securely deleted or destroyed.

12. Data Breaches and Incidents

All suspected or actual data breaches must be reported immediately in line with the organisation’s Data Breach Procedure. Appropriate action will be taken to assess, mitigate, and report incidents where required.

13. Training and Awareness

[Organisation Name] ensures that staff and volunteers receive appropriate training to understand their data responsibilities and maintain good data practices.

14. Review and Maintenance

This policy will be reviewed at least annually, or sooner if there are significant changes to legislation, systems, or organisational activities.

Approval

This Data Policy was approved by:

Name: ________________________
Role: ________________________
Date: ________________________

Scroll to Top