Incident Reporting Protocols for Charities: A Practical Guide | LegalDocuments.co.uk
We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.
If you run or sit on the board of a charity, incident reporting is one of those areas that tends to get overlooked until something goes wrong. By then, it's usually too late to build a decent process from scratch.
I've seen plenty of well-meaning charities scramble to piece together a report to the Charity Commission because no one thought through how incidents should be captured and escalated internally. This guide walks through what an incident reporting protocol actually needs to cover, the regulatory context in England and Wales, and how trustees can put something sensible in place without drowning in bureaucracy.
Whether you're a small community group with a handful of volunteers or a larger organisation with paid staff and multiple sites, the principles are much the same, the scale of the paperwork just shifts accordingly.
Overview
An incident reporting protocol is the internal framework a charity uses to capture, escalate, investigate and learn from events that affect its people, its work, or its standing. In the charity sector, 'incident' is a broad term. It covers safeguarding concerns, financial irregularities, data breaches, health and safety events, fraud, criminal activity, and situations that could damage public trust in the organisation.
The Charity Commission operates a separate regime called serious incident reporting, which sits on top of whatever internal process you run. Trustees have a duty to report serious incidents to the Commission promptly, and that duty doesn't go away just because the charity is small or volunteer-led.
A good protocol does three things at once: it tells staff and volunteers what to do when something happens, it gives trustees the information they need to make decisions, and it creates a documented trail if regulators, funders or insurers come asking questions later. Without it, charities tend to rely on individual judgment in the moment, which rarely ends well.
Key steps
- Map the incidents that are realistic for your charity. Start by listing the kinds of events that could plausibly occur given your activities, beneficiaries and operating environment. A homelessness charity will have a different risk profile to a heritage society or a grant-making foundation. Think about safeguarding, finance, data, reputation, staff and volunteer welfare, and operational disruption. This mapping exercise shapes everything that follows.
- Agree clear thresholds and definitions with your trustees. Vague definitions are the enemy of consistent reporting. Decide, as a board, what counts as a minor incident, a significant internal matter, and a serious incident that meets the Charity Commission's reporting threshold. Document those definitions with examples so that staff and volunteers aren't left guessing. The Commission publishes guidance on what it considers a serious incident, use that as your anchor point.
- Design a reporting route that people will actually use. If reporting an incident is awkward, slow or embarrassing, it won't happen. Create a simple form or online submission route, nominate a first point of contact (often the CEO or a designated trustee), and make sure there's a backup route for incidents involving that person. Confidentiality matters here, particularly for safeguarding and whistleblowing concerns.
- Set out who does what once a report comes in. Allocate responsibility for triage, investigation, communication with regulators, and communication with anyone affected. Trustees remain ultimately accountable, but day-to-day handling is often delegated. Make sure your protocol says when a matter must be escalated to the full board, and when it needs to be reported externally to the Charity Commission, the ICO, the police, the Fundraising Regulator, or a safeguarding authority.
- Record, review and learn from every incident. Keep a log of all reported incidents, the actions taken and the outcomes. Review the log at trustee meetings at an appropriate cadence, quarterly works for many charities. Look for patterns, near-misses and weaknesses in controls. A protocol that captures incidents but never learns from them is just paperwork; the point is to improve how the charity operates over time.
Common questions
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.
Common questions
Q What counts as a serious incident for Charity Commission purposes?
The Charity Commission describes a serious incident as an adverse event that results in, or risks, significant harm to beneficiaries, staff, volunteers or others who come into contact with the charity, significant loss of money or assets, damage to property, or harm to the charity's reputation. Safeguarding failures, fraud, terrorist links and significant data breaches are common examples. The Commission publishes current guidance setting out examples and reporting expectations.
Q Who within the charity is responsible for reporting a serious incident?
Ultimately, the trustees are responsible. In practice, reports are often submitted by the chair, CEO or a designated trustee on the board's behalf, but the duty sits with the trustees collectively. If you have delegated the day-to-day reporting function to a member of staff, that delegation should be clearly documented and the board should still see and approve reports before they are submitted where possible.
Q How quickly should a serious incident be reported?
The Commission's expectation is that serious incidents are reported promptly once the trustees become aware. There isn't a fixed number of days in the guidance, but unreasonable delay is itself a concern. The sensible approach is to report as soon as you have enough information to describe what happened, what the charity is doing about it, and what the potential impact is, rather than waiting for a full investigation to conclude.
Q Do small charities really need a written incident reporting protocol?
Yes, although the protocol should be proportionate to the size and complexity of the charity. Even a very small charity benefits from having a one-page document that sets out who to tell, what information to capture, and when trustees need to be involved. The Charity Commission expects all registered charities to have appropriate arrangements in place, and funders increasingly ask about this during due diligence.
Q What if an incident involves a trustee or senior staff member?
Your protocol needs to anticipate this. Build in an alternative reporting route so that concerns about a trustee, the chair or the CEO can be raised safely with another trustee or an independent person. Conflicts of interest should be managed carefully during any investigation, and in serious cases trustees may need to take external advice on how to handle matters involving one of their own number.
Q How does incident reporting interact with data protection obligations?
Incident records often contain personal data about staff, volunteers, beneficiaries or third parties. That data needs to be handled in line with UK GDPR and the Data Protection Act 2018, stored securely, accessed only by those who need to see it, and retained no longer than necessary. If an incident is itself a personal data breach, separate reporting obligations to the Information Commissioner's Office may apply, usually within 72 hours.
Q Can incident reports be used against the charity later?
They can be disclosed in litigation, regulatory investigations or freedom of information requests affecting public bodies, so they should be written factually and without speculation. That said, the value of a good reporting system far outweighs the risk. Regulators, courts and insurers generally take a more favourable view of charities that identified, recorded and addressed incidents than those that didn't.
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.
Sources
This guide is based on primary UK law and official guidance.
- Guidance · UK GovCharity Commission, Report a serious incident in your charitygov.uk
- Guidance · UK GovCharity Commission, Safeguarding duties for charity trusteesgov.uk
- Official SourceInformation Commissioner's Office, Personal data breachesico.org.uk
- Guidance · UK GovHealth and Safety Executive, RIDDORhse.gov.uk
- Guidance · UK GovCharity Commission, The essential trustee (CC3)gov.uk
Legal helpline
Unsure whether your charity needs to report?
Incident reporting sits at the awkward intersection of safeguarding, data protection, Charity Commission duties and plain common sense, and it isn't always obvious where the thresholds lie for your particular situation. An experienced legal adviser can help you think through what you're dealing with and what your options look like, based on what you describe on the call.
- Plain-English answers to your specific questions about incident reporting
- Practical perspective on whether the situation you describe may meet serious incident thresholds
- Guidance tailored to what you describe about your charity's circumstances
- A clearer sense of what to watch out for as trustees handle the matter
Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.