Guidance for charity trustees about serious incidents: how to spot them and how to report.
The responsibility to report
The Charity Commission requires charities to report serious incidents. If a serious incident takes place within your charity, it is important that there is prompt, full and frank disclosure to the Commission. You need to report what happened and, importantly, let the Commission know how you are dealing with it, even if you have also reported it to the police, donors or another regulator.
This guidance helps charity trustees identify serious incidents. It also explains how to report them and what to report.
What is a serious incident?
A serious incident is an adverse event, whether actual or alleged, which results in or risks significant:
- harm to your charity’s beneficiaries, staff, volunteers or others who come into contact with your charity through its work (who are collectively referred to throughout this guidance as people who come into contact with your charity through its work)
- loss of your charity’s money or assets
- damage to your charity’s property
- harm to your charity’s work or reputation
For the purposes of this guidance, “significant” means significant in the context of your charity, taking account of its staff, operations, finances and/or reputation.
Who should report?
The responsibility for reporting serious incidents rests with the charity’s trustees. In practice, this may be delegated to someone else within the charity, such as an employee or the charity’s professional advisers.
However, all trustees bear ultimate responsibility for ensuring their charity makes a report, and does so in a timely manner.
If you decide not to make a report about something serious that has happened in your charity and the Commission later becomes involved, you will need to be able to explain why you decided not to report it at the time.
Why must you tell the Commission?
Given the challenging nature of the work undertaken and the difficult context faced by many charities, the Commission understands that serious incidents will happen. When something serious happens, it is the Commission’s role to ensure that trustees comply with their legal duties and that the charity manages the incident responsibly. This means the Commission will be looking for assurance that the charity has taken steps to limit the immediate impact of the incident and, where possible, prevent it from happening again.
Most problems can be resolved by trustees themselves, in some cases with timely advice from professional advisers. Sometimes the Commission needs to use its powers to protect a charity. Taking action quickly will help protect your charity from further harm. Reporting also means the Commission can identify whether other charities might be affected, and can give better advice to all charities to help them protect themselves.
In more detail
Reporting serious incidents to the Commission has three main purposes, which enable it to meet its statutory objectives and functions:
The Commission needs to ensure trustees comply with their duties: By reporting a serious incident, you show that you have identified a risk to the charity that has materialised, and that the trustees are taking appropriate action to deal with it. This is very important because protecting the charity’s assets, reputation and people who come into contact with it through its work are essential trustee responsibilities. An incident is less likely to damage a charity’s reputation if trustees can show that they handled it well. If the media contact the Commission about an incident and it has been properly reported, we will be able to say that the trustees handled the situation responsibly and this will help protect the charity’s reputation. For detailed guidance on trustee duties, see The essential trustee: what you need to know, what you need to do (CC3)
The Commission may need to provide regulatory advice or guidance or use its statutory powers: Timely reporting allows the Commission to identify problems in charities at an early stage and, where appropriate, to provide regulatory advice and guidance to trustees. Any regulatory advice and guidance provided will normally be limited to ensuring the trustees meet their legal duties. In the most serious cases the Commission may need to use its statutory powers in order to protect the charity and put it back on track.
The Commission can assess the risk to other charities: Serious incident reporting helps the Commission to measure the volume and impact of incidents within charities, to identify trends and to understand the risks facing the sector as a whole. This insight helps the Commission to warn charities about risks and give trustees the information and tools they need to succeed.
When to report
You should report an actual or alleged incident promptly. This means as soon as is reasonably possible after it happens, or immediately after your charity becomes aware of it.
Whistleblowing – speaking out if you suspect wrongdoing
The serious incident reporting framework and this guidance is for trustees. If you’re an employee of a charity and you suspect serious wrongdoing within the organisation, for example criminal offences, malpractice/misconduct or health and safety breaches, you should usually raise this with your employers first, following the charity’s whistleblowing policy if it has one. If the charity fails to deal with your concerns appropriately or you continue to suspect serious wrongdoing, you can report this to the Commission – including anonymously if you wish to do so. In reporting your concerns to the Commission, you may be protected under the Public Interest Disclosure Act 1998. To find out more, read the Commission’s whistleblowing guidance.
Duties of auditors and independent examiners to report matters
If you’re an auditor or independent examiner of charity accounts, there are separate duties to report certain matters and related protections. For more information, read the Commission’s guidance on reporting matters of material significance and reporting relevant matters of interest to UK charity regulators.
What to report
This section tells you what types of incident the Commission expects you to report and outlines the different authorities or agencies that may be involved. When making your report, you should follow the advice below.
You should report an incident if it results in, or risks, significant:
- harm to people who come into contact with your charity through its work
- loss of your charity’s money or assets
- damage to your charity’s property
- harm to your charity’s work or reputation
The main categories of reportable incident are:
- protecting people and safeguarding incidents – incidents that have resulted in or risk significant harm to beneficiaries and other people who come into contact with the charity through its work
- financial crimes – fraud, theft, cyber-crime and money laundering
- large donations from an unknown or unverifiable source, or suspicious financial activity using the charity’s funds
- other significant financial loss
- links to terrorism or extremism, including ‘proscribed’ (or banned) organisations, individuals subject to an asset freeze, or kidnapping of staff
- other significant incidents, such as – insolvency, forced withdrawal of banking services without an alternative, significant data breaches/losses or incidents involving partners that materially affect the charity
It is the responsibility of the charity trustees to decide whether an incident is significant and should be reported. To help, there is guidance below in relation to each of the categories and an Examples Table.
The Examples Table is not a definitive list of reportable incidents but indicates the types of incidents that should and shouldn’t be reported. The trustees may also find the Commission’s guidance on decision making helpful when deciding whether to report an incident.
The trustees may delegate responsibility for deciding which incidents should be reported to others within the charity, such as employees. However decisions made by others in the charity should be reported back to trustees (particularly where incidents were ‘borderline’ and making a report was considered but it was decided not to make one).
Reporting criminal activity
If a reportable incident involves actual or alleged criminal activity then you must also report it to the relevant agencies:
- safeguarding incidents: you should report allegations or incidents of abuse or mistreatment of people who come into contact with your charity through its work to:
- the police and obtain a crime reference number (call 101 or make a report at a local police station), and
- the local authority and other relevant agencies, see Protecting people and safeguarding incidents below
- fraud and cyber-crime: you should report allegations or incidents of fraud and cyber-crime to Action Fraud via its online reporting tool, ensuring you obtain a crime reference number and making clear that you’re representing a charity.
- theft: you should report allegations or incidents of theft to the police (call 101 or make a report at a local police station) and obtain a crime reference number
- links to terrorism and extremism: you should report links or alleged links to terrorism and extremism to the police and obtain a crime reference number. If you don’t do this immediately, you may be committing a criminal offence under Section 19 of the Terrorism Act 2000. You can report this type of incident to the police in the following ways:
- via the National Crime Agency website
- call the Metropolitan Police Anti-Terrorist Hotline on 0800 789 321
- call 101 or report it at a local police station
- criminal activity overseas: you should usually report any actual or alleged criminal activity that takes place overseas to local law enforcement authorities and/or safeguarding organisations in the location where this occurred. There may also be circumstances where it is necessary to report this to UK authorities. For further guidance on this, please see the Commission’s guidance on criminal reporting.
An incident that involves actual or alleged criminal activity will usually be reportable to the Commission. Only in exceptional circumstances, such as where the crime and the impact on the charity are minor for example one-off theft of a very small amount of money, will the Commission consider an incident involving criminal activity is not reportable.
Even when other agencies are involved, it is important that charities report the incident promptly to the Commission themselves and do not wait until someone is arrested, charged or convicted before doing this. Always tell us what action you have taken or are planning to take at the time of reporting.
Remember – if reporting to the police, Action Fraud or the National Crime Agency, you should also make a serious incident report to the Commission, following the advice below.
Protecting people and safeguarding incidents
Protecting people and safeguarding responsibilities should be a key governance priority for all charities, regardless of size, type or income, not just those working with children or groups traditionally considered at risk. A charity should be a safe and trusted environment and trustees must take reasonable steps to protect the people who come into contact with their charity through its work from harm. These people include:
- the charity’s beneficiaries, including adults at risk and children
- the charity’s staff and volunteers
It may also include other people who come into contact with the charity through its work. This might be, for example, people who attend an event run by the charity who are not beneficiaries, staff or volunteers.
In some instances, charities may have a specific duty of care for certain people that come into contact with them through their work. However, even if a charity does not have a duty of care in relation to those who come into contact with it through its work, its trustees may still need to think about whether or not certain steps need to be taken to address a risk of harm to these people. The steps that need to be taken, if any, will depend on the nature of the charity’s work and who it comes into contact with.
For those charities providing activities and services to children or adults at risk, the term safeguarding has a particular meaning under UK legislation and practice guidance and may require reporting of incidents to statutory safeguarding agencies.
However, for the purposes of charity law and reporting obligations to the Commission as regulator, the Commission uses the term safeguarding as the range of measures in place to protect the people who come into contact with charities through their work from abuse and mistreatment of any kind (including neglect).
Failure by trustees to sufficiently manage safeguarding risks is of serious regulatory concern to the Commission and may be considered to be misconduct and/or mismanagement. It can also damage public trust and confidence in charities and impact upon the sector as a whole.
For further information about trustee duties in relation to safeguarding, you should read the Commission’s guidance Safeguarding and protecting people for charities and trustees.
Types of safeguarding incident to report
You need to make a report to the Commission if a serious safeguarding risk materialises. This will usually be if any of the following occur:
- incidents of abuse or mistreatment (alleged or actual) of beneficiaries of the charity (adults or children) which have resulted in or risk significant harm to them and:
- this happened while they were under the care of the charity
- someone connected with the charity, for example a trustee, staff member or volunteer, was responsible for the abuse or mistreatment (alleged or actual)
- other incidents of abuse or mistreatment (alleged or actual) of people who come into contact with the charity through its work, which have resulted in or risk significant harm to them and are connected to the charity’s activities
- breaches of procedures or policies at the charity which have put people who come into contact with it through its work at significant risk of harm, including failure to carry out relevant vetting checks which would have identified that a person is disqualified in law from holding their position within the charity. This might be, for example, because they are disqualified under safeguarding legislation from working with children and/or adults at risk
The above may include incidents in the workplace that have resulted in or risk significant harm to trustees, staff or volunteers. This does not mean that the Commission expects charities to report every internal staffing incident - charities need to make a judgement call about which incidents either individually, or as a collection, are serious in the context of the charity.
However, a report should always be made where the level of harm to the victims and/or the likely damage to the reputation of or public trust in the charity is particularly high (for example, sexual misconduct by the charity’s Chief Executive or another person in a senior position or position of specific responsibility, such as the head of safeguarding). The Commission would also expect to receive a report if the number and nature of staffing incidents indicate there are widespread or systematic issues connected to sexual harassment, abuse and/or other misconduct in a charity. The Examples Table contains some examples of the types of workplace incidents that should be reported.
If you have grounds to suspect that one of the types of incident listed above has occurred, it’s important to act responsibly and take action promptly: As well as reporting to the Commission, depending on the nature of the incident, you should also notify the police (see earlier in this section), the local authority and/or the relevant regulator or statutory agency.
The Commission’s role in relation to safeguarding incidents
The Commission’s role is to ensure the charity’s trustees are handling the incident appropriately and, where necessary, putting in place improved governance and internal controls, in order to prevent further harm.
The Commission is not responsible for dealing with incidents of actual abuse or mistreatment and it does not administer safeguarding legislation. It cannot prosecute or bring criminal proceedings, although it may refer concerns on to ‘lead agencies’, such as the police, local authorities and the Disclosure and Barring Service (DBS), as well as to specialist bodies responsible for designated areas, such as education or health and social care.
Safeguarding incidents that occur outside of the charity
Sometimes charities will become aware of safeguarding incidents that have occurred outside of the charity. This might be, for example, where:
the charity undertakes specialist work (in line with its charitable purposes) in providing safeguarding services and, as a result, deals routinely with safeguarding incidents that occur outside of the charity
the charity is alerted to alleged abuse of a beneficiary, staff member, volunteer or someone else who it comes into contact with through its work, which has occurred outside of the charity and:
the abuse was not connected to its activities in any way
the person responsible for the abuse was not a trustee, staff member or volunteer
If your charity becomes aware of such incidents, you would not normally be expected to report them to the Commission. However, you would be expected to do so if it’s found (or alleged) that the incident wasn’t handled appropriately by your charity and this resulted in harm to the person or persons concerned. In such circumstances, a report should also be made to the police and local authority.
Reporting safeguarding incidents to other regulators
Charities that carry out particular activities, such as providing care or education services, may also be accountable to other regulators and may be required to report safeguarding incidents to them as well as to the Commission. It’s important that these charities know what the different requirements are for each regulator and ensure they comply with these. You should let the Commission know which other agencies you have reported an incident to when you submit a report.
Financial crime: fraud, theft, cyber-crime and money laundering
Fraud, theft and cyber-crime are different criminal offences. They may relate not just to a charity’s funds and financial assets, but also to other assets, such as databases and confidential or sensitive information. The impact on a charity can be significant, going beyond financial loss. These crimes cause distress to trustees, staff, volunteers and beneficiaries; they may also bring adverse publicity to the charity and damage its good reputation with donors, beneficiaries and the public, as well as that of the charity sector more generally.
The main categories of reportable financial crimes are defined below:
- Fraud is dishonesty, involving either false representation, for example ‘identity fraud’, failing to disclose information, or abuse of position, undertaken in order to make a gain or cause loss to another
- Theft is dishonestly taking property belonging to another with the intention of permanently depriving the other of it
- Cyber crime is any criminal act involving computers and networks. These crimes can be quite complex and difficult to detect, often involving data breaches or identity fraud. It’s important to consider how best to protect your charity from harm online. Read more detailed advice on guarding against cyber-crime and how to become accredited under the government‘s Cyber Essentials Scheme
- ‘Money Laundering’ is the term used where criminals turn the proceeds of crime (‘dirty’ money) into property or money (‘clean’ funds) so that they seem lawful and legitimate - this avoids suspicion or detection. Unfortunately, the good reputation and public confidence enjoyed by a charity can also make it a target for criminals looking for a safe ‘hiding place’ for illegitimate funds. You can substantially reduce the risks of your charity being used as a vehicle for money laundering by following the due diligence ’know your donor’ principles set out in Chapter 2 of the Commission’s Compliance Toolkit
If you are reporting fraud or theft then you may find it helpful to refer to the Commission’s Fraud and Theft Reporting Checklist
There is no minimum loss figure that should be reported – you need to decide whether incidents are serious enough to report, in the context of your charity and its income, taking account of the actual harm and potential risks posed.
However, the higher the value of the loss, the more serious the incident is likely to be, indicating it should be reported. Other factors that are likely to indicate seriousness include:
- where the person accused of taking the funds/assets is involved in the charity, particularly if he/she holds a senior position, for example CEO or has responsibility for financial management, Treasurer on board of trustees etc
- where the person accused is involved with other charities
- numerous incidents have taken place that appear connected, indicating a pattern or trend
- a single incident has been committed repeatedly over a long period of time
- a number of separate incidents have occurred over a short period of time
- the funds lost/at risk are from a public appeal, collection or grant funding
- where there are signs of public interest, such as significant media reporting
- where the charity has had to take serious action against an individual, such as disciplinary action, investigation or suspension
Be aware that ‘low value’ incidents can pose serious risks - they may be a sign that individuals are trying to avoid detection. Repeated or frequent incidents can be symptomatic of weak financial controls and poor governance, leaving a charity more vulnerable to fraud, theft or cyber-crime. Therefore, if there have been repeated incidents of low value fraud, theft or cyber-crime in your charity, the Commission would expect you to report this.
For some charities, due to the nature of their activities, for example shops or trading outlets, the risk of incurring loss or being the victim of crime is higher. If your charity relies on cash-based fund raising, it may be more vulnerable to organised fraudsters, who can take advantage of the trust and honesty shown by trustees, staff or volunteers. For advice on protecting your charity from fraud and financial crime, see Chapter 3 of the Commission’s Compliance Toolkit. There is also helpful guidance on fraud prevention and a comprehensive A to Z of fraud types on the Action Fraud website.
If you decide that an incident is not serious enough to report, it’s still important that you handle the situation appropriately and take reasonable steps, perhaps by tightening financial controls and procedures, to ensure it doesn’t happen again. For further advice on improving your charity’s financial controls see Internal financial controls for charities (CC8).
Unverified or suspicious donations
While the vast majority of donations to charities will be made in good faith, charities can be abused by donors in a number of ways. Examples of this include money laundering but may also include use of donations to dispose of the proceeds of crime or to avoid/evade tax.
You should act with due diligence and be mindful of donations to your charity from sources that cannot be verified, or you may be in breach of your duties under the Finance Act 2011. This means you need to ensure appropriate checks are made before accepting any unverified, anonymous or suspicious donations. You will also need to keep records of substantial donors and transactions, in order to avoid a tax liability.
Be alert to unusual donor activity, such as a large, one-off donation or a series of smaller donations from an unfamiliar, unverified or anonymous source; donations may take forms other than money, for example shares or goods.
As a guide, trustees should report unverified or suspicious donations totalling £25,000 or more, providing the assurance outlined above that appropriate checks have been made before accepting/declining the donation.
However, remember that in the case of incidents under £25,000, you should use your own judgement to decide whether it’s serious enough to report, taking into account all the relevant factors.
For more information on donations and verification, see Chapter 2 of the Commission’s Compliance Toolkit: due diligence, monitoring and verifying the end use of charitable funds.
You should also report if you are concerned about other suspicious financial activity connected to the charity’s funds. This might include requests from third parties to:
- cash a cheque for a large sum of money
- convert large quantities of cash into another currency
- pay a fee to release funds to be donated to the charity
Other significant financial loss
You should report any significant financial loss due to other causes, where this threatens the charity’s ability to operate and serve its beneficiaries, or where the charity’s financial reserves are not sufficient to cover the loss. For example:
- significant fire, flood or storm damage destroying or seriously damaging the charity’s main premises
- having to abandon property, for example in a war zone overseas
- losing a court case and having to pay substantial legal fees or damages out of charity funds; charities incurring costs through routine litigation, undertaken in line with charitable aims and on behalf of beneficiaries, are not expected to report
- loss of significant institutional donors, public funding or key delivery contracts that threatens the charity’s ability to operate and being unable to replace these in order to ensure the charity’s survival
- significant financial penalties for breaches or non-compliance imposed by HMRC, Financial Conduct Authority, HSE, ICO, Fundraising Regulator or other regulators
In the most serious cases, the loss could mean your charity cannot continue to operate and may need to ‘wind up’.
For guidance on how to protect your charity, see Managing a charity’s finances (CC12) and Charity governance, finance and resilience: 15 questions trustees should ask.
As a guide for this type of incident, the Commission would expect you to report any loss of funds or property with a value:
- totalling £25,000 or more, or
- totalling less than £25,000 but which is in excess of 20% of the charity’s income
For amounts lower than the above, you should decide if they are significant and should be reported, taking the charity’s income, work and other factors into account. For example, damage to the charity’s main premises might be valued at less than £25,000 or 20% of the charity’s income but it might prevent the charity from delivering vital services to beneficiaries so may be reportable.
You don’t need to report financial loss such as a decrease in the value of investment funds, impairments, asset write-downs, pension deficits and bad debts, unless they pose a significant threat to the solvency of the charity. Remember, when reporting to the Commission, you should state what happened, the nature of the risk and the steps you’re taking to deal with the incident.
Links to terrorism and extremism
These types of incidents include discovering that someone within or connected to the charity does business with, or has links to, terrorist groups, or is subject to an asset freeze; also, where property has been stolen by terrorist groups, or charity money, personnel or other assets used to support terrorist activities.
You should report to the Commission if you become aware of allegations being made, or have evidence to suspect that:
- your charity (including trustees, members of staff, volunteers or anyone connected with the charity) has known or alleged links to a proscribed (banned) organisation or other terrorist/ unlawful activity
- someone within or closely connected to the charity, or one of your delivery partners, is placed on a UK or international terrorist list or is subject to an asset freeze
- charity funds or assets have been used to pay bribes, protection money or ransoms
- charity funds or assets have been used/ diverted (perhaps via a delivery partner) to support a terrorist group or for other terrorist purposes
- the charity has been used to circumvent asset freezing measures
- charity personnel have been kidnapped or harmed by terrorist groups, including overseas, when representing the charity or carrying out charity work
For more information about how to protect your charity from terrorist activity, see chapter 1 of the Commission’s Compliance Toolkit, protecting charities from harm.
You can find a list of proscribed (banned) organisations on GOV.UK.
You should also be aware of the risks to your charity of being abused for extremist purposes; for example, when carrying out activities and events involving guest speakers or when promoting literature and educational materials, perhaps via the charity’s website and on social media. You should report to the Commission if:
you know or suspect that your charity’s premises, or any of the activities that your charity runs, have been misused as a platform for the expression or promotion of extremist views, or the distribution of extremist materials
you become aware of media reports alleging that your charity has been misused for such purposes, particularly if you believe these could have a significant negative impact upon your charity’s reputation
For detailed advice about protecting your charity from extremism and what extremism means, see chapter 5 of the Commission’s Compliance Toolkit
Other significant incidents
You should make a report to the Commission if:
- you discover that a trustee or a senior manager of the charity is disqualified in law from holding that position; for example, because they have an unspent conviction for fraud or theft, they are an undischarged bankrupt, they are on the sex offenders register or are disqualified as a director under company law. For an explanation of when a person is disqualified from acting as a trustee or senior manager, see the Commission’s guidance on the automatic disqualification rules
- something has happened to force your charity into insolvency or to wind up, for example unmanageable debts or reduced income streams
- your charity’s operations are threatened because your main or only bank has withdrawn banking services, and you can’t find another bank that will accept you
- your charity is subject to a police investigation or a significant investigation by another agency/regulator. You do not need to report routine inspections by, for example, Ofsted, Care Quality Commission or Care Inspectorate Wales, unless they have resulted in significant adverse findings that:
- place the future of the charity in doubt, or
- are likely to damage the charity’s reputation or public confidence in the charity, or
- relate to any of the other categories of serious incidents set out in this guidance
- your charity has experienced major governance problems, such as mass resignation of staff or trustees, or other events, leaving it unable to operate
- your charity’s trustees or employees are the subject of criminal proceedings, in connection with the charity or their role in it
- you discover that there has been a significant data breach or loss within your charity
you discover that an incident has occurred involving one of the charity’s partners in the UK or internationally, which materially affects your charity, its staff, operations, finances and/or reputation, such that it is serious enough to be reported. Partners in this context includes the following and the people who come into contact with them through their work (such as their beneficiaries, staff and volunteers):
- a delivery partner of the charity
- a subsidiary trading company of the charity
- an organisation that receives funding from the charity
- another charity or organisation that is linked to your charity, for example as part of a federated structure
For further information on reporting incidents involving partners, see the Commission’s guidance on safeguarding and working with partners to be published in due course.
How to report
This section explains how to report a serious incident in your charity.
Action to take
If something does go wrong, you should take immediate action to:
- prevent or minimise any further harm, loss or damage
- report it to the Commission as a serious incident
- report it to the police (and/or other relevant agencies) if you suspect a crime has been committed, and to any other regulators the charity is accountable to
- plan what to say to your staff, volunteers, members, the public, the media and other stakeholders, such as funders
- review what happened and prevent it from happening again – this may include reviewing internal controls and procedures, internal or external investigation and/or seeking appropriate help from professional advisers
Use the ‘Report a serious incident’ online form to report serious incidents to the Commission
You should report what happened and explain how you’re dealing with it, even if you have already reported it to the police or another regulator.
If you’re reporting the incident as a trustee, you need to confirm that you have authority to report on behalf of the trustee body. If you’re not a trustee, you should explain who you are, your relationship with the charity and confirm that you have the authority of the trustees to report the incident.
There may be circumstances where a serious incident occurs involving more than one charity and the incident should be reported by each of those charities. This might be, for example, where the incident materially affects a number of charities in a federated structure or involves an activity funded by more than one charity. In these cases, the charities can agree for one of the charities to make the report on behalf of all of them, provided that they:
- make it clear to the Commission that they have the authority to do this, and
- tell us about the action that each of the charities are taking in response to the incident
When making a serious incident report, you’ll need to provide the following information.
Contact details, including:
- your own contact details
- the charity name and, if it’s registered, its registration number
- reference numbers and contact details if you’ve reported it to other organisations, like the police
- names and registration numbers of other charities involved in the incident, if relevant
You’ll also need details of the incident, including:
- date of the incident
- what happened
- date the charity found out about the incident
- how the charity found out about the incident
- what impact the incident has had on the charity’s beneficiaries, finances, staff, operations or reputation
- whether trustees are aware of the incident
You’ll also need details of how your charity is handling the incident, including:
- which of the charity’s policies or procedures relate to the incident and whether they were followed
- what steps the charity has taken to deal with the incident
- what steps the charity has taken to prevent similar incidents
- where applicable, the charity’s media handling or press lines, including a link to a press release if available
It’s important that you provide enough detail in your report to give the Commission a clear picture of what happened and when, the extent of any loss or harm, how you’re dealing with it and the possible next steps. It is not necessary to provide the names or any other personal details of any individuals involved in the incident in your initial report – the Commission will come back to you if it needs this information. Please read Data protection, confidentiality and data sharing below before submitting your report.
If you need to update your report
If, having submitted a report to the Commission, you become aware of any material changes to the facts that were reported, or any other significant developments, it’s important that you let the Commission know as soon as you become aware of these. This includes letting us know if individuals who were alleged to be responsible for wrongdoing are exonerated or the allegation was found to be false or groundless following further investigation by the charity, the police or another regulator/agency.
Use the same form to provide an update on a report you submitted. You’ll need your:
- contact details
- incident reference number from your confirmation email
What happens next?
The Commission will let you know that it has received your report. You’ll receive an incident reference number in your confirmation email. You’ll need this number if you want to make an update to your report.
It will assess the nature and level of any risks and look at how you’re dealing with the incident, and may take steps to verify the details, for example by contacting the police. Once the Commission has completed this assessment, it will let you know the outcome. It may come back to you first if it:
- needs more information about the incident
- considers your charity needs regulatory advice and guidance
- has to use its legal powers to protect your charity and/or the people who come into contact with your charity through its work
- requires you to provide future, timely updates, for example on the outcome of an investigation
- needs to monitor your progress in dealing with the incident
The Commission’s Regulatory and Risk Framework explains in more detail how it assesses risk and when it may become involved in charities.
Reporting multiple incidents
The Commission recognises that some incidents may occur more frequently within certain charities because of the scope and/or nature of their activities, or the size of the organisation. For instance:
- a charity may be more vulnerable to fraud if it undertakes a lot of complex financial trading
- where a charity is running services for children or adults at risk, there may be more allegations or incidents involving safeguarding failures
- where charities work overseas (particularly in high risk areas), they may be more vulnerable to harm and loss
In such instances, you can request the Commission’s permission to submit multiple reports. The Commission may agree to multiple reporting, provided that:
- the Commission is satisfied that the charity has appropriate policies and procedures, and mechanisms for the application of those policies/procedures, in place to deal with serious incidents
- particularly serious or significant incidents are reported straight away and separately
If the Commission agrees that your charity can submit regular multiple (‘bulk’) reports, you can submit these periodically rather than by making separate (‘single’) reports for each incident. Many larger and well established charities have accounting and audit systems in place for periodic reporting to their own boards. It may be possible for these reports to be used or adapted for the Commission, so long as they include the information outlined in section above, Action to take.
If you choose to submit a bulk report in this way, you should be confident that each incident listed is serious enough to report. You should also provide sufficient detail about each incident and the action taken to deal with it. The Commission may have to contact you for more information, and possibly to issue timely guidance, if the relevant and appropriate information is not provided.
Examples of particularly serious or significant incidents that should be reported straight away and not saved for a bulk report include the following:
- incidents that attract significant media attention that results in or risks significant harm to the charity’s reputation
- incidents involving a significant live and ongoing risk to the charity’s operations, money, assets, property or the people who come into contact with it through its work
- incidents that involve links to terrorism and extremism
If, after reading this guidance, you would like to start submitting bulk reports or you are unsure of the triggers for making a single report, you can get in touch with the Commission for more information via the Commission’s enquiry form.
Declaration in the annual return
As a matter of good practice, all charities, regardless of size or income, should report serious incidents to the Commission promptly.
If your charity’s income is over £25,000, you must, as part of the annual return, sign a declaration confirming there were no serious incidents during the previous financial year that should have been reported to the Commission but were not. If incidents did occur, but weren’t reported at the time, you should submit these before you file your charity’s Annual Return, so you can make the declaration.
Until all serious incidents have been reported, you will not be able to make this declaration, or complete the annual return, which is a statutory requirement under section 169 of the Charities Act 2011. It’s an offence under section 60 of the Charities Act 2011 to provide false or misleading information to the Commission, which includes through the annual return.
If trustees fail to report a serious incident that subsequently comes to light, the Commission may consider this to be mismanagement, for example where the trustees have failed to manage the risks properly and breached their legal duties. This may prompt regulatory action, particularly if further abuse or damage has arisen following the initial incident.
Data protection, confidentiality and data sharing
When you submit a serious incident report the Commission asks you to provide the following personal data:
- your name, telephone number, email address and your connection with the charity so that the Commission can contact you for clarification or further information if required (the Commission also needs a record of the person submitting the report on behalf of the charity)
- the name, date of birth and address of any trustees of the charity who are disqualified and the reason for disqualification so that the Commission can verify the information, assess any risks to other charities and determine whether any regulatory action is required
- where you have reported the serious incident to another regulator/agency, the name and contact details of your contact at that regulator/agency so that the Commission can contact them for more information if required and, in some cases, coordinate the response
The Commission does not otherwise require you to provide your or any third party’s personal data and no further personal data should be provided unless an incident cannot be reported without you doing so. If you do need to provide personal data, we ask that you limit the personal data you provide to the minimum amount necessary to submit your report.
The Commission will contact you to ask you for additional information or data if we consider it is necessary for us to have it.
The Information Commissioner’s Office sets out in its guidance what personal data is.
If you do provide personal data, the Charity Commission’s main privacy notice and its privacy notice for the Report a Serious Incident form explain how it processes information including information received in serious incident reports.
The Commission processes special categories of personal data and criminal conviction data in accordance with its respective policies.
Even where the Commission decides not to take immediate action in response to a report, it may store the information and process it in the future.
The Commission appreciates that the information provided when a charity reports a serious incident may be confidential or sensitive. However, the Commission often considers that sharing information is necessary in order to further its statutory functions and objectives and, in some cases, the Commission is required to share information by law. The Commission does not therefore routinely guarantee information provided will be kept confidential.
If the information you provide (or wish to provide) is particularly sensitive or confidential or if you feel a particular exemption applies, you should tell the Commission and explain why this is so.
You can read more about information sharing, how the Commission fulfills its obligations under data protection law and your rights in respect of personal data in our main privacy notice.