Data privacy and fundraising

A guide to help you meet the Code of Fundraising Practice when you are using personal data in your fundraising

This guide is not legal advice; it is non-exhaustive and relates to data privacy when carrying out fundraising. It will help you comply with the Code of Fundraising Practice. If you are processing personal data for charitable fundraising purposes, you must follow the guidance provided by the Information Commissioner’s Office (ICO) and the applicable law.

Where we say ‘you’ or ‘your’ in this guide, it means a charitable fundraising institution and/or its trustees, a paid third-party fundraiser or commercial partner.

You may also find it helpful to read some of our other guides together with this one, including Documenting your fundraising decisions, Monitoring your fundraising partners, Due diligence and fundraising, and Donors in vulnerable circumstances. If your fundraising involves engaging with supporters and donors online also see our guides to Fundraising on social media and Online gaming and fundraising.

Contact the Code Advice Service with any enquiries about this guide and the Code of Fundraising Practice. 

Introduction

See more in the code, including rules: 1.1.1 and 2.1.1

This is a guide to data privacy to help you comply with the Code of Fundraising Practice (the code). All charitable fundraising organisations and third-party fundraisers must comply with code rule 1.1.1 as follows: 

“Your fundraising must be legal, open, honest and respectful”.

Whenever you use someone’s personal data for fundraising purposes or carry out electronic marketing relating to your fundraising activity, with or without using someone’s personal data, privacy legislation is likely to apply. This means you must comply with the following legislation, as it applies to you:

  • the UK General Data Protection Regulation (UK GDPR);
  • the Data Protection Act 2018; and
  • the Privacy and Electronic Communications Regulations 2003 (PECR).

All three pieces of legislation were amended by the Data (Use and Access) Act 2025. As a consequence, for example, UK GDPR now includes ‘recognised legitimate interest’ as an additional lawful basis for processing personal data and PECR includes the ‘charitable purposes soft opt-in’ option for electronic direct marketing.

You must also meet any other legal and regulatory requirements that apply to your fundraising. If you fail to do so, you will be acting unlawfully and be in breach of the code. It is your responsibility to ensure you follow the requirements that apply to you, even if they are not covered in this guide.

The Information Commissioner’s Office (ICO) is the regulator of data privacy and information rights in the UK. This guide signposts you to some of the ICO’s key guidance material. You should follow their guidance whenever it applies to you even if it is not covered in this guide. 

Processing personal data for fundraising

See more in the code including rules: 2.1.1, 2.1.5, 3.5.1, 6.2.3, 12.1.1 and section 8

Every organisation, whether large or small, that processes personal data must comply with the UK General Data Protection Regulation (UK GDPR). It is your responsibility to have the right policies and procedures in place. This ensures you are protecting people’s data rights and privacy, meeting the law, and complying with the code.

Processing personal data in fundraising

Charitable fundraising organisations might process personal data in a range of ways, including for example:

  • Promoting the charity’s work to named individuals by email, phone, text, direct social media message, or post.
  • Carrying out research, for example when identifying individuals who might support your charity’s objectives or getting feedback about fundraising.
  • Making grant applications to Trusts and Foundations.
  • Storing personal data, for example when holding any records of directly or indirectly identifiable supporters and donors, contractors, volunteers, or beneficiaries.
  • Communicating with fundraising staff and volunteers.
  • Engaging with individuals that you are supporting to make a Will or communicating with Executors of a Will.

Whenever you process personal data, you must do so fairly and lawfully. You must also keep the data secure. This applies whether it is stored in an electronic filing system, such as in an online database or in a spreadsheet, or stored in a paper-based filing system. Take steps to regularly ensure it is accurate and up to date.

When processing personal data, you should first consider some important questions. These are:

  • Why do you want to process the personal data?
  • How will you demonstrate that the personal data has been processed lawfully?

If you can reasonably achieve the same purpose without processing personal data, you should do so instead.

Example: Your on-behalf-of fundraising volunteers are hosting a stall at a summer fete to promote your charity and carry out a cash donations collection. While there, a cash donor asks one of the volunteers a simple question about your charity which can be easily and accurately answered there and then. There is no need to record the person’s contact details to provide a reply to them by email later. In this case it is not necessary to collect personal data to respond to the person’s question.

Key definitions 

There are some important legal terms to understand when processing personal data. When we use them in this guide they have the same meaning as in law.

These include: 

  • Personal data: This is any data relating to a living individual who can be directly or indirectly identified from it. See more from the ICO on recognising personal data.
  • Processing personal data: This means doing something with personal data, held in a digital or physical filing system, from which an individual can be directly or indirectly identified. See more from the ICO about processing personal data in accordance with the law.
  • Special category data: Some personal data requires extra protection and can only be processed in certain circumstances, in accordance with UK GDPR. You must know what special category data is, how to store and process it, and make sure you are only doing so when the law allows. See more from the ICO on special category data.
  • Data controller: a data controller is a person or organisation that decides the purposes and means of processing personal data. When you are a data controller you will need to follow the law as it applies to you. To help you identify whether you are a data controller, see the ICO’s checklist.

Data relating to any deceased person, such as someone who has died and left a legacy to your charity, is not personal data and falls outside the scope of UK GDPR. Be aware, however, that you may still have a common law duty of confidentiality towards a person even after they have died. Any parties to the estate of a deceased person, including beneficiaries or executors of a Will; someone who intends to leave a legacy to your charity but is not yet deceased; and any other relevant living person, do come within the scope of UK GDPR.

Lawful bases for processing personal data

See more in the code including rules: 2.1.5, 2.1.6, 5.1.3, 6.2.3, 12.1.1 and section 8 

When you carry out fundraising involving processing someone’s personal data, it must be done fairly, lawfully, transparently and by respecting their privacy rights in accordance with UK GDPR and the Data Protection Act 2018. Additionally, if you are using personal data to carry out fundraising direct electronic marketing (or for any other direct electronic marketing purpose) you must comply with the Privacy and Electronic Communications Regulations 2003.

Under UK GDPR, charities can process personal data for fundraising purposes but must only do so if they have a lawful basis and there is no alternative way of achieving the same outcome without processing the personal data.

There are six lawful bases for processing personal data set out in UK GDPR. No single lawful basis is better or more important than another. You must decide which one to use before you start processing personal data as appropriate to the task and your relationship to the person whose data you would be processing.

Lawful bases

  • Consent: where a person freely agrees to you processing their personal data for a specific purpose or purposes.
  • Contract: it is necessary to process the personal data in order to fulfil a contract.
  • Legal obligation: the processing of the personal data is necessary to comply with the law (excluding contractual obligations).
  • Vital interests: the processing of the personal data is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing of a person’s personal data is necessary for your legitimate interests or the legitimate interests of a third party, unless the person’s interests or rights and freedoms override yours. You should carry out and document a legitimate interest assessment before choosing this lawful basis.
  • Recognised legitimate interests: a pre-approved list of specified ‘public interest’ legitimate interests, including those relating to national security and to safeguarding, is set out in UK GDPR. A legitimate interests assessment is not required when using this lawful basis.

Find out more from the ICO about the lawful basis for processing personal data.

You might have different purposes for processing data. One purpose, for example, could be fundraising marketing or communicating with on-behalf-of fundraising volunteers. Another might be registering donors for Gift Aid. Under UK GDPR, each purpose might have a different lawful basis or the same one; it will depend on your purposes and your relationship with the person. However, any single purpose for processing personal data must only have one lawful basis, and you cannot change it later.

You must also include each of the lawful bases you use or are likely to use in your privacy notice. This will enable you to be transparent with people about how you will or might process their data. 

Fundraising and lawful basis

See more in the code, including rules 2.1.1, 2.1.6, 5.1.3 and section 8

The most common and relevant lawful bases when processing personal data to carry out fundraising are likely to be consent, legitimate interest or contract. Be aware however that your circumstances may differ and another lawful basis may apply. 

Consent

To use consent as a lawful basis for processing personal data, you must obtain a positive 'opt-in' from the person whose data you will be processing. This must be obtained separately from any terms and conditions that are entered into. Your means of seeking consent must be prominent, concise and unambiguous. Consent is only valid if it meets the following requirement:

"Consent must be freely given. This means giving people genuine choice and control over how you use [their] data".

The length of time that consent remains valid will depend on the circumstances. 

You should only seek consent from a person to process their data if that is the most appropriate lawful basis in the circumstances. Sometimes it will be appropriate and other times it won't. 

Consent must always be a real choice for the person. Appearing to give someone a choice to consent or not and then using another lawful basis to process their data anyway would not be a real choice. You must not ask for consent if you intend to process their data anyway using a different lawful basis. To do so would be unfair and misleading. 

If you have sought consent as your basis for contact with a person and not received it, it also means that legitimate interest (see below) may be more difficult to show as a lawful basis for subsequent communication. Your legitimate interests assessment will need to take into account that consent was previously sought but not given by the individual.

If someone has previously given consent and later withdraws it, then, depending on the circumstances, you may not be able to legally contact them again.

See more information from the ICO about consent as a lawful basis.

Legitimate interest

Sometimes it may not be practical to use consent as the lawful basis. This might be because it would not be feasible to obtain consent from each person whose data you need to process up front, for example.

Where legitimate interest is your basis for processing personal data you need to:

  • Show you have considered the individual’s interests against your own by carrying out a legitimate interest assessment.
  • Let the person know that you are processing their data and for what purpose. This could be set out in a data privacy policy you have published on your website or made available to them in other ways, such as sending them a hard copy in the post. You should provide a link to it in your correspondence or signpost to it whenever you contact the person.
  • Offer the person the opportunity to opt out of further communication every time you contact them. 

Contract

If you have a contract with a person where you need to process their personal data so you can comply with contractual obligations, your lawful basis for processing their data is likely to be 'contract'.

Example: The 'contract' lawful basis could apply where someone has entered into an agreement with you to participate in an extreme charity fundraising challenge event that you are directly organising. You need to inform each participant about safety and travel arrangements, as well as how they should transfer the money raised to the charity after the event. You might not need to obtain consent or carry out a legitimate interests assessment to use their personal data to contact them about this. Because they have already signed up to take part, you may be able to use 'contract' as the lawful basis for processing their data to inform them of these arrangements. 

If the person has asked you to do something that might lead to them entering into a contract with you, the 'contract' lawful basis may still apply (e.g., providing information to someone interested in becoming an on-behalf-of-fundraising volunteer). This may be the case as long as you processed the data because you were potentially entering into a contract with the person. 

See more from the ICO about contract as a lawful basis for processing personal data. 

Special Category Data

Special category data is personal data that is more sensitive. If you are processing special category data, you need to meet more requirements to keep this kind of data safe.

Unlike other types of personal data, to process special category data you need to meet two requirements. These are: 

  1. Have a lawful basis for processing, as is the case for other types of personal data (see above), and
  2. Meet the conditions for processing special category data (see below).

These two elements must be in place to process special category data.

There are 10 types of special category data, which are:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life
  • Sexual orientation

Data relating to criminal convictions and offences is not included in the list of special category data because it is covered by other data protection rules. Find out more from the ICO about processing criminal offence data.

Data is treated as special category data both where it clearly is special category data and where it merely implies something that falls within a special category. Similarly, where data implies something in a special category even though the implication is untrue, you must still treat it as special category data.

Examples

A person donating to a charity advocating for certain beliefs could indirectly be assumed to be sharing those beliefs, whether or not that is actually the case. In such a situation you would be processing special category data, based on 'religious or philosophical beliefs', regardless of the person’s actual beliefs.

You are a health charity, so your donors could be assumed to have personally experienced that condition, whether or not they actually have. In this situation you would still be processing special category data based on ‘health data’ because a health condition could be inferred from their support for the charity, whether or not it is the case.

A legacy fundraiser is told by a person (the testator) that they are leaving a gift in their Will to help cure a disease they have been diagnosed with. In this situation you would be processing special category data based on ‘health data’.

All data relating to any one of the ten types of special category data must be treated as special category data, even if you think some information appears to you to be less sensitive.

Data relating to someone's actual or perceived health status is treated as special category data because it is 'health data', regardless of the perceived severity of the health matter. 

Condition for processing special category data

See more in the code, including section 8

When processing special category data, it is not enough just to have a lawful basis for doing so. This type of data additionally requires an appropriate condition for processing to be identified. This is because special category data needs more protection to keep it safe and uphold a person’s legal rights. One of the conditions of processing is being a ‘not-for-profit-body’, which is likely to be applicable in many cases of charitable fundraising.

UK GDPR sets out a list of the conditions of processing special category data. These include:

  • explicit consent;
  • the ‘not-for-profit bodies’ condition; and
  • archiving, research and statistics.

If you are relying on the not-for-profit condition for processing special category data, this means you will normally be using the legitimate interests lawful basis.

Example: You are a place of worship carrying out fundraising to make improvements to your building facilities. Personal data relating to your donors, who are mainly regular worship attendees, will be special category data because ‘religious or philosophical beliefs’ can be identified or inferred from their support for your fundraising campaign. Explicit consent may be impractical to obtain for everyone who has donated because they have been communicating with you in different ways. You think using the legitimate interest basis under the not-for-profit-bodies condition of processing may be more practical. To make sure you are not infringing your donors’ rights, and before processing anyone’s data, you carry out a legitimate interest assessment and keep a written record of it.

You should document the reasons why a particular condition for processing applies to the situation by carrying out a legitimate interest assessment. See more in our guide to Documenting your fundraising decisions. Bear in mind that the use of this condition of processing only applies to special category personal data of individuals in regular contact with you regarding your purpose e.g., partners, supporters or beneficiaries. It does not apply to employee data or anyone who has not already had any contact with your organisation. 

Privacy Notices

See more in the code, including rules 2.1.1, 2.1.5, 2.1.6, 7.4.5 and section 8

Anyone whose personal data you process needs to be informed about how you will use their data. This is because under UK GDPR everyone has a legal right to be informed about how their personal data is being used. UK GDPR specifies what you need to tell people whenever you collect personal data from them.

You must tell people how and why you will use their personal data and the lawful basis you will rely on to do this in accordance with the law. This must be set out in one or more privacy notices. There are certain exceptions to the requirements to providing privacy information, however these can only be used where justified. It is important to be as clear as possible in your privacy statement about all the purposes you intend using the data for and your lawful bases for processing it. 

Depending on the range of personal data you intend to process and the different purposes you have for doing so, you may have more than one privacy notice for different groups of data subjects or at different times.

You may have a privacy notice for on-behalf-of fundraising volunteers and a separate one for donors that describe all the situations when you will process their data and your lawful basis for doing so. You should also provide privacy information for any instances, whether one-off situations or situations that are time-limited, where your existing privacy notices do not otherwise apply. This will enable you to meet the legal right to be informed of those whose data you process without you having to change your existing privacy notices for short-term purposes.

Your privacy notices should be clear and accessible to anyone whose data you will process. They must set out the following:

  • why you are, or will be, processing their personal data;
  • which of the six lawful bases is the reason(s) you are processing it; and
  • the rights the data subjects have in relation to your use of their data.

Also make sure your privacy notice is: 

  • concise, comprehensive and transparent
  • written in clear and plain language
  • easily accessible and free of charge

You must provide individuals with the necessary privacy information in an easily accessible form. If you publish this information on your website, which is recommended in addition to other means of making it accessible as appropriate, you must proactively let people know it is there and make sure they can access it easily. It is not sufficient to publish this information on your website and expect people to see it without directing them to it in all situations where it is relevant to them. 

Whenever you collect personal data from someone directly you must provide them with privacy information. If you collect personal data about someone from another source, you must still provide the data subject with this privacy information within one month of collecting the data, or whenever you first use this data to communicate with the data subject, whichever is sooner.

Be clear in your privacy notices about the purposes you envisage using the personal data for.

Do not forget to regularly review your privacy notices to ensure they are up to date. If any of your privacy notices become out of date and you do not update them, the lawful bases you rely on to process the data may no longer apply and you may find you are processing data unlawfully.

If you change your privacy notices you must let everyone whose personal data you already process know about the changes. 

Example: A charity has recently subscribed to a new online Artificial Intelligence (AI) analysis tool, from a third-party supplier, to help them analyse the donation behaviour of their supporters. This analysis will help them to more easily deliver their relationship fundraising strategy by understanding their donors better. However, this means the personal data of their donors will be securely shared with the AI supplier to enable the tool to work. The charity assesses that it has a legitimate interest in sharing this data with the AI supplier because it will be done securely and for the limited purpose of enabling the AI tool to work. The charity updates its donor privacy notice to refer to this new personal data processing activity. It then emails all the donors in its database, telling them how the privacy notice has changed and with a link to the updated document on its website.

More information about what should be included in a privacy notice is provided by the ICO. You should obtain professional specialist advice when you are developing or updating your privacy notice(s) if you need to. This is particularly relevant where you will be processing large amounts of personal data or your processing requirements are complex.

If you are a small charity, you could use the ICO’s privacy notice generator to help you. 

Data controllers and processors

See more in the code, including rules 2.1.1 and 6.2.3

The obligations you have under UK GDPR will depend on how you process personal data. You may be a data controller, a joint controller, or a data processor and this may change depending on the circumstances. However, you cannot be both a controller and a processor at the same time for the same data processing activity. You are only one or the other. The ICO has created a checklist you can use to understand which of the roles your organisation may have for data processing purposes.

Data controllers make decisions and have control over the personal data being processed. Joint controllers share this responsibility because they process the same data for the same purposes.

When you are a data controller or joint data controller, you are responsible for complying with the UK GDPR.

Data processors act on behalf of and under the authority of a data controller. This means the data controller has responsibility for the actions of the data processor. This might be the case if you contract out some or all your fundraising activity to a professional fundraiser, for example. 

Time limits on keeping personal data

See more in the code including rules 2.1.1, 2.1.6, 3.5.1, 5.1.3, 6.2.3, and section 8

One of the data protection principles set out in the UK GDPR is storage limitation. This relates to the length of time you keep personal data before destroying, disposing of it or anonymising it. You must be able to justify how long you keep the personal data you hold and not keep it longer than necessary. Find out more advice from the ICO on data storage.

This means that you must only keep personal data if you still need it for the intended purpose. Once that purpose comes to an end, you must either delete the data or go back to the individual that it relates to, to let them know how your processing purpose has changed. 

To make sure you do not keep personal data longer than you need to, make sure you know the following:

  • what personal data you are holding
  • what lawful bases you are using to hold it
  • whether the purpose for which you have been processing it still applies
  • how you will keep the data accurate and up to date

When you no longer need the data, you must safely destroy or delete it. It is not lawful to keep it anyway, or just in case you might need it. You can only keep personal data for longer if you are keeping it for public interest archiving, scientific or historical research, or statistical purposes. If one of these is relevant, you should keep a written record of this with your reasons for keeping the data.

Some organisations, particularly larger ones or those processing multiple different types of data and information, keep a list of the types of information and data records they keep and details about how long they will keep them for. This is normally called a data retention policy, and it might include one or more data retention schedule(s) setting out each type of record they keep, how long they will keep it, and what they will do with it once it is no longer needed. 

Some of the fundraising-related records you keep may contain personal data and some might not. Where they do so, a data retention policy will help you to meet the legal principle of only keeping personal data for as short a time as is needed. This is known as the storage limitation principle.

Having a data retention policy is part of good information management and being transparent. Your policy should set out the following:

  • the types of records you keep and the types of data they contain, including personal data
  • the purposes for processing each type of record
  • the length of time each type of record will be kept, and
  • what will happen when that time expires.

A data retention policy will help you to keep track of the types of personal data you hold relating to your fundraising activity. It will also help you to make sure you do not keep data longer than is necessary by setting out timescales for securely destroying or deleting the data or anonymising it. If you process different types of personal data for your fundraising purposes, we recommend you have a data retention policy in place, stick to it, and keep it up to date.

The length of time you keep any data, including personal data, may be determined by:

  • Legislation
  • Charity or fundraising regulation, and/or
  • Recognised good practice

In cases where these do not apply, you will need to decide for yourself in advance how long you will keep the data for and what you will do with it once that time has expired. This is to make sure you meet the requirements of UK GDPR and any other applicable requirements. 

Find out more from the ICO about the storage limitation principle and data retention. See more about fundraising record keeping in our guide to Documenting your fundraising decisions.

Children and data protection

See more in the code, including rules 2.1.1, 5.1.2, 5.1.3

If your fundraising activity involves processing the personal data of children, whether they are your intended audience or not, you must follow UK GDPR and any other legislation that applies. A child is anyone under the age of 18 years old.

UK GDPR says: “Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data…”.

This means having greater protections in place where the data you are processing relates to a child, including those described below.

You should consider the age of your supporters and donors as far as possible and design your approach to processing their personal data for your fundraising purposes with that in mind.

Always follow the ICO’s guidance on processing children’s personal data.

Make sure you communicate your approach to processing the personal data of children in your privacy notice, where that applies (see above). This is so everyone knows what to expect when you are processing their personal data. If you do not know if you will be processing personal data relating to a child you should assume that you may do so and put appropriate protections in place.

If you use consent as the legal basis for processing children’s personal data, unless other legal requirements apply, you should consider whether the individual child has the competence to understand and give consent for themselves. See guidance from the ICO on valid consent.

If your fundraising activity involves taking photographs of children in school settings see the ICO’s guidance on taking photos in schools.

Remember that children (any person under the age of 18 years old) must not carry out certain fundraising activities, including:

  • Street and house-to-house collections
  • Lotteries or raffles, or
  • Events involving alcohol. 

There are also fundraising activities where children should be supervised by a responsible adult. The age at which a child is capable of giving consent may be set out in law, and you must follow the law in those cases. Where no minimum age is set out in law, or where a child is above that age, a child’s capability to give consent may vary between children and in the light of your particular fundraising activity. If you reasonably believe a child does not have the capability to give consent themselves, a responsible adult may do so on their behalf, where the law allows. See more in our guide to Donors in vulnerable circumstances.

Handling complaints about data privacy

A change to data privacy legislation will come into effect in 2026 relating to data privacy complaints. This means that if you are a data controller (see above) you will need to have processes in place to help people easily make complaints to you about your handling of their personal data.

Once this new law starts, if you are a data controller, you must:

  1. Acknowledge any complaint to you about how you have processed a person’s data within 30 days, and
  2. Take appropriate steps to respond to the complaint without undue delay.

If you do not already have such a process in place, you must take steps to set one up in time for this new legal requirement starting. This could be, for example, by setting up a privacy complaints form on your website. You should make your data privacy complaints process as clear, easy and accessible as possible.

See more from the ICO about handling data privacy complaints.