If you are aware of a known or potential breach of the Code of Fundraising Practice (the code) at a fundraising organisation, you can tell the Fundraising Regulator. You must have authority from the trustees or senior management to report the matter. If you do not have authority, please use our complaints form instead.
There is no formal obligation to self-report incidents to us. By letting us know, we can provide you with advice on the appropriate steps to take if your organisation has breached the code.
What incidents should be reported?
Organisations are asked to report incidents where they consider:
- the incident relates to charitable fundraising;
- they have, or may have, breached the fundraising standards in the code; and
- where these breaches have posed an actual or potential risk to the public, the charity sector, or public confidence in fundraising more generally.
You may become aware of an incident following receipt of a complaint from a member of the public. However, you do not need to report to us every time your organisation receives a complaint about charitable fundraising.
If you have a question about the fundraising standards or our guidance rather than an incident you want to self-report, please contact our enquiries team for advice.
Fundraising method/s: Addressed mail
Code theme/s: Handling personal data
The charity sent a mailing to supporters with a donation form which was pre-populated with donor contact details. The data included information about the amount of regular gift donated and the supporter’s name, address and email address, where known. The data on the form was printed incorrectly. This meant supporters received another person’s data.
How did the organisation respond?
The organisation reported the personal data breach to the Information Commissioner’s Office (ICO). They self-reported to the Fundraising Regulator to confirm they had responded to any complaints received from supporters, investigated the reasons why the breach happened and had amended their internal procedures to prevent this happening again in the future.
The organisation correctly recognised that they had breached the code in relation to handling personal data and reported to the appropriate regulators. The information provided reassurance that the incident was being dealt with appropriately and further investigation by the Fundraising Regulator would not be required.
Fundraising method/s: Events
Code theme/s: Potential fraud
Someone contacted the charity to ask if they could raise funds for them at their place of work. The organisation agreed to the fundraising taking place and were told the supporter had raised at least £1,000. The organisation made many attempts to obtain the money raised but has not received any donations. It believes that the person has spent they money raised.
How did the organisation respond?
The organisation reported the incident to the Police and Action Fraud and self-reported to the Fundraising Regulator.
The Fundraising Regulator was assured that the organisation had dealt with the incident appropriately. We provided support and advised the organisation to contact the Charity Commission for England and Wales.
Which organisations should self-report?
Organisations that carry out charitable fundraising in England, Wales and/or Northern Ireland and are concerned that they have, or may have, breached the code should consider whether an incident is appropriate to self-report.
Organisations that carry out fundraising in Scotland should:
- contact the Fundraising Regulator about an incident if they are a charity registered primarily with the Charity Commission for England and Wales or the Charity Commission for Northern Ireland and have their main office in those countries; or
- contact the Scottish Fundraising Adjudication Panel if they are a charity based in Scotland and are registered in Scotland with the Scottish Charity Regulator (OSCR).
More information about which organisations are regulated by us and how fundraising regulation differs in Scotland, is available on our who we regulate page.
Who should report?
The person completing our self-reporting form must have the appropriate level of responsibility to make the report on behalf of the organisation. For example, you will be in a senior role or be instructed to report the incident by your senior management or trustees.
- If your organisation is a registered charity, we would expect you to inform your trustees about the incident before contacting the Fundraising Regulator.
- If your organisation is a third-party fundraiser that raises funds on behalf of a charity, we would expect you to discuss with your charity partners whether it is more appropriate for them to lead on self-reporting, or for your organisation to make a report, depending on the nature of the incident.
You should not use this form to raise concerns as an individual, for whistleblowing or to make a complaint as a member of the public. Instead, please complete our complaints form.
What will happen when you self-report an incident to us?
Our casework team will assess the information you provide, including information about any steps you have taken to resolve the incident and prevent future occurrences. If appropriate, we will provide or signpost you to further advice or guidance.
Our approach will be fair and proportionate in handling these cases and in most circumstances formal regulatory action will not be necessary. In exceptional cases where we do need to take action, we will consider that a charity has demonstrated its openness and desire to put things right.
We intend to use anonymised intelligence gathered from these reports to share learning across the charitable fundraising sector about potential risks, best practice and uphold good standards. This will support all organisations to fundraise in line with the code and maintain public confidence.
What information will I need to provide?
Our self-reporting form will ask for:
- Your contact details
- Details about the organisation you are reporting on behalf of, including your registered charity, company or CIC number and office address(es)
- Information about the incident, including when and where it took place
- Information about any action taken in response, including reports to other regulatory or relevant bodies.
You can also upload documents as supporting evidence and highlight any specific areas you would like help and support with.
Who else should be notified?
We appreciate organisations may be obliged to report to a number of regulatory bodies, depending on the circumstances of an incident. For example:
- the Information Commissioner’s Office (ICO) about personal data breaches
- the Charity Commission in England and Wales or Northern Ireland about issues of charity law and governance
- the Gambling Commission about lotteries
You may also want to report issues to other similar sector bodies. For example: Action Fraud, the national fraud and cybercrime reporting centre. If you need to report or have already reported the incident to another body, please let us know. We can speak with directly with the other organisation(s) if needed.