What Policies Are Required by Law for UK Charities?
There is no single list of "policies required by law" for UK charities. The Charity Commission has confirmed that it "doesn't publish a list of policies required" — instead, individual statutes, regulatory guidance, and good governance practice combine to create the policy landscape charities need to cover.
That makes the question harder than it sounds. Some policies are legally required by general UK law that happens to apply to charities (data protection, health and safety). Some are required by the Charity Commission as a matter of regulatory expectation. Some are recommended best practice but not strictly mandatory. Trustees need to know which is which to prioritise correctly.
This guide separates the three categories.
Policies legally required by general UK law
These apply because the charity is an organisation, not because it is a charity. The legal duty exists regardless of charitable status.
Health and safety policy (if 5+ employees)
The Health and Safety at Work etc Act 1974, section 2(3), requires every employer to "prepare and as often as may be appropriate revise a written statement of his general policy with respect to the health and safety at work of his employees."
The Employers' Health and Safety Policy Statements (Exception) Regulations 1975 exempt employers with fewer than 5 employees from this written policy duty. The duty to provide a safe workplace still applies — only the written policy requirement is exempted.
Practical implication: if your charity has 5 or more employees (paid staff, not volunteers), you must have a written H&S policy. If you only have volunteers and trustees, the written policy is not legally required but is still good practice.
Data protection policy (effectively required by UK GDPR)
The UK GDPR and the Data Protection Act 2018 apply to any organisation that processes personal data — donor records, beneficiary records, employee data, mailing lists. There is no charity exemption and no minimum size threshold.
The UK GDPR does not literally require a "policy document" — it requires the controller to demonstrate compliance through documentation. In practice, that means having a written data protection policy, a privacy notice, records of processing activities, and procedures for subject access requests and breaches.
For more on what this looks like for small charities, see our GDPR guide for charities.
Employment policies (if you employ staff)
If your charity employs anyone, employment law triggers additional policy requirements: a written statement of employment particulars (legally required from day one), a disciplinary and grievance procedure (the ACAS Code of Practice applies and tribunals can adjust awards by up to 25% if the procedure is ignored), and equality-related policies covering the protected characteristics in the Equality Act 2010.
Policies the Charity Commission expects
These are not statutory requirements in the strict legal sense, but the Charity Commission treats them as expected for a well-run charity. Missing them can trigger regulatory action and they are routinely examined during inquiries.
Safeguarding policy
The Charity Commission's safeguarding guidance states that "Protecting people and safeguarding responsibilities should be a governance priority for all charities" and that trustees must ensure their charity "has appropriate policies and procedures in place, which are followed by all trustees, volunteers and beneficiaries."
This means every charity should have a safeguarding policy — not only those working with children or vulnerable adults. For charities with direct contact with at-risk groups, the policy needs to be detailed (DBS checks, reporting procedures, designated safeguarding lead). For others, a basic safeguarding statement is appropriate.
See our charity safeguarding policy guide for what to include.
Reserves policy disclosure
Reserves disclosure is mandatory in the trustees' annual report under Charity Commission guidance CC19 and the Charities SORP. CC19 states that "All charities must include in their annual report their policy on reserves, stating the level of reserves held and why they are held" and that "Where the charity does not have a reserves policy in place, it should include a statement to that effect."
So the policy itself is not strictly mandatory, but the disclosure is. In practice, charities are expected to have a policy and report on it. See our charity reserves policy guide.
Conflict of interest policy
Under CC29 (Conflicts of interest: a guide for charity trustees), "Trustees must make decisions based only on what is in their charity's best interests. This is one of their legal duties." Managing this duty in practice requires a written conflict of interest policy — declarations at meetings, a register of interests, procedures for managing conflicts when they arise.
CC29 does not literally mandate a written policy, but the Commission expects one and routinely examines them.
Complaints procedure
The Charity Commission expects charities dealing with the public to have a formal complaints process. The expectation is not codified as a statutory requirement, but it is a near-universal expectation for charities of any size. See our complaints policy template.
Financial controls policy
Trustees have a legal duty under the Charities Act 2011 to manage the charity's resources prudently. In practice, this means a financial controls policy covering authorisation levels, segregation of duties, bank account management, and expense procedures. The Commission expects this; charities below £25,000 income face less scrutiny but the duty still applies.
Policies for charities that undertake particular activities
Some policy requirements apply only if your charity does specific things.
Fundraising compliance (if you fundraise from the public)
If your charity fundraises from the public, you must comply with the Code of Fundraising Practice maintained by the Fundraising Regulator. Charity Commission guidance CC20 states charities "should register with the Fundraising Regulator and follow the Code of Fundraising Practice."
Larger charities (those required to have audited accounts under the Charities Act 2011) must state in their trustees' annual report whether they follow the fundraising code. A written fundraising policy is not literally mandatory, but the trustees' annual report disclosure effectively requires one.
Working with children or vulnerable adults
If your charity works with children or vulnerable adults, you need a detailed safeguarding policy, DBS checks for relevant roles, and procedures for reporting safeguarding concerns. The DBS eligibility guidance sets out who needs which level of check. This guidance covers check types, fees, volunteer free checks, and how regulated activity applies to trustees.
Trading subsidiaries or significant trading activity
Charities with trading subsidiaries face additional governance requirements — conflicts of interest between charity and subsidiary boards, related-party disclosures, and intra-group financial controls.
Good practice policies (not mandatory but recommended)
These are widely adopted but not specifically required:
- Volunteer policy — covers recruitment, induction, supervision, expenses, dispute resolution
- Trustee code of conduct — expected behaviour, declarations, decision-making
- Risk management framework — required for larger charities through the trustees' annual report risk disclosure; recommended for all
- Equality and diversity policy — beyond the legal duty, helps demonstrate organisational commitment
- Whistleblowing policy — strongly recommended for charities with employees. The Public Interest Disclosure Act 1998 protects workers who raise concerns regardless of employer size, but a written policy is not literally mandatory for general employers. A policy is recommended to set out how concerns are raised and handled, and is increasingly expected by funders. (Some regulated sectors have specific rules — check your sector.)
- Bullying and harassment policy — supports the legal duty to provide a safe workplace
- Privacy notice — required by UK GDPR (technically a notice, not a policy, but often grouped together)
A practical priority order for small charities
If you are starting from scratch, write or adopt policies in this order:
- Safeguarding statement or policy — universally expected, low cost
- Data protection policy + privacy notice — UK GDPR requires demonstrable compliance
- Financial controls policy — protects the charity and trustees
- Conflict of interest policy — required at every trustee meeting
- Reserves policy — disclosure is mandatory in the annual report
- Complaints procedure — expected by the Commission and public
- Equality and diversity policy — covers Equality Act 2010 obligations
- Volunteer policy (if you have volunteers in regular roles)
- Health and safety policy (mandatory if 5+ employees, otherwise good practice)
- Fundraising policy (if you fundraise from the public)
Check which policies your charity needs with our free Compliance Checklist Generator, and see our full charity compliance checklist for the broader picture.
What "required by law" actually means in practice
The honest answer to "what policies are required by law" is shorter than most lists suggest. Only health and safety (for employers with 5+ staff) is literally required by statute as a written policy. Everything else sits on a spectrum: regulatory expectation, Code of Practice compliance, evidence of meeting a statutory duty, or good governance practice.
This is not a loophole. The Charity Commission and other regulators can act on charities that lack appropriate policies even where no single statute says "you must have policy X." The duty to act in the charity's best interests, manage resources prudently, and protect beneficiaries means appropriate policies are necessary in practice — but the legal framework reaches them indirectly.
For trustees, the practical implication is: focus on having the policies that match your charity's actual activities, keep them current, and ensure they are followed. A short policy that is actively used beats a long policy that no one has read.
This guide applies to charities operating in England and Wales. Charity policy requirements in Scotland (OSCR) and Northern Ireland (CCNI) differ in some respects. This is general guidance based on the published Acts, SIs, and Charity Commission guidance — verify against your charity's specific circumstances. Not legal advice; for specific situations, consult a charity law specialist or the relevant regulator.
Sources
- Health and Safety at Work etc Act 1974, section 2 — legislation.gov.uk
- Employers' Health and Safety Policy Statements (Exception) Regulations 1975 — legislation.gov.uk
- Data Protection Act 2018 — legislation.gov.uk
- Equality Act 2010 — legislation.gov.uk
- Charities Act 2011 — legislation.gov.uk
- Charity reserves: building resilience (CC19) — GOV.UK
- Conflicts of interest: a guide for charity trustees (CC29) — GOV.UK
- Safeguarding duties for charity trustees — GOV.UK
- Code of Fundraising Practice — Fundraising Regulator
- DBS eligibility guidance — GOV.UK
Last reviewed: 23 May 2026