Data ethics and sharing: can charities use beneficiary data responsibly?
Charities hold sensitive data on some of the most vulnerable people in the UK. Sharing data can improve services and reduce duplication, but it raises serious questions about consent, power, and the rights of people who often have little choice but to hand over personal information.
The debate in brief
Charities collect deeply personal information. Homelessness services record mental health histories and substance use. Domestic abuse organisations hold addresses that must never be disclosed. Food banks log financial circumstances. Refugee charities store immigration status details. The data charities hold is often more sensitive than anything held by the private sector, yet the sector's data governance capacity lags well behind.
The case for sharing data between organisations is strong on paper. When someone experiencing homelessness moves between services, repeating their story to each new provider is not just inefficient -- it is retraumatising. Joined-up data could reduce duplication, identify patterns, and help charities intervene earlier. But sharing also creates risk: of breaches, of function creep, of data being used in ways beneficiaries never anticipated, and of reinforcing the surveillance of already-marginalised populations.
The fundamental tension is one of power. People accessing charity services are rarely in a position to refuse consent meaningfully. When someone needs emergency housing or food, being asked to agree to data processing is not a free choice. Charities must navigate the gap between what data can do and what it should do -- and the sector does not yet have a consistent answer.
Quick takeaways
| Question | Answer |
|---|---|
| Do charities handle data well? | Inconsistently. The ICO has issued enforcement notices to charities for data misuse, and the Charity Digital Skills Report 2025 found only 38% of charities were confident in their data governance. |
| Is data sharing between charities legal? | Yes, where there is a lawful basis under UK GDPR. Legitimate interests and vital interests can support sharing, but charities frequently default to consent even where it is not the most appropriate basis. |
| What are the risks? | Breaches of sensitive data, function creep, erosion of trust, reputational damage, and the reinforcement of surveillance dynamics affecting vulnerable populations. |
| Can beneficiaries meaningfully consent? | Often not. When someone needs an urgent service, agreeing to data processing is not a free choice. The ICO recognises that consent may not be valid where there is a clear imbalance of power. |
| What should charities do? | Invest in data governance capacity, choose the correct lawful basis rather than defaulting to consent, conduct data protection impact assessments for vulnerable groups, and involve beneficiaries in decisions about how their data is used. |
The arguments
The case for sharing data to improve services
The fragmentation of the charity sector means beneficiaries often interact with multiple organisations, each collecting the same information independently. Someone experiencing homelessness might engage with a rough sleeping outreach team, a housing association, a mental health charity, a substance use service, and a benefits advice provider -- telling their story from scratch each time.
The Greater Manchester Combined Authority's data sharing framework has shown what is possible when organisations pool information responsibly. By linking data across homelessness, health, and criminal justice services, the region has been able to identify people at risk of rough sleeping before they reach the streets. Similar approaches in Bristol and Liverpool have demonstrated measurable improvements in outcomes when data flows between services.
The argument is not abstract. The National Data Guardian's 2023 report emphasised that failing to share data has real costs: missed safeguarding referrals, duplicated assessments, and people falling through gaps between services. For charities working with complex needs populations, the status quo of siloed data is not a neutral position -- it actively harms the people they serve.
The case for extreme caution
The charity sector's track record on data is not reassuring. In 2016, the ICO investigated 13 major charities -- including the RSPCA, Cancer Research UK, and Oxfam -- for sharing donor data with wealth screening companies without adequate consent. The resulting enforcement notices and public backlash fundamentally damaged trust. More recently, the ICO has continued to find charities falling short: a 2024 audit of small and medium charities found widespread gaps in data protection impact assessments, staff training, and records of processing.
For beneficiary data specifically, the risks are magnified. A data breach at a domestic abuse charity could be life-threatening. The disclosure of immigration status from a refugee charity could lead to deportation. Even aggregated data about rough sleeping hotspots can be used by hostile actors to target vulnerable people. The sensitivity of the data charities hold demands a standard of care that much of the sector is not resourced to provide.
There is also a philosophical objection. Charities exist to serve people, not to monitor them. When organisations build detailed profiles of vulnerable individuals -- tracking their movements between services, their health conditions, their housing status, their family circumstances -- they are constructing a surveillance infrastructure regardless of intent. The power to hold that data is the power to define, categorise, and make decisions about people who have very little power themselves.
The consent problem
UK GDPR provides six lawful bases for processing data, but charities have historically over-relied on consent. This creates a specific problem with vulnerable populations. The ICO's guidance is explicit: consent must be freely given, and where there is a significant imbalance of power between the controller and the data subject, consent is unlikely to be valid.
A person presenting to a homelessness service in crisis is not freely consenting when they sign a data sharing form. They need help, and the implicit message is that help depends on agreement. This is not a hypothetical concern -- research by Groundswell, a charity led by people with experience of homelessness, has documented how beneficiaries feel they have no real choice about sharing personal information.
The alternative -- using legitimate interests or vital interests as the lawful basis -- is legally sound but requires charities to conduct balancing tests and document their reasoning. Many smaller charities lack the expertise or resource to do this properly, defaulting to consent forms that provide legal cover without genuine ethical protection.
The evidence
The ICO's enforcement history provides the clearest evidence of sector-wide problems. The 2016 investigation into charity data sharing practices resulted in enforcement notices against 13 organisations and led directly to the Fundraising Regulator's creation. The Fundraising Preference Service, launched in response, received around 19,500 suppression requests in its first year -- a measure of public concern about how charities use data.
The Charity Digital Skills Report 2025 found that only 38% of charities were confident in their data governance arrangements, with smaller organisations particularly exposed. Just 29% of charities with income under 100,000 had conducted a data protection impact assessment in the previous year, despite many handling sensitive beneficiary information.
DataKind UK's work with the homelessness sector has demonstrated both the potential and the pitfalls of data sharing. Projects linking rough sleeping data with health records have identified patterns that would be invisible to individual organisations, but have also raised questions about whether beneficiaries understood how their data would be used and who would see it.
The Data Ethics Framework published by the Centre for Data Ethics and Innovation provides a national standard, but adoption in the charity sector remains low. A 2025 survey by the Institute of Fundraising found that fewer than one in five charities had a formal data ethics policy that went beyond GDPR compliance.
Current context
The UK Government's Data (Use and Access) Act, which received Royal Assent in June 2025, introduced changes to data sharing provisions that affect charities. The Act relaxed some consent requirements for research purposes and introduced a "recognised legitimate interest" category that allows processing without a balancing test in specified circumstances. Charity sector bodies, including NCVO and the Charity Finance Group, have raised concerns that these changes could encourage data sharing without adequate safeguards for vulnerable populations.
The ICO published updated guidance for charities in late 2025, specifically addressing data sharing in multi-agency partnerships. The guidance emphasises data protection impact assessments as mandatory for processing that is likely to result in high risk to individuals, and notes that most charity beneficiary data falls into this category.
The growing adoption of AI tools in the sector adds urgency. The Charity Digital Skills Report 2025 found that 76% of charities were using AI tools in some capacity, with many feeding beneficiary data into third-party platforms without clear data processing agreements. The intersection of data ethics with AI governance is an emerging challenge that few charities have addressed.
Meanwhile, place-based data sharing initiatives continue to expand. Integrated Care Systems in England are increasingly expecting voluntary sector partners to contribute data to population health management systems. This creates pressure on charities to share data as a condition of partnership, raising questions about whether the sector's voice in data governance arrangements is proportionate to the sensitivity of the data it holds.
Last updated: April 2026
What this means for charities
The starting point is honesty about current practice. Many charities collect more data than they need, store it for longer than they should, and share it without adequate safeguards. Addressing this does not require large budgets -- it requires attention, governance, and a willingness to treat data ethics as a board-level concern rather than a compliance checkbox.
Charities should audit what beneficiary data they hold, why they hold it, and whether their lawful basis for processing is genuinely appropriate. Where consent is being used with vulnerable populations, organisations should consider whether legitimate interests or another basis would be more honest. Data protection impact assessments should be conducted for any processing involving vulnerable groups, regardless of organisational size.
Data sharing should not be avoided, but it should be governed. Multi-agency data sharing agreements need to specify what data is shared, with whom, for what purpose, and with what safeguards. Beneficiaries should be involved in designing these arrangements wherever possible -- not as a consultation exercise, but as a recognition that the people whose data is being discussed have a right to shape how it is used.
Trustees have a specific responsibility. Data governance should appear regularly on board agendas, and trustees should be asking management to demonstrate not just legal compliance but ethical practice. The reputational and human cost of getting this wrong -- as the 2016 investigations showed -- is severe.
Common questions
What is the difference between data protection and data ethics?
Data protection is a legal framework. UK GDPR sets rules about how personal data must be processed, stored, and shared, and the ICO enforces compliance. Data ethics is a broader question about whether something should be done, not just whether it legally can be. A charity might have a lawful basis to share beneficiary data with a partner organisation, but the ethical question is whether the beneficiary would expect or want that sharing, and whether it serves their interests. Legal compliance is necessary but not sufficient.
Can charities share data without explicit consent?
Yes. UK GDPR provides six lawful bases for processing, and consent is only one of them. Legitimate interests, vital interests, and the performance of a task in the public interest can all support data sharing without explicit consent. The ICO's guidance for charities specifically notes that consent may not be appropriate where there is a power imbalance, and encourages organisations to consider alternative bases. However, any processing must still comply with data protection principles, including purpose limitation, data minimisation, and transparency.
How should charities handle data about vulnerable people?
With particular care. The ICO expects organisations processing data about vulnerable people to conduct data protection impact assessments, implement enhanced security measures, and provide clear and accessible privacy information. Special category data -- including health information, ethnic origin, and data about criminal convictions -- requires additional legal conditions for processing. Charities working with vulnerable populations should treat all beneficiary data as potentially high-risk and govern it accordingly.
What happened in the 2016 charity data scandal?
The ICO investigated 13 major charities, finding that they had shared donor data with wealth screening companies and other charities without adequate transparency or consent. Some had traded donor lists, allowing organisations to target each other's supporters. The resulting enforcement notices, combined with media coverage and public outcry, led to the creation of the Fundraising Regulator and the Fundraising Preference Service. The episode remains the most significant data governance failure in the UK charity sector and continues to shape public attitudes toward charity data use.
Is anonymised data safe to share?
Not necessarily. True anonymisation -- where individuals cannot be re-identified by any reasonably likely means -- removes data from GDPR scope entirely. But genuine anonymisation is harder than many charities assume. Pseudonymised data, where identifying information is replaced with codes, still counts as personal data under GDPR. Research has repeatedly shown that individuals can be re-identified from supposedly anonymised datasets, particularly where small populations or unusual characteristics are involved. Charities should seek specialist advice before assuming that removing names and addresses is sufficient.
Should beneficiaries have a say in how their data is used?
Yes, and this is where much of the sector falls short. Transparency is a legal requirement, but meaningful involvement goes further. Organisations like Groundswell have pioneered participatory approaches to data governance, involving people with lived experience in decisions about what data is collected, how it is shared, and what safeguards are in place. This is not just ethically sound -- it produces better data governance, because the people most affected by data practices are best placed to identify the risks that professionals may overlook.
Key sources and further reading
ICO enforcement actions against charities (2016-2024) -- Information Commissioner's Office. The ICO's published enforcement notices provide the most direct evidence of data governance failures in the charity sector, including the 2016 investigation into donor data sharing.
Charity Digital Skills Report 2025 -- Charity Digital/Skills Platform. Annual survey covering data governance confidence, AI adoption, and digital skills across the charity sector. The data governance findings are particularly relevant to this debate.
UK GDPR guidance for charities -- Information Commissioner's Office, updated 2025. The ICO's sector-specific guidance covers lawful bases for processing, data sharing, and the particular considerations for vulnerable populations.
Data Ethics Framework -- Centre for Data Ethics and Innovation. The government's framework for ethical data use, applicable to all sectors including charities, covering transparency, accountability, and fairness in data processing.
"It's your data" research -- Groundswell, 2023. Participatory research with people experiencing homelessness about their experiences of data collection and sharing by services, documenting the gap between organisational policy and beneficiary experience.
Data (Use and Access) Act 2025 -- UK Parliament. The legislative changes to data sharing provisions, including the recognised legitimate interest category and relaxed research consent requirements that affect charity data practice. (Note: the earlier Data Protection and Digital Information Bill lapsed at the 2024 general election; this successor Act received Royal Assent on 19 June 2025.)
Greater Manchester Combined Authority data sharing framework -- GMCA. A practical example of multi-agency data sharing in homelessness and health services, demonstrating both the benefits and governance challenges of pooling data across organisations.