NDA for UK Charities and Non-Profits: Protecting Donors, Partners and Sensitive Data

UK charities share sensitive information with corporate sponsors, grant bodies, delivery partners and trustees before formal contracts exist. This guide explains when a charity needs an NDA, what information to protect, how charity law limits some clauses, and which template to use.

By Richard Wood, Founder | 8 min read | Updated 18 June 2026 | Last reviewed 18 June 2026

Tags: NDA, charities, non-profit, voluntary sector

UK charities and non-profits operate in a world of pre-contractual disclosure: grant applications, corporate social responsibility partnerships, service delivery agreements, joint bids and technology collaborations all require sharing sensitive information before any formal agreement is signed. Without an NDA, a prospective partner, sponsor or contractor receives that information with no legal obligation to keep it confidential — leaving the charity exposed if the relationship does not proceed.

This is general information, not legal advice

NDASafe is a document preparation service, not a law firm. Our templates are legally reviewed against applicable UK law at the point of release, but every situation is different. Where significant value, unusual risk or a cross-border element is involved, take independent legal advice before you sign.

Why UK charities and non-profits need NDAs

A charity's charitable status does not automatically protect its confidential information. The Charities Act 2011 imposes duties on trustees to protect the charity's assets — and confidential information, proprietary methodologies, donor data and strategic plans are assets in the same way as equipment or intellectual property. Without a written contract, there is no binding obligation on a third party to keep information confidential.

The situations in which a UK charity typically needs an NDA before sharing sensitive information include:

  • Corporate CSR and sponsorship negotiations: before a charity shares unreleased fundraising campaigns, audience insight data or co-branding plans with a prospective corporate partner.
  • Grant applications and joint bids: when two charities or a charity and a public sector body co-author a tender or grant application and share programme methodologies, cost models and strategic plans.
  • Technology and platform partnerships: when a charity licenses or co-develops a digital platform, beneficiary management system or EdTech product with a technology provider.
  • Research collaborations: when sharing unpublished research findings, data sets or evaluation methodologies with a university, think tank or policy body.
  • Commissioning and procurement: when a charity as commissioner shares specifications, pricing benchmarks or service delivery data with prospective providers before a contract award.
  • Trustee recruitment: when a prospective trustee is given access to board papers, financial projections or strategic plans before formal appointment.

What a charity NDA typically protects

A charity NDA's confidential information definition should expressly cover the categories of sensitive information the charity actually handles. Generic definitions are weaker than specific ones. Common categories include:

  • Fundraising strategies and donor data: donor acquisition and retention strategies, major donor pipelines, legacy programme plans, and the identities of named donors who have not consented to disclosure.
  • Programme methodologies: proprietary service delivery approaches, intervention models, assessment tools and impact measurement frameworks.
  • Financial and operational data: budget forecasts, reserve policies, cost-per-beneficiary data and grant pipeline information.
  • Strategic plans: unreleased geographic expansion plans, merger or partnership discussions, campaign plans and product development roadmaps.
  • Technology and systems: proprietary software, databases, beneficiary management systems and any EdTech or social technology platform the charity operates.
  • Third-party confidential information: beneficiary personal data (which also requires a UK GDPR data processing agreement) and information shared in confidence by funders, partners or commissioners.

An NDA is not a substitute for a UK GDPR data processing agreement

Where personal data — donor details, beneficiary records or staff information — is shared with a third party who will process it, a data processing agreement under the Data Protection Act 2018 and UK GDPR is required as a separate instrument. The NDA covers commercial confidentiality; the data processing agreement covers lawful processing. Both are needed. An ICO-registered charity that shares personal data without a data processing agreement risks enforcement action regardless of whether an NDA is in place.

Trustees and board confidentiality

Charity trustees have a fiduciary duty to protect the charity's assets, which includes its confidential information. Board minutes, financial forecasts, governance discussions and strategic plans shared in trustee meetings are confidential by nature — but that implied confidentiality is strengthened by a written agreement.

For prospective trustees who are given access to board papers or financial information before formal appointment, a short one-way NDA is good practice. It makes explicit what information is confidential, how long the obligation runs, and what happens if the trusteeship does not proceed.

Once appointed, trustees are subject to the charity's governance framework — typically a code of conduct that incorporates a confidentiality obligation. Where a trustee also has a commercial relationship with the charity as a supplier or partner, a formal NDA covering that relationship is separately appropriate, to avoid mixing fiduciary and commercial duties.

Volunteers, staff and NDAs: who you can bind

Charities have a more complex workforce than many businesses: paid employees, self-employed contractors, short-term volunteers, long-term volunteers who may have ‘worker’ status, and specialist pro bono advisers. The right NDA — and the carve-outs required — differ by category:

  • Paid employees: use an employee NDA, which must include statutory carve-outs for whistleblowing (PIDA 1998), victim reporting (Victims and Prisoners Act 2024) and regulator cooperation. Employees of charities have the same whistleblowing rights as any other worker.
  • Contractors and consultants: use a freelancer NDA, which includes IR35 acknowledgement language, an IP assignment clause for work product, and PIDA 1998 carve-outs. Contractors who access donor data or beneficiary records should also sign a UK GDPR data processing schedule.
  • Volunteers: volunteers are not employees. A simple one-way NDA or a freelancer-style confidentiality agreement is appropriate. Include PIDA 1998 carve-outs where the volunteer could be classified as a ‘worker’ — volunteers with structured, regular roles and some form of reward may qualify. Asking a volunteer to sign an employment NDA risks creating implied employment rights.
  • Pro bono advisers: treat as contractors. A freelancer NDA or mutual NDA is appropriate depending on whether the adviser also shares their own sensitive information — for example, a law firm disclosing its precedent documents while advising pro bono.

Corporate partnerships and CSR sponsorship

Corporate and charity partnerships typically involve two-way disclosure: the charity shares unreleased campaign plans, beneficiary insight and co-branding proposals; the corporate shares its communications strategy, brand guidelines, employee engagement plans and sometimes commercial terms. A mutual NDA is appropriate from the first substantive meeting.

Large corporates may propose using their own NDA template. Review it carefully before signing: charity-specific carve-outs for Charity Commission reporting, HMRC and PIDA 1998 may be absent. The charity's own template, which already includes these carve-outs, is generally more appropriate. Where the corporate insists on using its own template, negotiate the insertion of the mandatory carve-outs before signing.

Multi-year partnership agreements often include a confidentiality clause within the main agreement. An NDA signed at the outset governs the pre-contract evaluation period; the partnership agreement's confidentiality clause governs the ongoing relationship. Both should be consistent in scope and duration.

What a charity NDA cannot lawfully restrict

Regardless of what the NDA says, certain disclosures cannot be contractually restricted by a UK charity NDA:

  • Reporting to the Charity Commission: the Charity Commission of England and Wales (or OSCR in Scotland, CCNI in Northern Ireland) cannot be excluded from regulatory oversight by a private contract. Trustees, employees, volunteers and contractors retain the right to report serious incidents, governance failures and safeguarding concerns to the regulator.
  • HMRC reporting: disclosure to HMRC for tax purposes — including reporting Gift Aid irregularities or charitable status fraud — cannot be prevented by an NDA.
  • Whistleblowing under PIDA 1998: any qualifying protected disclosure to an appropriate person under the Public Interest Disclosure Act 1998 cannot be blocked. For workers (including some volunteers and contractors), this protection is statutory and overrides any contractual restriction.
  • Reporting a criminal offence: any clause purporting to prevent reporting a criminal offence to the police or another appropriate authority is void as contrary to public policy.
  • Safeguarding disclosures: disclosures to social services, the police or other agencies where there is a child protection or adult safeguarding concern cannot be prevented by an NDA. Clauses that purport to cover safeguarding situations are void and may breach the charity's statutory safeguarding obligations.
  • Cooperation with the ICO and other regulators: cooperation with the Information Commissioner's Office, Competition and Markets Authority or any other regulatory body acting in the course of their statutory functions cannot be contractually restricted.

Which NDA template to use

NDASafe offers four variants that charities most commonly use:

  • Mutual NDA (£29): use for corporate CSR partnerships, joint bids, research collaborations and co-delivery agreements where both parties share sensitive information.
  • One-Way NDA, Disclosing (£29): use when the charity is the disclosing party — sharing grant application data, programme methodologies or strategic plans with a third party who is not disclosing anything in return.
  • Freelancer NDA (£29): use for engaging contractors, consultants and specialist volunteers. Includes IR35 acknowledgement, IP assignment for work product and PIDA 1998 carve-outs.
  • Employee NDA (£29): use for paid employees. Includes mandatory whistleblowing (PIDA 1998) and victim-reporting (Victims and Prisoners Act 2024) carve-outs, plus optional non-compete and IP-assignment blocks.
  • Complete NDA Bundle (£79): all eight NDA variants. Suitable for charities that regularly engage a mix of corporate partners, contractors, employees and pro bono advisers.

NDA templates for UK charities — legally reviewed, instant download

NDASafe's templates include mandatory regulatory carve-outs (Charity Commission, HMRC, PIDA 1998) and are editable Word documents you adapt for each relationship. Single template £29. Complete bundle (all 8 variants) £79. Delivered instantly as an editable .docx file.

Step by step

  1. Map the charity's confidential information

    Identify the sensitive information your charity generates or receives: unreleased funding proposals, donor acquisition strategies, beneficiary programme methodologies, corporate partnership terms, strategic plans, technology systems and research data. The NDA can only protect what is properly identified — a vague ‘all information shared’ clause is weaker than a specific definition that names the categories of information your charity actually handles.

  2. Choose the right NDA type for each relationship

    Use a mutual NDA for corporate partnerships, joint bids and co-delivery agreements where both parties share sensitive information. Use a one-way NDA (disclosing) when the charity shares sensitive information with a third party who is not disclosing their own confidential information in return — for example, briefing a new supplier on an unreleased campaign. Use a freelancer NDA for contractors, consultants and specialist volunteers who will access donor data, beneficiary records or proprietary systems.

  3. Add carve-outs for statutory reporting and whistleblowing

    Any NDA used by a charity must include carve-outs for: disclosures to the Charity Commission, OSCR or CCNI; reporting a criminal offence to the police; HMRC reporting; and protected disclosures under the Public Interest Disclosure Act 1998 for workers. These carve-outs are mandatory — any clause purporting to block them is void regardless of what the NDA says.

  4. Add a data processing agreement where personal data is transferred

    If the NDA relationship involves transferring personal data — donor details, beneficiary records or staff information — to a third party, a UK GDPR data processing agreement is required in addition to the NDA. The NDA covers commercial confidentiality; the data processing agreement covers lawful data processing under the Data Protection Act 2018. Where a third party will access and process personal data, both documents must be in place before any data is shared.

  5. Keep the scope proportionate to the relationship

    A charity NDA should protect genuinely sensitive information, not attempt to bind every piece of information the other party learns in the relationship. Courts are less likely to enforce an overbroad NDA than a narrowly tailored one. A proportionate scope also makes the NDA more acceptable to large corporate partners and institutional funders, who may push back on broad confidentiality obligations that conflict with their own governance or reporting requirements.

Frequently asked questions

Does a UK charity really need an NDA?

Yes — if the charity shares commercially or operationally sensitive information before a formal contract is signed. Grant application data, service delivery methodologies, donor acquisition strategies and corporate partnership terms are all examples of information that benefits from NDA protection. A charity's charitable status does not give its confidential information automatic legal protection without a written agreement.

Can a charity make a volunteer sign an NDA?

Yes. Volunteers are not employees, so employment NDA requirements don't apply, but charities can ask volunteers to sign a confidentiality agreement. A simple one-way NDA or freelancer-style confidentiality agreement is typically appropriate. Include PIDA 1998 whistleblowing carve-outs where the volunteer could be classified as a 'worker' — volunteers with structured, regular roles and some form of reward may qualify for worker status.

Can an NDA prevent someone reporting concerns to the Charity Commission?

No. Any clause that purports to prevent a trustee, employee, worker or volunteer from reporting a serious incident, regulatory concern or safeguarding issue to the Charity Commission (or OSCR in Scotland, CCNI in Northern Ireland) is void. Regulatory reporting cannot be blocked by a private contract. NDAs also cannot prevent reporting to the police, HMRC, or any other statutory authority.

Which NDA template should a charity use for a corporate partnership?

A mutual NDA is typically most appropriate for corporate partnerships, where both the charity and the corporate share sensitive information — campaign plans, audience data, commercial terms. Use a one-way NDA (disclosing) when only the charity is sharing sensitive information with a third party who is not disclosing anything in return. A freelancer NDA is appropriate for engaging contractors and consultants who will access donor data or proprietary systems.

Does an NDA protect donor information under UK GDPR?

An NDA protects donor information as confidential information between the charity and the third party who receives it — creating a contractual obligation not to disclose or misuse it. However, an NDA is not a substitute for a UK GDPR data processing agreement where personal data is actually transferred to a third-party processor. Both are needed: the NDA for the commercial confidentiality layer, the data processing agreement for compliance under the Data Protection Act 2018.

Can a charity use the same NDA for all its external relationships?

One template can cover many situations with minor adaptations, but the party structure matters. A mutual NDA works where both parties share confidential information. A one-way NDA is simpler where only one party discloses. Volunteers and contractors need different treatment from corporate partners — particularly around whistleblowing carve-outs and IP assignment. The governing law clause should match the jurisdiction of the relationship.