The UK’s volunteering sector has long been associated with village fêtes, tea urns and bunting. Despite the fact that these stereotypes remain an important part of the UK charity landscape, the traditional image of a volunteer no longer adequately reflects the reality. Just as likely to be moderating your charity’s social media from their bedroom in Brighton as they are to be manning the tombola stall at your Bolton fête, your volunteers are working in a far wider range of environments than is sometimes assumed. However, many organisations’ existing risk frameworks are inadequate to modern volunteering practices, often using templates and policies that are completely unfit for the realities of online moderation, remote admin support roles, and online campaigning and advocacy work.
In the UK, charities have a legal duty of care to the volunteers they work with. This duty of care isn’t simply about making sure that the tea urn doesn’t electrocute someone. The Health and Safety at Work Act 1974, the Charity Commission guidance, and the common law of negligence all mean that trustees and volunteer managers have legal responsibilities which, if they don’t take them seriously, they could find themselves in serious difficulty. In this article, I set out a practical framework for safeguarding volunteers which UK charities should implement when working with volunteers outside traditional roles, and that also includes specific guidance on the volunteer risk assessment UK charities must carry out in order to remain compliant, but also to protect people and to secure the public’s trust, without which there can be no social licence to operate.
Get this wrong and you’ll not only risk the wellbeing of your volunteers, you risk your charity’s reputation, your trustees’ sleep, and potentially your organisation’s very existence.
Understanding your legal duty of care to volunteers
The Health and Safety at Work Act 1974 makes no distinction between your staff and your volunteers. Section 3(1) of the Act clearly states that you must conduct your undertaking in a way that persons “not in your employment” are not exposed to risks to their health and safety. They are your volunteers.
This has long been an issue charity trustees and charity volunteer managers get wrong. In the minds of many trustees, the fact that a volunteer is not an employee seems to allow the organisation’s legal responsibilities to them to disappear into the ether. This is completely wrong. In fact, if anything, these facts increase an organisation’s legal responsibility for volunteer wellbeing. Volunteers are not employees and therefore do not have employment rights such as protection from unfair dismissal or statutory sick pay. However, they are absolutely entitled to the same safe working environment and expectation of appropriate risk mitigation as any employee. In its guidance, the Charity Commission has repeatedly made it clear that trustees have a legal duty to protect volunteers from harm, and that failure to do so can amount to mismanagement.
The question of vicarious liability further complicates matters. If a volunteer causes a member of the public or a beneficiary to be harmed whilst acting within the scope of their volunteer role, your charity could be held legally liable. This means that safeguarding volunteers UK charities engage with, not just out of moral duty, but because it is a legal necessity. The example of a 2019 case involving a volunteer driver for a disability charity who was driving a beneficiary and caused a serious accident. Their volunteer risk assessment UK processes and risk mitigation measures were not adequate to the role, and the charity ended up facing significant legal costs and reputational damage as a result.
Charities have faced real-world consequences as a result of failing to appreciate the extent of their duty of care to volunteers. These include Charity Commission inquiries, lost funding, volunteer exodus, and reputational damage that has sometimes taken years to repair. This matters even more in a world where a single tweet or Facebook post can reach thousands, if not millions, of people.
Volunteers are not employees, but if you involve them in your work, you are legally responsible for their safety and wellbeing. That duty is not mitigated by the fact that they’re not paid, or that they work remotely, or only volunteer once a month. In many cases, these factors actually increase your duty to think carefully about the risks they might face.
The modern volunteer landscape
Volunteering has changed. Whilst the retired volunteer with time on their hands is not quite a stereotype, they do represent an increasingly small proportion of the volunteer population. The modern volunteer is a much more diverse and complex beast. The modern volunteer might be the working parent moderating your Facebook group whilst on their lunch break, the university student creating your Instagram graphics from their halls of residence, the professional providing pro bono consultancy over Zoom, or the isolated older person providing telephone befriending from their living room.
These roles are good, flexible and are in many cases now essential to how charities operate. There are also roles which are invisible to traditional risk assessment processes, which tend to focus around the organisation’s physical premises, face-to-face contact, and supervised, in-person activities. When your volunteer risk assessment UK asks about manual handling and lone working in beneficiary homes, what does that even look like for someone moderating your Twitter account? Or someone providing online peer support?
The risks to these modern volunteers are not imagined. They are real and can be serious. For volunteers moderating social media, for example, this can include online harassment and abuse, threats, and the legal risk that a lawsuit gets put in your charity’s name. A volunteer managing responses to domestic abuse survivors via Facebook Messenger might be exposed to vicarious trauma and experience burnout. Remote administrative volunteers who work with beneficiary or member data face data breach risks. Digital campaigners face the risk of being doxxed or other forms of online pile-on. Even lower-risk roles such as online befriending can result in boundary violations, emotional exhaustion, and safeguarding issues.
To illustrate these risks, one of my clients was a mental health charity which recruited volunteers to moderate their online support forum. Within six months, three volunteers had resigned due to emotional distress from exposure to suicidal ideation and graphic self-harm discussions. The charity had provided no training on vicarious trauma, no supervision structure, and no escalation protocols. When one volunteer had a mental health crisis of their own, the charity faced serious questions about whether they had adequately safeguarded their volunteers. It became clear that they had not.
In a different example, a volunteer social media manager for an environmental charity received death threats after posting about a contentious campaign. This charity had no protocols for online abuse, no support mechanisms, and had not considered this a risk when recruiting the volunteer. The volunteer left traumatised and the charity’s reputation was dented when the story was shared widely with others in the sector.
Neither of these stories are edge cases. They are increasingly common scenarios which are occurring across the sector, and which require a fundamental shift in the way we approach the safeguarding of volunteers upon which our UK charities depend.
A framework for risk assessing non-traditional volunteer roles
Effective volunteer risk assessment UK charities should implement needs to be systematic and take into account the specific nuances of these modern volunteering roles. The framework below provides a practical, step-by-step process for charities which is proportionate and manageable, but which also covers all of the areas the Charity Commission will expect you to have considered.
Step 1: Role definition and hazard identification
Begin by defining what the volunteer role actually involves in practical terms. For a social media volunteer, this means: which platforms will they use? What type of content will they be creating or moderating? Are they going to be responding to messages? What hours will they be active? After you have clearly defined the role, identify hazards specific to that role. For a social media volunteer this could include online abuse, exposure to distressing content, working in isolation, screen fatigue, data protection risks and reputational risk to the volunteer personally.
Step 2: Risk evaluation
For each hazard, consider the likelihood of it occurring and the potential severity of harm. For example, a social media volunteer for a cancer charity is very likely to be exposed to distressing content (high likelihood) but this would only cause moderate psychological harm (medium severity). A volunteer working remotely who manages donor data faces lower likelihood of data breach if systems are in place but the severity could be high due to GDPR issues and reputational damage.
Step 3: Control measures
For each risk, put in place control measures that bring the risk down to an acceptable level. For remote volunteers, this might include: mandatory information security training, secure access to systems rather than emailing sensitive documents, a clear policy on use of personal devices, regular supervisor check-ins, and access to a debriefing support person. For social media volunteers: information handling training, a clear escalation process, boundaries on response times and content moderation guidelines, plus access to counselling if needed.
Step 4: Documentation
Record it. Document the risk assessment, the control measures you have implemented, training provided, and any incidents or near misses. This is not only essential for Charity Commission compliance purposes, but it also demonstrates that your organisation is taking its duty of care responsibilities seriously. It also creates an audit trail if something does go wrong.
Step 5: Review and update
Risk assessments are not a one-and-done thing. They should be reviewed at least annually, or if there is a material change in the role or operating environment, or following an incident. The online environment changes rapidly – a platform that was perfectly safe to use last year might have a completely different moderation climate this year.
Specific considerations by volunteer type
Remote admin volunteers: Focus on data protection, information security, isolation and ergonomics. These people need secure access to systems, a clear understanding of GDPR obligations, regular contact with a supervisor, and guidance on setting up a safe home workspace.
Digital and social media volunteers: Focus on online safety, vicarious trauma, boundary management, and reputational risks to the volunteer themselves. Training on online abuse, clear escalation guidelines, defined boundaries around “offline” hours, content moderation guidelines, and counselling if needed.
Online befriending/support volunteers: Safeguarding (both ways), boundary management, vicarious trauma, and supervision. These roles will often need enhanced DBS, comprehensive training, regular supervision, and clear safeguarding protocols.
Event based occasional volunteers: Don’t assume risk is low just because someone is only there once or twice a year. Do they have adequate induction? Do they understand emergency procedures? Do they know who to contact if something goes wrong? Is your insurance adequate for their presence?
The Charity Commission has made it clear that trustees need to be able to evidence that they have given proper consideration to the safety of their volunteers. Your risk assessments, policies, and training records provide that evidence. The Charity Commission treats the safeguarding of volunteers as seriously as the safeguarding of beneficiaries, so treat it that way yourselves too.
UK Volunteer Manager’s Toolbox: Software for Compliance & Care
If running a modern volunteer programme is a bit more complex than opening a spreadsheet and good intentions, what else do you need? As the roles your volunteers do become more complex and compliance demands increase, technology is rapidly becoming essential to keep on top of everything from maintaining oversight to demonstrating duty of care to proving Charity Commission compliance.
A good, robust nonprofit crm is the volunteer management hub to which all activities should be connected. A system that allows you to keep track of the entire volunteer lifecycle, from initial enquiry to exit interviews, is essential. A good CRM system also allows you to keep track of safeguarding and safeguard volunteers UK at all times by tracking DBS checks, training completion, risk assessments, supervision notes, and incident reports. When the Charity Commission arrives at your door, or the DUTY of care assessment form comes through, having all of this data ready and clearly evidenced in the system is crucial.
Integrated charity management software goes a step further by integrating volunteer management with other organisational processes and systems. When your volunteer system interfaces with your finance system, events management system, and communications tools, you build a silo-free ecosystem that minimises admin time whilst maximising oversight. For instance, when someone volunteers for an event, the system will automatically check whether their DBS is current, whether they’ve done the required training, and whether any risk assessments need updating. It’s not a replacement for a human checking everything, but it will help ensure nothing slips through the net.
There are several key features to look for when considering the best crm for charities in the uk to use. For safeguarding volunteers, GDPR compliance is a non-negotiable requirement GDPR-compliant software must have a robust security protocol, transparent consent management, and audit trails showing who accessed information and when. A volunteer portal where volunteers can self-update details, access policies and training, and log hours is a great way to reduce admin burden and empower volunteers. Reporting functions need to be capable of quickly identifying volunteers who are coming up for DBS renewal, who have yet to complete mandatory training, or who haven’t received supervision in a specified time period.
In addition, a solid charity system should have features that support your duty of care towards volunteers. Incident reporting modules should allow volunteers to report concerns, accidents, or near misses easily and without fear, automatically creating an audit trail of your response and allowing you to identify patterns. Communication logs can provide evidence of supervision and support given and information sharing where volunteers are working remotely or alone. Consent management features should keep on top of any consent for how you use volunteer data and images, while document management can provide a central repository for all policies, risk assessments, and training materials to ensure people are always working from the most up to date version.
Apps and software can also help support volunteer wellbeing with better communication and support. Automated reminders for supervision check-ins can help you ensure that volunteers working remotely don’t become isolated. Having a secure messaging system within the software can provide a professional communication channel where boundaries are maintained. Feedback channels also allow volunteers to raise concerns in a confidential way. Training tracking allows you to know with confidence that your volunteers have the knowledge and skills they need to stay safe in their roles.
One final benefit of technology for managing volunteers is that for charities that have volunteers in different roles, multiple locations, or both, it gives you consistency. You have the same risk assessment templates, the same policies and procedures, and all training can be centrally delivered and tracked. Reporting allows for oversight of volunteer safety throughout the entire organisation, so trustees can carry out their governance roles with more confidence.
It’s easy to see why the right technology isn’t just a nice to have but a fundamental requirement for modern volunteer management. In fact, it’s hard to overstate the importance of it as the cost of inadequate systems in terms of volunteer harm, legal liability, regulatory scrutiny, and reputational damage are a very real risk and so much greater than the cost of getting fit for purpose software in place.
