Case Management, GDPR, and Data Protection for Charities
A practical guide to UK GDPR compliance for charities and nonprofits using case management software. How to handle personal data lawfully, manage access controls, respond to subject access requests, and avoid common compliance pitfalls.
The personal data held in case management systems is among the most sensitive data that any organisation handles. Case records contain information about health, family circumstances, financial situations, housing status, mental health, relationships, and sometimes criminal history. Getting data protection right is not a bureaucratic obligation — it is a fundamental requirement of ethical, professional practice.
What you'll learn: The UK GDPR requirements most relevant to case management, how to apply them in practice, and the common compliance gaps that put organisations at risk.
Important note: This guide provides general guidance for charities and nonprofits. It is not legal advice. Organisations with complex data protection requirements should seek specialist advice from a qualified Data Protection Officer or solicitor.
Plinth's approach: Plinth is built with data protection principles at its core — secure UK data storage, role-based access controls, complete audit trails, and no use of your data to train AI models.
The UK GDPR Framework for Case Management
The UK General Data Protection Regulation (UK GDPR), implemented through the Data Protection Act 2018, governs how personal data is collected, stored, used, and shared in the UK.
The Six Data Protection Principles
Every organisation processing personal data must comply with the six principles of the UK GDPR.
Lawfulness, Fairness, and Transparency: You need a lawful basis for processing personal data. You must be transparent with service users about what data you collect and why.
Purpose Limitation: Data collected for case management should only be used for case management purposes. Using it for other purposes — such as marketing — requires a separate lawful basis.
Data Minimisation: Collect only the data you actually need for the purpose. Recording extensive personal information that serves no specific support function is a compliance risk.
Accuracy: Personal data should be kept accurate and up to date. Outdated information in case records can lead to poor decisions and compliance risk.
Storage Limitation: Personal data should not be kept longer than necessary for the purpose. Define retention periods for different types of case records and apply them consistently.
Integrity and Confidentiality: Personal data must be protected against unauthorised access, loss, or damage through appropriate technical and organisational measures.
These principles apply to everything stored in your case management system — every note, every assessment, every record.
Lawful Basis for Case Management Data
Processing personal data requires a lawful basis. For most charity case management, the relevant bases are:
Consent: The service user explicitly agrees to their data being processed. Consent must be freely given, specific, informed, and unambiguous. Consent can be withdrawn at any time.
Contract: Where your service is delivered under a contractual arrangement (such as a commissioned service), processing necessary for the contract is lawful.
Legal Obligation: Where processing is required to comply with a legal obligation — such as safeguarding duties — this provides a lawful basis.
Vital Interests: Where processing is necessary to protect the life of the service user or of another person, this may provide a basis, particularly in safeguarding contexts.
Legitimate Interests: For some processing, legitimate interests may apply — but this requires a balancing test against the rights and freedoms of the data subject, and is not a catch-all basis.
Special Category Data: Mental health, health data, racial or ethnic origin, sexual orientation, and criminal records are "special categories" requiring either explicit consent or a specific Schedule 1 condition under the DPA 2018. Most safeguarding and support charity work relies on substantial public interest conditions.
For most charities, a combination of consent, legitimate interests, and (for safeguarding) vital interests and legal obligation will cover the main processing activities in case management.
Privacy Notices and Transparency
Service users must be told what data you collect about them and why.
Privacy Notice Requirements: Your privacy notice should cover: what data you collect, the lawful basis for processing, how long you retain it, who you share it with, and service users' rights.
When to Provide It: Provide the privacy notice at the point of first contact — ideally as part of the intake process.
Plain Language: Privacy notices should be understandable to your service user group, not written in legal language. If your service users include people with limited literacy or English as a second language, consider accessible versions.
Case Management System Inclusion: Ensure your privacy notice references your case management system and explains how data is stored and secured.
Access Controls and Security
Role-Based Access
Not all staff should have access to all case records. Access should be determined by role and justified by the principle of minimum necessary access.
Case Worker Level: Case workers should have full access to cases assigned to them, and read access to others in their team where needed for cover.
Manager Level: Managers need oversight access across all cases in their team's caseload.
Senior Management: Senior staff may need reporting access without needing to read individual case notes.
Volunteer and Sessional Staff: Part-time and volunteer staff should have access limited to the cases they are directly involved with.
Plinth's role-based permissions allow granular control of who sees what, supporting the minimum necessary access principle.
Protecting Highly Sensitive Records
Some case records contain particularly sensitive information that requires additional protection.
Private Notes: Plinth's private note function allows sensitive notes to be restricted to named individuals — preventing general team access to, for example, a disclosure of domestic abuse or a note containing information about a third party's risk.
Safeguarding Records: Records relating to safeguarding concerns may require additional access controls and longer retention periods.
Third-Party Information: Notes that contain information about people other than the named service user — family members, partners, neighbours — should be handled with particular care.
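The access tiers described above (case worker, manager, senior management, volunteer) and the private-note restriction to named individuals can be expressed as a single authorisation check with an audit trail. The following is an added illustration, not Plinth's own code; the role names, team ids and record fields are assumptions, and the rule that senior management sees aggregates but never note content follows the guidance above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the access tiers described in the guide. All ids,
# team names and role names are assumptions for illustration only.
@dataclass(frozen=True)
class User:
    user_id: str
    role: str   # case_worker | manager | senior_manager | volunteer
    team: str

@dataclass(frozen=True)
class Case:
    case_id: str
    team: str
    assigned_to: frozenset             # case workers assigned to the case
    involved: frozenset = frozenset()  # volunteers/sessional staff on the case

@dataclass(frozen=True)
class Note:
    case_id: str
    text: str
    private_to: frozenset = frozenset()  # empty = visible to all case readers

AUDIT_LOG: List[Tuple[str, str, str, bool]] = []  # (user, case, action, allowed)

def access_level(user: User, case: Case) -> Optional[str]:
    """'full' (read/write), 'read' (team cover), 'report' (aggregates only) or None."""
    if user.role == "case_worker":
        if user.user_id in case.assigned_to:
            return "full"
        return "read" if user.team == case.team else None
    if user.role == "manager":
        return "full" if user.team == case.team else None
    if user.role == "senior_manager":
        return "report"   # reporting access without reading individual notes
    if user.role == "volunteer":
        return "full" if user.user_id in case.involved else None
    return None           # unknown role: deny by default

def can_read_note(user: User, case: Case, note: Note) -> bool:
    """Case-level rule first, then the private-note restriction; every decision is logged."""
    allowed = access_level(user, case) in ("full", "read")
    if allowed and note.private_to:
        allowed = user.user_id in note.private_to  # named individuals only
    AUDIT_LOG.append((user.user_id, case.case_id, "read_note", allowed))
    return allowed

def can_write_note(user: User, case: Case) -> bool:
    allowed = access_level(user, case) == "full"
    AUDIT_LOG.append((user.user_id, case.case_id, "write_note", allowed))
    return allowed
```

Logging denied attempts as well as permitted ones is what gives the access log its value for breach detection later.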
Data Breach Prevention and Response
A personal data breach is any incident where personal data is accessed, altered, lost, or disclosed without authorisation.
Prevention: Strong access controls, secure storage, no sharing of data through insecure channels (personal email, WhatsApp), and clear policies about how data is handled.
Detection: Organisations need mechanisms to detect breaches — including logging of access and alerts for unusual activity.
Response: UK GDPR requires notification to the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. High-risk breaches also require notification to the affected individuals.
Case Management Breaches: The most common case management data breaches involve spreadsheets sent to the wrong recipient, laptops with unencrypted data lost or stolen, and unauthorised access by disgruntled ex-staff.
Cloud-based case management systems like Plinth significantly reduce breach risk by centralising data in a secure, access-controlled environment rather than distributing it across laptops and file shares.
Subject Access Requests
Under UK GDPR, individuals have the right to request access to personal data held about them. This is called a Subject Access Request (SAR).
Timeframe: You must respond within one month of receiving the request (extendable by two months in complex cases).
What to Provide: A copy of all personal data held about the individual, in a format they can understand.
Responding from Case Management Systems: A well-organised case management system makes SAR responses much easier. Plinth's structured records can be exported in response to SARs.
Exemptions: Some information may be exempt from disclosure — for example, information about third parties, or information that could harm the individual or others. Take legal advice in complex cases.
Private Notes: Notes marked as private in your case management system still fall within the scope of a SAR unless an exemption applies. Do not use private note functionality to conceal information from service users without proper justification.
Data Retention
Personal data should not be kept longer than necessary for the purpose for which it was collected.
Retention Periods for Case Records
Retention periods vary by organisation type and the nature of the records. Common guidance suggests:
Adult Service Records: Generally 7 years from last contact, though this varies by service type.
Children's Records: Often longer — frequently until the subject is 25, or in some cases longer for records relating to significant events.
Safeguarding Records: Typically retained for longer periods — seek specific guidance from your sector body.
Financial Records: Retain in line with legal requirements (typically 6–7 years).
What to Do at Retention End: Securely delete or anonymise data that has reached the end of its retention period. A formal deletion process is part of good data governance.
Plinth supports configurable retention policies so organisations can manage data lifecycle appropriately.
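The retention periods listed above can be turned into a policy table that is applied consistently at retention end, with a deliberate "hold" state for record types where your sector guidance has not yet been set. This is an added example, not Plinth's retention feature; the period values mirror the indicative figures in this section (7 years from last contact for adult and financial records, age 25 for children's records), the field names are assumptions, and real periods must come from your own policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy reflecting the indicative periods in the guide; the
# safeguarding entry is left unset on purpose so such records are never
# auto-expired before specific sector guidance has been adopted.
POLICY = {
    "adult":        {"years_from_last_contact": 7},
    "financial":    {"years_from_last_contact": 7},
    "child":        {"until_age": 25},
    "safeguarding": {"years_from_last_contact": None},
}

@dataclass
class CaseRecord:
    record_id: str
    record_type: str
    last_contact: date
    date_of_birth: Optional[date] = None
    anonymise_instead_of_delete: bool = False  # keep for statistics, strip identifiers

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:                       # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)

def retention_end(rec: CaseRecord) -> Optional[date]:
    """Date after which the record has exceeded its retention period, or None if undefined."""
    rule = POLICY[rec.record_type]
    if "until_age" in rule:
        if rec.date_of_birth is None:
            raise ValueError("children's records need a date of birth to apply the age rule")
        return add_years(rec.date_of_birth, rule["until_age"])
    years = rule["years_from_last_contact"]
    return None if years is None else add_years(rec.last_contact, years)

def retention_action(rec: CaseRecord, today: date) -> str:
    """'retain', 'hold' (policy not set), 'delete' or 'anonymise'."""
    end = retention_end(rec)
    if end is None:
        return "hold"
    if today < end:
        return "retain"
    return "anonymise" if rec.anonymise_instead_of_delete else "delete"

def anonymise(fields: dict) -> dict:
    """Keep only non-identifying fields useful for reporting; drop everything else."""
    keep = {"record_type", "service", "outcome", "year_closed"}
    return {k: v for k, v in fields.items() if k in keep}
```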
Special Considerations for AI and Case Management
If your case management system uses AI — as Plinth does — there are additional data protection considerations.
AI Training Data: The biggest risk with AI in case management is whether your service users' personal data is used to train the AI model. This would require a specific lawful basis and transparency to service users.
Plinth's Commitment: Plinth does not use your data to train AI models. AI analysis in Plinth is applied to your data to produce outputs for you — the data does not leave your control or contribute to model training.
Data Processing Agreement: If you use a cloud-based case management system, ensure you have a Data Processing Agreement (DPA) in place with the provider, as required by UK GDPR when a data processor processes data on your behalf.
Before using any AI-enabled case management tool, confirm explicitly whether your data will be used for model training — and refuse to accept a system that cannot give you a clear answer.
Frequently Asked Questions
Do we need a Data Protection Officer?
Under UK GDPR, a DPO is required for public authorities and organisations whose core activities involve large-scale processing of special category data. Many charities will not meet this threshold, but should appoint a named data protection lead regardless.
Can we use WhatsApp or personal email for case management communications?
No. Consumer messaging apps and personal email accounts do not meet the security standards required for sensitive personal data. All case-related communication should use organisational email and secure channels.
What is a Data Processing Agreement and do we need one?
A DPA is a contract between you (the data controller) and a software provider (the data processor) that sets out the terms on which the provider handles your data. Under UK GDPR, you must have a DPA in place with any processor handling personal data on your behalf — including your case management software provider.
Plinth provides a Data Processing Agreement to all organisations using the platform, setting out clearly how your data is handled and protected.
How do we handle data about family members and third parties?
Information about third parties — family members, partners, neighbours — must be handled with care. Third parties have data protection rights too, even if they are not the primary subject of the case record.
Practical Guidance: Record third-party information only where it is directly relevant to the support being provided. Consider whether the third party would object to how their information is being recorded. Treat third-party information with the same confidentiality as information about the primary service user.
Last updated: February 2026
This guide provides general information and does not constitute legal advice. For complex data protection matters, seek specialist advice from a qualified DPO or solicitor.