How Do Charities Track Beneficiaries?
A practical guide to how UK charities track beneficiaries, covering methods from spreadsheets to case management software, what data is typically collected, GDPR requirements, and best practices for beneficiary data management.
Tracking beneficiaries — the people a charity exists to help — is one of the most fundamental operational requirements for any charity delivering direct services. Without reliable records of who you are supporting, what services they are receiving, and what outcomes they are achieving, it becomes impossible to deliver consistent support, demonstrate impact, or comply with data protection law.
TL;DR: UK charities track beneficiaries using methods ranging from paper records and spreadsheets to dedicated CRM and case management software. Spreadsheets remain widely used across the sector — particularly among smaller organisations — despite the significant risks to data security, accuracy, and GDPR compliance that this creates.
What Methods Do Charities Use to Track Beneficiaries?
Most UK charities use one of four approaches to beneficiary tracking, depending on their size, budget, and the complexity of their services. The right method depends on how many people you support, how sensitive the data is, and what you need to report on. There are 170,862 charities on the Charity Commission register as at March 2025 (Charity Commission Annual Report 2024-25), and the vast majority of those delivering direct services need some form of beneficiary tracking.
Paper Records and Filing Systems
Some smaller charities still maintain paper-based records — physical files stored in filing cabinets. While this approach is simple and requires no technology investment, it creates significant challenges: records cannot be searched efficiently, they are vulnerable to loss or damage, they cannot be accessed remotely, and they make GDPR compliance — particularly subject access requests and data deletion — extremely difficult.
Spreadsheets
Spreadsheets (typically Microsoft Excel or Google Sheets) remain the most common method for smaller and medium-sized charities. The Charity Digital Skills Report 2025, surveying 672 charities, found that 68% of small charities remain in the early stages of digital adoption — a figure that includes widespread reliance on spreadsheets for core operations. They are flexible, familiar, and free. However, spreadsheets were never designed to manage personal data at scale. They lack access controls, audit trails, and structured data validation. A single accidental deletion or a shared file sent to the wrong email address can constitute a data breach.
CRM Systems
Customer Relationship Management (CRM) systems — such as Salesforce, Microsoft Dynamics, or charity-specific platforms — provide a structured database for managing contact information, interactions, and relationships. A CRM for charities is typically strongest for managing donors, supporters, and partner organisations, but may lack the depth of functionality needed for complex service delivery.
Case Management Software
Purpose-built case management software is designed specifically for tracking individuals through support journeys. It provides structured intake forms, case notes, outcome tracking, safeguarding workflows, and reporting — all within a system designed for sensitive personal data. For charities delivering direct services, this is the most appropriate tool.
Definition: Beneficiary tracking is the systematic process of recording and managing information about the individuals a charity supports, including their personal details, the services they receive, the interactions they have with staff, and the outcomes they achieve.
| Method | Best for | Strengths | Weaknesses |
|---|---|---|---|
| Paper records | Very small, low-complexity services | Simple, no tech needed | Unsearchable, no remote access, GDPR risk |
| Spreadsheets | Small charities, simple data | Flexible, familiar, free | No access controls, no audit trail, error-prone |
| CRM systems | Donor/supporter management | Relationship tracking, communications | Often lacks case-level depth for service delivery |
| Case management software | Direct service delivery | Structured workflows, safeguarding, outcomes | Requires investment and implementation time |
What Data Do Charities Typically Collect About Beneficiaries?
The data collected varies by charity type and service, but falls into several broad categories. The Charity Commission's 2024 guidance on data governance emphasises that charities should collect only what they genuinely need — the GDPR principle of data minimisation.
Personal identifiers: Name, date of birth, contact details, and a unique reference number. These enable the charity to identify and communicate with the individual.
Demographic data: Gender, ethnicity, disability status, first language, and postcode. This data is typically collected for equality monitoring and funder reporting. Many grant-makers now require charities to report on the demographic profile of their beneficiaries as a condition of funding.
Needs and circumstances: The specific issues or challenges the person is facing — housing status, employment situation, health conditions, family circumstances, or legal issues. This data informs the support provided.
Service history: What services the person has accessed, when, and with whom. This includes appointment records, case notes, referrals, and communications.
Outcomes and progress: Changes in the person's circumstances, wellbeing, or situation over time. This might be measured through validated tools (such as the Warwick-Edinburgh Mental Wellbeing Scale), or through simpler before-and-after assessments.
Consent and preferences: Records of what the person has consented to, their communication preferences, and any restrictions on data sharing.
The sector has seen a clear shift from tracking activities to tracking outcomes over the past decade. Funders increasingly want to know not just how many people a charity supported, but what changed as a result — making robust beneficiary tracking essential for demonstrating impact.
What Are the GDPR Requirements for Beneficiary Data?
Charities handling beneficiary data must comply with the UK GDPR and the Data Protection Act 2018. The ICO received 12,412 personal data breach reports in 2024-25 (ICO Annual Report), with health, education, and childcare sectors the most frequent reporters. The most frequent causes of breaches remain data sent to the wrong recipient and unauthorised access to personal records.
Lawful Basis
Every piece of personal data you collect requires a lawful basis for processing. For beneficiary tracking, the most common bases are:
- Consent: The individual agrees to their data being collected and used. Must be freely given, specific, informed, and withdrawable.
- Legitimate interests: The charity has a legitimate interest in providing effective support, balanced against the individual's rights. Requires a documented Legitimate Interest Assessment.
- Legal obligation: Where recording data is required by law — for example, safeguarding duties.
- Vital interests: In emergencies where data processing is needed to protect someone's life.
For special category data (health, ethnicity, criminal records), additional conditions under Schedule 1 of the DPA 2018 must be met — typically the substantial public interest condition for charities delivering welfare services.
Data Minimisation
Collect only what you need. This is one of the most commonly breached principles in charity beneficiary tracking. Many charities collect demographic data fields that they never actually use in reporting or service delivery — often because intake forms were designed once and never reviewed. Every unnecessary data field increases your compliance burden and your exposure in the event of a breach.
Consent and Transparency
Individuals must be told clearly what data you collect, why, how long you keep it, and who you share it with. This information should be provided at the point of first contact — typically through a privacy notice given during the intake process. The notice must be written in plain language appropriate to your service user group.
Data Security
Beneficiary data must be protected by appropriate technical and organisational measures. This includes access controls (ensuring staff can only see the data they need), encryption (particularly for data in transit), secure storage, and regular security reviews. Using a purpose-built case management platform with role-based permissions and GDPR compliance features is significantly more secure than spreadsheets or shared drives.
Retention and Deletion
Data should not be kept longer than necessary. Define clear retention periods — typically 6–7 years after case closure for adults, and until age 25 for children's records — and ensure data is securely deleted when the period expires. Spreadsheet-based systems make consistent deletion extremely difficult in practice.
How Should Charities Choose a Beneficiary Tracking Method?
The right approach depends on the complexity of your services and the sensitivity of the data you handle. As a general guide:
If you support fewer than 50 people at a time and your services are straightforward (for example, a community group providing social activities), a well-structured spreadsheet with appropriate access controls may be sufficient — provided you have a clear data protection policy and your staff are trained to follow it.
If you deliver structured support services — housing support, advice, counselling, mentoring, substance misuse treatment, or any service that involves ongoing casework — you need a dedicated system. The complexity of managing individual support journeys, recording sensitive information securely, and reporting on outcomes requires tools designed for the purpose.
If you work across multiple sites or with partner agencies, the need for a centralised, cloud-based system becomes even more pressing. Spreadsheets on individual laptops create data silos and make consistent reporting nearly impossible.
Anecdotal evidence from charities that have moved from spreadsheets to dedicated case management software consistently points to significant reductions in administrative time and greater confidence in the accuracy of impact data.
Plinth provides a purpose-built case management platform for UK charities, with structured intake, AI-powered case notes, outcome tracking, safeguarding workflows, and built-in reporting — designed to make beneficiary tracking both effective and compliant.
Common Mistakes in Beneficiary Tracking
Collecting data you do not use. Every unnecessary field is a GDPR liability. Review your data collection annually and remove anything that does not serve a specific, documented purpose.
Inconsistent recording. If different staff members record information in different ways — or do not record it at all — your data becomes unreliable. Standardise your intake forms, case note templates, and outcome measures.
No retention policy. Keeping data indefinitely is a GDPR breach. Define retention periods and enforce them.
Over-reliance on individual knowledge. If beneficiary information exists primarily in a worker's memory rather than in the system, the organisation is vulnerable to staff turnover and service gaps.
Failing to plan for subject access requests. Under GDPR, individuals can request all data held about them. If your records are scattered across spreadsheets, emails, and paper files, responding within the statutory one-month deadline becomes extremely difficult.
Frequently Asked Questions
Do charities need consent to collect beneficiary data?
Not necessarily. Consent is one lawful basis under GDPR, but charities can also rely on legitimate interests, legal obligation, or vital interests depending on the context. In practice, many charities use legitimate interests as their primary basis for beneficiary data, with consent used for specific purposes such as marketing communications or data sharing with third parties. Whatever basis you use, you must document it and communicate it clearly to the individual.
How do charities report on beneficiary numbers to funders?
Most funders require regular reports on the number of beneficiaries supported, their demographics, and outcomes achieved. Charities typically generate these reports from their case management or CRM system. Where spreadsheets are used, this often involves significant manual effort. Using a system with built-in reporting dramatically reduces the time and error associated with funder reporting.
Can charities share beneficiary data with other organisations?
Only where there is a lawful basis and appropriate safeguards in place. Data sharing typically requires either the individual's explicit consent, a formal data sharing agreement, or a legal obligation (such as safeguarding duties). The ICO publishes a data sharing code of practice that charities should follow. Multi-agency working — common in safeguarding and complex needs services — requires particular care around information sharing protocols.
What is the difference between a beneficiary and a client?
The terms are often used interchangeably. "Beneficiary" is the more common term in charity governance and funder reporting — it refers to the people who benefit from the charity's work. "Client" or "service user" is more common in frontline service delivery contexts. Some organisations prefer "participant", "member", or simply "the people we support". The terminology matters less than the consistency of its use within your organisation.
Recommended Next Pages
CRM for Charities: A Complete Guide – Detailed comparison of CRM options for UK charities.
Case Management Software for Charities – How to choose the right case management platform.
Case Management, GDPR, and Data Protection for Charities – In-depth guidance on GDPR compliance for charity data.
What is Case Management? – A clear definition of case management and its core components.
Last updated: February 2026
For more information about beneficiary tracking for your organisation, contact our team or schedule a demo.