Edition: Thursday 16th March 2023

Ransomware attacks continue to plague businesses

Read this short article about them, how serious they can be and what to do about them.

Managing fraud risk in five steps

Fraud is a very real risk but something that tends not to be discussed enough in charities despite figures showing it’s on the rise. Here are top tips for how to prevent fraud in your organisation.

Combatting fundraising fraud

Fundraising fraud is an inherent and unique risk in the charity model. How do you know who is fundraising in your charity’s name? How do you know how much they actually raised? How do you know you are getting all the income due to you? For charities reliant on traditional fundraising in their income risk, it has never been more important to do all you can to manage this risk. In this piece from the ICAEW, experts give their tips as to what a charity can do in practice to manage this risk more effectively. Also here is a recent webinar on the subject of charity fraud.

Free Cyber Security Support

Charities continue to come under attack from cyber criminals with reports that 31 per cent of businesses and 26 per cent of charities estimate they were attacked at least once a week. One in five businesses and charities said they experienced a negative outcome as a direct consequence of a cyber-attack, while more than a third of businesses and almost four in ten charities experienced at least one negative impact. Charities are among organisations that can secure 20 hours of free cyber security through Dorset-headquartered C3IA Solutions. It can enable them to work towards the Cyber Essentials and Cyber Essentials-Plus certification, the minimum standards recommended by the government.

The free engineering and support are being funded through the National Cyber Security Centre (NCSC) and IASME, the accreditation body for the Cyber Essentials Scheme. C3IA Solutions, which is based in Poole, is assured by the NCSC and an IASME accredited Certification Body and has helped over 150 regional organisations to become more cyber-secure.  To check if you qualify for the free cyber-security you need to contact: [email protected]


Edition: Thursday 9th March 2023

Free Cyber Security Support

Charities continue to come under attack from cyber criminals with reports that 31 per cent of businesses and 26 per cent of charities estimate they were attacked at least once a week. One in five businesses and charities said they experienced a negative outcome as a direct consequence of a cyber-attack, while more than a third of businesses and almost four in ten charities experienced at least one negative impact. Charities are among organisations that can secure 20 hours of free cyber security through Dorset-headquartered C3IA Solutions. It can enable them to work towards the Cyber Essentials and Cyber Essentials-Plus certification, the minimum standards recommended by the government.

The free engineering and support are being funded through the National Cyber Security Centre (NCSC) and IASME, the accreditation body for the Cyber Essentials Scheme. C3IA Solutions, which is based in Poole, is assured by the NCSC and an IASME accredited Certification Body and has helped over 150 regional organisations to become more cyber-secure.  To check if you qualify for the free cyber-security you need to contact: [email protected]

Safeguarding eLearning Courses

Ann Craft Trust now has an e-learning course that is ideal for those who live or work with adults or where adults are present, from the care sector and charities to sport and activity organisations. It costs £25.

Protecting pregnant workers and new mothers

The HSE is reminding employers that you must carry out an individual risk assessment for pregnant workers and new mothers. This individual risk assessment covers a worker’s specific needs, when they inform you in writing that they:

  • are pregnant
  • have given birth in the last 6 months, or
  • are breastfeeding

Their website guidance provides advice for employers on talking to workers, and protecting them from common risks like working at height and lifting heavy loads. There is dedicated advice for workers themselves. They also have a video with practical advice on how to keep pregnant workers and new mothers safe.


Edition: Thursday 2nd March 2023

Cyber security challenges charities are facing in 2023

Charity Digital explores the threats and challenges that charities are presently facing in the world of cyber security.

Health and safety law poster

Employers must have a poster at each workplace or provide each worker with a leaflet. The HSE is reminding employers of this and not to buy ‘fake’ posters or leaflets.

King's Coronation: Organising a Safe Event

Short useful article setting out what to think about.


Edition: Thursday 23rd February 2023

Data sharing: 10 point checklist

Many of you need to share personal data with other organisations, be this reciprocal, one-way, a regular activity or ad hoc. Data protection law doesn’t stop us doing this, but we need to be sure our sharing of data is lawful and transparent. We need to keep in mind other key data protection principles, such as minimisation and security. Here are some quick pointers.

Top 10 Data Protection Tips for SMEs

If you have fewer than 250 employees (we’re 99.9% sure you are) then this is a useful quick checklist!


Edition: Thursday 16th February 2023

Young workers’ safety

Workers are as likely to have an accident in the first 6 months at a workplace as they are during the whole of the rest of their working life. The HSE have got a wide range of guidance on their young people (under 18s) at work website, including:

Tax and VAT on Gift Aid

HMRC has updated Chapter 3: Gift Aid of its detailed guidance notes for charities to clarify when donations made under the Gift Aid scheme may incur an administration fee and when these fees are treated as charitable expenditure (in Chapter 3.4 Methods of donation).

Top tips for safely analysing sensitive personal data

If you’re working with people you’re likely to be capturing their personal data. This type of data holds insights into them and your impact on their lives. Analysing it for insights can help improve your services but this also brings risks. This resource explores those risks and gives recommendations on overcoming them. It covers:

  • What sensitive personal data is
  • Whether it’s necessary to analyse data
  • Running a data protection impact assessment
  • Informing people of how you’ll use their data
  • Anonymising data
  • Why you should go slowly
  • Supporting your analysts’ wellbeing
  • How one charity analysed their data.


Edition: Thursday 9th February 2023

Volunteering: guidance on how to manage the risks

HSE has guidance on how to manage the risks to volunteers. The guidance explains how health and safety law applies to volunteering. There is also information on:

  • when to report incidents involving volunteers
  • including volunteers in your risk assessments

The pages provide some specific advice for volunteers who manage non-domestic premises such as village and community halls, as well as guidance on charity retail and fundraising. For further information visit their Volunteering website.

Check they have the right data protection practices in place

Blog from ICO with 7 key questions.

Discrimination against disabled users

What legal obligations do businesses owe disabled service users and what are the reputational risks of getting it wrong?

Edition: Thursday 2nd February 2023

Cyber Threat Report: UK Charity Sector

A report from the NCSC, with the Charity Commission, outlines the cyber threat that charities of all sizes now face. The purpose of this report is to help charities understand current cyber security threats, the extent to which the sector is affected and whether it is being targeted, and where charities can go for help. It’s a useful summary of the risks, types of attack, links to advice, guidance and training.

Cost-of-living: rising cyber threats

Cyber criminals have been quick to exploit the cost-of-living crisis to find new victims. Here’s what you need to know to protect yourself and your charity.

Bust the myths on portable appliance testing

Portable appliance testing (PAT) is the examination of electrical appliances and equipment to ensure they are safe to use. There are many common myths about PAT (like all electrical equipment must be tested every year) - use HSE’s FAQs to find the key facts about the inspection and testing of portable electrical equipment.

You can download their leaflet Maintaining portable electric equipment in low-risk environments. It sets out simple and sensible precautions you should take to prevent danger from portable or movable electrical equipment. HSE's website also has general advice on electrical safety at work.

Reporting accidents and illness at work

Make sure you submit a RIDDOR report for a workplace accident or illness where necessary. RIDDOR puts duties on employers and people in control of work premises to report certain serious workplace accidents, occupational diseases and specified dangerous occurrences. Visit the HSE website to find out:

Their publication 'Reporting accidents and incidents at work' explains what is required from employers and provides information about RIDDOR.


Edition: Thursday 26th January 2023

There were no significant legal updates this week


Edition: Thursday 19th January 2023

Make sure you are working safely with DSE

Reminder from HSE that all employers must protect workers from the health risks of working with display screen equipment (DSE). Incorrect use of DSE or poorly designed workstations or work environments can lead to pain in necks, shoulders, backs, arms, wrists and hands, as well as fatigue and eye strain.

Check out the HSE guidance, and in particular guidance on what employers and workers need to know about working with DSE from home (there is an excellent video on posture that we get all CAN staff to view). At CAN we have just introduced a checklist for those who choose to work at home, which we are happy to share (please contact Steve).

New hiring toolkit supports care providers with safer recruitment

The government has launched this free resource which some of you may find useful.

Top tips for working with sensitive text data

Some top tips for charities that work with sensitive data, and a look at a case study that shows data safeguarding in action.


Edition Week Commencing: Thursday 12th January 2023

Cybersecurity and why the little things matter

Some steps that trustees and senior management can take to ensure that information held on their computer systems is protected.

Top tips for an effective Digital Safety Policy

This short article looks at some of the ways organisations can protect themselves and others, including through having a Digital Safety Policy.

Cyber security actions charities can take right now

Explore steps that charities can take to mitigate the risks posed to them by cyber threats

Fully funded Cyber Essentials for small charities

A programme of funding has been launched to help UK organisations gain vital Cyber Essentials Plus certification. This Funded Cyber Essentials Programme will initially target small and micro organisations in two key sectors – charities and legal aid. These sectors were identified as ‘high risk’ if targeted by a cyber attack, often with limited financial resources and highly sensitive data.

The funding will enable organisations to work with Cyber Essentials Certification Bodies to implement baseline security controls, helping to prevent the most common types of cyber attack. Organisations that are eligible have until the end of March to apply to be part of the programme. To find out more about the fully Funded Cyber Essentials Programme, or to register your interest, visit our funded Cyber Essentials programme landing page. Find out more about Cyber Essentials.

Preventing work-related stress: the leading cause of illness at work

HSE's stress website has plenty of advice and includes examples of stress risk assessments tailored to different business sizes, as well as case studies and much more. The stress talking toolkit shows how line managers can have simple, practical conversations with employees to help prevent stress at work. Their Working Minds campaign aims to prevent work-related stress and encourage good mental health. The latest episode of the HSE Podcast sees HSE Chair Sarah Newton and Professor Cary Cooper discuss the importance of working in partnership to prevent work-related stress and to promote good mental health.

Almost 6 in 10 charities expect fraud to rise in 2023

Almost six in ten charities believe the risk of fraud will increase in 2023 with misappropriation of funds by staff now posing the biggest threat, according to a new survey.


Edition Week Commencing: Thursday 15th December 2022

Keep safe when working in wintry conditions

With low temperatures and less daylight, winter can make surfaces perilous, and slip and trip accidents increase significantly. There are plenty of factors to consider when avoiding these sorts of accidents. Ice and snow, poor lighting, excess water from rain and even gritting can all cause problems. Take a look at HSE’s online guide to avoiding slips and trips in winter weather.

Cyber Crime

In October 2022, 134 organisations reported cyber crimes to Action Fraud.  Organisations with less than a £1.5 million turnover continue to be the most targeted by threat actors, accounting for 54% of reporting, with 58 of the reports coming from ‘Micro’ businesses (Sole Traders, and businesses with 1-9 employees). If your account is hacked check out the NCSC recovering a hacked account guidance.

Most charity fraud perpetrated by staff or volunteers

This year, the survey estimated that financial losses from fraud for the respondents totalled up to £3.5m but the majority (28%) lost between £1,000 and £9,999. Over half believe that the biggest barrier to good fraud prevention is a culture of “over-reliance on trust”, followed by a lack of internal resources (45%) and a lack of fraud awareness (43%).

Tax and VAT for social enterprises

Pioneers Post, in partnership with Buzzacott, has published this short four-minute video which explores seven tips on tax and VAT for social enterprises. They include:

  • Deciding whether to be a charity, or not;
  • Minimising tax with a well-planned corporate structure;
  • Taking advantage of tax relief;
  • Getting clarity on VAT;
  • Knowing how to deal with business and non-business income;
  • Understanding zero rate relief; and finally
  • Always checking with an expert.

How to set up a guest WiFi network for volunteers

Explores how charities can set up guest networks for volunteers and remote workers to keep themselves cyber secure.

Handling employee subject access requests

Explains how employers can best handle subject access requests from staff


Edition Week Commencing: Thursday 8th December 2022

Treasurer jailed after stealing over £100,000 in donations meant for Cancer Research UK

Chelmsford Crown Court sentenced Ian Smith to three years and four months in prison for the offence. Relay for Life Clacton, which is a volunteer-led organisation as opposed to a registered charity in itself, was gathering funds from the fundraising event to donate to CRUK. 

Safeguarding and the Law

Bates Wells has worked with NCVO to publish Safeguarding and the Law. This online guide helps trustees, staff and volunteers involved in safeguarding in charities or voluntary organisations in England understand their legal duties and the duties of public and regulatory bodies.

Creating Safer Organisational Cultures

Ann Craft Trust have put together a range of resources to help organisations work towards improving their cultures. While some of these resources have been put together with sport and activity groups in mind, many of the tools are applicable to organisations from other sectors.

New VAT Penalties and VAT Interest Charges

HMRC is changing the way penalties are issued for submitting late VAT returns and paying VAT late, which will affect all VAT registered businesses from 1 January 2023. For VAT periods starting on or after 1 January 2023, HMRC is replacing the default surcharge with separate penalties for late returns and late payment of VAT. At the same time, HMRC is introducing a new approach to VAT interest. Read more, here

Food safety and hygiene guidance for food banks and charities

New guidance from the Food Standards Agency, specifically targeted to support food aid charities.

Keeping workplace temperature reasonable

As winter takes hold, you can find helpful advice from HSE on keeping people as comfortable as possible when working in the cold. There is also guidance on protecting workers from hot temperatures. Their guidance has been refreshed to make it easier to find and understand advice on how to protect workers in both low and high temperatures.

Data Protection Basics

Two good and simple summaries from Data Protection Network, the 7 data protection principles and the 6 lawful bases.


Edition Week Commencing: Thursday 1st December 2022

Is your data use compatible with what you collected it for?

A recent ICO reprimand serves as a reminder not to use data in unexpected ways. The DoE was reprimanded after a database containing the learning records of up to 28 million children had been used to check whether people who opened online gambling accounts were aged 18 or over. This serves as a welcome reminder to be careful about what we’re using data for, who we’re sharing it with, and what they might use it for.


Edition Week Commencing: Thursday 24th November 2022

Help to support workers with long-term health conditions and disabled workers

The HSE has published new principles and guidance to support employers to create an inclusive approach to workplace health. Employers can use the simple principles to create an enabling workplace culture, where disabled workers and workers with long-term health conditions feel valued and thrive.


Edition Week Commencing: Monday 14th November 2022

Health and safety is vital for all seasonal and temporary workers

It is important that employers protect the health and safety of gig economy, agency and temporary workers. Workers are as likely to have an accident in their first 6 months at work as during the whole of the rest of their working life. HSE have further advice around protecting those who are new to the job, including 6 ways to protect new starters. Their website has guidance to help users and suppliers of agency and temporary workers understand their health and safety responsibilities.


Edition Week Commencing: Monday 7th November 2022

Feedback on claiming gift aid

An HMRC digital service design team is looking at how to make it easier to use the Gift Aid Claim online service. The team is keen to hear from individuals who are involved in claiming Gift Aid on behalf of their charity. They would like to understand what works and what doesn’t work so well. Ultimately, HMRC would like to hear first-hand how they can improve the service to make it easier, quicker, and more efficient to claim vital income through Gift Aid. There are 2 ways to share feedback, either: 

  1. Email [email protected] from the HMRC Gift Aid team who will arrange a convenient time for a conversation with you.
  2. Additionally, if you can spare 5 minutes or so, please access a short survey by clicking here to provide essential insight.

Safeguarding Adults Week 2022

Safeguarding Adults Week, run by Ann Craft Trust, is 21-27 November. Have a look at their list of resources.

New guidance for conducting direct marketing by email and live calls

The ICO has published two new sets of detailed guidance on how to comply with the requirements under the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (as amended) (PECR) for conducting direct marketing by email and live calls:

  • Guidance on direct marketing using electronic mail explains essential terminology such as the meaning of electronic mail, direct marketing, solicited and unsolicited, the PECR rules for sending direct marketing by email, text and in-app messages, and the relationship between the PECR and data protection regimes.
  • Guidance on direct marketing using live calls similarly provides practical guidance on the PECR rules for performing direct marketing via live calls and an overview of essential terminology, and gives organisations all the information required to help avoid being in breach of PECR and exposed to the risk of enforcement action from the ICO.

Helping you with cyber security – a webinar for small organisations

The NCSC and ICO have collaborated to provide a webinar on the 22nd November 2022 at 10:30. The webinar will focus on practical advice to help you improve your cyber security and data protection compliance in your organisation.


Edition Week Commencing: Monday 31st October 2022

ICO direct marketing guidance for email and other electronic mail

DPN has summarised the ICO’s guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more. Direct marketing has a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Monitoring staff emails – intrusive or proportionate?

You may have good reasons for wanting to monitor staff emails and other internal messages. Data protection law doesn’t stop you doing this. However, employers must take a transparent, justified and proportionate approach. This equally applies to any form of monitoring from login/logout time, internet usage, vehicle tracking and so on. Read this short article.

Coronavirus is still with us

In terms of people coming into your buildings remind them not to come in if they feel at all unwell.  Far fewer people are wearing face coverings, but wearing them in crowded indoor places, particularly with people you don't normally mix with, is still a good idea so support people who feel this way.  Good ventilation and good hand hygiene are also still important, so keep an eye on people using your spaces and be vigilant where you see someone who is clearly unwell.  In these cases it would be prudent to clean any shared surfaces once the person has left your building. It is likely that your staff team, unless prompted otherwise, may turn up for work while they have the symptoms of a cold/cough or similar, so look at the ACAS link below for useful information relating to Covid and work. The location of the advice has changed so please read more from ACAS and HSE.

Home working guidance and resources

As an employer, you have the same health and safety responsibilities for people working at home as for any other worker. HSE’s home working guidance provides details on straightforward actions to manage home workers’ health and safety.


Edition Week Commencing: Monday 24th October 2022

Health and safety law poster – what you need to know

The poster explains British health and safety laws and lists what workers and their employers should do. If you employ anyone, you must either:

  • display the health and safety law poster where your workers can easily read it or
  • provide each worker with the equivalent health and safety law leaflet

Older workers: health and safety

Employers have the same responsibilities for the health and safety of older workers as they have for all workers. HSE’s older workers webpage offers advice on what you need to consider, as well as linking to relevant information on:

  • the law
  • worker responsibilities
  • equality law


Edition Week Commencing: Monday 17th October 2022

New VAT assessment method ‘impinges’ on charities

HMRC admits this is the case! Read this article in Civil Society

10 Data Subject Access Requests Tips

As seven organisations are ordered by the ICO to up their game when handling DSARs, get some quick tips for fulfilling them effectively.


Edition Week Commencing: Monday 10th October 2022

Subject Access Requests

The Information Commissioner’s Office (ICO) has issued a press release detailing reprimands to seven organisations for failures to handle subject access requests (SARs) in compliance with statutory requirements.  The ICO has also taken the opportunity to blog a reminder on SAR good practice.

Help to prevent fraud in your charity

Every charity, NGO and not-for-profit is susceptible to fraud and cybercrime by criminals who exploit every opportunity they get. Prevent charity fraud has lots of free resources to help you, your board and staff understand the risks and take action. During Charity Fraud Awareness week (17-21 October) they’re also running additional events including Combating cybercrime: A charity board toolkit (a live free webinar) 20 October 10:00 am - 11:00 am.

Make sure you have the right workplace facilities

You must provide the right facilities for everyone in your workplace, including disabled people. You must have:

  • welfare facilities
  • a healthy working environment
  • a safe workplace

View HSE’s simple advice on exactly what must be provided for a safe and healthy workplace, including required toilet and washing facilities.

Managing violence

HSE defines work-related violence as any incident in which a person is abused, threatened or assaulted in circumstances relating to their work. This can include verbal abuse or threats, as well as physical attacks. Their website has a toolkit to help reduce the risk of work-related violence in licensed or retail premises. It is of particular relevance if you run shops, but it is also useful in any public-facing setting and, although the legislation covers staff, it is also useful when thinking about your volunteers.


Edition Week Commencing: Monday 3rd October 2022

Safeguarding Children and Young People with SEND

Delegates will only be charged £25 to access and complete the NSPCC e-learning module (Part 1). The local Safeguarding Partnership will subsidise the live virtual session (Part 2) - a saving of £50 on the normal course price! This ‘blended learning’ offer will help you identify safeguarding concerns and risks associated with children and young people with SEND, understand the reasons behind these concerns, develop effective communication with this cohort and create a safer culture in your organisation to help protect them. Part One is an online learning module on the NSPCC platform that will provide the foundation elements of safeguarding children with a wide range of SEND needs, who may be in mainstream schools and early years’ settings, or those that accommodate specialist needs. Part Two is a live learning 3-hour session on Zoom where the learning from Part One is contextualised to the participants’ own agency or setting and applied to local learning from case audits and Serious Case Reviews. PLEASE NOTE - Participants must complete both parts of the learning to gain full certification. Book here.

Working Together to Safeguard Children

Please see 'Working Together to Safeguard Children' Guidance, which was updated on 1st July 2022 to reflect changes in legislation in relation to 'Working Together to Safeguard Children 2018'.

Overcoming the challenges of data retention

How long should we keep our data? A simple question, but one which often causes confusion and angst. Personal data can often be kept for longer than we actually need it. This short article helps you decide.

'Health and Safety Made Simple'

HSE’s website outlines the basics for your business, whatever industry you work in. One topic that is featured is first aid at work, where a step-by-step guide offers advice on having the right arrangements, including:

  • a first aid kit
  • training workers
  • first aid for homeworkers
  • appointing first aiders

Controlling noise at work

Many people are exposed to noise levels at work that may be harmful, leading to permanent and incurable hearing damage. HSE’s publication Controlling noise at work is aimed at employers and other duty holders. It includes the Control of Noise at Work Regulations alongside guidance on what they mean. This sets out an employer’s legal obligations to control risks to workers’ health and safety from noise. For more information about controlling noise at work, visit their noise at work webpages, which include their noise exposure calculator.


Edition Week Commencing: Monday 26th September 2022


See what some charity leaders think about it and CIPD sets out what it means for employers and employees.

Paying more than the 45p/mile rate?

With the increase in the cost of fuel there have been calls to increase the tax free rate. Charity specialist accountants Sayer Vincent give some advice.

Being a company director

If you are a charitable company, a CIC or a not for profit company then you will have directors (charitable company trustees will also be directors). Companies House have updated their introductory guidance including a 2 minute video.