How Often Should Policies Be Reviewed? UK Guide for Regulated Organisations
Published 22 February 2026
Your organisation has 150 policies. Some were last reviewed three years ago. An inspection is due next quarter. Which ones need updating first — and how often should you be reviewing them?
This guide covers the actual review requirements for CQC-regulated GP practices, Ofsted-inspected schools, Charity Commission-registered charities, and local councils, with direct references to the regulations that apply to each. No generic advice — just the rules, the frequencies, and a practical framework for keeping on top of them.
The Short Answer: It Depends on Your Regulator
There is no single UK law that says "review all policies every 12 months." The review frequency depends on which regulatory framework your organisation operates under, the type of policy, and how your operating environment changes.
Here is how it breaks down:
| Regulator / Framework | Key Requirement | Typical Review Cycle | Trigger for Immediate Review |
|---|---|---|---|
| CQC (Regulation 17) | Systems must keep records "up to date" | Annual minimum recommended | Incidents, complaints, regulatory changes |
| Ofsted | Statutory policies must be current at inspection | Annual for most; safeguarding reviewed termly by many schools | Changes to DfE guidance, safeguarding concerns |
| Charity Commission | Governance Code recommends regular review | Annual for key policies; full governance review every 3 years | Changes in charity activities, new legislation |
| HSE | Health & safety policy must reflect current risks | Annual minimum | Workplace incidents, changes to processes or premises |
| ICO | Data protection policies must reflect current processing | Annual recommended | New data processing activities, breaches, regulatory updates |
The common thread: annual review is the practical minimum for most policies, but certain categories need more frequent attention, and any significant change to your organisation should trigger an immediate review regardless of schedule.
CQC-Regulated Organisations: What Regulation 17 Actually Requires
If you run a GP practice, dental practice, or other CQC-registered service, Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 is the relevant provision.
Regulation 17 does not specify a calendar frequency. Instead, it requires providers to:
- Assess, monitor and improve the quality and safety of services through regular audits
- Maintain records that are "complete, legible, indelible, accurate and up to date"
- Identify risks to health, safety, and welfare, and implement proportionate mitigation
- Respond to findings without delay — waiting until an annual review date does not satisfy this requirement
In practice, CQC inspectors check whether your policies reflect your current operations. A policy written in 2022 that references pre-pandemic procedures will raise questions. The standard is currency, not a specific interval.
What this means for your review schedule: Set an annual review cycle as a baseline, but build in triggered reviews whenever your services, staffing, or clinical protocols change. CQC inspectors will look at the date on your policies, but more importantly they will check whether the content matches what they observe during inspection.
For a detailed breakdown of the policies CQC inspectors expect to see, read our CQC policy requirements guide.
High-priority policies for GP practices:
- Safeguarding (adults and children)
- Infection prevention and control
- Medicines management
- Complaints procedure
- Information governance and data protection
- Health and safety
- Staff recruitment and training
Ofsted-Inspected Schools: Statutory Policies and Review Cycles
Schools face a specific obligation: certain policies are statutory — meaning the school must have them by law. Ofsted inspectors confirm these are in place, current, and followed.
The DfE's governance guide for maintained schools and its academy trust governance framework set out which policies schools and trusts must publish. Safeguarding is the area where currency is most heavily scrutinised.
Annual review (minimum) — these policies should be reviewed at least once per year:
- Child protection and safeguarding policy (many schools review termly)
- Behaviour policy
- SEND (Special Educational Needs and Disabilities) policy
- Complaints procedure
- Admissions policy (for admission authorities)
- Pay policy
Review when legislation changes:
- Relationships, Sex and Health Education (RSHE) policy — check the latest DfE RSHE guidance for current requirements and implementation dates
- Data protection policy — review whenever data processing activities change
Review when circumstances change:
- Accessibility plan — when building modifications or new SEND needs arise
- Health and safety policy — after incidents or changes to premises
Safeguarding deserves special attention. The DfE's Keeping Children Safe in Education guidance is updated regularly. When a new version is published, your safeguarding policy needs reviewing against the updated requirements — not at the next scheduled annual review, but immediately.
Governing bodies are ultimately responsible for ensuring statutory policies are in place and reviewed. In practice, school business managers often maintain the review schedule, chasing policy owners for sign-off before deadlines. Our Ofsted Statutory Policies Checklist lists every statutory policy schools need to have in place.
Charities: The Governance Code and Trustee Obligations
For Charity Commission-registered organisations, the Charity Governance Code is the primary best-practice framework. Compliance is voluntary (the code operates on an "apply or explain" basis), but the Charity Commission expects trustees to demonstrate good governance.
The code recommends:
- Full governance review every three years — covering board effectiveness, policies, and procedures
- Annual review of key policies by trustees — including safeguarding, conflicts of interest, reserves, and risk management
- Continuous monitoring — policies should be updated whenever the charity starts new activities, changes its operating model, or faces new legal requirements
Beyond the code, certain policies are mandatory under general UK law:
- Safeguarding policy — required if working with children or vulnerable adults (Charity Commission safeguarding guidance)
- Health and safety policy — written policy required for organisations with 5 or more employees
- Data protection policy — required under UK GDPR if processing personal data
- Equality and diversity policy — Equality Act 2010 obligations apply
The Charity Commission's essential trustee guidance (CC3) makes clear that trustees have a duty to ensure their charity is well run. Outdated policies are evidence of poor governance — and in serious cases, the Commission can intervene.
Local Councils: Audit and Governance Obligations
Small parish, town, and district councils face governance obligations through the Governance and Accountability for Smaller Authorities framework (published by the Smaller Authorities Proper Practices Panel) and their internal audit requirements.
Key review points:
- Standing orders and financial regulations — review annually, typically at the annual council meeting
- Risk management policy — review annually as part of the Annual Governance and Accountability Return (AGAR)
- Data protection policy — review annually
- Health and safety policy — review annually
- Code of conduct — review when local government standards guidance changes
- Complaints procedure — review annually
Internal auditors will check that policies are current as part of the annual audit cycle. The external auditor (appointed by Smaller Authorities' Audit Appointments Ltd) expects evidence that the council has reviewed its governance arrangements.
Building a Practical Review Schedule
Rather than reviewing all 150 policies in January, spread the workload across the year. Here is a framework:
Step 1: Categorise by Review Frequency
| Category | Review Frequency | Examples |
|---|---|---|
| Critical / Safeguarding | Every 6 months or when triggered | Safeguarding, child protection, infection control |
| Regulatory / Statutory | Annually | H&S, data protection, SEND, complaints, admissions |
| Operational | Every 18-24 months | IT acceptable use, travel, expenses, uniform |
| Strategic / Governance | Every 2-3 years | Constitution, scheme of delegation, strategic plan |
Step 2: Stagger Reviews Across the Year
Assign each policy a review month based on its category and natural timing:
- September — safeguarding and child protection (aligns with new school year and DfE guidance updates)
- October-November — operational policies (before winter term)
- January — financial policies (before year-end)
- March-April — data protection (aligns with ICO review cycles)
- May-June — governance policies (before AGM or annual council meeting)
Step 3: Set Up Triggered Reviews
Calendar-based reviews are not enough on their own. Build in triggers:
- Incident trigger — any safeguarding incident, data breach, or workplace accident triggers immediate review of the relevant policy
- Legislation trigger — new or amended legislation triggers review of affected policies within 30 days
- Organisational change trigger — new services, restructuring, or premises changes trigger review of operational policies
- Staff change trigger — new policy owners should review their inherited policies within their first month
Step 4: Track It
A review schedule only works if someone tracks it. Spreadsheets break down at scale — review dates get missed, version history is unclear, and there is no audit trail showing who approved what.
If you are evaluating tools, our guide to policy management software covers the features that matter for small UK organisations.
At minimum, your tracking system needs:
- Each policy's review date and review frequency
- The policy owner responsible for the review
- A clear approval workflow (who reviews, who approves)
- Automated reminders before review dates
- An audit trail for inspections (when was it reviewed, by whom, what changed)
What Happens When Policies Expire
The consequences of an expired policy depend on which regulator finds it:
CQC: An outdated policy contributes to a finding of inadequate governance under Regulation 17. In serious cases, this can lead to enforcement action, requirement notices, or conditions on registration. CQC inspection reports are public — a governance failure is visible to patients, commissioners, and the public.
Ofsted: Missing or outdated statutory policies will be noted in the inspection report. For safeguarding policies specifically, an out-of-date policy can contribute to a "safeguarding is not effective" judgement — one of the most serious findings a school can receive.
Charity Commission: Failure to maintain adequate governance can lead to the Commission opening a regulatory compliance case. In serious cases, trustees can be suspended or removed. The Commission's annual return asks whether the charity has reviewed its governing document — a "no" answer invites scrutiny.
Internal/external audit: For councils and other audited bodies, an expired policy is a governance weakness that will appear in the audit report. Persistent issues can lead to a qualified audit opinion.
A Sector-by-Sector Summary
| Sector | Minimum Review Cycle | Critical Policies | Biggest Risk |
|---|---|---|---|
| GP practices (CQC) | Annual + triggered | Safeguarding, infection control, medicines | Regulation 17 enforcement action |
| Schools (Ofsted) | Annual + triggered | Safeguarding, SEND, behaviour | "Safeguarding not effective" judgement |
| Charities | Annual for key policies; 3-year governance review | Safeguarding, reserves, conflicts of interest | Commission regulatory case |
| Councils | Annual + audit cycle | Standing orders, financial regulations, risk | Qualified audit opinion |
| All sectors | Annual for H&S and data protection | Health & safety, data protection | HSE enforcement, ICO fines |
Next Steps
- Audit your current policies — list every policy, its last review date, and its owner. Identify anything overdue. Not sure where to start? Read our guide to what policy management covers.
- Map to your regulator's requirements — use the sector-specific guidance above to set the right frequency for each policy.
- Stagger your review calendar — spread reviews across the year so they are manageable alongside day-to-day work.
- Set up reminders — at minimum, calendar alerts 90, 60, and 30 days before each review date.
- Document your reviews — keep an audit trail showing when each policy was reviewed, by whom, and what changed. This is what inspectors look for.
Tracking policy review dates in spreadsheets works for small portfolios, but once you have 50 or more policies across multiple categories, a purpose-built system saves hours and removes the risk of something slipping through.
Sources
- CQC Regulation 17: Good Governance
- DfE: Keeping Children Safe in Education
- DfE: Governance in Maintained Schools
- DfE: Academy Trust Governance
- Charity Governance Code
- Charity Commission: The Essential Trustee (CC3)
- Charity Commission: Safeguarding and Protecting People
- Smaller Authorities Proper Practices Panel (JPAG)
This article covers general guidance for UK regulated organisations. It is not legal advice. Always check the specific requirements of your regulator and seek professional advice where needed.