Your charity should implement a data protection policy to tell staff how to deal with data.
Consider that the (mental) health data you probably handle is a particular category of data that falls under Article 9 GDPR (also known as sensitive data). These data need to be processed with the consent of the data subject and require additional security precautions because the risk to the rights and freedoms of individuals is high.
In these tragic circumstances, due to the COVID-19 pandemic, each Data Protection Authority is giving advice to organizations working from home, so you should first check the website of your Data Protection Authority.
In general, you should try to keep charity data separate from personal data belonging to your staff. In an emergency, your staff may be working from home on their own devices. Therefore, ask them to avoid leaving their device accessible to family members, to create a separate Windows account for work tasks and to avoid saving data on their hard disk. They should also implement security measures such as antivirus, antispam and antimalware, and two-factor authentication.
WhatsApp allows end-to-end encryption and, if the mobile phone is used with fingerprint authentication, can be a way to communicate with clients.
You should always make clients aware that they are communicating with staff using their own device and through WhatsApp, and offer different methods in case they don’t feel confident about it (e.g. email or telephone).