This platform is currently in development (beta). At this stage, reports are securely recorded, however no further action will be taken directly by our platform as response actions and integration with partner services are not yet fully in place.

This document is provided in English to ensure legal accuracy. A translated summary is available on request: info@reporthate.scot.

Data Protection Impact Assessment (DPIA)

1. Key Information

Title of Project / Product
reporthate.scot Website
Reference Number
DPIA-RHS-001
Version Control
V1.0
Date Approved
20/01/2026
Owner
reporthate.scot Project / Governing Organisation [TBC]
Completed By
Ameer Din
Information Governance Lead / DPO
Ameer Din

2. Revision History

Version | Date | Summary of Changes
V0.1 | 01.01.2026 | Initial draft of public-facing DPIA
V1.0 | 20.01.2026 | Final version approved for publication

3. Glossary

Personal Data
Information that relates to an identified or identifiable individual.
Special Category Personal Data
Personal data requiring a higher level of protection, such as data revealing racial or ethnic origin, religious beliefs, or data concerning mental health.
Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Controller
The organisation that determines the purposes and means of processing personal data.
Processor
An organisation that processes personal data on behalf of the controller.

4. What are you trying to do and why?

reporthate.scot is an online reporting platform designed to allow individuals to report incidents of hate, discrimination, or hate-motivated behaviour occurring in Scotland.

The purpose of the website is to:

  • Provide a safe and accessible way for individuals to report hate incidents
  • Collect information that can help identify patterns, trends, and areas of concern
  • Enable appropriate onward referral to relevant organisations or authorities (where applicable and lawful)
  • Support awareness, prevention, and policy development relating to hate crime and discrimination

The platform is intended to be inclusive and accessible to people from diverse backgrounds, including those who may be reluctant to report incidents directly to statutory bodies.

5. What personal identifiable information will be collected and used?

5.1 Categories of Personal Data

Depending on how a user chooses to engage with reporthate.scot, the following data may be collected:

Personal Data

  • Name (optional)
  • Email address (optional)
  • Contact number (optional)
  • Location of incident (general area, not precise address unless provided voluntarily)
  • Date and time of incident
  • Description of the incident

Special Category Personal Data (optional and user-provided)

  • Racial or ethnic origin
  • Religion or belief
  • Sexual orientation
  • Disability or health-related information
  • Other characteristics related to protected characteristics under equality legislation

Users are not required to provide all fields and may submit reports anonymously.

5.2 How the data is collected

  • Data is collected directly from users via online forms on reporthate.scot
  • Forms are submitted over encrypted HTTPS connections

5.3 How the data is used

Personal data will be used to:

  • Record and understand reported hate incidents
  • Identify trends and recurring issues
  • Enable follow-up where a user has requested contact
  • Produce anonymised reports and statistics

Personal data will not be used for marketing purposes.

5.4 Data sharing

Personal data may be shared:

  • With partner organisations or authorities only where lawful, necessary, and proportionate
  • With explicit user consent where required
  • In anonymised or aggregated form for reporting and research

Details of specific data-sharing agreements are available on request.

5.5 Data storage and hosting

  • Data is stored securely in Supabase PostgreSQL (EU region)
  • Access is restricted to authorised administrators only
  • No personal data is intentionally transferred outside the UK unless safeguards are confirmed

5.6 Data retention

Personal data will be retained only for as long as necessary to fulfil the purposes of the service.

Retention periods:

  • Identifiable reports: [TBC - e.g. 12-24 months]
  • Anonymised data: may be retained longer for statistical purposes

Retention schedules will be confirmed and documented.

6. Are there any risky aspects to this project?

Yes. The key risks relate to:

  • Handling sensitive and potentially distressing information
  • Processing special category personal data
  • Risk of unauthorised access or data breach
  • Risk of re-identification where detailed narratives are provided

These risks are addressed through technical and organisational controls outlined in this DPIA.

7. What are the benefits of this processing?

  • Provides a safe reporting route for individuals affected by hate
  • Supports under-reported communities
  • Improves understanding of hate incidents in Scotland
  • Enables evidence-based responses and policy development
  • Encourages early intervention and prevention

8. Harm

Potential harms include:

  • Emotional distress if personal data were mishandled
  • Loss of trust if confidentiality is breached
  • Risk to individuals if identifying information is disclosed improperly

These harms are mitigated through security controls, anonymisation, and strict access management.

9. Individual Rights

Individuals have the right to:

  • Be informed about how their data is used
  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure where appropriate
  • Object to or restrict processing
  • Withdraw consent where processing is consent-based

Clear information on how to exercise these rights will be provided in the Privacy Notice.

10. Organisational and Technical Controls

10.1 Organisational controls

  • Data protection and privacy policies in place
  • Limited staff/volunteer access on a need-to-know basis
  • Training and awareness for those with access to data
  • Incident and breach reporting procedures

10.2 Technical controls

  • HTTPS encryption for all data in transit
  • Strong authentication for admin access
  • Regular updates and security patches
  • Secure hosting environment
  • Regular backups
  • Malware and intrusion protection

11. Assessing the level of risk

Risk scoring approach

Risk is assessed based on:

  • Likelihood of occurrence
  • Impact on individuals

Risk Rating | Score | Treatment
High | 15-25 | Immediate mitigation required
Medium | 9-12 | Proactive management required
Low | 1-8 | Monitor and review

Key identified risks (summary)

Risk 1: Unauthorised access to sensitive reports

  • Mitigation: Role-based access, strong authentication, hosting security
  • Residual risk: Low

Risk 2: Inappropriate data sharing

  • Mitigation: Clear data-sharing rules, consent-based sharing
  • Residual risk: Low

Risk 3: Excessive data collection

  • Mitigation: Data minimisation, optional fields, anonymous reporting
  • Residual risk: Low

Risk 4: Retention beyond necessity

  • Mitigation: Defined retention periods and review process
  • Residual risk: Low

12. Conclusion

This DPIA concludes that, with the controls identified and once outstanding items are confirmed, the processing of personal data by reporthate.scot is necessary, proportionate, and designed with privacy by default and by design.

Any significant changes to the website, data processing activities, or data sharing arrangements will trigger a review and update of this DPIA.
