Data Protection Impact Assessment (DPIA)

  1. Key Information

Title of Project / Product
reporthate.scot Website

Reference Number
DPIA-RHS-001

Version Control
V1.0

Date Approved
20/01/2026

Owner
reporthate.scot Project / Governing Organisation [TBC]

Completed By
Ameer Din

Information Governance Lead / DPO
Ameer Din

  2. Revision History

Version    Date          Summary of Changes
V0.1       01.01.2026    Initial draft of public-facing DPIA
V1.0       20.01.2026    Final version approved for publication

  3. Glossary

Personal Data
Information that relates to an identified or identifiable individual.

Special Category Personal Data
Personal data requiring a higher level of protection, such as data revealing racial or ethnic origin, religious beliefs, or data concerning mental health.

Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Controller
The organisation that determines the purposes and means of processing personal data.

Processor
An organisation that processes personal data on behalf of the controller.

  4. What are you trying to do and why?

reporthate.scot is an online reporting platform designed to allow individuals to report incidents of hate, discrimination, or hate-motivated behaviour occurring in Scotland.

The purpose of the website is to:

  • Provide a safe and accessible way for individuals to report hate incidents
  • Collect information that can help identify patterns, trends, and areas of concern
  • Enable appropriate onward referral to relevant organisations or authorities (where applicable and lawful)
  • Support awareness, prevention, and policy development relating to hate crime and discrimination

The platform is intended to be inclusive and accessible to people from diverse backgrounds, including those who may be reluctant to report incidents directly to statutory bodies.

  5. What personally identifiable information will be collected and used?

5.1 Categories of Personal Data

Depending on how a user chooses to engage with reporthate.scot, the following data may be collected:

Personal Data

  • Name (optional)
  • Email address (optional)
  • Contact number (optional)
  • Location of incident (general area, not precise address unless provided voluntarily)
  • Date and time of incident
  • Description of the incident

Special Category Personal Data (optional and user-provided)

  • Racial or ethnic origin
  • Religion or belief
  • Sexual orientation
  • Disability or health-related information
  • Other characteristics related to protected characteristics under equality legislation

Users are not required to provide all fields and may submit reports anonymously.

5.2 How the data is collected

  • Data is collected directly from users via online forms on reporthate.scot
  • The website is built on WordPress and hosted by IONOS
  • Forms are submitted over encrypted HTTPS connections

5.3 How the data is used

Personal data will be used to:

  • Record and understand reported hate incidents
  • Identify trends and recurring issues
  • Enable follow-up where a user has requested contact
  • Produce anonymised reports and statistics

Personal data will not be used for marketing purposes.

5.4 Data sharing

Personal data may be shared:

  • With partner organisations or authorities only where lawful, necessary, and proportionate
  • With explicit user consent where required
  • In anonymised or aggregated form for reporting and research

Details of specific data-sharing agreements are available on request.

5.5 Data storage and hosting

  • The website is hosted by IONOS (UK/EU data centres)
  • Data is stored within WordPress databases
  • Access is restricted to authorised administrators only
  • No personal data is intentionally transferred outside the UK unless safeguards are confirmed

5.6 Data retention

Personal data will be retained only for as long as necessary to fulfil the purposes of the service.

Retention periods:

  • Identifiable reports: [TBC – e.g. 12–24 months]
  • Anonymised data: May be retained longer for statistical purposes

Retention schedules will be confirmed and documented.

  6. Are there any risky aspects to this project?

Yes. The key risks relate to:

  • Handling sensitive and potentially distressing information
  • Processing special category personal data
  • Risk of unauthorised access or data breach
  • Risk of re-identification where detailed narratives are provided

These risks are addressed through technical and organisational controls outlined in this DPIA.

  7. What are the benefits of this processing?

  • Provides a safe reporting route for individuals affected by hate
  • Supports under-reported communities
  • Improves understanding of hate incidents in Scotland
  • Enables evidence-based responses and policy development
  • Encourages early intervention and prevention

  8. Harm

Potential harms include:

  • Emotional distress if personal data were mishandled
  • Loss of trust if confidentiality is breached
  • Risk to individuals if identifying information is disclosed improperly

These harms are mitigated through security controls, anonymisation, and strict access management.

  9. Individual Rights

Individuals have the right to:

  • Be informed about how their data is used
  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure where appropriate
  • Object to or restrict processing
  • Withdraw consent where processing is consent-based

Clear information on how to exercise these rights will be provided in the Privacy Notice.

  10. Organisational and Technical Controls

10.1 Organisational controls

  • Data protection and privacy policies in place
  • Limited staff/volunteer access on a need-to-know basis
  • Training and awareness for those with access to data
  • Incident and breach reporting procedures

10.2 Technical controls

  • HTTPS encryption for all data in transit
  • Strong authentication for WordPress admin access
  • Regular updates and security patches
  • Secure hosting environment via IONOS
  • Regular backups
  • Malware and intrusion protection

  11. Assessing the level of risk

Risk scoring approach

Risk is assessed based on:

  • Likelihood of occurrence
  • Impact on individuals

Risk Rating    Score    Treatment
High           15–25    Immediate mitigation required
Medium         9–12     Proactive management required
Low            1–8      Monitor and review

Key identified risks (summary)

Risk 1: Unauthorised access to sensitive reports

  • Mitigation: Role-based access, strong authentication, hosting security
  • Residual risk: Low

Risk 2: Inappropriate data sharing

  • Mitigation: Clear data-sharing rules, consent-based sharing
  • Residual risk: Low

Risk 3: Excessive data collection

  • Mitigation: Data minimisation, optional fields, anonymous reporting
  • Residual risk: Low

Risk 4: Retention beyond necessity

  • Mitigation: Defined retention periods and review process
  • Residual risk: Low

  12. Conclusion

This DPIA concludes that, with the controls identified and once outstanding items are confirmed, the processing of personal data by reporthate.scot is necessary, proportionate, and designed with privacy by default and by design.

Any significant changes to the website, data processing activities, or data sharing arrangements will trigger a review and update of this DPIA.
