Missing People UK & IRMissing People UK & IR

Data Protection Impact Assessment (DPIA)

Last updated: 01/03/2026

Export PDF
Created by
Missing People UK & IR10/01/2026
Last edited by
Josh Storer • 22/01/2026
Review by
01/07/2026
Staff activity
2 record(s)
Viewed / edited by staff
  • Josh Storer viewed this DPIA
    22/01/2026, 10:10
  • Josh Storer edited this DPIA
    22/01/2026, 10:30
(This is placeholder data until we wire staff view/edit logs to your database.)

This DPIA summarises the key privacy risks and safeguards for Missing People UK & IR. Because the platform supports sensitive safeguarding activity, we apply strict access controls, auditing, and security measures to reduce risk and protect the public.

Contents

Tap an item to jump to that section.

1. Purpose and scope2. What data is processed3. Lawful basis and responsibilities4. Key privacy risks5. Safeguards and mitigations6. Retention and deletion7. Individual rights and requests8. Freedom of Information (FOI)9. Contact us

1. Purpose and scope

A Data Protection Impact Assessment (DPIA) is used to identify and reduce privacy risks. This DPIA covers how Missing People UK & IR processes information submitted by users, and how staff handle that information to support safeguarding and missing person activity.

Why this DPIA matters
The information handled by this service may be sensitive. The aim is to reduce the risk of harm to individuals, minimise unnecessary data collection, and ensure robust controls are in place.

2. What data is processed

Depending on what a user submits, the platform may process:

User-provided information
Names, contact details, narrative descriptions, last-seen information, images, and other details provided in reports or updates.
System and security data
Basic logs needed to maintain security and stability (for example, login/session events, anti-abuse controls, and audit trails for staff actions).
Special category / sensitive data
Some reports may include sensitive safeguarding indicators (for example, health or vulnerability information) if a user chooses to provide it. Where present, we apply stricter controls and limit access.

3. Lawful basis and responsibilities

We aim to process data lawfully, fairly, and transparently. The specific lawful basis will depend on the type of processing and the context (for example, consent for certain optional features, and legitimate interests for security and safeguarding controls).

UK GDPR principles
We apply data minimisation, purpose limitation, storage limitation, integrity/confidentiality, and accountability.
Governance
Access to staff tools is restricted by role and logged. Staff are expected to follow safeguarding procedures and internal policies when handling reports.

4. Key privacy risks

Unauthorised access
Risk that personal data could be accessed by someone without permission (external attack or internal misuse).
Misuse of user-submitted content
Risk that content submitted by users could include inaccurate, harmful, or inappropriate data, or be used in ways that cause harm.
Email and communications privacy
Risk that emails or notifications could expose personal information if sent to the wrong address or displayed on a shared device.

5. Safeguards and mitigations

Role-based access control (RBAC)
Access is restricted by account type (user, admin, super admin, and other portals). Only authorised staff can access sensitive management features.
Secure authentication
We use secure login practices, password hashing, and session controls. Additional protections such as 2FA may be offered where appropriate.
Secure storage and encryption
Data is stored with appropriate access restrictions. Where technically feasible, sensitive data is encrypted in transit and at rest, and storage is segmented to reduce risk.
Audit trails and staff accountability
Staff access and changes should be logged. This supports accountability, safeguarding oversight, and investigation of incidents.

6. Retention and deletion

We aim to keep information only as long as needed for the purpose it was collected. Retention periods may vary depending on safeguarding needs, legal requirements, and operational necessity. Where possible, data will be anonymised or deleted when it is no longer required.

7. Individual rights and requests

Individuals have rights under UK GDPR, including access to their data, correction, deletion (where applicable), and objections to certain processing. Requests can be made by contacting the team.

View Privacy Policy

8. Freedom of Information (FOI)

If you want more information about governance and how this DPIA is managed, you can contact us. Where Freedom of Information applies, requests can also be made via our FOI page.

FOI Page

9. Contact us

If you have questions about this DPIA, data protection, or safeguarding governance, please contact the team.

Contact Us
Back to top