Name of Process: Use of Report and Support software for reporting sexual violence and harassment, bullying and hate crime.

Description of Process: The University has purchased a third party external software system called Report and Support to facilitate the reporting of sexual violence, bullying and harassment.

Data Controller: Edinburgh Napier University

Purposes for collection/processing?

  • Helping us to identify the best person for you to speak to in relation to your report. This will be either a trained Sexual Violence/Misconduct Liaison Officer (SVMLO) or a member of staff in our Student Wellbeing and Inclusion team, or in the ENSA Advice team.

Making a report does not initiate a formal process, and we will not take any action until we have spoken with you to discuss your report. We will not disclose any personal data to any other parties unless we believe there is a genuine threat to a person’s health and safety.

The University will provide support and signpost individuals to other agencies, etc. as required.

  • Monitoring patterns or trends in data that will be used to inform our proactive and preventative work. When reporting anonymously, we will not ask you for any personally identifiable details. We will not be able to offer direct advice or take any action on the report. We will keep an anonymised record of your report to identify whether there have been/are other similar reports and whether there is a pattern of behaviour or trends that should be addressed.

Legal basis?

By submitting this form you consent to Edinburgh Napier University processing the personal and special category (sensitive) personal data that you enter into this report - GDPR Articles 6(1)(a) and (2)(a) refer.

You have the right to withdraw consent at any time and can do this by contacting the SVMLO staff member or the Head of Student Wellbeing and Inclusion.

Perpetrators’ personal data is collected under Schedule 1 Part 2 Section 12 of the Data Protection Act 2018: Regulatory requirements relating to unlawful acts and dishonesty, malpractice or other seriously improper conduct.

Whose information is being collected?

Individual making the report and details of any person being reported.

What type/classes/fields of information are collected?

Name, contact details, University student/staff number, information provided in the report (incident type, incident details, what, where, when, reported elsewhere) and subsequently collected during investigation/further action (perpetrator and relevant demographic details).

Who is the information being collected from?

Data Subject



How is the information being collected?

Online form/system (Report and Support) provided by CultureShift under contract with the University.

Reports may also be made in person.

Who is personal data shared with?

Your personal and other data will be shared within the University on a strictly “need to know” basis only with appropriate staff involved in supporting you and investigating your report. With your permission this may also be shared with the ENSA Advice team.

Student complaints are dealt with by the University’s Appeals, Complaints and Conduct processes.

Staff complaints are dealt with through the HR team.

Your personal data will not be disclosed to any third parties without your consent unless there are legitimate reasons requiring the University to do so, for example, where the information you have provided highlights a potential risk to a person’s health and safety or in emergency situations.

How secure is the information?

The University has conducted the necessary checks to ensure that the Report and Support platform is secure and will hold your data confidentially.

Further information will be kept in secure University systems.

Who keeps the information updated?

Please advise the University if any information needs to be updated that you cannot update yourself. The University will update its records from information provided by you and that is provided in the course of investigating and/or taking action on your report.

How long is the information kept for?

We will retain your personal information for a period of six years after graduation (for students) - in line with university policy. After six years, we will delete what personal data you have provided. We may retain some information in order to monitor our work in this area but you will not be identifiable from this information.

Will the data be used for any automated decision making?


Is information transferred to a third country? Outside the EEA and not included in the adequate countries list?


You can access all the University’s privacy notices using the following link:

You have a number of rights available to you with regards to what personal data of yours is held by the University and how it is processed – to find out more about your rights, how to make a request and who to contact if you have any further queries about Data Protection please see the information online using the following URL:

Policy Statement as required by Schedule 1 Part 2 Section 12 of the Data Protection Act 2018

  1. Procedure for compliance with the Data Protection Principles
    1. Lawfulness, Fairness and Transparency – the University publishes this Privacy Notice and Policy Statement online and links it, as appropriate, to relevant systems and communications. The lawful bases for processing are included above.
    2. Purpose limitation – the personal data collected and processed for the purposes mentioned above are only collected and processed for these specific purposes.
    3. Data minimisation – whilst the University has no control over the information provided by individuals reporting sexual violence and harassment, bullying and hate crime, the Controller does not specifically request any more detail than is strictly necessary for the purposes.
    4. Accuracy – as detailed above.
    5. Storage limitation – as detailed above.
    6. Security, integrity and confidentiality – the University has taken measures to ensure that the system/s used provide appropriate security, integrity and confidentiality.
  2. Retention and Erasure of Personal Data – personal data is retained for the period detailed above. The University has detailed Records Retention Schedules which refer:

Personal data is confidentially destroyed as per the following:

    1. Destruction of Personal data Guidance - , and
    2. Information Security Policies -
