Data Protection Notice
Last updated: 09 July 2026 — Dialogue Fiji, IMPACT Initiative
This notice explains, in technical detail, the security and data protection measures in place to protect your information on this platform.
AES-256
Encryption at rest
TLS 1.3
Encryption in transit
HURIDOCS
Documentation standards
Encryption at Rest
All sensitive fields — including your name, contact information, and the detailed description of the incident — are encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) before being written to the database. This is the same standard used by financial institutions and government agencies worldwide. Even if someone obtained raw access to the database, they could not read your personal information without the encryption keys, which are stored separately from the data.
Encryption in Transit
All data transmitted between your browser and this platform is encrypted using TLS (Transport Layer Security). This prevents interception of your data while it is travelling across the internet. You can verify this by the padlock icon in your browser's address bar.
Access Controls
Access to submission data is restricted by a role-based access control (RBAC) system. Staff are assigned roles (Officer, Manager, Admin, Super Admin) and can only access data appropriate to their role. All access to case files is logged in an immutable audit trail. Two-factor authentication (2FA) is enforced for all staff accounts. Administrators are required to set up 2FA before accessing any case data.
Evidence File Security
Files you upload as evidence are stored in a private, non-public storage location on the server. They cannot be accessed directly via a URL — every file request is authenticated and authorised by the application before the file is served. Uploaded files are validated for file type and size. Each file's integrity is verified using a SHA-256 hash stored alongside the file, so any tampering or corruption can be detected.
Audit Logging
Every significant action taken on the platform — including viewing a submission, creating a case, uploading evidence, and changing a case status — is recorded in an immutable audit log. Logs record who performed the action, when, and what changed. Audit logs cannot be deleted or modified by regular staff.
Spam & Abuse Prevention
The submission form includes rate limiting, a honeypot field, and CSRF (Cross-Site Request Forgery) protection to prevent automated abuse. IP addresses are collected for spam detection purposes only and are not used to identify or track individual reporters.
Infrastructure Security
The platform runs on hardened server infrastructure with regular security updates applied. The application follows the OWASP Top 10 security guidelines. Database queries are parameterised to prevent SQL injection. All user input is validated and sanitised. Content Security Policy (CSP) headers restrict which resources the browser may load, reducing the risk of cross-site scripting (XSS) attacks.
Data Breach Response
In the event of a suspected data breach, Dialogue Fiji will:
- Contain and assess the breach within 24 hours of discovery
- Notify affected individuals as soon as practicable
- Report to the Fiji Human Rights & Anti-Discrimination Commission if required
- Publish a transparency notice on this platform
Data Minimisation & Retention
We only collect data that is directly necessary for the purpose of human rights documentation. Anonymous submissions contain no personal identifiers at all. Technical metadata (IP address, user-agent) is retained for 90 days for spam prevention and then purged. Personal identifiers (name, contact) in non-anonymous submissions are retained only for as long as the case is active, or until deletion is requested.
Standards Compliance
This platform is designed in alignment with:
- HURIDOCS — Human Rights Information and Documentation Systems standards for case documentation
- UN Principles on the effective prevention and investigation of extra-legal executions
- Istanbul Protocol — documentation of torture and ill-treatment
- Fiji Constitution 2013 — Chapter 2 Bill of Rights
Data protection enquiries: impact@dialoguefiji.org