Your responsibilities for managing personal data continue after the end of a project or phase. There are things you need to do to wrap-up your research, and there may be things you need to do at a later time.
- Don't delete personal data after research
- If a participant withdraws their consent
- Sharing research outputs with other people
- Re-contacting participants for further research
- Requests from communications teams, policy teams, or other teams
- Subject access requests
Don't delete personal data after research
Our retention policy is 2 years, so you must keep your data for 2 years. Do not delete it sooner than this.
Simply ensure that all personal data you have gathered has the correct 'user research' retention label, and the only people who have access to the data are people who might need access in the future. Remove access from other team members.
If a participant withdraws their consent
If an individual withdraws the consent they initially gave, you must stop using their data.
If this is before you have begun analysing your research, then you must not use this data in your analysis.
If it is already anonymised as part of your analysis, then you only need to the original stored data.
Do not delete their data before the two year retention period, but mark it as not to be used. For example, you could move it into a folder within your SharePoint library called "Consent withdrawn – do not use".
Sharing research outputs with other people
Anonymised research outputs containing no personal data can be shared inside and outside the Department, following the rules and limitations set by your own programme and leadership. Speak to your own stakeholders about this.
For any research reports with pseudonymous data (e.g. faces in videos, if a participant has consented to this), then you require consent from the individual to share with other people. If you did not initially ask the person for this consent, you can contact them and ask for further consent.
You must provide all details of the personal data you hold about the individual, including video or audio recordings, transcripts, and consent forms.
See also: sharing participant lists with other user researchers and teams
Re-contacting participants for further research
As long as they haven't explicitly told you they don't want to be contacted, and as long as it is within the retention period, you can re-contact a participant for further research.
You must ask for their consent again for each new piece of research.
Don't over-use individual participants: this risks introducing bias into your research. Also ensure you are not over-burdening your users by contacting them too often.
Requests from communications teams, policy teams, or other teams
Sometimes our Comms or Policy colleagues will ask to speak to a specific participant, to understand more about their experiences, or to use their story for Comms purposes.
If this outside what the participant originally consented to, you can contact the participant on behalf of the colleague for this purpose, and gain a new consent from them.
Subject access requests
An individual person can ask the Department for a copy of the personal data we hold about them. If somebody who has taken part in user research does this, you may receive a request from the Information Rights Team, or you may receive a request directly from the research participant.
You must follow the guidance on the Subject Access Request (SAR) Portal (DfE users only).
You will need to provide all details of the personal data you hold about the individual. For a user research participant, this could include video or audio recordings, transcripts, consent forms, pseudonymised reports, etc.
You do not have to supply any findings or reports where the person's data has been fully anonymised.