Your responsibilities for managing personal data continue after the end of a project or phase. There are things you need to do to wrap-up your research, and there may be things you need to do at a later time.

Page contents

Don't delete personal data after research

Our retention policy is 2 years, so you must keep your data for 2 years. Do not delete it sooner than this.

Simply ensure that all personal data you have gathered has the correct 'user research' retention label, and the only people who have access to the data are people who might need access in the future. Remove access from other team members.

If an individual withdraws the consent they initially gave, you must stop using their personal data.

If this is before you have begun analysing your research, then you must not use this data in your analysis.

If their data has already been anonymised, then you can continue to use this anonymised data.

Do not delete an individual's data before the two year retention period, but clearly mark it as not to be used. For example, you could move it into a folder within your SharePoint library called "Consent withdrawn – do not use".

Sharing research outputs with other people

Anonymised research outputs containing no personal data can be shared inside and outside the Department, following the rules and limitations set by your own programme and leadership. Speak to your own stakeholders about this.

For any research reports with pseudonymous data (e.g. faces in videos, if a participant has consented to this), then you require consent from the individual to share with other people. If you did not initially ask the person for this consent, you can contact them and ask for further consent.

You must provide all details of the personal data you hold about the individual, including video or audio recordings, transcripts, and consent forms.

See also: sharing participant lists with other user researchers and teams

Re-contacting participants for further research

As long as they haven't explicitly told you they don't want to be contacted, and as long as it is within the retention period, you can re-contact a participant for further research.

You must ask for their consent again for each new piece of research.

Don't over-use individual participants: this risks introducing bias into your research. Also ensure you are not over-burdening your users by contacting them too often.

Requests from communications teams, policy teams, or other teams

Sometimes our Comms or Policy colleagues will ask to speak to a specific participant, to understand more about their experiences, or to use their story for Comms purposes.

If this outside what the participant originally consented to, you can contact the participant on behalf of the colleague for this purpose, and gain a new consent from them.

Subject access requests

An individual person can ask the Department for a copy of the personal data we hold about them. If somebody who has taken part in user research does this, you may receive a request from the Information Rights Team, or you may receive a request directly from the research participant.

You must follow the guidance on the Subject Access Request (SAR) Portal (DfE users only).

You will need to provide all details of the personal data you hold about the individual. For a user research participant, this could include video or audio recordings, transcripts, consent forms, pseudonymised reports, etc.

You do not have to supply any findings or reports where the person's data has been fully anonymised.