After you have set up your data storage and conducted the DPIA screening or full DPIA, you can start gathering personal data in your user research activities.

Page contents

Check you are still acting within your high risk screening or DPIA

Every time you write a research plan, you should check that the research method and data you plan to collect is still within your high risk screening or full DPIA.

If you are significantly changing your research method, or the categories of data you plan to collect, then you should submit a new high risk screening, to check your new plans are not considered high risk.

We have created a set of combined consent forms and information sheet templates. These are fully assured to meet our personal data handling standard, and have been usability tested and written with the suport of content designers. You should use these, unless you have a good reason not to. If you decide not to use these templates, your consent form and information sheet must meet the same standards, as described below.

Standard consent form and information sheet templates (DfE users only).

Information sheet and privacy notice

All participants must be given an information sheet which contains a clear description of what you will do with their data. This must include a link to the DfE privacy notices on GOV.UK.

You must ask every participant for their consent to gather and use their data in your research. You must keep a record of this consent.

Note that this is not a requirement under the department's data policies, because we use the Public Task legal basis to gather user research data. However, gathering consent is an ethical requirement of all user research in DfE, in order to meet our [personal data handling standard](/standards-and-principles/personal-data-handling)

Consent forms contain personal data. You should store and manage them in the same place and in the same way as any other personal data generated in your research.

Save and organise your data properly, and delete copies

Anything you capture that contains personal data must be kept in the SharePoint library you set up for this project.

The files you need to save could include:

  • participant lists or other recruitment data
  • video or audio recordings
  • notes or transcripts, including those made by yourself or other team members, and any auto-generated transcripts from Teams or the specialist software you are using
  • any research data entered directly by participants that contains or could contain personal data for example survey responses or diary study entries
  • data exported from software or web tools you have used in your research.

Keep your files well organised, so you can easily find a specific participant's data, if asked. Make sure all files have the 'user research' retention label.

Delete any copies of data

Ensure any copies of files outside of the SharePoint library are deleted. This could be in emails, Teams messages, etc.

Don't keep data in 3rd party software longer than is necessary. For example, raw survey data, or videos of research sessions in a remote research tool: once you have finished analysing in the tool, export the data, move it in your SharePoint library, and delete the original copy in the tool.

Ensure any other team member who has copies of any personal data (e.g. videos, copies of files, participant lists) also does this.

Emailing or sharing participant details

You will sometimes need to share details of your participants with other team members who are taking notes or observing the research.

You must always ensure that you these details are shared in a password protected file.

Make sure you and the other team members delete any copies of the file in Outlook (including the deleted items folder), and anywhere else you may have stored or shared them, such as Teams messages etc.

Researching with internal DfE staff

We frequently perform user research with DfE staff. You must manage your data in the same way as with external participants.

Additionally, there are some different ethical concerns and considerations with internal research, particularly in how to ensure your participants remain fully anonymous when you play back your research findings to people who may know them. Read our guidance on research with internal users.