As a user researcher, you will collect lots of data from and about your research participants, much of which is 'personally identifying'.
This could be captured in video or audio recordings, or notes and transcripts.
You and your team are responsible for managing the data you collect. As you plan and deliver your user research, you must meet the UR personal data handling standard. Meeting this standard ensures user research always complies with the Department's data policies under UK GDPR law, and meets high ethical standards in the way we treat our user research participants.
This applies to all civil servants and contractors working in DfE.
If you have questions about this guidance, or the tools and templates that go with it, first speak to the Research Operations team.
If they cannot answer your question, contact the DfE Office of the Data Protection Officer team (DfE users only).
- Personal data likely to be gathered in user research
- UK GDPR law and DfE data management policies
- Informed consent
- Roles and responsibilities
Personal data likely to be gathered in user research
Personal data is any information that could be used to identify a living individual. This includes information that could be used to indirectly identify someone when matched with other information about them.
Personal data that we may collect in user research includes:
- data that could be used to identify somebody, like their name, address, occupation, date of birth, etc
- 'special category data'. This includes data about somebody's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health (including topics like disability, pregnancy, gender reassignment), sex life or sexual orientation.
- Data that requires further protection, like criminal conviction and offences data.
- unedited video or audio with people's faces and voices
- recruitment trackers which include names and contact details
- participants' IP addresses and any data from cookies collected by user research software or tools
In user research, you might see personal data referred to as:
- personal identifiers (PID)
- personally identifiable information (PII)
- raw data
UK GDPR law and DfE data management policies
UK General Data Protection Regulation (UK GDPR) is the law that governs the way data is collected and managed by any organisation in the UK.
The DfE Office of the Data Protection Officer (DfE users only) has created policies, processes and support that ensure any data collected in the department is managed legally.
Following this guidance for user researchers will ensure you meet the departmental policies, and therefore meet UK GDPR.
Personal data can only be gathered if there is a lawful basis to do so. There are six lawful bases in UK GDPR. DfE has decided which lawful basis we use for user research.
Any data we collect in user research in DfE is collected under the public task lawful basis.
You must never use a different lawful basis to gather personal data your user research.
As part of our ethical approach to user research at DfE, it is a requirement that you always gather consent from every participant for how you will collect and use their data, even when this is not required under UK GDPR. How we do this is described later in this guidance.
Roles and responsibilities
As the user researcher on the project, you are responsible for ensuring that all personal data in your research is collected in a way that is legal and ethical, following this guidance and meeting the user research data management standard, and all departmental policies and guidelines.
If you are a contractor user researcher , then a civil servant in your team or business area will need to submit the documentation described in this guidance. It is still your responsibility to manage the data correctly.
A more senior person in your business area , for example a G6 lead user researcher, or other G6 leadership role like a programme delivery manager, lead delivery manager or your deputy director or senior responsible officer, will be ultimately accountable for any risks or issues with how the data is managed and used.
The delivery manager in your team should be aware of your plans and procedures for managing your data.
You are responsible for ensuring other people who access the personal data you gather, like team members or observers in research sessions , handle it correctly, and only have access to what they need, when they need it.
The research operations team can advise on the correct templates and documents to use and on the user research data management standard, but can't advise on departmental data management policy or UK GDPR. For these questions, you are supported by the team in the DfE Office of the Data Protection Officer. The DfE Knowledge and Information Management team will support you with setting up the correct file storage, and any problems with SharePoint.