There are several activities you must do when planning your project. You must do these before you start collecting any personal data in your research.
- Complete your mandatory training
- Perform a 'high risk screening' of your data management plans
- Set up your file storage, access and retention label
- Ensure any third-party software you are using has been assured for use in DfE
- Ensure your team has a record of your SharePoint library and high risk screening or DPIA
Complete your mandatory training
DfE Civil servants must take the data awareness refresher training. You must take this training annually, and before you begin handling any personal data.
Contractors and other contingent workers, as well as civil servants working within DfE for one of our Arms Length Bodies (ALBs), must take the Data Protection Awareness Training for Temporary Staff, Contractors, Consultants, Contingent Workers and ALBs. You must complete this training within one month of starting at DfE, and before you begin handling any personal data.
Perform a 'high risk screening' of your data management plans
When you start a new research project or move to a new phase of research (e.g. moving from Alpha to Beta), you must check whether the personal data you expect to gather, and the way you plan to gather it, is considered a high data protection risk. This is called the 'high risk screening process'.
Data protection risk is determined by a number of criteria, including the type of user group, which protected characteristics you're gathering, the research method, the volume of data, and other factors. Most user research will not be considered high risk. If, however, your plans are considered high risk, you will need to complete a full data protection impact assessment (DPIA).
The high risk screening process can take up to 5 working days to be returned to you.
If you are required to complete a full DPIA for high risk research, this can take a number of weeks to be processed. You should therefore complete your high risk screening well ahead of conducting any research.
Information you will need for the high risk screening
You will need to know:
- the name of your service or project
- which directorate and group your service or project is in
- the name of the Senior Responsible Officer (SRO) service or project
- whether there are any other existing DPIAs, for example for the service itself
Your delivery manager can help you answer these questions.
You will need to provide basic information such as:
- what you are planning to do in your research, and why
The screening asks a series of questions to determine the data protection risk. You will need a good idea of your likely research methods and participants, particularly any special category data or criminal offence data you will be using in your participant recruitment, or discussing in your research.
You will need to say who the information asset owner is. This person is accountable for the data. This will be someone in your programme of work at Grade 7 or above. It might be a senior or lead user researcher, or your senior responsible officer (SRO). Speak to your senior or lead user researcher first, and then your delivery manager, to find out who this should be. The ODPO can give you advice on this.
Higher risk user research requiring a full DPIA
If your data collection is identified as being higher risk, you will be asked to complete a full data protection impact assessment (DPIA) before your research activity can start.
The team in the Office of the Data Protection Officer will support you to do this.
If you are working on a service that collects personal data, the service itself will also need to go through the DPIA process (a 'service DPIA').
This is a different activity to the user research screening, and will usually be managed by your delivery manager or service owner.
When a service is live or in public beta, your service's DPIA may cover your user research activity. If so, you don't need to perform a high risk screening. Ensure you check this with your service's information asset owner.
You are responsible for ensuring your user research activity has been screened or is covered by a DPIA.
Set up your file storage, access and retention label
Set up your secure file storage SharePoint library
Check with your lead user researcher, delivery manager, or programme delivery manager.
The Department's SharePoint has been configured to ensure that user research personal data can be managed in the correct way.
You can set up a the correct storage my making a service request on the DfE IT service portal.
You should request:
- A 'workplace library' (This is a specific type of file storage used in SharePoint)
- The 'UR personal data' retention label added to files by default
Every workplace library needs at least one, and ideally two or more, content managers. Content managers can manage access to workplace libraries.
You (or a civil servant in your team or programme, if you are a contractor) will need to be a Content Manager.
You should also assign at least one more content manager, to ensure that if you leave DfE or are not available, somebody is able to manage your file storage. This could be
- a responsible person in your team, for example your delivery manager or a second user researcher
- your senior or lead user researcher
- a member of Research Operations
Decide who else in your team can access the data
You are responsible for who accesses the data you are managing. You should limit access to only to people who need to use it. This could be notetakers in your research sessions, or people helping you analyse the research.
When they no longer need to use the data, remove their access.
Make sure you always follow the Knowledge Information Management team's guidance on sharing files and folders in SharePoint (DfE users only).
Retention period and retention label
The retention period for personal data gathered in user research is 2 years.
All personal data gathered during user research must have the ' UR personal data' retention label applied to it. If your SharePoint Workplace library has been set up correctly as described above, this label will be applied automatically to all files. You must never replace this retention label with a different one.
Applying the retention label means that the data will be automatically deleted from DfE servers after 2 years. You must not delete the data any earlier than this.
Update the information asset register
If you have a full DPIA, you also need to update the Record of Processing Activities (RoPA) (DfE users only).
IAR and ROPA are records of personal data being managed across the department.
If the person whose name is in the IAR or ROPA leaves the project (the user researcher, or another civil servant in the team if the UR is a contractor), then the IAR or ROPA should be updated.
Ensure any third-party software you are using has been assured for use in DfE
You might use software that collects and stores personal data, such as:
- research video and audio recordings
- participant details
- survey responses
Before using any software, it must be fully privacy assured for use in the Department.
Ensure your team has a record of your SharePoint library and high risk screening or DPIA
You should give your delivery manager details of your high risk screening outcome or full DPIA, the location of your SharePoint library, and details of your IAR or RoPA registration.
This means that if you are away from work, or if you leave a project and a new user researcher takes over, they will have access to the important details about the data management on your project.