There are several activities you must do when planning your project. You must do these before you start collecting any personal data in your research.

Warning Not doing these activities before starting your research could be a serious disciplinary offence.

Page contents

Complete your mandatory training

DfE Civil servants must take the data awareness refresher training. You must take this training annually, and before you begin handling any personal data.

Contractors and other contingent workers, as well as civil servants working within DfE for one of our Arms Length Bodies (ALBs), must take the Data Protection Awareness Training for Temporary Staff, Contractors, Consultants, Contingent Workers and ALBs. You must complete this training within one month of starting at DfE, and before you begin handling any personal data.

Perform a 'high risk screening' of your data management plans

If your service is in live or beta, it will have a data protection impact assessment (DPIA) covering all personal data in the service. This DPIA may also cover user research activity. If this is the case, you don't need to do the high risk screening process. Check with your delivery manager.

When you start a new research project or move to a new phase of research (e.g. moving from Alpha to Beta), you must check whether the personal data you expect to gather, and the way you plan to gather it, is considered a high data protection risk. This is called the 'high risk screening process'.

Data protection risk is determined by a number of criteria, including the type of user group, which protected characteristics you're gathering, the research method, the volume of data, and other factors. Most user research will not be considered high risk. If, however, your plans are considered high risk, you will need to complete a full data protection impact assessment (DPIA).

The high risk screening process can take up to 5 working days to be returned to you.

If you are required to complete a full DPIA for high risk research, this can take a number of weeks to be processed. You should therefore complete your high risk screening well ahead of conducting any research.

Perform a high risk screening (DfE users only)

Information you will need for the high risk screening

You will need to know:

  • the name of your service or project
  • which directorate and group your service or project is in
  • the name of the Senior Responsible Officer (SRO) service or project
  • whether there are any other existing DPIAs, for example for the service itself

Your delivery manager can help you answer these questions.

You will need to provide basic information such as:

  • what you are planning to do in your research, and why

The screening asks a series of questions to determine the data protection risk. You will need a good idea of your likely research methods and participants, particularly any special category data or criminal offence data you will be using in your participant recruitment, or discussing in your research.

You will need to say who the information asset owner is. This person is accountable for the data. This will be someone in your programme of work at Grade 7 or above. It might be a senior or lead user researcher, or your senior responsible officer (SRO). Speak to your senior or lead user researcher first, and then your delivery manager, to find out who this should be. The ODPO can give you advice on this.

Higher risk user research requiring a full DPIA

A DPIA is the "process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan" (ICO definition).

If your data collection is identified as being higher risk, you will be asked to complete a full data protection impact assessment (DPIA) before your research activity can start.

The team in the Office of the Data Protection Officer will support you to do this.

Service DPIAs

If you are working on a service that collects personal data, the service itself will also need to go through the DPIA process (a 'service DPIA').

This is a different activity to the user research screening, and will usually be managed by your delivery manager or service owner.

When a service is live or in public beta, your service's DPIA may cover your user research activity. If so, you don't need to perform a high risk screening. Ensure you check this with your service's information asset owner.

You are responsible for ensuring your user research activity has been screened or is covered by a DPIA.

Set up your file storage, access and retention label

It is important that you store your user research personal data correctly. This means:

  • You use a Workplace (SharePoint), not an MS Teams site
  • There are at least two content managers who can manage the Workplace
  • Restricting access to the Workplace to only the people who need it
  • You apply the ‘UR personal data’ retention label to all personal data files

To request a new Workplace (Sharepoint), you (or another content manager in your team) should make a service request on the DfE IT service portal.

You will need to make three separate requests:

  1. A new Workplace (SharePoint) site
  2. The ‘UR personal data’ retention label to be made available to select within the Workplace
  3. A restricted folder to be set up in the Workplace

Request your file storage (DfE users only)

Use Workplace (SharePoint) for file storage, not Teams

User research personal data must always be stored in a Workplace (SharePoint) site, not an MS Teams site. The department's Workplace (SharePoint) sites have been configured to ensure that user research personal data can be managed in the correct way. The difference between Workplace (SharePoint) and Teams is described here (DfE users only)

Your programme or portfolio already may already have secure file storage for user research data, where each team's data is managed in a separate restricted folder or library, and you can apply the 'UR personal data' retention label. If so, use this instead of setting up a new Workplace (SharePoint) site. Check with your lead user researcher, delivery manager, or programme delivery manager.

Have at least two content managers

Every Workplace needs at least two content managers. Content managers can manage access to the Workplace.

You (or a civil servant in your team or programme, if you are a contractor) will need to be a Content Manager.

You should also assign at least one more content manager, to ensure that if you leave DfE or are not available, somebody is able to manage your file storage. This could be

  • a responsible person in your team, for example your delivery manager or a second user researcher
  • your senior or lead user researcher
  • a member of Research Operations

There is a 1-hour mandatory training for new content managers (DfE users only).

Decide who else in your team needs to access the data

You are responsible for who accesses the personal data you are managing. You should limit access to only to people who need to use it. This could be notetakers in your research sessions, or people helping you analyse the research.

When they no longer need to use the data, remove their access.

Make sure you always follow the Knowledge Information Management team's guidance on sharing files and folders in SharePoint (DfE users only).

Retention period and retention label

The retention period for personal data gathered in user research is 2 years.

All personal data gathered during user research must have the ' UR personal data' retention label applied to it. If your SharePoint Workplace library has been set up correctly as described above, this label will be applied automatically to all files.

You must never replace this retention label with a different one.

Applying the retention label means that the data will be automatically deleted from DfE servers after 2 years. You must not delete the data any earlier than this.

More information about retention periods and labels (DfE users only).

Update the information asset register

You must register that you are managing personal data on the Information Asset Register (IAR) (DfE users only).

If you have a full DPIA, you also need to update the Record of Processing Activities (RoPA) (DfE users only).

IAR and ROPA are records of personal data being managed across the department.

If the person whose name is in the IAR or ROPA leaves the project (the user researcher, or another civil servant in the team if the UR is a contractor), then the IAR or ROPA should be updated.

Ensure any third-party software you are using has been assured for use in DfE

You might use software that collects and stores personal data, such as:

  • research video and audio recordings
  • participant details
  • survey responses

Before using any software, it must be fully privacy assured for use in the Department.

Ensure your team has a record of your SharePoint library and high risk screening or DPIA

You should give your delivery manager details of your high risk screening outcome or full DPIA, the location of your SharePoint library, and details of your IAR or RoPA registration.

This means that if you are away from work, or if you leave a project and a new user researcher takes over, they will have access to the important details about the data management on your project.