Skip contents

Overview

Warning Incorrectly handling personal data in your user research could be a serious disciplinary offence

You must always gather, store and use the personal data gathered in your user research ethically and compliantly under DfE data management policies. This applies to the personal data you gather directly in your research and when recruiting participants.

Following this guidance correctly ensures that:

  • you are handling individuals' personal data legally under UK data laws
  • we are treating our research participants ethically and with respect
  • we can audit and have oversight of how we are handling personal data in user research

You must:

  • Check if you need a DPIA (data protection impact assessment) and get one if required
  • Store all personal data you collect correctly in DfE SharePoint, or in approved 3rd party tools
  • Keep the personal data for no longer than 2 years, by using the correct retention labels on files in SharePoint or manually deleting it
  • Gather, use and share personal data appropriately throughout and after your research
  • Delete an individual's personal data if they ask you to

Retention period

The retention period for personal data gathered in user research in DfE is up to 2 years.

You must apply the correct retention label to any file stored in DfE SharePoint that contains personal data. These files will be automatically deleted at 2 years.

If you no longer need the personal data you have collected, you should manually delete it before 2 years.

For any personal data stored in other approved software or tools, you may need to manually delete the data within the retention period.

Types of personal data gathered in user research

In user research, we collect and manage personal data in lots of ways. This could include (but is not limited to):

  • transcripts or automated summaries of interviews
  • video or audio recordings
  • surveys
  • participant recruitment emails, panels, lists and trackers
  • consent forms

Personal data is any information that could be used to identify a living individual. This includes information that could be used to indirectly identify someone when matched with other information about them.

Personal data is:

  • data that could be used to identify somebody, like their name, address, occupation or date of birth
  • data that when combined with other data could identify someone, like their school, job role, dietary restrictions, access needs or ethnicity
  • special category data, which includes an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health (including topics like disability, pregnancy, gender reassignment), sex life or sexual orientation

Further help and advice

Related content