Check if you need a DPIA

Before you conduct any research, you must make sure the data you collect is covered by a DPIA (data protection impact assessment).

There are 2 overarching DPIAs for user research that cover data collected in most user research across DfE. Our DPIAs cover both internal and external user research.

You must check whether your planned user research meets the criteria for using the overarching DPIA. If it does, your research is covered and you do not need to do anything else.

However, if your planned activity does not meet the criteria for the overarching DPIA, your research is not covered. You must go through the standard DfE data protection processes.

A DPIA assesses the risks in handling personal data in a project. The overarching DPIA only covers user research activity. If your product or service processes personal data, it should have a separate DPIA or DPIA screener.

Confirm you can use the overarching DPIA for user research

You must use the DPIA checker tool to confirm your user research is considered low risk and is therefore covered by the overarching DPIA for user research.

Check if you can use the overarching DPIA

The process takes a few minutes and includes next steps to ensure your user research is compliant.

You cannot use the overarching DPIA if your user research involves:

  • High-volume processing (e.g. surveys where you expect to receive more than 5000 responses)
  • Participants under 18
  • Non-user research activities
  • Non-DfE-approved suppliers or systems
  • Profiling or automated decision-making (e.g. participant recruitment activity that is completely automated with no human oversight)

What to do if your research is not covered by the overarching DPIA for user research

If the checker tool identifies that your user research is potentially high risk, you must follow the normal DfE DPIA process (managed by the data protection team).

You will need to complete a high-risk screener document and allow at least 5 working days for the data protection team to review it.

Follow this guidance: Data Protection Impact Assessment (DPIA) portal (DfE SharePoint users only)

If the data protection team identifies that your planned research is high risk, you will then need to complete a full DPIA, which can take several weeks. You may find it quicker to combine your user research DPIA with your service DPIA. Speak to your delivery manager to do this, or to research operations for more information.