Set up the correct type of restricted folder in DfE SharePoint
All files containing personal data related to your user research must be stored in a restricted folder in DfE SharePoint. This restricted folder must:
- be in a Workplace (SharePoint) library
- only be accessible to people in DfE who need to use it
- have the 'User Research 2 Years' retention label available to apply to files
A Workplace (SharePoint) library is not the same as the file storage that comes with a Teams site, and works differently. You must not use Teams to store user research personal data in DfE.
Check if your project already has a restricted folder for user research
If you join a team or portfolio that already has a Workplace library with a restricted folder for user research, continue to use it. Ask your delivery manager or lead user researcher.
Once you have access to the folder, check it meets the requirements below. Also check who has access to it and the permissions they have, how old the documents are, and the retention labels applied to them.
How to set up a new restricted folder
To correctly set up a restricted folder for user research personal data, you or a team member must make a series of service requests to the Workplaces (Sharepoint) team in MyDfE.
The service requests must be made by a content manager. This is a DfE civil servant who has taken the content manager online training. Any civil servant user researcher can be a content manager:
Content manager training (opens in a new tab, DfE SharePoint users only)
1. Make a service request for a new Workplace (if required)
If your team already uses a Workplace library (not a Teams site) to store files, skip this step.
In MyDfE, make a 'Workplaces (SharePoint)' service request. Select 'Create a new Workplace (SharePoint) site' in the dropdown.
Request a new Workplace (SharePoint) library2. Create a new folder with the correct naming format
In the Workplace library, create a new folder.
The name of this folder must start with "RF" - e.g. "RF UR personal data", "RF-curriculum-project-ur-data", etc.
3. Make a service request to restrict the folder
In MyDfE make a 'Workplaces (SharePoint)' service request. Select 'Restricted folder or document library Requests Workplaces (SharePoint) site' in the first dropdown, then 'Create a new restricted folder or document library'.
In the field titled 'Please provide the name of the folder or document library that is to be restricted', enter the name of the folder you created in step 2, above.
Request to make a folder restricted4. Make a service request to make the retention label available
If the 'User Research 2 Years' retention label is already available to apply to files in your Workplace library, skip this step.
In MyDfE, make a 'Workplaces (SharePoint)' service request. Select 'General enquiries & support' in the first dropdown.
In the field titled 'Please provide a detailed explanation of your request...' write:
Please make the 'User Research 2 Years' retention label available in this Workplace:
[URL of your Workplace library]
Request to add a retention label
Make sure only the right people can access the data
Only give access to the restricted folder to people who need to use the personal data.
For example, this could include:
- team members attending research sessions, or taking part in analysis
- a content manager in your team or portfolio who is not directly involved in the research but is helping to manage it
- colleagues helping with participant recruitment
Regularly review who has access to the folder and remove permissions from anybody who no longer needs it.
You may find it helpful to have more than one restricted folder, e.g. one containing recordings and transcripts which is available to your team, and one containing recruitment data available to fewer people.
To add and remove access permissions on a restricted folder, make a 'Workplaces (SharePoint)' service request in MyDfE:
Request to add or remove access permissionsSelect 'Restricted folder or document library Requests Workplaces (SharePoint) site' in the first dropdown, and 'Add users…' or 'Remove users from an existing restricted folder or document library'.
Every person with access to personal data must follow all DfE data policies.