Personal data handling in user research
DfE's standard to ensure all participant data gathered during user research is handled securely, legally and ethically.
Status
Beta
Last updated
21 Feb 2024
Summary
As a user researcher, you will collect lots of data from and about your research participants, much of which is 'personally identifying'.
This could be captured in video or audio recordings, or notes and transcripts.
As user researchers, it is our responsibility to handle this data in a way that:
- meets UK GDPR law and the Department's data policies and processes
- is ethical, treating our users safely and respectfully.
Why this standard is important
If we fail to correctly manage personal data gathered in user research, this presents risks to our research participants, to the Department, and to ourselves:
- we could be breaking UK GDPR law, opening up the Department to legal challenges, fines, and negative publicity. Handling personal data incorrectly could be a serious disciplinary offence
- if people don't understand what we are using their data for, we are not treating them ethically or with respect
- if a person's personal data is accessed or used in a way that it shouldn't be, this could put the person at risk
How to meet this standard
To ensure you are meeting this standard, you must complete the following checklist. If you select yes for all questions, you have met the DfE standard. If you select no to anything or you're unclear, seek the advice of a senior or lead user researcher.
Read this related guidance
- Managing participants' personal data in user research in DfE - full guidance
- Gaining informed consent
You must:
- have completed your mandatory data protection awareness training
- have completed a 'high risk screening' of your plans for collecting personal data
- have completed a full data protection impact assessment (DPIA), if required after the high risk screening
- have the correct personal data file storage, using a SharePoint workplace library with the 'UR personal data' retention label applied to all files
- have more than one content manager set up for your personal data file storage
- only give access to your personal data storage to the people who need it
- ensure any software or web tools you are using to collect personal data are privacy assured
- gather informed consent from all participants, using our standard consent form templates where appropriate, including an information sheet which links to the DfE privacy policy on GOV.UK
- anonymise all personal data during your analysis or, if you are pseudonymising, ensure you have the correct consent from participants
- know what to do if a participant withdraws their consent after research has taken place, or asks for a copy of their data
If you are building a panel or other large list of people, you must:
- have permission to do this from your lead user researcher or the head of user research
If you are sharing any lists of people with other user researchers or teams, you must:
- have the correct consent from every person in the list
Download this checklist as a spreadsheet
Templates and tools to help you meet this standard
Using these templates and tools will help you meet this standard. (Links for DfE employees/contractors only)
Where to get advice
If you need advice on meeting this standard, you should contact:
- The senior user researcher for your team or programme
- The lead user researcher in your portfolio, or the head of user research
- The Research Operations team, in #research-ops-support in DfE Slack
Discuss this standard
This user research standard is in beta, and we are actively seeking any feedback and suggestions. You can do this in the #developing-user-research-standards channel in DfE Slack, or by using the 'give us feedback' link at the top of this page.