Personal data handling in user research
As a user researcher at DfE, you must handle all participant data gathered during user research securely, legally and ethically.
Status
BetaLast updated
8 Aug 2024Summary
As a user researcher, you will collect lots of data from and about your research participants, much of which is 'personally identifying'.
This could be captured in video or audio recordings, or notes and transcripts.
As user researchers, it is our responsibility to handle this data in a way that:
- meets UK GDPR law and the Department's data policies and processes
- is ethical, treating our users safely and respectfully.
Why this standard is important
If we fail to correctly manage personal data gathered in user research, this presents risks to our research participants, to the Department, and to ourselves:
- we could be breaking UK GDPR law, opening up the Department to legal challenges, fines, and negative publicity. Handling personal data incorrectly could be a serious disciplinary offence
- if people don't understand what we are using their data for, we are not treating them ethically or with respect
- if a person's personal data is accessed or used in a way that it shouldn't be, this could put the person at risk
How to meet this standard
To ensure you are meeting this standard you must complete the following checklist. If you select yes for all questions, you have met the DfE standard. If you select no to anything or you're unclear, seek the advice of a senior or lead UR.
Read this related guidance
- Managing participants' personal data in user research in DfE - full guidance
- Gaining informed consent
You must:
- have completed a 'high risk screening' of your plans for collecting personal data
- if required after the high risk screening, you have completed a full data protection impact assessment (DPIA)
- have the correct personal data file storage, using a SharePoint workplace library with:
- the 'UR personal data' retention label applied to all files
- at least two content managers set up
- access restricted to only the people who need it
- only use user research software or web tools that have been assured for use in DfE when collecting personal data
- include a link to the DfE privacy policy on GOV.UK in the information you give to participants
- keep a record of consent showing that participants understand and agree to how you plan to use their data
- anonymise all personal data during your analysis or, if you are pseudonymising, ensure you have a record of appropriate consent from participants
If you are building a panel or other large list of people, you must:
- have a record of permission to do this from your lead user researcher or the head of user research
If you are sharing any lists of people with other user researchers or teams, you must:
- have a record of appropriate consent from every person in the list
Download this checklist as a spreadsheet
Templates and tools to help you meet this standard
Using these templates and tools will help you meet this standard. (Links for DfE employees/contractors only)
Where to get advice
If you need advice on meeting this standard, you should contact:
- The senior user researcher for your team or programme
- The lead user researcher in your portfolio, or the head of user research
- The Research Operations team #research-ops-support, in DfE Slack (opens in a new tab)
Change log
- v1 (8 Aug 2024. Current version). Removed mandatory data protection awareness point, because this is already covered by seperate DfE data policy and standards. Reworded some points to ensure all are easily checkable.
- v0.2 (21 Feb 2024). Minor wording changes
- v0.1 (6 Dec 2023). First beta version
Discuss this standard
This user research standard is in beta, and we are actively seeking any feedback and suggestions. You can do this in the #developing-user-research-standards channel in DfE Slack (opens in a new tab), or by using the 'give feedback about this page' button at the bottom of this page.