DfE user research standards

Personal data handling in user research

As a user researcher at DfE, you must handle all participant data gathered during user research securely, legally and ethically.

Status

Published

Last updated

17 Sep 2024

Summary

As a user researcher, you will collect lots of data from and about your research participants, much of which is 'personally identifying'.

This could be captured in video or audio recordings, or notes and transcripts.

As user researchers, it is our responsibility to handle this data in a way that:

  • meets UK GDPR law and the Department's data policies and processes
  • is ethical, treating our users safely and respectfully.

Why this standard is important

If we fail to correctly manage personal data gathered in user research, this presents risks to our research participants, to the Department, and to ourselves:

  • we could be breaking UK GDPR law, opening up the Department to legal challenges, fines, and negative publicity. Handling personal data incorrectly could be a serious disciplinary offence
  • if people don't understand what we are using their data for, we are not treating them ethically or with respect
  • if a person's personal data is accessed or used in a way that it shouldn't be, this could put the person at risk

How to meet this standard

To ensure you are meeting this standard, you must complete the following checklist. If you select yes for all questions, you have met the DfE standard. If you select no to anything or you're unclear, seek the advice of a senior or lead user researcher.

You must:

If you are building a panel or other large list of people, you must:

  • have a record of permission to do this from your lead user researcher or the head of user research

If you are sharing any lists of people with other user researchers or teams, you must:

  • have a record of appropriate consent from every person in the list

Download this checklist as a spreadsheet

Templates and tools to help you meet this standard

Using these templates and tools will help you meet this standard. (Links for DfE employees/contractors only)

Where to get advice

If you need advice on meeting this standard, you should contact:

Change log

  • v1 (Current version. Released on 08 Aug 2024, approved as a published DfE DDT standard on 17 Sep 2024) Removed mandatory data protection awareness point, because this is already covered by separate DfE data policy and standards. Reworded some points to ensure all are easily checkable.
  • v0.2 (21 Feb 2024). Minor wording changes
  • v0.1 (6 Dec 2023). First beta version

Discuss this standard

This user research standard has been formally approved and adopted as a DfE Digital, Data, Technology standard. It will be iterated and improved over time, so please give us any feedback and suggestions. You can do this in the #developing-user-research-standards channel in DfE Slack, or by using the 'give feedback about this page' button at the bottom of this page.