Protecting participant privacy

When we do research, we must carefully manage participants’ contact details and other personal data to protect their privacy and comply with the law.

This guidance explains how we collect and use information about research participants at dxw. It builds on the general guidance on managing participant privacy in the Service Manual.

Collecting only the participant details we need #

We collect as little information about participants as possible. And only the information we really need to manage their participation. For example, collecting just the participant’s name and email address to arrange a video call.

When we use a screening questionnaire, we ask only the questions we need to select participants. For example, we don’t ask for a date of birth if we only need an age range.

We avoid keeping participants’ personal details as a record of who we spoke to, or to manage subject access or deletion requests. We may keep counts of numbers and types of participants, but these should not include any personal details.

Storing participant details securely #

We usually store participants’ details in the Google Drive folders for the relevant project, for example in a spreadsheet in a Research subfolder. We limit access to just the colleagues who need to use them to help people participate.

The Google Drive Help Centre has a useful guide on ways to stop, limit, or change sharing of files and folders.

When using an online questionnaire tool to recruit and screen participants, transfer the responses from the tool to Google Drive as soon as possible, and securely delete the original responses from the tool.

When sending calendar invites to participants, we restrict access to the guest list so that only colleagues involved in the research will see participants’ contact details.

We avoid sharing email conversations that include participants’ contact and other personal details.

And we avoid sharing participants’ details in any other tool, such as Slack or Trello.

Deleting participant details when no longer needed #

We delete participants’ details from Google Drive, Gmail and Calendar as soon as we no longer need the details to manage their participation in research.

Labelling emails exchanged with participants is a good way to find and delete them. For example, in Google Gmail you might create ‘Participant’ and ‘RODA’ labels and search for them using ‘label:(participant RODA)’.

Identifying calendar events that might contain participants’ details is not so easy. In Google Calendar you can create a personal Research calendar and add all research activities involving participants to that calendar. Or you might adopt a naming convention such as ‘Research:’.

Doing fully confidential research #

We sometimes do research where the participants are known only to the researchers. Other members of the team will not know who participated in the research.

When doing fully confidential research:

  • we strictly limit access to participant details
  • use private meeting invites
  • share only fully anonymised findings