Taking care of research data
When we do research, we must manage the data we collect so that we protect participants’ privacy and comply with the law.
This guidance explains how we manage research data at dxw. It builds on the general guidance on managing research data in the Service Manual. There is also useful advice in The User Researcher’s Guide to GDPR.
Agreeing who controls the research data
There are two basic options:
The client is the data controller for the research data, and we are a processor.
This is the best approach when we are working in a blended team for a client with an established user research practice. It allows the client and team to continue accessing and using the research data independent of dxw.
In this case we use the client’s consent materials and store the research data in their systems.
We are the data controller for the research data, and we limit the client’s access to the research data.
This is the best approach when we are working in a dxw-staffed team for a client with limited or no user research practice. It reduces the burden on the client and reduces our dependence on their practices.
In this case we use dxw consent materials and store the research data in our systems along with the records of consent.
We will agree on the approach for the project as early as possible, ideally as part of the statement of work, but at the latest during inception.
Storing research data securely
We store research data that we control in the Client work area of the dxw Google Drive.
We limit access to folders and files containing research data to colleagues who need to access and use the data to complete their work.
The Google Drive Help Centre has a useful guide on ways to stop, limit, or change sharing of files and folders.
When we capture research data on a device or in another online service, we move the data to Google Drive as soon as possible, and securely delete the research data from the device or service.
If moving research data to Google Drive is not immediately possible, we move the data to our dxw-provided laptop, for example if we collect videos during pop-up research at a location with no reliable Internet connection.
Keeping records of consent
We store records of consent along with the research data they relate to.
The consent record might be a scan of a paper consent form, a saved copy of an email, or some other suitable record.
We delete the consent record when we have deleted that participant’s research data and contact details.
Identifying research data clearly
To identify research data in Google Drive, we follow our general file naming convention.
We keep research data in subfolders identified by the date of the research, the project and the research activity. For example:
2021 04 - Research - BEIS ODA - Observing the ODA QA process
We name individual files with the date collected, the project and the research activity. For example:
2021 04 - Notes - BEIS ODA - Observing the ODA QA process
If needed, we add participant numbers to identify the different data files within a research activity. For example:
2021 04 08 - P2 - Recording - BEIS ODA - Observing the ODA QA process
We use matching file names to keep records of consent. For example:
2021 04 08 - P2 - Consent - BEIS ODA - Observing the ODA QA process
Be careful not to use a participant’s personal details, such as their name or organisation, to identify the data we collect during research activities.
Sharing anonymised extracts
We often use extracts from research data to illustrate findings and other project outputs. These extracts might be quotes, photos, video clips, screenshots, or copies of artefacts like documents.
In any material that may go outside of the immediate team, we use only fully anonymised extracts, where the participant cannot be identified.
The UK Data Service has useful guidance on anonymising both quantitative and qualitative research data.
We do sometimes show identifiable extracts within a team, where we have consent. For example, showing clips from a usability testing session during a closed playback with the team.
Deleting research data when no longer needed
We delete research data from Google Drive as soon as we no longer need it for our work, or at the latest by the end of the declared retention period, usually 1 year.
Research data files may be owned by different members of staff. To delete files owned by colleagues, including those who have left dxw, contact the technical operations team at #help-internal-tech-support.
Processing access requests and withdrawal of consent
Participants can withdraw their consent or ask us to share any personal data we have about them.
If a participant withdraws their consent, or if it is not clear that we have a participant’s consent, then we must find and delete any personal data we have, including notes, recordings, emails, calendar events, records in spreadsheets, etc.
If a participant asks to see the personal data we have about them, then we must find and share any personal data we have, including notes, recordings, emails, calendar events, records in spreadsheets, etc.
To identify the participant’s data, we may need to ask them for details of the research activities they were involved in.
We may also need to separate data about one participant from data about other participants, for example if we have notes or voice recordings from a group workshop.