Guidance

User research privacy notice

Updated 10 January 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/government-digital-service-user-research-privacy-notice/user-research-privacy-notice

The Government Digital Service (GDS) and Central Digital and Data Office (CDDO) carry out research to test and improve services, both internally and for other government departments.

GDS and CDDO are part of the Cabinet Office. The data controller for GDS and CDDO is the Cabinet Office. A data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

We also do user research on behalf of other government departments. In these situations we will either be a joint controller with the other government department or data processor acting on behalf of the other government department. Where this is the case you’ll be notified in the information sheet for specific projects.

This privacy notice gives you general information on how we handle research data at GDS and CDDO. For more details about a specific piece of research, you can refer to the information sheet provided when you’re invited to take part in that project. This should also include contact details for the researcher and their team in case you have any further questions.

Why we need your data

We need information about you when inviting you to take part in research to ensure that:

  • you meet the criteria for this piece of research
  • we are including a wide range of people

We need to collect data during the research session to ensure that we have an accurate record of what happened and what was said. This is important, because we then analyse this information and use it to draw conclusions about what we should do next.

We use your data because you have consented for us to do so for this particular piece of research.

What data we collect from you

When inviting you to take part

The personal data we collect from you at this stage could include information about your:

  • name
  • age
  • gender
  • ethnicity
  • disabilities, such as details of any condition that can affect your ability to use a computer
  • job title
  • email address
  • phone number

We may collect additional information, based on the specific topic being researched. For example, if we’re conducting research on a specific government service, we might want to know whether you’ve used this service in the past.

We sometimes work with other organisations to carry out research. This can include companies that help us recruit people to take part in research. If we do this, these companies may also collect additional data for which they are the data controller, and their privacy policy will also apply.

During the research session

In most cases, we’ll collect personal data during the research session. This could be in the form of:

  • audio recordings
  • video recordings
  • screen recordings
  • written notes
  • photos

What we do with your data

Collecting and analysing

We sometimes use external organisations to book a venue for the research outside of our offices, and external tools to conduct remote research sessions. This means that a limited number of staff in other organisations may have access to your data - for example, when we use the recording equipment at an external venue.

We may also use the following third party tools and services to collect, transcribe or analyse your data:

  • survey tools
  • online collaboration tools, including video conference and virtual whiteboard tools
  • transcription services, including automatic transcription and analysis tools
  • consent management tools

If we do any of the above, we will monitor and limit the access that people outside GDS and CDDO have to your data. The privacy policies of these external organisations will also apply.

Reporting the results

When using your responses in reports or presentations, or sharing with other government departments, we will make sure you cannot be identified from your data. Each person taking part in a piece of research will be assigned a number, and any names or other personal and identifiable data will be removed.

Only researchers working at GDS and CDDO will have access to the full original recordings though we may share short audio or video clips with other colleagues within GDS and CDDO and other government departments if we have your express permission to do so. The only exception to this is during the transcription and analytics phase (described above) when transcription and analytics services may be used.

If we do any of the above, we will monitor and limit the access that people outside GDS and CDDO have to your data. The privacy policies of these external organisations will also apply.

We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime. We will also share your data in the event of a serious safeguarding concern - for example, if we are concerned about the welfare of a child or vulnerable adult.

We will not:

  • sell or rent any of your data to third parties
  • share your data with third parties for marketing purposes

Where your data is processed and stored

Your personal data will be stored on our IT systems, which are provided by third party email, document management and storage service providers.

Your personal data may be transferred outside the United Kingdom while being processed by GDS and CDDO. If this happens, it will be subject to equivalent legal protection through the use of adequacy decisions. If no relevant adequacy decision exists, standard contractual clauses will be used instead.

How long we keep your data

The data collected when we invite you to take part will be held for a maximum of 6 months. After this point, we will delete this but will keep a record of consent, your name, and the data gathered during the research session.

We will hold the data from research sessions, your name, and a record of consent for a maximum of 3 years. After this point, we will delete all personal data relating to you, but we might retain reports that contain your anonymised quotes.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you. For example, we protect your data using varying levels of encryption. All third parties that process personal data for GDS and CDDO are also required to keep that data secure.

Your rights

You have the right to withdraw consent to the processing of your personal data - for example original recordings and notes where you can be identified. If a report with anonymised quotes has been published (internally or externally) we will not be able to remove this as it does not constitute personal data.

You also have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data
  • that this copy be provided in a structured, commonly used and machine-readable format
  • that anything inaccurate in your personal data is corrected without delay

  • that your personal data is erased if there is no longer a justification for holding it
  • that the processing of your personal data is restricted in certain circumstances (for example, where accuracy is contested)

If you have any of these requests, please contact us using the details in the information sheet provided to you, or the contact details listed below.

Questions and complaints

If you have questions about research that you’ve been invited to participate in, you can contact the researcher named on the information sheet provided to you.

Contact the GDS Privacy Team if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SARS)

Email: gds-privacy-office@digital.cabinet-office.gov.uk

The data controller for your personal data is the Cabinet Office. The contact details for our Data Protection Officer are:

Data Protection Officer

Cabinet Office
70 Whitehall
London
SW1A 2AS

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

You can also complain to the Information Commissioner, who is an independent regulator.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860

Changes to this privacy notice

We may change this privacy notice. When we make changes, the ‘last updated’ date at the top of the page will also change.

Any changes to this notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Back to top