Protecting user data before, during & after research

An article by Konrad Black 22-05-2018

If you are up to speed with GDPR - great. If not, I suggest you start by reading the ICO’s GDPR compliance guidelines and the exemplary blog explaining GDPR by People for Research.

Ok, so now you’re a GDPR guru, have you considered that any research data you collect may also be covered by GDPR? If so, what are you doing about it? Do your participants know what data is being collected on them and what’s going to happen to it?

In this blog we’ll unpack our own compliance journey with regard to research audience data, and hopefully suggest a few things to help you along your own journey.

What do we mean by research audiences? Who are they?

Basically anyone. They could be external audiences, found either by yourself, by a specialist 3rd party recruitment consultancy (e.g. People For Research) or by the client you’re working with/for. They could be remote - people you’ve never met and never will meet. They could even be internal members of staff you’re interviewing or conducting ethnographic studies with.

Don’t just assume that because an internal member of staff is participating in research, or because the data you’ve got comes from raw analytics, the data is somehow less important or not applicable under the GDPR regulations. In all respects, you’ll need explicit permission to collect and store data on your user research participants.

What data might be captured during research?

GDPR protects all personally identifiable data that can be linked to a living individual. Here are some basic examples of personally identifiable data which you may capture during primary user research:

  • Full name
  • Picture
  • Postal Address
  • Phone number
  • Email address
  • NHS number
  • IP address
  • Personal situation / background
  • Signature
  • etc

It’s also worth noting you may end up capturing what’s likely to be personally identifiable information and sensitive data in your research notes, for example if you’re conducting research relating to a medical or health diagnosis. It may be that there’s not one specific piece of data that identifies someone, but piecing the data together could formally identify someone.

How might this personal data be stored or shared?

Examples of data capture may include online forms, audio/visual recordings etc, or offline via paper forms, various forms of paper communications (e.g. letters), analytics, social media activity/profiles etc.

Storage of this data could be just as varied, including cloud storage of audio/video recordings or transcripts, notes taken during a research session written in a notebook, spreadsheets etc.

Some of this data may also need to be shared between multiple parties. For example, when conducting face to face research it’s usually very helpful for the recruiter and practitioner to share a time plan for when participants should arrive on the day. There’s usually background information on each participant as well as their contact details.

What we’re doing at Edo:

People for Research conduct most of the recruitment on our behalf and so we co-designed a series of updated working procedures and policies as part of our wider GDPR compliance journey.

Here are some examples of our updated policies and procedures. It’s not exhaustive but it might be helpful to use as a guide if you’re not doing these things already:

Before research

  • It’s best to ensure the privacy policies and terms of service between all partners who may need to access this data are up to date and relevant. Policies should clearly state what data might be collected, the intended purpose of use, whether or not data may be stored and if so for how long. It’s also necessary to provide a clear and easy way for participants to get in touch and request to see their data or have their data removed.
  • All participant screeners and research time plans must be owned by whoever is completing the recruiting. Documents to be shared via Google Docs only, with the researcher as ‘view only’. All document access rights to be revoked once the project ceases. Never use email to share the details of participants openly.
  • Only anonymised participant details to be shared with wider project team and/or client.
  • Never share any participant details with clients. During screening advise clients over the suitability of each participant, including some background details, but ensure none of it is personally identifiable.
  • It can be very handy to print/download a copy of the research time plan and audience background document if you aren’t sure you can view it online. We’d suggest only printing immediately before the session(s) and keeping it on your person at all times.

During research

  • All research notes captured during activities such as interviews, ethnographic research, usability testing etc are to be kept as anonymous as possible - consider using acronyms or pseudonyms.
  • If recording a research session (video/audio) attempt to omit or edit out any personal data unless it’s critical to the research. As a rule of thumb, we start recording once the user has formally introduced themselves.
  • Try not to capture any real personal data unless it’s critical to the nature of the research. For example, when testing the usability of an input form, we may ask users to input a fake/dummy name or an email address other than their own but one which is still valid (so still testing validation/error states).
  • When conducting online surveys anonymise data collection by not capturing IP, GeoLocation and switching off audience profiling analytics. Never ask participants for their name, gender etc. If offering a prize draw as incentive for participating, create a second survey to act as a collector for the name and email address of those who opt in. The two surveys must be kept independent of one another so prize draw participants cannot be linked back to their entry in the main survey.
  • For all research, whether face to face or online/remote, always inform participants of your privacy policies or where they can access them. Also, clarify with participants which details may need to be captured and what you’ll do and not do with them. For example, it’s best to state that you will never share usability recordings beyond the immediate project team, and even then all personal data will be anonymous. You should never publicise or market the videos online or elsewhere - remember it’s purely to inform the design of the product/service.
  • If recording a session, you must always ask for permission to do so. If face to face, this is usually a form which participants complete and generally asks for name, address and a signature by way of proof of consent.
  • When offering an incentive to participants in person you must receive confirmation that they have both received and accepted it. This too may require a name, address and signature - so follow the same procedure as gathering recording permissions.

After research

  • Ensure notebooks, transcripts, video/audio recordings etc are kept anonymous by removing all references to participants where possible. If it’s not possible to remove personal data, the file must be password protected and/or encrypted.
  • If participant time plans are printed, we recommend they are shredded immediately after the research session. If downloaded to a laptop, these again should go immediately into your computer’s ‘trash’ and the trash emptied.
  • All research permission slips and incentive confirmations that contain personal data should be kept under lock and key. Ideally your office manager should receive them and be the only person with access to them. It’s also probably best to agree a policy that details how and when they would be destroyed - usually by shredding within five to ten years.
  • Store all video/audio files on a separate drive, not on the researcher’s local machine, in case the machine is lost or stolen. If using a cloud-based service, ensure their policy meets GDPR guidelines. You should also limit who has access to the files.
  • On completion of a project, any/all shared documents should have access permissions revoked, preventing ongoing access to user data (e.g. participant screeners, time plans etc).
  • Any data collected as part of a survey prize draw must be shared only with the research company (or client if surveying internal staff) in order to issue the prize. The prize draw collector survey itself must be deleted from the program used (e.g. Survey Monkey, Smart Survey etc) and the file shared must be password protected and/or encrypted.


OK so there you have it. GDPR isn’t the most sexy or glamorous subject out there, but it is extremely important to be aware of if you wish to stay on the right side of the law.

If nothing else, simply informing participants about what data might be captured during research, what’s going to happen to it and knowing how you’re going to manage it, will leave participants with a better experience overall.

This article was originally published on People for Research's blog. You can see the original article here.
