User research privacy notice
Updated 10 January 2022
The Government Digital Service (GDS) and Central Digital and Data Office (CDDO) carry out research to test and improve services, both internally and for other government departments.
GDS and CDDO are part of the Cabinet Office. The data controller for GDS and CDDO is the Cabinet Office. A data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.
We also do user research on behalf of other government departments. In these situations we will either be a joint controller with the other government department or data processor acting on behalf of the other government department. Where this is the case you’ll be notified in the information sheet for specific projects.
This privacy notice gives you general information on how we handle research data at GDS and CDDO. For more details about a specific piece of research, you can refer to the information sheet provided when you’re invited to take part in that project. This should also include contact details for the researcher and their team in case you have any further questions.
Why we need your data
We need information about you when inviting you to take part in research to ensure that:
- you meet the criteria for this piece of research
- we are including a wide range of people
We need to collect data during the research session to ensure that we have an accurate record of what happened and what was said. This is important, because we then analyse this information and use it to draw conclusions about what we should do next.
Our legal basis for using your data
We use your data because you have consented for us to do so for this particular piece of research.
What data we collect from you
When inviting you to take part
The personal data we collect from you at this stage could include information about your:
- name
- age
- gender
- ethnicity
- disabilities, such as details of any condition that can affect your ability to use a computer
- job title
- email address
- phone number
We may collect additional information, based on the specific topic being researched. For example, if we’re conducting research on a specific government service, we might want to know whether you’ve used this service in the past.
We sometimes work with other organisations to carry out research. This can include companies that help us recruit people to take part in research. If we do this, these companies may also collect additional data for which they are the data controller, and their privacy policy will also apply.
During the research session
In most cases, we’ll collect personal data during the research session. This could be in the form of:
- audio recordings
- video recordings
- screen recordings
- written notes
- photos
What we do with your data
Collecting and analysing
We sometimes use external organisations to book a venue for the research outside of our offices, and external tools to conduct remote research sessions. This means that a limited number of staff in other organisations may have access to your data - for example, when we use the recording equipment at an external venue.
We may also use the following third party tools and services to collect, transcribe or analyse your data:
- survey tools
- online collaboration tools, including video conference and virtual whiteboard tools
- transcription services, including automatic transcription and analysis tools
- consent management tools
If we do any of the above, we will monitor and limit the access that people outside GDS and CDDO have to your data. The privacy policies of these external organisations will also apply.
Reporting the results
When using your responses in reports or presentations, or sharing with other government departments, we will make sure you cannot be identified from your data. Each person taking part in a piece of research will be assigned a number, and any names or other personal and identifiable data will be removed.
Only researchers working at GDS and CDDO will have access to the full original recordings though we may share short audio or video clips with other colleagues within GDS and CDDO and other government departments if we have your express permission to do so. The only exception to this is during the transcription and analytics phase (described above) when transcription and analytics services may be used.
If we do any of the above, we will monitor and limit the access that people outside GDS and CDDO have to your data. The privacy policies of these external organisations will also apply.
Legal obligations
We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime. We will also share your data in the event of a serious safeguarding concern - for example, if we are concerned about the welfare of a child or vulnerable adult.
We will not:
- sell or rent any of your data to third parties
- share your data with third parties for marketing purposes
Where your data is processed and stored
Your personal data will be stored on our IT systems, which are provided by third party email, document management and storage service providers.
Your personal data may be transferred outside the United Kingdom while being processed by GDS and CDDO. If this happens, it will be subject to equivalent legal protection through the use of adequacy decisions. If no relevant adequacy decision exists, standard contractual clauses will be used instead.
How long we keep your data
The data collected when we invite you to take part will be held for a maximum of 6 months. After this point, we will delete this but will keep a record of consent, your name, and the data gathered during the research session.
We will hold the data from research sessions, your name, and a record of consent for a maximum of 3 years. After this point, we will delete all personal data relating to you, but we might retain reports that contain your anonymised quotes.
How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you. For example, we protect your data using varying levels of encryption. All third parties that process personal data for GDS and CDDO are also required to keep that data secure.
Your rights
You have the right to withdraw consent to the processing of your personal data - for example original recordings and notes where you can be identified. If a report with anonymised quotes has been published (internally or externally) we will not be able to remove this as it does not constitute personal data.
You also have the right to request:
- information about how your personal data is processed
- a copy of that personal data
- that this copy be provided in a structured, commonly used and machine-readable format
- that anything inaccurate in your personal data is corrected without delay
- that your personal data is erased if there is no longer a justification for holding it
- that the processing of your personal data is restricted in certain circumstances (for example, where accuracy is contested)
If you have any of these requests, please contact us using the details in the information sheet provided to you, or the contact details listed below.
Questions and complaints
If you have questions about research that you’ve been invited to participate in, you can contact the researcher named on the information sheet provided to you.
Contact the GDS Privacy Team if you:
- have any questions about anything in this document
- think that your personal data has been misused or mishandled
- want to make a subject access request (SARS)
Email: [email protected]
The data controller for your personal data is the Cabinet Office. The contact details for our Data Protection Officer are:
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.
You can also complain to the Information Commissioner, who is an independent regulator.
Information Commissioner's Office
Email [email protected]
Contact form https://ico.org.uk/glo...
Telephone 0303 123 1113
Textphone 01625 545 860
Changes to this privacy notice
We may change this privacy notice. When we make changes, the ‘last updated’ date at the top of the page will also change.
Any changes to this notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.