We invited Konrad Black, freelance Principal Experience Consultant (previously at Edo), to take control over the People for Research blog for a day and share some insights on how to protect user data at all stages of user research in accordance to the General Data Protection Regulation (GDPR).
If you are up to speed with General Data Protection Regulation, great. If not, I suggest you start by reading the ICO’s GDPR compliance guidelines and exemplary blog explaining the new rules by People for Research.
Ok, so now you’re a GDPR guru, but have you considered any research data you collect may also be covered by GDPR too!? If so, what are you doing about it? Do your participants know what data is being collected on them and what’s going to happen to it?
In this blog we’ll unpack our own compliance journey with regard to research audience data, and hopefully suggest a few things to help you along your own journey.
What do we mean by research audiences? Who are they?
Basically anyone. They could be external audiences, found either by yourself, by a specialist third-party recruitment consultancy (e.g. People for Research) or by the client you’re working with/for. They could be remote – people you’ve never met or will ever meet. They could even be internal members of staff you’re interviewing or conducting ethnographic studies with.
Don’t just assume that because an internal member of staff is participating in research or that because the data you’ve got comes from raw analytics the data is somehow less important or not applicable under the GDPR regulations. In all respects, you’ll need explicit permission to collect and store data on your user research participants.
What user data might be captured during research?
GDPR protects all personally identifiable data that can be linked to a living individual. Here are some basic examples of personally identifiable data which you may capture during primary user research:
1. Full name
2. Picture
3. Postal address
4. Phone number
5. Email address
6. IP address
7. Personal situation / background
8. Signature
9. Etc.
It’s also worth noting you may end up capturing what’s likely to be personally identifiable information and sensitive user data in your research notes, for example if you’re conducting research relating to a medical or health diagnosis. It may be that there’s not one specific piece of data that identifies someone, but piecing the data together could formally identify someone.
How might this personal data be stored or shared?
Examples of user data capture may include online forms, audio/visual recordings, etc., or offline via paper forms, various forms of paper communications (e.g. letters), analytics, social media activity/profiles, etc.
Storage of this data could be just as varied, including cloud storage of audio/video recordings or transcripts, notes taken during a research session written in a notebook, spreadsheets, etc.
Some of this user data may also need to be shared between multiple parties. For example, when conducting face-to-face research it’s usually very helpful for the recruiter and practitioner to share a time plan for when participants should arrive on the day. There’s usually background information on each participant as well as their contact details.
Before research
+ It’s best to ensure the privacy policies and terms of service between all partners who may need to access this data are up to date and relevant. Policies should clearly state what data might be collected, the intended purpose of use, whether or not user data may be stored and if so for how long. It’s also necessary to provide a clear and easy way for participants to get in touch and request to see their data or have their data removed.
+ All participant screeners and research time plans must be owned by whom ever is completing recruiting. Documents to be shared via Google Docs only with researcher as ‘view only’. All document access rights to be revoked once project ceases. Never use email to share the details of participants openly.
+ Only anonymised participant details to be shared with wider project team and/or client.
+ Never share any participant details with clients. During screening advise clients over the suitability of each participant, including some background details, but ensure none of it is personally identifiable.
+ It can be very handy to print/download a copy of the research time plan and audience background document if you aren’t sure you can view it online. We’d suggest to only print immediately before the session(s) and keep it on your person at all times.
During research
+ All research notes captured during activities such as interviews, ethnographic research, usability testing, etc. are to be kept as anonymous as possible – consider using acronyms or pseudonyms.
+ If recording a research session (video/audio) attempt to omit or edit out any personal data, unless it’s critical to the research. As a rule of thumb, we start recording once the user has formally introduced themselves.
+ Try not to capture any real personal data, unless it’s critical to the nature of the research. For example, when testing the usability of an input form, we may ask users to input a fake/dummy name or an email address other than their own, but one which is still valid (so still testing validation/error states).
+ When conducting online surveys anonymise user data collection by not capturing IP, GeoLocation and switching off audience profiling analytics. Never ask participants for their name, gender etc. If offering a prize draw as incentive for participating, create a second survey to act as a collector for the name and email address of those who opt in. The two surveys must be kept independent of one another so prize draw participants cannot be linked back to their entry in the main survey.
+ For all research, whether face-to-face or online/remote, always inform participants of your privacy policies or where they can access them. Also, clarify with participants which details may need to be captured and what you’ll do and not do with them. For example, it’s best to state that you will never share usability recordings beyond the immediate project team and only then all personal data will be anonymous. You should never publicise or market the research videos online or elsewhere – remember it’s purely to inform the design of the product/service.
+ If recording a session, you must always ask for permission to do so. If face-to-face, this is usually a form which participants complete and generally asks for name, address and a signature by way of proof of consent.
+ When offering an incentive to participants in person you must receive confirmation that they have both received and accepted it. This too may require a name, address and signature – so follow the same procedure as the one used to gather recording permissions.
After research
+ Ensure notebooks, transcripts, video/audio recordings, etc. are kept anonymous by removing all references to participants where possible. If it’s not possible to remove personal data, it must be password protected and/or encrypted, or kept in a safe place.
+ If participant time plans are printed, we recommend they are shredded immediately after the research session. If downloaded to a laptop, these again should go immediately into your computer’s ‘trash’ and the trash emptied.
+ All research permission slips and incentive confirmations that contain personal data, should be kept under lock and key. Ideally someone outside the research team, such as the office manager, should receive them and be the only person with access to them. It’s also probably best to agree a policy that details how and when they would be destroyed – usually by shredding within a previously agreed period of time.
+ Store all video/audio files on a separate drive, not on the researcher’s local machine in case the machine is lost or stolen. If using a cloud-based service, ensure their policy meets GDPR guidelines. You should also limit who has access to the files.
+ On completion of a project, any / all shared documents should have access permissions revoked, preventing ongoing access to user data (e.g. participant screeners, time plans etc.)
+ Any data collected as part of a survey prize draw must be shared only with the research company (or client if surveying internal staff) in order to issue the prize. The prize draw collector survey itself must be deleted from the program used (e.g. Survey Monkey, Smart Survey etc.) and the file shared must be password protected and/or encrypted.
Summary
Ok, so there you have it. GDPR isn’t the most sexy or glamorous subject out there, but it is extremely important to be aware of if you wish to stay on the right side of the law.
If nothing else, simply informing participants about what data might be captured during research, what’s going to happen to it and knowing how you’re going to manage it, will leave participants with a better experience overall.
If you would like to find out more about our in-house participant recruitment service for user testing or market research get in touch on 0117 921 0008 or info@peopleforresearch.co.uk.
At People for Research, we recruit participants for UX and usability testing and market research. We work with award winning UX agencies across the UK and partner up with a number of end clients who are leading the way with in-house user experience and insight.
