Data protection guidelines for user research activities

Version 1.0

These guidelines help service teams ensure that all user research activities are GDPR compliant and protect research participants’ data and confidentiality.

User research activities include: 

  • Setting up user research 
  • Doing user research with participants
  • Note-taking
  • Storing user research data from participants (including video recordings, and consent)
  • Recruiting participants and creating research participant panels

First and foremost, the data collected from participants during user research must be handled in a GDPR-compliant way, and respected and protected by the full service team. Participants should never be re-identifiable from notes, synthesis reports or playback sessions.

The whole service team should be working in accordance with GDPR rules. However, the responsibility for implementing GDPR compliance of user research data usually sits with the user researchers in the team.

Setting up user research with participants

All participants should be referred to by an alias (eg. Participant 1, Participant 2). Only the user researchers will know the name of each participant and the corresponding alias. Names of participants should only be used when user researchers are communicating directly with the participants.

Getting participant consent

Researchers must get consent from participants to record the audio and video of the research sessions. Start the recording only if participants agree.

There are typically two ways to get consent for recordings:

  1. Participants sign and return a consent form before the session. Consent forms can be physically shown and signed at the beginning of an in-person session, or sent and returned via email ahead of the session. 
  2. User researchers get the participant to record their consent during the research session. Typically this involves:
    • asking for the participant’s consent to record
    • verbally getting agreement from the participant
    • starting the recording
    • re-asking for their consent once the recording has started

Doing user research

Recording user research 

Recordings that are shown to the team or stakeholders (eg. during playback) should not show participant names. 


Notes should never refer to participants by name, only by alias (eg. Participant 1) as specified by the user researchers. 

  • Note-takers will be asked not to use names in their notes
  • User researchers will confirm that no names are in the notes when cleaning up the notes from the sessions

Notes taken by multiple note-takers should be consolidated into a central note-taking space as specified by the user researchers (eg. Word, spreadsheets, Mural or Trello). Once consolidated, any notes taken elsewhere (eg. in notepads, notebooks) must be destroyed.

Storing user research data
(incl. notes, recordings, consent forms)

Only the user researchers should have access to the full participant data, including user research session notes, session recordings, consent forms, participant contact data and participant lists/panels. The wider service team should not have access to the data, to minimise the risk of the data being misused.

User researchers should have access to a secure physical and digital location to store data that only they are able to access: 

  • Physical location: A locked cabinet in the office space, to which the user researchers hold the key
  • Digital location: A user research data folder with access restricted to the user researchers

Notes will be held for a maximum of 2 years before being deleted, or deleted as soon as they are no longer needed for your project.

Participants always have the option to request the deletion of notes, recordings and contact details relating to themselves. 

  • Participants should have the contact details of the user researchers, to request the deletion of their data at any point. 
  • If there is a request to delete data, the user researchers must respect the request and delete the specified data immediately.

Logging participant information

It is very useful to keep a log consolidating information about each research round, session and type of participant involved in the research. Research logs hold cohort-type information about participants (eg. nationality, language spoken, age, residential state, gender), but should not contain any personally identifying information like name or contact details.

Recruiting participants and creating research panels

A research panel is a list of potential participants. A panel helps researchers to have easy access to participants without starting engagement from scratch for every round of research. 

Setting up a panel involves asking potential participants to express their interest in participating in future rounds of research. To do this, participants can fill out a short survey giving their contact and some demographic information (eg. contact details, age, education/work status, residential location, special needs etc) so that the user researchers know when to select these panellists for research sessions that are best suited to their circumstances.

This survey information should be collated and only accessible by the user researchers.

Data collected as part of research panels must be easy to update and must be updated frequently. If participants want to be removed from the panel, the user researchers must be able to locate the participant’s information immediately so that it can be deleted.
