dwp logo

Ethics – Confidentiality

users in focus groups

How must you treat the information you are given?

You’ve identified your user group, persuaded participants to engage with your project and obtained their consent. Now you must ensure privacy and confidentiality in handling the information you learn about them.

Key Principles

The collection, storage, disclosure and use of research data, which falls within the definition of Personal Data (see Glossary of terms), must comply with the Data Protection Act 1998 and its eight key principles, which are explained below.

Researchers should be aware of the risks of identification and breach of privacy and confidentiality posed by all kinds of information storage and processing, including computer and paper files, e-mail records, photographic material, audio and videotapes and any other information in which an individual is named, or from which an individual could be identified.

Market research in many aspects closely resembles the type of user-centred research that designers are likely to undertake. The Market Research Society’s Code of Conduct (see Key Sources) is perhaps the best source of detailed guidance on all practical aspects. It spells out a researcher’s key obligations:

Principle 1

Personal data shall be processed fairly and lawfully.

This means that you must:

  • Have legitimate grounds for collecting and using it
  • Not use the data in ways that have adverse effects on the individuals concerned
  • Be transparent about how you intend to use the data, and tell them what to expect when you collect personal information
  • Handle people’s personal data only in ways they would reasonably expect
  • Make sure you do not do anything unlawful with the data.
  • Not pass on data to another third party for research or any other purposes without the prior consent of the respondent
  • Keep video/audio recordings in a secure place and not release them for use by third parties without prior consent

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This means that you must:

  • Be clear from the outset about why you are collecting personal data, what you intend to do with it, how you will process it. If someone has given consent for data to be passed on in a form which allows them to be personally identified, you must demonstrate that you have taken all reasonable steps to ensure the data will only be used for the purpose for which it was collected and fully inform them as to what will be revealed, to whom and for what purpose.
  • Keep information obtained about a participant confidential unless otherwise agreed in advance
  • Preserve the subject’s anonymity unless they have given their informed consent for their details to be revealed or for attributable comments to be passed on

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This means that:

  • You do not hold more information than you need for that purpose

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

This means that you must:

  • Take reasonable steps to ensure the accuracy of any personal data you obtain
  • Ensure that the source of any personal data is clear
  • Carefully consider any challenges to the accuracy of information
  • Consider whether it is necessary to update the information

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This means that you must:

  • Review how long you keep personal data
  • Consider why and for how long you should hold it
  • Securely delete information that is no longer needed
  • Update, archive or securely delete information if it goes out of date.

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.

This means that your data subject has the right to:

  • Access a copy of the personal information you hold on them
  • Object to processing that is likely to cause or is causing damage or distress
  • Prevent processing for direct marketing
  • In certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • Claim compensation for damages caused by a breach of the Act

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that you must:

  • Have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures, and reliable, well-trained staff ready to respond to any breach of security swiftly and effectively. Read more on security measures

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.