Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It’s easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Protecting people’s privacy and data

Protect people’s privacy and data during user research. Keep them informed so they understand what they’re agreeing to.

Legal requirements and principles

Keeping people’s data safe and managing it appropriately is an important part of user research. You must be transparent with how you’ll use their data.

It’s important that you:

adhere to the Privacy Act (2020)
consider the 5 principles of the Data Protection and Use Policy (DPUP)
protect people’s data during and after the study
use people’s data ethically and make sure your processes are transparent.

Privacy Act (2020) — Privacy Commissioner

Read the DPUP Principles

Privacy statements

If you’re doing remote testing or surveys, you’ll need a clear privacy statement. This explains to participants:

what the data is for and why you’re asking for it
how you’ll keep their information safe and confidential
what data you do not want them to give. For example, addresses, names or phone numbers
their rights to access their data if they choose to.

Your privacy statement should be written in plain language so your participants understand what you’re asking of them.

Keeping people’s data safe

How we store data during the study and what happens to it afterwards are key parts of the research process. This can be broken into 3 separate processes.

1. Storing data

During the study, data should be stored securely with restricted access. Only people who are running the study should be able to view the data.

This data could include:

Excel spreadsheets with contact details
recorded video (Teams or Zoom calls)
audio recordings of interviews or focus groups
survey data with email addresses and names.

2. Anonymising data

Keep people’s data safe during your study by anonymising participants’ Personal Identifiable Information (PII).

To do this you might:

refer to participants by a number or letter in your file management system
Delete PII in user interview notes or transcripts. Participants may say things about their workplace, where they live or their family during a user interview.

3. Deleting data

Once your study is complete you should delete:

recordings of online interviews or focus groups
email addresses of participants from all data sources (For example, Excel spreadsheets)
email chains or other written communications.

Further guidance to support you:

Informed consent

Getting consent from participants is an important part of user research. They need to know what you’re researching and how their data will be used.

Informed consent means making sure participants clearly understand what they’re agreeing to. Write your consent form in plain English, and be prepared to explain it in conversation before they sign.

Getting informed consent for user research — UK Government

Consent forms

When doing user research interviews, usability tests or focus groups make sure all your participants sign a consent form. Your consent form should be easy to understand so people know what they’re agreeing to.

Consent forms should include:

the purpose of the research
what you’ll use the data for
how you’ll keep their data safe:
- their data will be stored safely
- their personal details will be anonymised (for example, their name replaced by ‘Participant A’)
how long you’ll keep their data for and how you’ll dispose of it
their rights to:
- withdraw at any time
- access their data from the study
getting consent from the participant to:
- record the session with video or audio
- take notes.
a way for the participant to get in touch if they need to — which includes making a complaint. This could be an email address or a phone number.

This template can help you create your own consent form for your user research study:

User research consent form (DOCX 23KB)

Consent forms for people under 18

To work with children under the age of 18 without a parent or guardian, you must complete a Children’s Worker Safety Check.

Children’s Worker Safety Checks — Accident Compensation Corporation (ACC)

When your research includes rangatahi (youth) you should go through another organisation such as a school or a youth support service who have the above checks in place. They can supervise the research as required.

Your consent form will need to include a way for parents or caregivers to give consent for their child to be a part of the user research.

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It’s easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you’re unable to turn on JavaScript — email your feedback to info@digital.govt.nz.

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 26 January 2026