For employers, adopting a Diversity and Inclusion (D&I) policy can prove to be imperative in driving initiatives to promote an inclusive workplace. Employers increasingly collect D&I data to support and inform this invaluable work, and its collection and use must be handled with care to ensure compliance with the UK GDPR and the Data Protection Act 2018 (Data Protection Law).
Here are some of our best practices to consider if your organisation collects, or intends to collect, D&I data:
1. Conduct a Data Protection Impact Assessment (DPIA)
Before initiating the collection of any D&I data, consider conducting a DPIA. Article 35 of the UK GDPR states organisations must conduct a DPIA where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
A DPIA helps to identify and mitigate any potential risks from the outset. For example, a DPIA can set the tone in relation to establishing data security matters such as strict access and technical controls to ensure only authorised personnel can access the personal data sets. Where third-party service providers are used, contractual controls must be established to keep personal data safe.
DPIAs help to demonstrate accountability and compliance with the data protection principles, and by ensuring use of D&I data follows a ‘privacy by design’ approach, organisations can maintain employee trust when handling their sensitive D&I information.
2. Identify a clearly defined purpose and lawful basis
Before collecting D&I data, organisations must establish a clear purpose and lawful basis for its use. Whether the use of this information is intended to develop a diversity initiative or to meet a legal requirement, documenting the defined purpose for collection and the corresponding lawful basis under Data Protection Law helps to ensure the use of D&I data is lawful and limited to only what is necessary.
D&I data often contains special category personal data related to race, ethnicity, gender, sexual orientation, or information relating to disabilities. This data is considered more sensitive and organisations are required to identify a second lawful basis for processing this type of information. The lawful bases relied upon will depend on the context of processing, which might be to comply with an employer’s legal obligations, for equality of opportunity and treatment of employees, or, in some cases, consent. If relying on legal obligation, be sure to document what that legal obligation derives from (e.g. which piece of legislation) and be transparent about it in your privacy notices and record of processing activities (ROPA).
3. Consider reliance upon consent
Consent (or explicit consent for special category data) can be problematic in an employment context, as there will generally be an imbalance of power in an employer-employee relationship. If employees felt they had no choice but to agree to provide D&I data, for fear of jeopardising their career, consent would not be freely given and wouldn’t meet the consent requirements of Data Protection Law.
Employers seeking to rely on consent, or explicit consent, to collect D&I data must therefore emphasise that disclosure is voluntary and that there will be no adverse effects on an employee if they do not consent. If carrying out an employee D&I survey, it is good practice for each question to have a ‘prefer not to say’ option to allow participants to keep some characteristics private if they choose. Think about the content and tone of your communications to staff around collection of this information and ensure there is no pressure to provide the information if consent is being relied upon.
4. Only collect what is necessary
In line with the data minimisation principle, organisations must identify the minimum amount of personal data necessary to fulfil the purpose for collection and processing. Ensuring a clearly defined purpose will help your organisation to limit its data collection to what is necessary.
Requesting excessive or irrelevant information from employees is not only a contravention of this principle but can also undermine employee trust as well as increase risk in the event of a personal data breach.
5. Be transparent
Organisations must inform employees about why and how their D&I data will be used. Ensure a clear, accessible employee privacy notice is in place and provide employees with a copy at the time of collecting their information.
The privacy notice must be kept up to date and set out in a way that is easy for people to understand.
6. Anonymised reporting
Where possible, D&I data should be anonymised to protect employee identities. This can be particularly challenging when reporting on small data pools. Where anonymisation can’t be achieved, it is less risky to report using only larger samples of data, to mitigate the risk of identifying individuals.
It is recommended that employers aggregate their results prior to publishing reports to avoid sharing information that could lead to the identification of specific employees.
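As an added illustration of the aggregation and minimum-sample approach described above (example code written for this page, not from the original article or Thorntons): a small Python routine that counts responses per category, rolls any category with fewer than a chosen number of respondents into a single suppressed bucket, and withholds a reporting group entirely when the group itself is too small. The survey rows and the threshold of 5 are constructed assumptions.

```python
from collections import Counter

MIN_CELL = 5  # assumed minimum respondents per published figure


def make_rows(dept, answers):
    """Build constructed survey rows; None records a 'prefer not to say' answer."""
    return [{"dept": dept, "ethnicity": a} for a in answers]


# Constructed sample data (not real survey results).
SURVEY = (
    make_rows("Operations", ["White"] * 9 + ["Asian"] * 6 + ["Black"] * 2 + [None])
    + make_rows("Legal", ["White"] * 3 + ["Asian"])
)


def suppress_small_cells(counts, min_cell=MIN_CELL):
    """Merge every category with fewer than min_cell respondents into one
    'suppressed' bucket. If exactly one category would be suppressed, the
    next-smallest is merged as well: otherwise its value could be recovered
    by subtracting the published cells from the group total."""
    small = {k for k, v in counts.items() if v < min_cell}
    if len(small) == 1 and len(counts) > 1:
        remaining = [k for k in counts if k not in small]
        small.add(min(remaining, key=lambda k: counts[k]))
    out = {k: v for k, v in counts.items() if k not in small}
    if small:
        out["suppressed"] = sum(counts[k] for k in small)
    return out


def aggregate(rows, attribute, group_by=None, min_cell=MIN_CELL):
    """Aggregate one attribute, optionally broken down by group_by.
    A group with fewer than min_cell respondents is returned as None,
    i.e. not reported at all, since even its totals would single people out."""
    groups = {}
    for row in rows:
        key = row.get(group_by, "all") if group_by else "all"
        answer = row[attribute] or "prefer not to say"
        groups.setdefault(key, Counter())[answer] += 1
    report = {}
    for key, counts in groups.items():
        if sum(counts.values()) < min_cell:
            report[key] = None
        else:
            report[key] = suppress_small_cells(counts, min_cell)
    return report
```

Running `aggregate(SURVEY, "ethnicity", "dept")` reports Operations as White 9, Asian 6, suppressed 3 and withholds Legal, which has only four respondents.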
The insights gained from D&I data can drive meaningful, positive changes within an organisation. D&I monitoring enables the development and implementation of invaluable initiatives that promote diversity, equality and inclusion, and allows for the regular measuring and reporting on progress.
Collecting and using D&I data in a way that is ethical and lawful will not only ensure that employees’ data protection rights are respected, but it will also build trust and enhance the credibility and success of the D&I initiative.
Thorntons’ data protection team support several organisations in meeting their obligations under Data Protection Law and are on hand to provide tailored advice if your organisation requires support with the lawful collection of D&I data. Please call us on 03330 430 350.