Under the UK GDPR and the Data Protection Act 2018, data controllers must have a specific legal basis for processing personal data and the personal data must only be used for defined purposes which are notified to staff.
Additionally, some categories of data typically collected as part of a diversity survey (for example racial or ethnic origin, sexual orientation, or religious or philosophical beliefs) are likely to be classified as ‘special category data’ under the GDPR, which requires an additional legal basis.
While UK legislation permits the processing of special category data for the purposes of identifying or keeping under review equality of opportunity or treatment between groups of people to promote and maintain equal opportunities, this is relatively limited in scope. For example, personal data collected on this basis, for this particular purpose, cannot be used for other purposes, such as collecting and reporting diversity statistics for publication to customers, employees and other third parties. Moreover, this legal basis will not cover the range of data collected in many diversity surveys. For example, some employers use broader questions relating to educational background and responsibilities as a parent or carer, to monitor social diversity and mobility and general workforce wellbeing.
Alternatively, employers may seek to rely on employees’ explicit consent to collect and process sensitive personal data (which is required even if the data is subsequently anonymised and presented as aggregate statistics). Employee consent is generally a difficult basis to rely on in an employment context, given the imbalance of power in the employer-employee relationship. Employers seeking to rely on consent therefore need to ensure that participation in the survey is voluntary and that staff may choose not to respond to specific questions in the survey – for example, while they may be happy to disclose their race and ethnicity, they may want to keep their sexual orientation private.
Many staff privacy policies do not cover diversity data (and the appropriate legal basis for collecting it) in sufficient detail and frequently need to be updated. Furthermore, many organisations need to supplement their existing data security and data handling policies.
While collecting diversity data can help organisations implement and monitor policies intended to increase workforce diversity, it comes with specific risks. In respect of employment law risks, diversity data is likely to be protected under the Equality Act 2010 as one of the protected characteristics (such as race and ethnicity, religion, or sexual orientation). Employers that collect diversity data from employees should consider whether obtaining this information increases the risk of discrimination claims being brought against the company.
In respect of data protection risks, most obviously, the more data is collected, the greater the risk of disclosure in a data breach. While technical security measures need to be implemented, the most difficult element in practice is to ensure appropriate staff training to prevent any inadvertent disclosure or use of the personal data for purposes other than those for which it was collected. In particular, rigorous access controls need to be applied, for example limiting access to the raw data to a very small group of appropriately trained HR professionals – while providing aggregate anonymised statistics to management. This is one of the most important steps that can be taken in practice to mitigate both employment law and data protection risks.
Agreements with third parties (for example, electronic survey platforms) will need to be reviewed carefully to ensure that they include sufficient requirements in respect of data security. Additionally, basic data protection obligations such as ensuring the accuracy of personal data and responding to data subject requests need to be managed carefully when dealing with diversity data. It takes a high level of trust for an employee to provide highly personal details to their employer. Therefore, employers need to take additional steps to be as transparent as possible about the purposes of collection, the legal basis, and the security measures.
Huw Beverley-Smith is a partner, Charlotte Marshall an associate, and Elise Lanteri a trainee solicitor at Faegre Drinker.