Diversity and inclusion data: unlocking the power to widen opportunities for all

September 1st, 2021 Posted in Compliance, Data Protection

The case for supporting a diverse and inclusive workplace is highly compelling. From a moral sense, fostering diversity and equal opportunities is simply the right thing to do. Every single individual should feel equal, able to participate and achieve their potential at work. Moreover, from a productivity standpoint, it’s been shown time and time again that diverse companies outperform their competitors.  

Creating a truly diverse workplace – and overhauling internal biases and barriers that might have led to a so-far uniform culture – takes work, time and data. After all, how can you learn about how your employees feel, or what the current state of play in your organisation is, without thorough analysis? 

Of course, with data – particularly data of a sensitive nature – comes concerns about regulatory compliance. Ensuring individuals’ data protection rights are adhered to is of the utmost importance. In this diversity and inclusion data blog, we dive into everything you need to know about collecting employee data for your diversity and inclusion strategy.  

Read or download a free copy of our extensive Guide To Demonstrating GDPR Accountability here to learn more from our Data Protection SMEs.

Diversity and inclusion data is special category data

Data about a person’s disabilities, ethnicity, religion or sexual orientation all fall into the class of special category data under the United Kingdom’s General Data Protection Regulation (“UK GDPR”). Special category personal data must be handled very carefully, and in order to lawfully process it, you must identify a lawful basis under Article 6 of the UK GDPR, as well as a separate condition for processing under Article 9 of the UK GDPR, which will fall under one of the below:  

a. Explicit consent
b. Employment, social security and social protection (if authorised by law)
c. Vital interests
d. Not-for-profit bodies
e. Made public by the data subject
f. Legal claims or judicial acts
g. Reasons of substantial public interest (with a basis in law)
h. Health or social care (with a basis in law)
i. Public health (with a basis in law)
j. Archiving, research and statistics (with a basis in law)

It may also be necessary to comply with specific sections of the Data Protection Act 2018 (“DPA 2018”) in certain circumstances when relying on the above conditions – for example, where you are relying on the substantial public interest condition, or your processing is in the context of employment. To learn whether you need an appropriate policy document and what to include, read our latest blog “What is an APD and when is it needed?”.

Why are the rules more stringent around special category data?

Your employees will expect you to process this data with extra care and sensitivity – as it’s highly personal information. If it were to be mishandled or leaked, this could cause great distress to your employees, who could potentially have the right to take legal action against you.  

Furthermore, the UK’s data protection authority, the Information Commissioner’s Office (ICO), is likely to take firmer enforcement action in instances where special category data has not been processed in a compliant manner. Under the UK’s Data Protection Act and GDPR, the ICO can hand out fines of up to 4% of an organisation’s annual turnover for non-compliance.

While this might appear slightly scaremongering, we are not trying to discourage you from collecting this type of data. We’re simply underlining the importance of doing so compliantly and lawfully – to ensure that your D&I efforts are truly ethical and fair.   

Consider an anonymised strategy

Under UK employment law, there are no limitations regarding carrying out diversity monitoring. However, as noted above, data protection law does put restrictions in place to safeguard rights and personal data.  

For this reason, for many organisations, the best way to carry out diversity monitoring is to do so anonymously, using surveys, where it is impossible to identify employees from the data shared. If you conduct a survey anonymously, then the UK GDPR does not apply.  

It’s worth mentioning that the survey needs to be truly anonymous to fall outside of UK GDPR. For small companies, in particular, special care will need to be taken to ensure survey participants cannot be identified. For example, if there is only one woman in a company, and the survey asks employees to disclose their genders, then the survey will not be truly anonymous.   

To help organisations understand anonymisation, the ICO is working on new anonymisation, pseudonymisation and privacy-enhancing technologies guidance. This is expected to be published in Autumn 2021.  
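As an added illustration of the small-cell problem described above (example code written for this post, not Evalian’s or the ICO’s; the survey responses, field names and the k threshold are constructed), the check below flags any combination of answers shared by fewer than k respondents and folds such answers into a suppressed bucket before a breakdown is reported:

```python
from collections import Counter
from itertools import combinations

# Constructed sample of "anonymous" survey responses from a small company (not real data).
# There is only one woman, which is exactly the case the post warns about.
RESPONSES = [
    {"gender": "Woman", "team": "Engineering", "ethnicity": "Black"},
    {"gender": "Man", "team": "Engineering", "ethnicity": "White"},
    {"gender": "Man", "team": "Engineering", "ethnicity": "White"},
    {"gender": "Man", "team": "Sales", "ethnicity": "Asian"},
    {"gender": "Man", "team": "Sales", "ethnicity": "White"},
    {"gender": "Man", "team": "Sales", "ethnicity": "White"},
]


def small_cells(responses, fields, k):
    """Return every combination of the given fields, and the answer tuples within it,
    that fewer than k respondents share. A cell below k can single out a colleague
    once it is combined with what people in the office already know."""
    found = {}
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            counts = Counter(tuple(r[f] for f in combo) for r in responses)
            small = sorted(v for v, n in counts.items() if n < k)
            if small:
                found[combo] = small
    return found


def safe_breakdown(responses, field, k):
    """Count answers for one field, folding every value held by fewer than k
    respondents into a single 'Suppressed' bucket. If that bucket itself stays
    below k, the next smallest category is merged in as well, so that nothing
    published reveals a group smaller than k."""
    counts = Counter(r[field] for r in responses)
    out = {}
    for value, n in counts.items():
        if n < k:
            out["Suppressed"] = out.get("Suppressed", 0) + n
        else:
            out[value] = n
    while 0 < out.get("Suppressed", 0) < k and len(out) > 1:
        smallest = min((v for v in out if v != "Suppressed"), key=out.get)
        out["Suppressed"] += out.pop(smallest)
    return out
```

With k=3 the gender breakdown collapses entirely into the suppressed bucket, which is the correct outcome for a company with a single woman: that breakdown cannot be published anonymously.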

Client Spotlight: Flair – promoting racial inclusivity and awareness

One of Evalian’s clients, Flair, is leading the way in harnessing D&I data to help organisations measure and build anti-racist cultures: 

“Flair is a black-owned people analytics company. Using Flair’s anonymous survey, dashboard and recommendations, our clients are able to gather the correct data on how anti-racist their culture is. This then guides informed decisions to counter racial biases within organisations. 

Our dashboard allows clients to track progress across the 4 key components of an anti-racist culture: racial awareness, racial diversity, racist behaviour & racial inclusion barriers. Results are benchmarked against industry norms and previous performance. 

We then provide guidance to help organisations interpret and present results, along with high-impact, practical recommendations to drive change. 

Evalian is our first point of contact for any questions we or our clients have regarding data protection and information security. Ray has been exceptionally helpful as our DPO. We like to get him involved early in the sales process to help alleviate any client concerns around data protection. He is always quick to respond to our queries and definitely has our best interest at heart.” – Nii Cleland, CEO and Co-founder at Flair 

How your company can process D&I data lawfully

Before embarking on your diversity and inclusion data strategy, you first need to establish clear purpose(s) for processing special category data. You should then match your purpose(s) to the most relevant condition within Article 9 of the UK GDPR (and Article 6 as mentioned above).

Because special category data is sensitive, each condition has detailed criteria, and you will need to implement certain safeguards and accountability measures to qualify. Moreover, for some of the conditions, you need to record why you did not offer data subjects a choice and obtain their explicit consent for the processing. This is because, with special category data, there can be a greater emphasis on gaining individual consent. However, for diversity and inclusion programmes, seeking individual consent may not always be the right approach to achieve the most beneficial outcomes.

Explicit consent requires a higher threshold of consent such as, for instance, an individual’s signature. Consent can be withdrawn at any time and must be freely given to be valid. While this may be achievable in smaller organisations, in larger companies, obtaining consent from thousands of employees – which can be withdrawn at any time – may present operational challenges. 

As an alternative to explicit consent, you will likely want to consider Article 9(g), which permits the processing of special category data where it is necessary for reasons of substantial public interest, on the basis of domestic law. The domestic law to consider here is the DPA 2018, Schedule 1, Part 2 which sets out the permitted ‘substantial public interest conditions’. Within this part, paragraph 8 covers equality of opportunity and paragraph 9 covers racial and ethnic diversity at senior levels of organisations.  

When identifying an appropriate condition, you must make sure that processing special category data is absolutely necessary for the purpose of your activity. If your justification cannot be covered by any of the conditions, and you are unable to gain explicit consent, then you cannot process special category data – no matter how valid your reason for processing may be.  

It’s worth reiterating, here, that the conditions in Article 9 of the UK GDPR do not supersede the need to have a lawful basis for processing as outlined in Article 6. These two rules work in tandem, meaning you must identify a lawful basis under Article 6 and a condition for processing under Article 9.  

Diversity is not only a GDPR matter: when you are working hard to attract more diverse applicants and accelerate the pace of change in your organisation, it’s important to stay on the right side of employment law too. LegalEdge has put together nine practical tips to help increase diversity in the right way. LegalEdge regularly helps clients draft and review their equality and diversity policies as well as review their recruitment procedures.

Remember to perform a DPIA

We strongly recommend undertaking a data protection impact assessment (“DPIA”) before processing special category data. In particular, the ICO stipulates that you must carry out a DPIA if you plan to process special category data: 

  • on a large scale 
  • to govern who has access to a product, service or benefit 
  • that includes genetic or biometric data  

Prioritise data protection

As well as ensuring that your processing is lawful, fair and transparent, there are other considerations to bear in mind under the UK GDPR, which we’ve detailed in the below checklist. All of these items work to ensure that you process special category data as securely and ethically as possible:  

  • Data minimisation: You must collect and store only the minimum amount of special category data that is necessary for the intended purpose. As mentioned above, you must have a justification and lawful basis for processing.  
  • Security measures: Depending on the sensitivity of the data collected, you will need to establish security measures to ensure it is only accessible on a need-to-know basis and protected from theft.  
  • Transparency: You must inform the individuals whose data you are processing of your activities in a clear and specific way, including your lawful bases for processing. Where relevant, you must also update your privacy notice to include information about the categories of data collected. 
  • Documentation: When processing special category data, it is imperative you keep records, including documenting the categories of data you collect. Under the DPA 2018, you may also need to create an ‘appropriate policy document’ if you rely on the substantial public interest conditions listed at Schedule 1, Part 2. Within this, you will need to include your UK GDPR Article 9 conditions for processing, how you meet the lawful basis for processing, and specific details on your retention and deletion policies.  
  • Data Protection Officer (“DPO”): If you process large amounts of special category data, you will need to appoint a DPO to meet UK GDPR compliance.   

Ultimately, data protection should not be seen as a barrier to diversity and inclusion data monitoring, but as a way to enhance fairness and equality. Data protection legislation and guidance, after all, is there to protect individuals, and provide a framework for using special category data in a lawful, safe way.  

Need Help?

If you need help with incorporating data protection into your diversity and inclusion strategy, then we can help. Please get in touch if you’d like to discuss your diversity and inclusion programme or require any assistance.

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.