22 September 2021
Law at Work - September 2021 – 2 of 4 Insights
Helen looks at the benefits to employers of unlocking diversity and inclusion data while ensuring they are GDPR-compliant.
ESG reporting drives value: more investment, better staff retention and advantages in the procurement process. This is resulting in a boom in reporting on ESG data which includes information about diversity and inclusion (D&I). Businesses that can provide accurate, timely and understandable information on diversity and inclusion are going to be the clear winners. For example, BT has reported that it will offer automatic renewals to law firms on their panel who have the most diverse working population.
Social mobility is an increasing area of focus. On 9 September 2021, there was a report that KPMG is aiming for 29% of its partners and directors to be appointed from working-class backgrounds by 2030. It marks the first such socio-economic target introduced by a big business in Britain.
Investors are increasingly incorporating assessments of companies’ gender diversity and equality to determine how they might respond to ESG risks and opportunities. Companies are facing external pressures from institutional investors, activist shareholders, and potential employees and customers to increase the representation of women on corporate boards, in C-suite positions, and across executive leadership, as well as equal compensation and mobility for women.
We anticipate regulation in this area will increase. Businesses in all sectors are becoming used to collecting data about gender. In addition, to monitoring data about female progression, data about gender is required to enable every UK business with more than 250 employees to comply with the gender pay reporting requirements. Mandatory reporting on any pay gap due to race and ethnicity is expected to become a legal requirement in the UK soon.
We also expect new regulatory requirements for financial services businesses to report on diversity and inclusion matters as a result of a recent discussion paper published by the three financial services regulators. In July 2021, the FCA, PRA and Bank of England published a discussion paper "Diversity and inclusion in the financial sector- working together to drive change". As suggested by the title the three regulators focus on the need to drive diversity and inclusion in the financial sector. They point to the link between diversity and inclusion and positive outcomes in risk management, conduct, healthy working cultures and innovation.
All these outcomes contribute to the stability of business. The regulators' expectation is that diversity and inclusion will become part of both how they regulate and how the UK Financial Services Sector does business. The regulators are also asking for views on what data businesses should collect and report on to measure progress that the regulators want to see.
For all these reasons having proper systems for reporting on diversity, inclusion and wider ESG issues is essential to unlocking value and driving business growth.
There is no obligation to carry out D&I monitoring in the UK. This means the only option is to ask employees to self-identify and to collect data from them on a voluntary basis. The usual way to obtain this information is as part of the job application process. Employees can be asked to complete an Equality and Diversity monitoring form, often when they join the organisation.
Even when employees provide D&I information on a voluntary basis, employers need to ensure they comply with applicable data protection law. Information about a worker's racial or ethnic origin, physical or mental health, religion or similar beliefs and sexual orientation is sensitive personal data and is treated as special category personal data under the UK GDPR.
This means that processing data relating to these characteristics must satisfy a sensitive data condition: for example, that the collection and processing of the data is necessary for performance of rights and obligations under employment law. However, as there is often no legal requirement for employers to monitor this data (other than data about gender) it can be difficult to fall within one of the required data processing conditions.
The UK's government guidance states that equality monitoring of the protected characteristics of job applicants and workers can be used to: establish whether an employer's equality policy is effective in practice, analyse the effect of other policies and practices on different groups, highlight possible inequalities and investigate their underlying causes, set targets and timetables for reducing disparities and send a clear message to job applicants and workers that equality and diversity issues are taken seriously within the organisation. Any or all these reasons can be used to justify collecting data.
This is backed up by the Data Protection Act 2018 (Schedule 1 Part 2) which provides that processing will meet the substantial public interest condition (9(2)(g) where it is necessary to monitor, review, promote or maintain equal opportunity or treatment. It will also be satisfied where data revealing racial or ethnic origin is used as part of a process to monitor and improve racial and ethnic diversity at senior levels of organisations. There are a number of protections in place to protect the rights of individuals related to processing as required under the UK GDPR.
There are clear business and public policy reasons for collecting data to demonstrate diversity and inclusion within business but there is currently no legal requirement to do so. Without this it may be difficult to process special categories of personal data lawfully.
For now, employers are best advised to keep data anonymous to avoid the data falling into the definition of personal data as far as possible. Having said that, even if data is collected on an anonymous basis it may still be possible for certain employees to be identified from the data. Therefore, advice should be taken to assess whether there is a fair and lawful reason for processing the data. In addition, access to this data should always be restricted, the data should be safely stored, ideally on a pseudonimised basis, and the information should be kept accurate and up to date.
Given this trend for diversity and inclusion reporting it will be interesting to see whether the government introduces legislation that requires businesses to monitor the diversity and inclusion of its workforce. This would certainly help ensure that employers do have a legally fair reason for monitoring the personal data which is vital if ESG goals on diversity and inclusion are to be realised.
by Sean Nesbitt
by Helen Farr
by multiple authors