Danger: diversity monitoring and data protection
Posted by Allison Wooddisse, head of practice compliance at Legal Futures Associate LexisNexis
Diversity monitoring: do you know your Data Protection Act?
It’s the hottest summer since the end of the Ice Age and the cold dark misery of winter seems a long way off. Try, if you can, to cast your mind forward to January 2014. A depressing month at any time, we can rely on the Solicitors Regulation Authority (SRA) to make January just that little bit less endurable – last January it was the COLP and COFA regime, next year it’s diversity monitoring.
That’s right; the new deadline for reporting your workforce diversity data is 31 January 2014.
To be fair to the SRA, you can report your diversity data now, so why not make a pre-New Year resolution and get on with the job sooner rather than later? If it turns out to be easier than you expected, it’s off your desk; if it turns out to be harder, the more time you have the better.
Below I explain how to comply with the new diversity monitoring requirements whilst navigating some tricksy data protection issues.
The data protection minefield
The SRA has published a template diversity questionnaire which lists the categories of data you’re expected to collect and report.
Hurrah, you think, the SRA’s doing something helpful for me! Well, yes and no. Setting the categories of data is the easy part. Dealing with data protection is the hard bit and the SRA neatly sidesteps all things Data Protection Act 1998 (DPA). The SRA’s template questionnaire starts like this: “Firms to add their own background information and guidance and data protection warnings here.”
Here’s what you actually need to know. The information you’re expected to collect from your workforce falls within the scope of ‘sensitive personal data’ for the DPA – meaning that to collect, aggregate or publish it (all are types of ‘processing’), you need to satisfy one of the conditions in schedule 3 of the Act. The safest bet is to get explicit consent from individual staff members.
According to the Information Commissioner, explicit consent should be absolutely clear and should cover:
- The specific processing details;
- The type of information (or even the specific information);
- The purposes of the processing; and
- Any special aspects that may affect the individual, such as any disclosures that may be made.
You cannot assume an individual who is willing to complete a diversity questionnaire explicitly consents to you storing, analysing, reporting and publishing their data. You must give clear information on the questionnaire about how you will use the data and how long you will store it.
Explicit consent does not necessarily have to be written consent, but it must clearly be distinguishable from normal consent. Signed or written consent is obviously safer than electronic consent or consent obtained by using wording such as “by completing this survey you consent to the processing of data”.
But there’s more to the DPA than consent. Other requirements include:
- You must comply with eight data protection principles (this includes processing data fairly and lawfully);
- Individuals have a right to know what information is held about them;
- You must explain what the data will be used for; and
- You must explain who will have access to it.
Can you fall outside the scope of the DPA by collecting, reporting or publishing data in an anonymised form?
The DPA doesn’t apply if you process diversity data in a way that can’t be used to identify a living person, ie if the data is anonymised.
Alas, having decided to lob the data protection grenade in your direction, the SRA primes it for detonation by creating a questionnaire that makes it virtually impossible to anonymise your results. This is because the SRA expects you to collect the data against 12 different role categories:
- Chartered legal executive/legal executive;
- Costs Lawyer;
- IT/HR/other corporate services role;
- Licensed conveyancer;
- Managerial role;
- Other fee-earning role;
- Patent or trade mark attorney;
- Role directly supporting a fee-earner;
- Solicitor (sole practitioner, partner, member, director); and
Regardless of your firm’s size, you’ll find it hard to process diversity data in an anonymised form. Smaller firms have a limited pool of workers from whom they can collect data and there is a very high risk that individuals will be identifiable from their responses to the diversity questionnaire. Even the largest firms may only have one or two individuals in less common role categories, eg notary or trade mark attorney; if so, those individuals will be readily identified.
It’s difficult to see how using an online survey provider can avoid these problems – the survey provider may be able to collect diversity data for you but you’ll need access to the data for the purpose of reporting and publishing, meaning that you’ll still be processing sensitive personal data.
The three stages
So, now you know where you stand on data protection – on quicksand – let’s look at the three stages of diversity monitoring:
- Collecting diversity data
- Aggregating and reporting the data to the SRA
- Publishing the data
Stage 1: Collecting diversity data
You’re under a regulatory obligation to participate in the diversity data exercise; your staff aren’t and you can’t collect any data without their participation.
In your enthusiasm for promoting staff participation, don’t forget data protection; you can’t assume that by completing a diversity questionnaire your staff also agree to you storing, analysing, reporting and publishing their responses. So, to avoid falling into the first data protection trap, make your staff aware that:
- The data will be aggregated and reported to the SRA;
- The SRA will collate and publish the data from all firms within England and Wales;
- You will publish your firm’s data (probably in a summarised form);
- Your firm’s aggregated data will only be available to your firm’s SRA authorised signatories or organisational contacts; and
- You intend to store the results for a specified period of time (see below: Retaining diversity data).
There are no rules on how you should collect the data, so you’re free to be as creative as you like. You can e-mail the questionnaire, distribute paper copies or use a third party to create an online survey. If you do outsource data collection, you need to be even more vigilant about data protection issues.
Although the SRA has published a template questionnaire, for the free-spirited firm there’s also the option to create your own, as long as it still covers the required SRA categories.
Stage 2: Aggregating and reporting data to the SRA
Once you’ve collected your data, the joy of online reporting via mySRA awaits you.
The portal for reporting diversity data opened in July 2013. The SRA has issued a data entry user guide, which divides the reporting process into 12 steps:
- Steps 1 and 2 explain how to log into the relevant part of mySRA and select your organisation;
- Step 3 should be answered on the basis of your own data of the total number of individuals working at your firm (not the total number of responses you have had to your diversity survey);
- Step 4 should also be answered on the basis of your own data of the total number of individuals working at your firm (not the total number of responses you have had to your diversity survey) – this is not explained in the data entry user guide but was confirmed during a telephone call with the SRA in July 2013; and
- Steps 5-12 should be answered on the basis of the total number of responses you’ve had to your diversity survey.
You cannot outsource diversity data reporting. It can only be done by your SRA authorised signatory and/or organisation contacts. In other words – the reporting buck rests with you.
Stage 3: Publishing data
Once you’ve completed the SRA’s 12 steps of diversity reporting, you may wish to consider the Twelve Steps of Alcoholics Anonymous – you’re certainly going to need your wits about you when you publish your diversity data.
Unlike data collection and reporting, it may be possible to publish data in an anonymised form, as the SRA has qualified the requirement to publish diversity data in the following ways:
- You’re not required to publish a summary of workforce diversity data relating to the sexual orientation, religion or belief of your staff (but this must still be reported to the SRA); and
- You may combine some of the role categories or publish the data for your whole firm without breaking it down into role categories at all.
Sole practitioners and smaller firms have a special ‘get out of publishing free’ card. If you can’t publish workforce diversity data without the risk of identification, you’re not expected to publish at all. In fact, the SRA says you should only publish if you have the express consent of all staff involved in the survey.
If this doesn’t apply to you and you intend to publish data in an anonymised form, you should:
- make this clear to your staff;
- be very careful that no individual can be identified from the way in which you have published the data; and
- remember that publishing data in an anonymised form will not bring you wholly outside the scope of the DPA – you’ll still need explicit consent for collecting and reporting your data.
Retaining diversity data
The SRA doesn’t say you must monitor trends in the diversity of your workforce BUT it does say you should have a written equality and diversity policy “that includes your arrangements for workforce diversity monitoring”. It amounts to the same thing.
Once again, think data protection: if you intend to retain data for the purpose of monitoring diversity trends, this should be made clear to staff and explicit consent obtained (assuming the data you retain can’t be anonymised).
Monitoring the diversity of your workforce will inevitably involve retaining diversity data over a period of time and you should be aware of the DPA requirement not to keep data for longer than necessary.
The SRA doesn’t provide guidance on the period of time over which you should monitor your diversity data, if indeed you monitor at all. If you do monitor your firm’s diversity trends, any meaningful changes could take years to materialise, which will involve retaining data for a lengthy period.
You should not retain data going further back than the period you intend to monitor, so if you want to monitor data over a five-year period, you should not retain data going back more than five years.
My 12 steps
The motto of this article is ‘Think Diversity, Think Data!’. But if you need a bit more to go on, take a look at the twelve steps in our Diversity monitoring checklist. If you don’t currently subscribe to PSL Practice Compliance and you’d like a copy, feel free to e-mail me at firstname.lastname@example.org.