Those are two of the practical steps employers can take to address the challenges associated with complying with data protection law when engaging in equal opportunities monitoring.
There are other data protection issues for employers to navigate, however.
Equal opportunities monitoring
While the majority of employers have, for some time, been conducting general equal opportunities monitoring, the issue of diversity in the UK is now firmly in the spotlight and becoming increasingly important as a result of the implementation of the gender pay gap reporting regime and the government's plans to extend this to ethnicity pay gap reporting.
Equal opportunities monitoring and ethnicity pay gap reporting involves the processing of 'special categories' of data, such as information about individuals' race, ethnic origin, health and sexual orientation. Gender pay gap reporting does not involve the processing of special category data, but salary information is nevertheless sensitive data.
Individuals will have a greater expectation of privacy when it comes to the processing of their special category data or salary information. In addition, they are more likely to suffer damage or distress and are more likely to take action against an employer if something goes wrong, such as if that data is lost, stolen or unlawfully disclosed, for example.
The UK's data protection authority, the Information Commissioner's Office (ICO), is also more likely to take a harder line in its enforcement action where special category data or other sensitive information has not being processed in accordance with UK data protection law. Fines of up to £17 million, or 4% of an organisation's annual global turnover, whichever is highest, can be levied under the General Data Protection Regulation (GDPR) and UK's Data Protection Act 2018.
A lawful basis for data processing
Before engaging in an equal opportunities monitoring exercise, employers first need to establish that they have a lawful basis for processing the data they are seeking to collect.
The Data Protection Act 2018 makes provision for the processing of personal data where it is for the purpose of equality of opportunity or treatment. If an employer is processing personal data to comply with a legal obligation, such as the gender pay gap reporting regulations, then this is also a lawful ground for the processing.
However, there are further data protection considerations for employers.
Data protection impact assessments
Employers that engage in general equal opportunities monitoring or ethnicity reporting may be under a legal obligation to carry out a data protection impact assessment (DPIA) before carrying out that activity. This is because DPIAs are mandatory under the GDPR where an employer is processing special categories of data on a large scale. Even if the legal obligation to carry out a DPIA under the GDPR is not triggered, it is best practice to conduct one when engaging in a new data processing activity.
A DPIA should consider, amongst other things, how any data will be kept secure, how long it will be kept for and who it will be shared with.
Have a documented policy
Employers also need to have a policy document in place specifically for equal opportunities monitoring. The policy should explain to employees what you are doing with their data, including how you collect, use, store and share the data, as well as how long it is retained for.
Maintaining the policy will help employers meet their obligations on transparency under data protection law and also help to reassure staff and improve employee engagement.
Challenge justification for data processing
To ensure that data processing for the purpose of equal opportunities monitoring is legally compliant, employers must also be able to justify that the data they are gathering is necessary.
For example, keeping track of religious beliefs, even if done in good faith with the intent to help the employee, may not be lawful unless the organisation has legitimate organisational reasons to monitor and address any underrepresentation.
In short, if an employer is not going to use the data, they should not collect it.
Best practice is to collect the data on a genuinely anonymous basis and to ensure that it is not identifiable. Data that cannot be traced back to identify a living individual is not personal data and so the Data Protection Act would not apply to its processing.
Anonymising the data would also mean that the data retention principle of not keeping data for longer than is necessary would not apply.
Seek alternatives to consent
The ICO has commented previously that consent should be considered a last resort; and only used when one of the lawful conditions is not available. In the circumstances of equality reporting and pay gap reporting there is a legal duty to rely on. Where consent may be relevant is if the information a controller wishes to collect is wider than that required to fulfil the duty, or if they wish to share that data with a third party and so the purpose of processing is then different, In these circumstances consent could be considered – however consent can be difficult in this context.
The GDPR standard of consent provides that this has to be 'freely given' – it has to be a decision the employee is in control of, genuinely voluntary, and such that the employee's failure to give consent will not result in any detriment to the employee.
Not just this though, the effect of consent is that it can be withdrawn, it has a shelf life in terms of duration and consent is specific to the purpose described. Any further use, widening of the use by the original collector and indeed any party with whom that data was shared would, unless such further purpose is considered 'compatible' with the original purpose, require the employer to look for additional consent.
In some cases, employers may elect to use third parties external to their business to collect and process data for equal opportunities monitoring on their behalf. This is perfectly legitimate under data protection laws, but employers must be aware that they will remain the 'controller' of the data and are responsible for ensuring it is processed in accordance with the GDPR.
When engaging data processors, controllers are required to have a written contract in place with those third parties to regulate their processing. Controllers must also ensure the contract commits processors to meet their legal obligations under the GDPR and that the processors also enable them to fulfil their own obligations. For example, it will be necessary for the contract to set out processors' duties on notifying a data breach and to prohibit them sharing data without the permission of the controller.
Employers are not relieved of their responsibilities just because someone else is processing the data for them.
Observe data security obligations
Employers have an overarching duty to preserve the security of personal data they are responsible for under the GDPR, and further security of processing rules set out in the Regulation further explain the requirements they must meet.
Specific data security measures are not prescribed in the GDPR. Instead, organisations must ensure that the organisational and technical security measures they implement are 'appropriate' to address the specific risks they are presented with, considering the measures available to them at the time. In the context of equal opportunities monitoring, the sensitivity of the data collected heightens risks and therefore requires employers to put in place extra safeguards to keep data secure.
Access to the data collected should be on a 'need-to-know' basis only; it should be processed securely through, for example, password protected and encrypted systems and networks; and, unless anonymised, not kept for longer than is necessary.
Control data sharing
Employers should also be careful about who they share the data with. They need to have a lawful basis for sharing the data as well collecting it.
It is likely to be lawful for employers to share data collected for equal opportunities monitoring purposes with their employment lawyers where it is necessary for the establishment, exercise or defence of a legal claim. However, sharing the data in other circumstances may be more difficult to justify, even if it is just to be shared with other companies in the same group.
Transferring the data to other companies within a group of companies may not be necessary, and where the data is to be transferred outside the European Economic Area (EEA), such as to offices in the US or Australia, additional privacy safeguards, such as EU model clauses or binding corporate rules, will need to be in place to ensure that data benefits from equivalent protection in those jurisdictions as to what is available in the EEA.
Leanne Francis is an expert in employment law at Pinsent Masons, the law firm behind Out-Law.com.