Collecting D&I data: 6 Things to Know Beforehand

D&I data can be a powerful tool that offers valuable insights to help shape your D&I strategy. For example, understanding your employees better allows you to develop effective action plans, including prioritising key focus areas and setting the correct measurements for success. Diversity data can also help you uncover what’s working well and identify how engaged your employees are with your D&I programmes.

Of course, understanding the correct processes for collecting diversity and inclusion data before you begin is crucial. 

While it may initially seem overwhelming to get your head around the legalities and regulations required when dealing with sensitive data, it doesn't have to be.

In this blog post, we cover the basics every HR professional out there should know before collecting diversity and inclusion data.

1. What is considered D&I data?

Let’s first make sure we’re on the same page here.

D&I data refers to two separate data sets - diversity data and inclusion data. 

Diversity data typically relates to characteristics that help distinguish people from each other. This includes characteristics such as gender, disability, age, race, religion, sexual orientation, pregnancy or marital status. It can also relate to the social and demographic background of an employee, along with ethnicity and cultural background.

On the other hand, inclusion data explores how an organisation provides equal access, fair treatment, involvement, and respect to all of its employees.

A lot of D&I data is classified as 'special category’ data 

Under the Data Protection Act 2018 (UK’s implementation of the General Data Protection Regulation), data that relates to an employee's race or ethnicity, sexual orientation, religious or political beliefs or disability or health is listed as 'special category' data. 

Although not all D&I data is classified as 'special category’ data under data protection law, a high proportion of it will be as it deals with employees' sensitive personal information.

Usually, gender doesn't fall under this category, although it does if it relates to gender identity or gender reassignment. 

Suppose you're processing personal data that falls into the 'special category'. In that case, you'll need to identify a lawful basis for processing this data, which for HR professionals typically relates to equality monitoring. 

The two most relevant conditions for ‘special category’ data include:

• Carrying out UK employment law rights and obligations: monitoring data to prevent workplace discrimination based on protected characteristics and facilitating equal opportunities. To process data using this condition, you'll need to establish an appropriate policy document that explains your procedures for complying with data protection principles and sets out a policy for retaining and erasing personal data. Typically, the most effective way to meet this requirement is to establish an employee-facing privacy notice that needs to be updated regularly. 
• Substantial public interest for UK law: some provisions allow for processing data that reveals the racial or ethnic origin, religious or philosophical beliefs concerning health and a person's sexual identity. The purpose must be to identify and review equality of opportunity and treatment between those groups. There are some restrictions to be aware of under this condition. For example, if processing data is likely to cause distress to an employee or if the employer is going to make decisions regarding a particular employee. You'll need to develop an appropriate policy document and record your data processing activities to rely on using this condition. 

Anonymous data can be treated differently

The DPA 2018 doesn't apply to anonymous data.

What we call anonymous data

Anonymous data means there are no identifying values within the information provided that can be linked to an individual employee. 

So if you're collecting anonymous information and you can ensure that it can be kept anonymised when processing and analysing the findings, then you don't need to follow the stringent requirements per the DPA 2018.

However, anonymous data can sometimes be challenging to achieve if you're working with small data sets. If you can quickly work out who the employee is, then it's not anonymous. Often anonymous data is also not as useful, as it doesn't allow you to determine which areas of your organisation to immediately focus your D&I efforts.

2. Collecting D&I data is good governance

Good corporate governance helps to ensure that your organisation's environment is transparent and fair and that all employees are accountable for their actions.

By documenting governance protocols and ensuring regular monitoring and reviews, all employees can understand their responsibilities and the responsibility of board members and executive leaders.

When analysed effectively, your D&I data can help develop strategies to improve equality and diversity within your business, making it a key component of responsible governance.

For example, by analysing your candidate pipeline, you can determine if and where diverse candidates drop out of the process. If you notice a drop-off between the interview and offer stage, it may indicate an issue during the interview process that needs to be addressed, such as personal biases from the hiring panel. By amending recruitment policies and protocols, your organisation can take action to remove this issue and recruit a more diverse team.

3. Collecting D&I data is legal (if you to it right)

We hear too often from data protection officers or people working in legal or risk teams that collecting personal data isn't legal. And that’s a problem, because it’s not true.

While there are processes to follow to ensure you're collecting the data correctly, it definitely is legal to collect personal data from your employees. We recommend establishing robust processes and data storage to ensure everything you do is compliant.

Following data protection legislation is paramount

As stated above, while it's perfectly legal to collect and analyse D&I data, it's essential to follow the rules when you do so. 

This is because collecting, storing, studying, sharing and publishing any information is classified as 'processing' personal data under the Data Protection Act (DPA) 2018. Which means it's subject to the requirements of UK data protection law. 

Of course, if you work in HR, you'll likely be responsible, or at least have access to, information related to employees and people applying to work in your organisation. 

Consequently, you need to understand how to deal with sensitive personal information correctly.

Compliance is key 

If you don’t comply with the data collection principles of the UK GDPR your organisation could face substantial fines. In the most serious cases, this could mean a maximum fine of £17.5 million or 4% of the total annual global turnover in the last financial year, whichever is higher.

As an employer working in an HR team, it's essential to take care when processing personal D&I data to help safeguard the rights of employees who share personal and sensitive information and to protect your employer's risk of litigation. But with careful planning and preparation before, during and after collection, it's relatively straightforward to mitigate the risk of litigation. 

4. You can share D&I data with third parties … BUT

Sharing D&I data with third parties is possible, under specific conditions, including making sure your employees know about it.

To share any data with third parties, you need:

• To be clear about your intentions, so your employees understand how you'll use their personal information. 
• To provide this information when you collect the data. 
• A lawful basis to collect personal data, usually consent, from the individual providing. 
• To ensure you have explicit permission each time you collect, process and store data. 

In addition, some companies have mandatory reporting requirements regarding their D&I data. For example, if you work in an organisation with over 250 employees, it's compulsory to report annual gender pay gap figures.

If you're undertaking a D&I survey, it's also necessary to communicate with employees as part of the survey. Sharing how you'll use the data, who you'll share it with and why you're collecting it can help to encourage participation and promote trust with your employees.

A perfect segway to our next point: Communication.

5. Co-mmu-ni-ca-tion

Without your employees’ trust and buy-in, your D&I data collection plan will not go far. You need to work on a clear and transparent communication plan.

• Communicate the why: if your motivations are unclear, employees might find it difficult to share personal information.
• Be transparent with your goals: a good practice is to write down your plan and make it accessible to employees.
• Get the buy-in from senior leadership: the more, the merrier! Effective change requires the buy-in from the chain of command. 
• Talk about the types of data you're collecting: personal data is a hot topic at the moment and people will easily get triggered by it if they don’t understand what you’re after in the first place. Take the time to explain each and every bit of information and don’t forget to emphasize the importance of anonymacy.

6. Undertake a Data Protection Impact Assessment (DPIA)

A DPIA is a helpful way to identify and minimise any data protection risks before collecting any D&I data. 

While no explicit definitions of risk are outlined in the UK GDPR, a DPIA allows teams to screen for various factors with the potential for a severe impact on individuals. Factors can include:

• An organisation is introducing a new data processing technology
• There’s a large volume of special category data being processed
• Information is of a highly personal nature
• Data relates to vulnerable people

In addition, it's useful to help you demonstrate your compliance with the UK GDPR.

Ready to start collecting D&I data?

You now know the essentials of diversity and inclusion data collection. Now, of course, this is only covering the surface. If you want to take the conversation further and discuss how you could start collecting and analysing your organisation’s D&I data, let me know! 

Before processing any data, remember to:

• Consider your D&I strategy and what you want to achieve from collecting, analysing and storing information, including identifying what data you need to help you achieve your goals. 
• Determine the lawful basis for processing personal data under UK GDPR and put this in writing to demonstrate your compliance.
• Update your privacy notice and ensure it's publicly available to all employees.
• Don’t underestimate the importance of communicating your motivations.
• Consider if you need to share any data, either internally or externally, and put data-sharing arrangements in place.
• Establish data security measures to ensure you are compliant with storing the data.
• Undertake a DPIA.