D&I data can be a powerful tool that offers valuable insights to help shape your D&I strategy. For example, understanding your employees better allows you to develop effective action plans, including prioritising key focus areas and setting the correct measurements for success. Diversity data can also help you uncover what’s working well and identify how engaged your employees are with your D&I programmes.
Of course, understanding the correct processes for collecting diversity and inclusion data before you begin is crucial.
While it may initially seem overwhelming to get your head around the legalities and regulations required when dealing with sensitive data, it doesn't have to be.
In this blog post, we cover the basics every HR professional out there should know before collecting diversity and inclusion data.
Let’s first make sure we’re on the same page here.
D&I data refers to two separate data sets - diversity data and inclusion data.
Diversity data typically relates to characteristics that help distinguish people from each other. This includes characteristics such as gender, disability, age, race, religion, sexual orientation, pregnancy or marital status. It can also relate to the social and demographic background of an employee, along with ethnicity and cultural background.
On the other hand, inclusion data explores how an organisation provides equal access, fair treatment, involvement, and respect to all of its employees.
Under the Data Protection Act 2018 (UK’s implementation of the General Data Protection Regulation), data that relates to an employee's race or ethnicity, sexual orientation, religious or political beliefs or disability or health is listed as 'special category' data.
Although not all D&I data is classified as 'special category' data under data protection law, a high proportion of it will be as it deals with employees' sensitive personal information.
Usually, gender doesn't fall under this category, although it does if it relates to gender identity or gender reassignment.
If you're processing personal data that falls into the 'special category', you'll need to identify a lawful basis for processing this data, which for HR professionals typically relates to equality monitoring.
The two most relevant conditions for ‘special category’ data include:
The DPA 2018 doesn't apply to anonymous data.
What we call anonymous data
Anonymous data means there are no identifying values within the information provided that can be linked to an individual employee.
So if you're collecting anonymous information and you can ensure that it can be kept anonymised when processing and analysing the findings, then you don't need to follow the stringent requirements per the DPA 2018.
However, anonymous data can sometimes be challenging to achieve if you're working with small data sets. If you can quickly work out who the employee is, then it's not anonymous. Often anonymous data is also not as useful, as it doesn't allow you to determine which areas of your organisation to immediately focus your D&I efforts.
Good corporate governance helps to ensure that your organisation's environment is transparent and fair and that all employees are accountable for their actions.
By documenting governance protocols and ensuring regular monitoring and reviews, all employees can understand their responsibilities and the responsibility of board members and executive leaders.
When analysed effectively, your D&I data can help develop strategies to improve equality and diversity within your business, making it a key component of responsible governance.
For example, by analysing your candidate pipeline, you can determine if and where diverse candidates drop out of the process. If you notice a drop-off between the interview and offer stage, it may indicate an issue during the interview process that needs to be addressed, such as personal biases from the hiring panel. By amending recruitment policies and protocols, your organisation can take action to remove this issue and recruit a more diverse team.
We hear too often from data protection officers or people working in legal or risk teams that collecting personal data isn't legal. And that’s a problem, because it’s not true.
While there are processes to follow to ensure you're collecting the data correctly, it definitely is legal to collect personal data from your employees. We recommend establishing robust processes and data storage to ensure everything you do is compliant.
As stated above, while it's perfectly legal to collect and analyse D&I data, it's essential to follow the rules when you do so.
This is because collecting, storing, studying, sharing and publishing any information is classified as 'processing' personal data under the Data Protection Act (DPA) 2018, which means it's subject to the requirements of UK data protection law.
Of course, if you work in HR, you'll likely be responsible for, or at least have access to, information related to employees and people applying to work in your organisation.
Consequently, you need to understand how to deal with sensitive personal information correctly.
If you don’t comply with the data collection principles of the UK GDPR your organisation could face substantial fines. In the most serious cases, this could mean a maximum fine of £17.5 million or 4% of the total annual global turnover in the last financial year, whichever is higher.
As an employer working in an HR team, it's essential to take care when processing personal D&I data to help safeguard the rights of employees who share personal and sensitive information and to protect your employer from the risk of litigation. But with careful planning and preparation before, during and after collection, it's relatively straightforward to mitigate the risk of litigation.
Sharing D&I data with third parties is possible, under specific conditions, including making sure your employees know about it.
To share any data with third parties, you need:
In addition, some companies have mandatory reporting requirements regarding their D&I data. For example, if you work in an organisation with over 250 employees, it's compulsory to report annual gender pay gap figures.
If you're undertaking a D&I survey, it's also necessary to communicate with employees as part of the survey. Sharing how you'll use the data, who you'll share it with and why you're collecting it can help to encourage participation and promote trust with your employees.
A perfect segue to our next point: Communication.
Without your employees’ trust and buy-in, your D&I data collection plan will not go far. You need to work on a clear and transparent communication plan.
A DPIA is a helpful way to identify and minimise any data protection risks before collecting any D&I data.
While no explicit definitions of risk are outlined in the UK GDPR, a DPIA allows teams to screen for various factors with the potential for a severe impact on individuals. Factors can include:
In addition, a DPIA is useful in helping you demonstrate your compliance with the UK GDPR.
You now know the essentials of diversity and inclusion data collection. Now, of course, this is only covering the surface. If you want to take the conversation further and discuss how you could start collecting and analysing your organisation’s D&I data, let me know!