UK financial regulators will run a pilot project this autumn to collect sensitive employee diversity data from firms, with a view to making it a recurring regulatory reporting obligation. The move will add to firms' compliance workload and increase the risk of falling foul of the General Data Protection Regulation (GDPR).
Firms face a potential minefield, said Robert Baugh, founder and chief executive at data privacy consultancy Keepabl in London.
"This is a rapidly evolving area and a key one for organisations of all shapes and sizes. There are clear data protection law repercussions and, given the sensitivity of the data, it's a potential minefield for employers. They're likely very scared of the legalities on the way in, the security during the lifecycle, the legalities on use and the huge risk if they get it wrong," Baugh said.
The plans, set out in chapter four of the discussion paper "Diversity and inclusion in the financial sector — working together to drive change" (DP 21/2), form part of efforts by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England to improve diversity of thought, gender, race and socio-economic background in financial services firms.
"Gathering data on diversity of thought, through proxies such as demographic and socio-economic diversity, will enable firms and regulators to monitor progress. In turn, data on inclusion will provide information on whether the firm culture is conducive to diverse views being incorporated in decision-making," said the paper, published on July 7.
Voluntary pilot survey
The regulators will launch a voluntary pilot survey this autumn. For the pilot they are considering whether to gather data on all, or a subset of, the nine protected characteristics under the UK Equality Act 2010 (age, disability, gender reassignment, marriage or civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation), plus socio-economic background. Firms will also be asked about their ability to collect information on each of these, to establish what is collected now and what firms intend to collect and have available in the near future.
UK data protection law, however, restricts how employers may collect and process such data. Every processing operation needs a lawful basis under Article 6 of the UK GDPR, and "special category" data needs a separate Article 9 condition as well. Much of what the regulators would like firms to supply, such as ethnicity, sexual orientation, religion or belief and disability (which is health data), falls into the special categories; other fields such as age and sex are ordinary personal data that still require an Article 6 basis. Consent is one route, but in an employment relationship it is hard to show that consent is freely given, so firms also need a clear purpose, access controls and a retention period they can defend.
"We believe that firms will be able to respond to the pilot survey in a way that meets their obligations under such legislation, for example, providing data that is aggregated to a level where it is non-identifying or by identifying an appropriate lawful basis under art 6 and/or condition under art 9 of the UK GDPR. The FCA has policies and processes in place to ensure data is processed lawfully. Deletion of data will be carried out according to our published records retention policy," said a spokesperson for the FCA.
The pilot would be planned in discussion with the UK's Information Commissioner's Office, the regulators said.
"We have been approached by the FCA and expect to have further engagement on the data protection issues raised in the discussion paper," an ICO spokesperson said.
Data privacy and protection laws
The discussion paper seems to acknowledge the issues associated with collecting and processing sensitive employee data.
"Any future proposal for a regular data collection would most likely involve firms approaching staff to complete a questionnaire. We recognise that this would require individuals to self-identify and are mindful that individuals might be reticent. We hope that firms will create a culture to encourage their staff of the benefits of making such a declaration," the regulators wrote in the paper.
Firms would then need to aggregate the data they collect to a minimum group size before reporting it, so that the figures are unlikely to identify individuals. Aggregation on its own is not anonymisation: a small cell, for example a single non-binary employee in a department, can still single someone out, so firms need a minimum cell size and a rule for suppressing counts below it.
The paper points to the example of the Solicitors Regulation Authority (SRA), which it says has been undertaking mandatory diversity data collection, reporting and disclosure from law firms since 2012.
"The self-reporting form currently includes ethnicity, sexual orientation, gender, age, religion and belief, disability, social mobility criteria and caring criteria. The SRA requires firms to make public disclosures and also aggregates law firm information, disclosing it to stakeholders via their website. Stakeholders can then manipulate the data to show diversity stats for various categories of law firm staff. We think this an innovative and useful initiative to assess the state of play and progress across the sector," the regulators said in the paper.
The SRA warns law firms that it cannot compel their staff to provide their diversity data. It suggests that adding a "prefers not to say" option to any questions could help reassure staff about participating. Firms are also required to tell employees how the information will be used and who will have access to it.
The SRA also says that while firms can collect diversity information on an anonymous basis, the data would be much more useful if it were linked to an individual by a confidential reference number.
"Then it can be used to monitor a range of employment activities over time, such as promotion, pay rates, or recruitment practices," the SRA said on its website.
The FCA said that it saw great value for financial firms in collecting and monitoring diversity data.
It is possible to assign staff confidential reference numbers. New York-based privacy-by-design group SafePorter helps firms track their diversity and inclusion data. SafePorter already works with firms to produce the kind of time-trackable data the regulators are hoping to obtain, said Shoshana Rosenberg, the company's founder. Employees are assigned a number in SafePorter's system, which is kept separate from the employer's systems. The diversity data can then be customised to meet the requirements of a specific regulator, Rosenberg said.
Employers need to reassure individuals that the number does not let the employer track them, and that they cannot be identified from the information they provide, Rosenberg said.
"We can't track them as an individual. What we track is their organisation. So, we can say if their organisation is advancing people of colour, or non-binary individuals. We can track trends, but you are not going to see anything about an individual because we completely take that apart," Rosenberg said.
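The following is an added example, not SafePorter's system or any regulator's code, of the two mechanisms the passage describes: a confidential reference number derived from the HR identifier with a key held only by the separate diversity-data holder, so that yearly snapshots can be linked (promotion rates by group, as the SRA suggests) without the employer's systems holding the mapping; and aggregation to a minimum cell size, with complementary suppression, before anything leaves that holder. The roster, the key, the threshold of five and the department and ethnicity labels are all constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

MIN_CELL = 5  # assumed threshold: cells with fewer people than this are suppressed
# Constructed key. In practice it lives only with the separate data holder,
# never in the employer's HR systems, so HR cannot reverse the mapping.
KEY = b"constructed-key-held-only-by-the-diversity-data-holder"


def reference_number(employee_id: str, key: bytes) -> str:
    """Confidential reference number: keyed HMAC-SHA256 of the HR identifier.
    Same input and key -> same reference, so snapshots over time can be joined;
    without the key the reference cannot be linked back to the employee.
    Truncated to 64 bits, which is ample for a single firm's headcount."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def _mk(prefix, dept, eth, n, promoted):
    # constructed employees: (id, dept, ethnicity, grade_year1, grade_year2);
    # the first `promoted` of them move up one grade between the two years
    return [(f"{prefix}{i:02d}", dept, eth, 2, 3 if i < promoted else 2) for i in range(n)]


# constructed roster: 8 in Trading, 3 in Ops, 12 in Risk
ROSTER = (_mk("T-A", "Trading", "A", 5, 1) + _mk("T-B", "Trading", "B", 2, 0)
          + _mk("T-C", "Trading", "C", 1, 0) + _mk("O-A", "Ops", "A", 1, 0)
          + _mk("O-B", "Ops", "B", 2, 1) + _mk("R-A", "Risk", "A", 6, 2)
          + _mk("R-B", "Risk", "B", 5, 1) + _mk("R-C", "Risk", "C", 1, 1))


def snapshot(roster, key, year_index):
    """What the separate holder stores for one year: reference, not employee id."""
    return [{"ref": reference_number(eid, key), "dept": d, "ethnicity": e,
             "grade": (g1, g2)[year_index]} for eid, d, e, g1, g2 in roster]


def aggregate(records, group_field, attr, min_cell=MIN_CELL):
    """Count attr values per group. Groups smaller than min_cell are not reported
    at all; cells smaller than min_cell are suppressed. If exactly one cell in a
    group is suppressed it could be recovered by subtracting the others from the
    group total, so the next-smallest cell is suppressed too (complementary
    suppression)."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r[group_field]][r[attr]] += 1
    out = {}
    for group, c in counts.items():
        if sum(c.values()) < min_cell:
            out[group] = None
            continue
        small = {v for v, n in c.items() if n < min_cell}
        if len(small) == 1 and len(c) > 1:
            rest = sorted((n, v) for v, n in c.items() if v not in small)
            small.add(rest[0][1])
        out[group] = {v: (f"<{min_cell}" if v in small else n) for v, n in c.items()}
    return out


def promotion_rate(before, after, attr, min_cell=MIN_CELL):
    """Share of each attr group promoted between two snapshots, joined on the
    reference number. Groups with fewer than min_cell people return None."""
    grade_before = {r["ref"]: r["grade"] for r in before}
    attr_of = {r["ref"]: r[attr] for r in before}
    denom = Counter(attr_of.values())
    promoted = Counter()
    for r in after:
        ref = r["ref"]
        if ref in grade_before and r["grade"] > grade_before[ref]:
            promoted[attr_of[ref]] += 1
    return {v: (promoted[v] / n if n >= min_cell else None) for v, n in denom.items()}


if __name__ == "__main__":
    y1, y2 = snapshot(ROSTER, KEY, 0), snapshot(ROSTER, KEY, 1)
    print(aggregate(y2, "dept", "ethnicity"))
    print(promotion_rate(y1, y2, "ethnicity"))
```

Note what the suppression rule does in the constructed data: Ops has three people and is not reported at all; Risk has one cell below the threshold, and because the group total would otherwise reveal it, the neighbouring cell of exactly five is hidden as well. The employer's side of this design never sees the key, so it can receive the aggregates but cannot join them back to its own HR records.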
The regulators are considering whether to extend the scope of their diversity reporting requirement to include overseas firms that serve UK customers, they said in chapter five of their discussion paper.
"We want to gather views on bringing overseas firms that provide services in the UK into scope," the regulators said.
Any such requirement that involved transferring personal data across borders could cause problems for firms in their home states. Last month the European Commission adopted new standard contractual clauses for transferring data out of the European Union, after the Schrems II ruling by the Court of Justice of the European Union in 2020 invalidated the EU-U.S. data transfer deal known as Privacy Shield.
Regulators and courts in some EU states have recently fined companies for collecting too much employee data, or for processing it too extensively. Hamburg's data protection authority fined fashion retailer H&M 35.3 million euros in October 2020 for keeping detailed records of employees' private lives, and last month a French court fined furniture chain IKEA's French subsidiary 1 million euros (about £861,000) over surveillance of staff.
Linking diversity and inclusion to senior leaders' objectives would help drive diversity, the regulators said in chapter five of the discussion paper. They also set out their current thinking on incorporating progress with achieving diversity targets into remuneration scorecards.
"It could be helpful for the regulators to develop guidance on how metrics linked to advancing diversity and inclusion can be used as part of non-financial criteria when setting variable remuneration awards. Similarly, poor performance in this area could be grounds for adjustment. We do not intend to be prescriptive, but to provide insight on good practice at both the individual and firm level," the regulators said.
At present the proportion of chief executive pay that is linked to hitting diversity, conduct and culture targets is negligible.