In July last year the SRA added yet another requirement to your Pile of Compliance – workforce diversity data monitoring.
But with two thirds of firms yet to return their questionnaire , it may well be that it’s slipped off your to-do list.
Trouble is, TODAY IS THE DEADLINE, and you could face regulatory action for non-compliance – so we thought we’d heroically jump in and help.
This advice is taken from one of our COLP reports – our monthly series supporting you with practice compliance (and available completely free if you sign up to the Business of law blog). If you’re a subscriber, you got this in your in-box way back in August last year. If you’re not, or if you happen to be in a mad dash to meet the deadline today, here is our demystification of the process you need to go through to comply.
The three stages
So you’re sufficiently panicked about the deadline. Let’s begin with the practical bit – looking at the three stages of diversity monitoring:
- Collecting diversity data
- Reporting the data to the SRA, and publishing the data (we’ve got some good news for you on this last bit)
Stage 1: Collecting diversity data
You’re under a regulatory obligation to participate in the diversity data exercise; your staff aren’t and you can’t collect any data without their participation.
In your enthusiasm for promoting staff participation, don’t forget data protection; you can’t assume that by completing a diversity questionnaire your staff also agree to you storing, analysing, reporting and publishing their responses. So, to avoid falling into a data protection trap, make your staff aware that:
- The data will be aggregated and reported to the SRA
- The SRA will collate and publish the data from all firms within England and Wales
- You will publish your firm’s data (probably in a summarised form)
- Your firm’s aggregated data will only be available to your firm’s SRA Authorised Signatories or Organisational Contacts.
- You intend to store the results for a specific period of time (see below: Retaining diversity data)
There are no rules on how you should collect the data so you’re free to be as creative as you like. You can email the questionnaire, distribute paper copies or use a third party to create an online survey. If you do outsource data collection, you need to be even more vigilant about data protection issues.
Although the SRA has published a template questionnaire, for the free spirited firm there’s also the option to create your own, as long as it still covers the required SRA categories.
Stage 2: Aggregating and reporting data to the SRA
Once you’ve collected your data, the joy of online reporting via mySRA awaits you.
The portal for reporting diversity data opened in July 2013. The SRA has issued a Data entry user guide, which divides the reporting process into 12 steps:
- Steps 1 and 2 explain how to log into the relevant part of mySRA and select your organisation.
- Step 3 should be answered on the basis of your own data of the total number of individuals working at your firm (not the total number of responses you have had to your diversity survey).
- Step 4 should also be answered on the basis of your own data of the total number of individuals working at your firm (not the total number of responses you have had to your diversity survey) – this is not explained in the Data entry user guide but was confirmed during a telephone call with the SRA in July 2013.
- Steps 5 -12 should be answered on the basis of the total number of responses you’ve had to your diversity survey.
You cannot outsource diversity data reporting. It can only be done by your SRA Authorised Signatory and/or Organisation Contacts. In other words – the reporting buck stops with you.
Stage 3: Publishing data
Once you’ve completed the SRA’s twelve steps of diversity reporting, you may wish to consider the Twelve Steps of Alcoholics Anonymous – you’re certainly going to need your wits about you when you publish your diversity data.
Unlike data collection and reporting, it may be possible to publish data in an anonymised form, as the SRA has qualified the requirement to publish diversity data in the following ways:
- you’re not required to publish a summary of workforce diversity data relating to the sexual orientation, religion or belief of your staff (but this must still be reported to the SRA)
- you may combine some of the role categories or publish the data for your whole firm without breaking it down into role categories at all
Now here’s the good news: Sole practitioners and smaller firms have a special get out of publishing free card. What? The SRA have considered the special requirements of sole practitioners and smaller firms? Can this be?
We kid you not. If you can’t publish workforce diversity data without the risk of identification, you’re not expected to publish at all. In fact, the SRA says you should only publish if you have the express consent of all staff involved in the survey.
However, if this doesn’t apply to you and you intend to publish data in an anonymised form, you should:
- Make this clear to your staff
- Be very careful that no individual can be identified from the way in which you have published the data
- Remember that publishing data in an anonymised form will not bring you wholly outside the scope of DPA 1998 – you’ll still need explicit consent for collecting and reporting your data.
Retaining diversity data
The SRA doesn’t say you must monitor trends in the diversity of your workforce BUT it does say you should have a written equality and diversity policy ‘that includes your arrangements for workforce diversity monitoring’. It amounts to the same thing.
Once again, think data protection: if you intend to retain data for the purpose of monitoring diversity trends, this should be made clear to staff and explicit consent obtained (assuming the data you retain can’t be anonymised).
Monitoring the diversity of your workforce will inevitably involve retaining diversity data over a period of time and you should be aware of the DPA 1998 requirement not to keep data for longer than necessary.
The SRA doesn’t provide guidance on the period of time over which you should monitor your diversity data, if indeed you monitor at all. If you do monitor your firm’s diversity trends, any meaningful changes could take years to materialise, which will involve retaining data for a lengthy period. You should not retain data going further back than the period you intend to monitor, eg if you want to monitor data over a five-year period, you should not retain data going back more than five years.
So – that’s your diversity monitoring out of the way for this year.
Or is it?
The data protection minefield
The SRA neatly sidesteps all things DPA. The SRA’s template questionnaire starts like this:
Firms to add their own background information and guidance and data protection warnings here
Here’s what you actually need to know. The information you’re expected to collect from your workforce falls within the scope of ‘sensitive personal data’ for DPA 1998 – meaning that to collect, aggregate or publish it (all are types of ‘processing’) you need to satisfy one of the conditions in Schedule 3 of the Act. The safest bet is to get explicit consent from individual staff members.
According to the Information Commissioner, explicit consent should be absolutely clear and cover:
- The specific processing details
- The type of information (or even the specific information)
- The purposes of the processing, and
- Any special aspects that may affect the individual, such as any disclosures that may be made.
You cannot assume an individual who is willing to complete a diversity questionnaire explicitly consents to you storing, analysing, reporting and publishing their data. You must give clear information on the questionnaire about how you will use the data and how long you will store it.
Explicit consent does not necessarily have to be written consent, but it must clearly be distinguishable from normal consent. Signed or written consent is obviously safer than electronic consent or consent obtained by using wording such as ‘by completing this survey you consent to the processing of data’.
But there’s more to DPA 1998 than consent; other requirements include:
- You must comply with eight data protection principles (this includes processing data fairly and lawfully)
- Individuals have a right to know what information is held about them.
- You must explain what the data will be used for.
- You must explain who will have access to it.
Can you fall outside the scope of DPA 1998 by collecting, reporting or publishing data in an anonymised form?
DPA 1998 doesn’t apply if you process diversity data in a way that can’t be used to identify a living person, i.e if the data is anonymised.
Alas, having decided to lob the data protection grenade in your direction, the SRA primes it for detonation by creating a questionnaire that makes it virtually impossible to anonymise your results. This is because the SRA expects you to collect the data against 12 different role categories:
1. Solicitor (sole practitioner, partner, member, director)
3. Other fee earning role
4. Role directly supporting a fee earner
5. Managerial role
6. IT / HR / other corporate services role
8. Chartered legal executive / legal executive
9. Licensed conveyancer
10. Patent or trade mark attorney
11. Costs lawyer
Regardless of your firm’s size, you’ll find it hard to process diversity data in an anonymised form. Smaller firms have a limited pool of workers from whom they can collect data and there is a very high risk that individuals will be identifiable from their responses to the diversity questionnaire.
It’s difficult to see how using an online survey provider can avoid these problems – the survey provider may be able to collect diversity data for you but you’ll need access to the data for the purpose of reporting and publishing, meaning that you’ll still be processing sensitive personal data.
Last but not least
Meeting the all the requirements of the SRA’s Outcomes Focused Regulation is a moving target. No doubt there will be more compliance thrills and spills throughout 2014.
The best way to keep abreast of the changes is to sign up for the monthly COLP report. It’s free, produced by experts (the in-house Practice Compliance team at LexisNexis) and we email it to you once a month. What could be simpler?