D&I in FS: Data protection and D&I reporting

The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are consulting on proposals to introduce a new financial services regulatory framework on diversity and inclusion (D&I) in the financial sector. These would require in-scope firms to, among other things: establish, implement and maintain a D&I strategy; determine and set appropriate D&I targets; and collect, report and disclose certain D&I data. 

In this post we outline some of the key data protection considerations in respect of the D&I data collection, reporting and disclosure requirements in the regulators’ proposals.

Data reporting

Whilst under the proposals the UK financial services regulators require all firms to report on employee numbers, the bulk of the proposed data reporting requirements apply only to large firms (ie all firms granted permissions under Part 4A of the Financial Services and Markets Act 2000 that have 251 or more employees, excluding all Limited Scope SMCR firms). Large firms must:

  • annually collect and report data across a range of demographic characteristics, inclusion metrics and targets via a regulatory return;
  • during the first year the requirements are in place, report such data as is reasonably practicable and explain the reasons for any gaps and how they will be closed; and
  • report data to the FCA and PRA using a single data return via the designated platform.

The regulators will then use this data to produce regular aggregated reports to provide industry-wide insights.

Relevant data elements

Firms will need to use the joint FCA and PRA regulatory return to report on the following mandatory and voluntary metrics, with the expectation that, over time, an increasing number of firms will report data against the voluntary metrics.

  • Mandatory: age, sex or gender, ethnicity, religion, disability or long-term health condition(s), and sexual orientation.
  • Voluntary: parental responsibilities, sex and gender, gender identity, socio-economic background and carer responsibilities.

Although these data elements are designated as “mandatory” or “voluntary” for reporting purposes under the proposals, firms are expected to collect the data from employees on an anonymous and voluntary basis, and should give employees the option to choose not to respond to the internal data collection questions or indicate that they “prefer not to say”. It is worth noting that, in practice, although the data collection questions may not require any explicit identifiers such as name and employee ID, the data collected by the firm may in fact comprise personal data at the data collection stage if, for example, limited diversity in the employee demographic makes the diverse employees identifiable from the questionnaire responses.

Nonetheless, the data return through which firms need to report the data is designed to comprise only data that has been aggregated according to the level of seniority of the underlying individuals. The FCA and PRA envisage that all of these data elements are to be reported at: (i) board and senior leadership level as a combined category (other than in respect of sex / gender, and ethnicity, which will need to be reported at the board level and senior leadership levels separately); and (ii) employee-level for all other employees.

Key data protection considerations

  • What is your lawful basis for processing? The mandatory and voluntary data elements identified by the financial services regulators are classed as “special category personal data” under the UK General Data Protection Regulation (UK GDPR). When processing special category personal data, you need to be able to invoke a lawful basis under the UK GDPR, as well as to satisfy one of the processing conditions for special category personal data set out in the UK GDPR / Data Protection Act 2018 (DPA). Many of the lawful bases for processing depend on the processing being ‘necessary’; whilst this does not mean that processing must be “absolutely essential”, it must be more than just useful, and more than just standard practice, so it must be a targeted and proportionate way of achieving a specific purpose.

The regulators’ proposals are helpful in providing firms with clarity as to the ‘necessity’ of their processing of D&I data, which is conducive to a firm establishing a lawful basis under the UK GDPR. Additionally, the most applicable special conditions under the DPA are likely to be: the employment, equality or senior level conditions, or explicit consent. Ultimately, firms will need to assess on a case-by-case basis which of these (or other) legal bases would be most appropriate in their scenario.

  • Would it be appropriate for you to seek consent? To be valid under the UK GDPR, consent must be a specific, informed, freely-given and unambiguous indication of wishes. However, this can be difficult (although not impossible) to achieve in an employment context, where there is an imbalance of power between an employer and employee. Another legal basis may therefore be more appropriate in the circumstances.
  • Carry out your legitimate interests assessment. To the extent you determine that legitimate interests would be the most appropriate legal basis for your processing of D&I data, as contemplated in the proposals, you should carry out a legitimate interests assessment (LIA). An LIA is a type of light-touch risk assessment and balancing exercise based on the specific context and circumstances of the processing, and can help a firm to establish an audit trail of its decisions and justification for processing on the legitimate interests legal basis.
  • Carry out your own data protection impact assessment in respect of the design and deployment of your data strategy. For example, are any individuals identifiable in practice by the D&I data you have or want to collect? Have you informed employees, senior leadership and the board about the purposes for which you are collecting their data, and how you will be processing it? Do they understand their choices to provide or decline to provide their data? What measures will you implement to mitigate any potential harm to individuals as a result of your collection of their D&I data?
  • Don’t forget about data minimisation and retention. Firms should consider the way in which they collect the D&I data listed above such that they do not inadvertently end up processing more sensitive data than anticipated – for example, because they have made inferences about pregnancy and maternity (both of which are protected characteristics under the Equality Act 2010) from data about care responsibilities.

Whilst the proposals introduce voluntary reporting on the demographic characteristics of parental responsibilities, care responsibilities, gender identity and socio-economic background, they do not include the protected characteristics of pregnancy and maternity, marriage, civil partnerships or gender reassignment.

Note also that firms should, over time, seek to retain only the anonymised data.

In practice many firms will already be collecting some D&I data. However, these proposals would extend firms’ regulatory obligations within the D&I space, so firms should undertake their own assessments of associated data protection risks and impacts on the underlying individuals based on their specific circumstances, taking into account considerations such as the firm’s culture.

The next post in this series will explore the operational implications of the FCA and PRA’s proposals targeting inclusion. 

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger