The dangers of diversity data collection
By Brian Rogers
Brian Rogers advises on how to avoid breaching the Data Protection Act while aggregating diversity statistics for the SRA
It has been four years since the Legal Services Board first set out their expectations for measuring diversity and social mobility within legal practices and the process has evolved year on year. Law firms now face the dual challenges of improving their data collection processes while avoiding any issues around data protection breaches.
Firms need to provide all staff with the ability to report to the Solicitors Regulation Authority (SRA) on diversity and social mobility, with the aggregated data being fed to the regulator and certain aspects published by the individual firms. A tool was initially provided to help firms with the data collection aspect, but this now falls upon firms to deal with independently.
The process has presented practices with a challenge to reconcile the need to collect data and protect it at the same time. Some 9,408 law firms participated in the survey in its first year (2012), with 93,074 individuals completing the survey - an average response rate per firm of just 42 per cent.
In 2013 the second data collection exercise took place, with 9,383 firms participating and 159,791 individuals completing the survey, with an average response rate per firm of 79 per cent. This appeared to show that firms were getting their houses in order; however, the average response rate increase may have been skewed by some firms who were unsure how to reconcile and report their total staff numbers.
The SRA's 'Risk Outlook 2014/15' report commented: 'There is limited evidence that improvements are being made to enhance the diversity of the legal services workforce. Making the profession more diverse and representative will lead to benefits in quality and access to justice. We have a clear regulatory rationale to focus on this issue, but it is also in the interest of law firms to ensure they are recruiting and retaining the best talent in their workforce.'
The current year data collection should provide a more accurate picture, with a growing number of firms signing up to the Law Society's diversity and inclusion charter and the collection exercise becoming an annual fixture. People are becoming more familiar with the exercise, which leads to a sense that, as long as the data is dealt with sensitively, the profession may become more comfortable with responding to the questions accurately.
The SRA has a clear focus on this area and continues to drive the agenda. Some of the lessons learned and feedback received have led to a redesign of the portal used by firms to report their aggregated data, which has delayed the 2015 exercise by several months.
The latest advice from the SRA is that the new portal will be available from mid-August, with the deadline for submissions at the end of September, giving firms a real incentive to at least start the data collection as early as possible.
Meeting your obligations
Most firms have chosen to use third-party survey systems to collect their data and some have reverted to the use of paper, but both pose potential data protection risks if they are not handled carefully. Paper-based data collection is fraught with issues around anonymity and the security of personal details. On top of this, it makes the task of collating the results and forming an aggregated data report both laborious and time-consuming.
Arguably, though, it is the use of some online survey tools which produces the most alarming risks around data protection. Some firms could unwittingly be using systems that may not be secure or do not allow the data to be collected anonymously, leaving both the business's and individual's data vulnerable. If the surveys are completed using a unique identifier, such as an email address, it is very likely that individuals and their responses can be identified, which casts doubt on the validity of the responses.
Read the small print
It is important to read the terms and conditions carefully and not just tick an agreement box. Some services will have provisions that at best create doubts about what they can do with your data, and at worst vest ownership with the third party, or even the individual within your firm who signed up to the service on your behalf.
The diversity data collection process is a very sensitive matter, and one which can make people uncomfortable and unsure about its intention. Clear communication and assurance from the firm that it has thought about the reporting tool and the data implications will go a long way to ensuring that respondent participation is high and the responses are authentic. This requires a lot of thought among those responsible for surveying employees, and it is important that firms fully understand their data protection and regulatory obligations and are clear about the ownership and potential use of the collected data.
To ensure your firm meets its obligations, it should address the following questions:
- Have we offered everyone working at the firm the ability to complete a diversity survey?
- Have we provided staff with plenty of time to participate in the survey?
- Have we reassured our staff about the use of their collected data?
- Have we complied with the Data Protection Act, particularly in relation to the publication of aggregate data?
- Have we ensured that those responsible for signing up to third-party survey tools have read all the terms and conditions, and that the ownership of collected data remains with the firm and not the provider?
Firms and their senior managers have obligations under outcome 7.5 of the SRA Code of Conduct to ensure they 'comply with legislation applicable to the business, including data protection legislation'. Clearly an understanding of, and compliance with, the Data Protection Act 1998 is essential.
The Information Commissioner is a robust regulator and has not been frightened to issue significant fines to organisations for failing to store and manage data properly. Many firms are potentially at risk if they are unclear about their data protection obligations; some have even published diversity data on their websites without any thought as to the possibility of individuals being identified from the aggregated data.
To ensure firms can justify why they may have chosen not to publish data under the Data Protection Act, they must keep a record of the decision-making process, including a copy of the assessment undertaken to review the potential risk of employees being identified.
Firms must ensure they meet their SRA obligations, but at the same time ensure they comply with their data protection obligations, with the latter overriding the SRA publication requirements.
An important piece of advice is that firms should not focus solely on compliance with their SRA obligations and then find they have breached the Data Protection Act by doing so.
Riliance, the Law Society endorsed provider of risk and compliance software, can help you and your firm to avoid the potential pitfalls around collecting and publishing your diversity data. Over half of the profession used our secure data collection tool during 2014 and we have the experience and knowledge to ensure you navigate through regulatory and data protection obligations. For more information please contact us.
Brian Rogers is director of risk and compliance at Riliance