For regulated law firms, SRA Principle 9 states that you must ‘run your business or carry out your role in the business in a way that encourages equality of opportunity and respect for diversity’. http://www.sra.org.uk/solicitors/handbook/handbookprinciples/part2/content.page
To ensure firms comply with this mandatory principle, the SRA imposes a requirement on all regulated firms to collect, report and publish data on the diversity of their workforce. However, the SRA has failed to provide guidance on how to tackle this requirement whilst navigating the hot topic of the impending General Data Protection Regulation (GDPR).
The information you are required to collect from your workforce is categorised as ‘sensitive personal data’, and whilst the information can be anonymised, in smaller firms it is likely that the information collected will be able to identify an individual.
So, in the absence of any direction from the SRA or the ICO on the processing of sensitive personal data in this way, what are the best steps?
Regulated law firms are still under an obligation to report diversity information. The most GDPR-compliant way of doing this is to get explicit consent from individual staff members, which details the following:
· What information will be collected
· What the information will be used for
· Where the information will be stored
· How long it will be stored for
One of the underlying messages in the GDPR is transparency. Provided you are being clear about what you are doing with individuals' data and gaining sufficient consent, you will be able to balance your requirements to report diversity information and those under GDPR.