The Solicitors Regulation Authority (SRA) initially set May 2017 as the time when it expected all regulated firms to feed in its diversity data to its online portal, however, it recently announced a delay so a further announcement is awaited. The exercise will still take place in 2017.
The Legal Services Board (LSB) has now given regulators the flexibility to manage diversity as they see fit, including the freedom to choose the timing of any survey exercises, so although it is currently undertaken on a two-yearly basis it could change. The LSB has also announced that it will be carrying out a review of diversity within the legal profession in 2018, and surprisingly, that it will not be pursuing a probe into why it is taking so long for women and others from ethnic minorities so long to reach senior positions within the profession.
Although the surveys are currently held every two years, many firms saw the business benefits of the annual collection and publication of staff diversity data and have therefore decided to continue with them no matter what the SRA does.
There are a number of pitfalls that you could encounter when collecting and publishing diversity data, and this article is intended to provide you with an insight into these and how they can be avoided.
Although a large number of firms use the secure Riliance diversity system to collect their data, other firms are using methods that may not be secure, don’t allow the data to be collected anonymously, or they may have signed up to a third-party collection tool where ownership and use of the collected data is unclear!
The diversity data collection process is a very sensitive one, which requires a lot of thought by those responsible for it within firms, and therefore great care must be taken when handling employee data; it is imperative that you understand your data protection and regulatory obligations, and are clear about the ownership and potential use of the collected data.
To ensure you protect both yourself and your employees, you should:
- Ensure all staff are given the opportunity to complete a diversity survey – this is a specific requirement of the SRA
- Provide staff with plenty of time to participate in the survey – don’t leave it until the last minute and then find staff are on holiday and therefore can’t complete it. As it likely that the new deadline for feeding your data into the SRA portal will be in the latter part of the year, there is a real risk that many people will be on holiday so collecting data now may be a preferred option. The SRA has said that any data collected prior to the opening of its portal will be accepted, even if it was collected using the old survey questionnaire from 2015.
- Reassure staff about the use of their collected data – staff will be very concerned about the confidentiality of their data, even if it is collected anonymously, so ensure you take the time to explain to your staff what the data will be used for and who it will be given to
- Comply with the Data Protection Act, particularly in relation to the publication of aggregate data – staff in small teams, departments, or firms could still be identified through anonymous data, especially if staff profiles are provided on the firm’s website, so make sure you publish the data appropriately. Where there is a risk of staff being identified you may want to make a broad statement giving an overview of the data collected, or ultimately you may decide to not publish anything at all (you must have good reason not to publish the data and should back this decision up with a risk assessment).
- Read all terms and conditions that relate to the use of third-party survey tools, ensuring that ownership of collected data remains with the law firm and not the provider – you have legal duties under the Data Protection Act as a data controller, and could face criminal sanctions if you do not protect the data you have responsibility for, even if it involves a third party you have contracted with.
The Information Commissioner is regarded as a very robust regulator and has not been frightened to issue significant fines to organisations for failing to store and manage data properly. Many law firms are potentially at risk as they are unclear about their data protection obligations, and have in the past published diversity data on their websites without any thought as to the possibility of individuals being identified, even from aggregated data!
With the introduction of the General Data Protection Regulations (GDPR) in May 2018, you should already be looking at how you will comply and meet your obligations in the future, but if you have yet to start looking at this issue now would be a good time to start.