Summary

In the modern workforce, commitments to promoting equality, diversity and inclusivity (“EDI”) are growing in importance. As well as ensuring that the most capable potential leaders and staff are hired, today’s employees and customers place high importance on the diversity of the businesses they work with. Employers today must be able to show that they are taking proactive steps on EDI to attract the best candidates and work with the best companies.

In recent years, we have seen more and more employers try to take action to address EDI in their organisation. Many have opened up dialogue with staff members, and have started to assess what reporting, initiatives and support programmes can help develop their businesses and workforce.

The first step for most is working out what their existing diversity challenges are. This is difficult to do properly without accurate data. Collecting this data can be challenging, especially where a multi-country workforce means diverging rules across multiple jurisdictions. EDI data is usually highly sensitive, and processing this information is a high-risk activity under both employment and privacy laws. There can be significant consequences of getting it wrong, from outraged staff and reputational damage to the potential for fines and legal claims.

This guide exists to help you understand these rules. Our comparative traffic-light chart and detailed country summaries have been updated to help you understand what you can collect, and how you can use the data you obtain. If you want to know more, our HR Data experts are happy to help you navigate these requirements for your workforce.

Equality, diversity and inclusivity are vital to building a strong, engaged and innovative workforce. Without monitoring, it is difficult for any organisation to know where to start. We are here to help.

Australia

© Bird & Bird LLP May 2022 Equality, Diversity and Inclusivity Monitoring

What characteristics are protected from discrimination?
• Race (including colour, national or ethnic origin and immigrant status)
• Sex
• Sexual orientation
• Age
• Physical or mental disability
• Intersex status
• Marital status
• Family or carer’s responsibilities
• Pregnancy
• Gender Identity

Note also that some States have different protected attributes including religion and political opinion.

What of these are subject to additional protections/requirements under local data protection law? How does this interact with discrimination law and where do they overlap?

The Privacy Act 1988 (Cth) (Privacy Act) defines ‘personal information’ as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.1

There are a number of different types of information which are subject to a higher level of protection under the Privacy Act:
• ‘sensitive information’, which includes personal information in the following categories:
– information or opinion about an individual’s racial or ethnic origin, political opinion or associations, religious or philosophical beliefs, trade union membership or associations, sexual orientation or practices, or criminal record (provided the information or opinion otherwise meets the definition of personal information); and
– health or genetic information;
• credit information;
• employee record information (subject to exemptions); and
• tax file number information.

As can be seen from the categories above, sensitive information includes information about most of the characteristics which are protected from discrimination, including race, colour, sexual orientation, physical or mental disability, religion, political opinion and national extraction or social origin.
1 We note that Australian data protection laws are currently undergoing a period of significant change (which will affect many of the obligations in the Privacy Act set out in this table). In late 2021, the Commonwealth Attorney-General released an extensive discussion paper proposing significant reforms to the Privacy Act (expected to be introduced later in 2022 or early 2023) (Discussion Paper), as well as an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (OP Bill) (expected to be introduced to parliament in early 2022). One of the changes proposed in the Discussion Paper is an expansion of the definition of ‘personal information’ to include information that ‘relates to an identified individual’ as opposed to just ‘about an individual’.

Is there a general legal requirement to carry out EDI monitoring?

No. There is no general requirement to carry out EDI monitoring.

Is there any specific EDI data that employers are legally required to process, e.g. to carry out EDI monitoring (such as gender pay gap reporting)?

Yes, there are specific domestic laws governing EDI in Australia:
• Employers with more than 100 employees are required to report annually on gender diversity in the workplace under the Workplace Gender Equality Act 2012 (Cth). Specifically, an employer must prepare a written public report containing information relating to the employer and to gender equality indicators including:
– gender composition of the workforce;
– gender composition of its governing body;
– equal remuneration between women and men;
– availability and utility of employment terms, conditions and practices relating to flexible working arrangements for employees and to working arrangements supporting family or caring responsibilities; and
– consultation with employees on issues concerning gender equality in the workplace.
• Employers with 500 or more employees are required to have a policy or strategy in place that specifically supports gender equality, to comply with the additional compliance requirements set out in the Workplace Gender Equality (Minimum Standards) Instrument 2014 (Cth).

Can employers actively promote diversity in the workplace?

Yes. There is no positive requirement for employers to do so; however, employers are obligated to prevent discriminatory practices in the workplace. Employers with 500 or more employees must also have a formal policy or strategy in place for at least one of the Minimum Standards to comply with the Workplace Gender Equality (Minimum Standards) Instrument 2014 (Cth) in categories such as:
• workforce composition;
• gender pay gaps;
• support for carers; or
• sex-based harassment.

Does data protection law have specific provisions either permitting or prohibiting the processing of personal data for equal opportunities & diversity monitoring?

Yes. Broadly, the Privacy Act requires that personal information be managed in accordance with the Australian Privacy Principles (APPs). Further information on the basic requirements for handling personal information in accordance with the APPs is set out in the questions below.

There is an exemption in relation to the disclosure and use requirements in the APPs for “employee records” that are directly related to a current or former employment relationship; however, this exemption may not apply to an employer’s diversity monitoring initiatives as any such initiatives may not be sufficiently related to the current or former employment relationship. In addition, the employee records exemption is only available to the employing entity and not to related bodies corporate of the employing entity, noting that employee databases and EDI monitoring often involve more than one company in a group. Further, the employee record exemption does not apply to contractors, who are often included in EDI studies.
Additionally, where the employee records exemption does not apply, personal information collected as part of an EDI monitoring initiative which falls within the sensitive information category identified in question 2 above is subject to higher levels of protection than other personal information under the Privacy Act, including:
• a requirement to obtain employee consent to collect such sensitive information, unless an exception applies; and
• if such sensitive information is used for a secondary purpose from the primary purpose for which it was collected, a requirement that such secondary purpose be directly related to that primary purpose.

Where employers are required to, or not prohibited from, processing EDI data: Do we have to collect and process EDI data in anonymised form?

No, but this is recommended. The Privacy Act does not apply to information which is sufficiently de-identified. Guidance from the Office of the Australian Information Commissioner (OAIC) indicates that this requires that there be no reasonable likelihood of re-identification occurring, for example by removing information used to re-identify an individual or through use of controls/safeguards to prevent re-identification.

If the information is not sufficiently de-identified and the employee records exemption does not apply, entities subject to the Privacy Act (APP entities) are also required to comply with the APPs. This includes APP 2 which requires that individuals have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter unless an exception applies, for example where it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym. Given that EDI data is often collated and de-identified, such an exception may be difficult to argue, depending on the circumstances.
What are the key employment risks to consider?

• Employees cannot be treated less favourably as a result of a specific personal characteristic or attribute. There is an inherent risk that, once EDI data has been collected and if it is not anonymised, it could be used to engage in behaviour that would amount to unlawful discrimination.
• The collection of raw EDI data (i.e. not anonymised) will trigger the Privacy Act requirement in respect of collection, being the requirement that a collection notice be provided before or, if that is not practicable, as soon as practicable after an employer collects what would be considered personal information under the Privacy Act about an individual.
• An employee records exemption applies to the use and disclosure of personal information, but only once it has been collected and where the relevant personal information is directly related to a current or former employment relationship and employee record. The exemption will only apply to the employing entity so does not provide effective protection for company groups.

What are the key data protection compliance requirements under data protection law?

Among other obligations, employers are subject to the following key obligations in relation to personal information which is not de-identified or subject to the employee records exemption:
• APP entities that are ‘organisations’ may only collect personal information that is reasonably necessary for one or more of their functions or activities, while APP entities that are ‘agencies’ may only collect personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities. Employers do not need consent from employees to collect the same, unless the information is sensitive;
• at the time of collection, employers need to take reasonable steps to provide the employee with a collection notice which includes the various matters set out in APP 5.2;
• personal information collected for a particular purpose must not be used or disclosed for a secondary purpose unless the individual to whom the information relates has consented to such use or disclosure or another exception applies;
• employers disclosing personal information to overseas recipients must take reasonable steps t