All employers must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), collectively the Data Protection Legislation.
This applies to all personal data and special category data that you collect, process, store, retrieve, use, analyse, publish, disclose, disseminate or otherwise make available, combine with other information, erase, destroy and/or transfer for the purpose of monitoring the makeup of your workforce.
Personal data is any information relating to a living individual who can be identified from that data, or from that data in conjunction with other readily available information (a Data Subject) by reference to name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special category data is any information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a Data Subject, data concerning health, and data concerning a Data Subject’s sex life or sexual orientation.
A link to Pact’s pan-industry guidelines on data protection and security is in the useful links below. They are designed to provide practical advice to assist in protecting the data of individuals and in turn protecting production companies from civil and/or criminal sanctions and reputational damage as the result of an unauthorised disclosure of personal or special category data. It is important that all staff read these guidelines and that the necessary practical support and information is provided.
Employers need a legal basis for processing personal data and an additional legal basis when processing special category data. The most relevant legal bases for processing personal data and special category data for the purpose of an employer’s diversity and equality monitoring are:
- It is necessary for the performance of a contract to which the Data Subject is a party (for example, the staff member’s contract of employment); and
- It is necessary for the purposes of carrying out the obligations and exercising specific rights of the employer in the field of employment law.
ICO Requirement: Data Controllers
An employer is statutorily required to register with the Information Commissioner’s Office (ICO) and provide certain information to the Information Commissioner (in accordance with the Data Protection (Charges and Information) Regulations 2018) when it acts as data controller, either alone or jointly with others, and determines the purposes and means of processing personal data and special category data. An annual charge is applicable. See useful links for the ICO guidelines.
Safe Storage & Best Practice
Employers must comply with the Data Protection Legislation and the data protection principles it contains when storing personal data and special category data. Please see the pan-industry guidance (link below) for recommended practices on the security of personal data and special category data. If employers have any concerns about the data protection issues surrounding diversity monitoring, they should speak to their company’s data protection officer, or contact Pact or their commissioning broadcaster.