How financial institutions must handle diversity and inclusion reporting data

Guidance and next steps on FCA/PRA data reporting requirements.

The recent consultations published by the FCA (CP23-20: Diversity and inclusion in the financial sector – working together to drive change) and Prudential Regulation Authority (PRA) (CP18/23: Diversity and inclusion in PRA-regulated firms) mark progressive proposals for financial institutions in the UK.

The FCA’s 130-page consultation notes one of its current goals is to accelerate the pace of change on diversity and inclusion in the industry. It sees greater diversity and more inclusion as a way to improve the outcomes for consumers and markets by reducing groupthink, supporting healthy work cultures, unlocking diverse talent and improving understanding of and provision for diverse consumer needs. T

he PRA similarly considers that demographic diversity is likely to bring about different perspectives and attitudes to help solve problems and improve decision-making.

The consultation papers include a range of proposals which, in the FCA’s case, includes proposals to better integrate non-financial misconduct considerations into staff fitness and propriety assessments, Conduct Rules and the suitability criteria for firms to operate in the financial sector, and new obligations on large firms to comply with various data reporting requirements. It is these data reporting requirements, mirrored in the PRA consultation, which we will touch on.

Proposed reporting obligations

The first consideration with these proposed obligations is the suggested scope. It is proposed that the reporting obligations only apply to large firms – defined as firms with 251 or more UK-based employees. For the FCA, they have also carved out Limited Scope SM&CR firms, as financial service activities offered by those firms are usually an ancillary part of their business (eg dental practices offering third party finance options).

Large firms would be required to:

  • annually collect and report to the regulators numerical data across a range of demographic characteristics, inclusion metrics and targets via a regulatory return;
  • during the first year the requirements are in place, report such data as is reasonably practicable and explain the reasons for any gaps and how they will be closed; and
  • report data to the FCA and PRA using a single data return (referred to as REPxxx Diversity and Inclusion for indicative purposes at this stage) on the RegData platform.

The regulators have proposed two categories of data: mandatory demographic characteristics and voluntary demographic characteristics:

Mandatory demographic characteristics

  • Age.
  • Ethnicity.
  • Sex or Gender (firms would be required to report on either Sex or Gender. Firms may choose to report on both Sex and Gender on a voluntary basis).
  • Religion.
  • Disability or long-term health condition(s).
  • Sexual orientation.

Voluntary demographic characteristics

  • Sex and Gender (firms would be required to report on either Sex or Gender. Firms may choose to report on both Sex and Gender on a voluntary basis).
  • Parental responsibilities.
  • Gender identity.
  • Carer responsibilities.
  • Socio-economic background.

The intention is that all firms will be required to provide the mandatory data and then, over time, the regulators may increase the scope and move some characteristics from the voluntary to mandatory category.

Impact on regulated firms

The mandatory reporting characteristics are broad, and go beyond the categories of data that large employers currently report on, for example under gender pay gap reporting legislation.   

Large financial institutions will, potentially for years, have been recording and processing demographic data on their employees. However, smaller financial institutions (which employ hundreds rather than thousands of employees) are unlikely to have invested in sophisticated data capturing policies with their workforce. Additionally they may have wanted to avoid broaching the significant challenges that can come with collecting such data.

The consultation acknowledges that building such datasets will not be an overnight process: “We recognise that employees may not want to disclose certain personal information as part of an employer’s data collection, even if this will be kept confidential and used only as part of aggregated datasets. We appreciate that, as a consequence of this, datasets may be incomplete, especially if firms have not previously collected substantive D&I data and first need to build trust within their organisation.”

The regulators have alluded to them here, but what are the challenges businesses could face in implementing an extensive data capture process?

Practical and legal challenges

The obstacles are mostly dependent on whether an organisation has any precedent in collating employee data. The most immediate barrier will be gaining the trust of the workforce to provide their information. The mandatory categories include data which could be considered benign, such as age, but also that which is almost certainly deeply personal, such as religion and sexual orientation. Some employees may be naturally resistant to disclosing such information to their employer.

Beyond the difficult-to-navigate emotional journey employers will need to take with their employees in providing this data, there are also significant legal concerns. One is for employers to ensure that any diversity and inclusion monitoring is carried out in a way that complies with relevant data protection laws.

In particular, this will inevitably involve processing “special category personal data” for example personal data revealing racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union memberships, biometric data for the purposes of uniquely identifying a person, data concerning health or data concerning a person’s sex life or sexual orientation. These datasets have to be treated with additional care given the increased potential impact on an individual’s fundamental rights and freedoms and risk of discrimination.

Employers must identify a condition set out in Article 9 of the UK GDPR in order to lawfully process special category personal data.

As a result, in addition to the rules applicable to all personal data, such as identifying a lawful basis and notifying employees about how and why their personal data is processed, employers must identify a condition set out in Article 9 of the UK GDPR in order to lawfully process special category personal data. If that chosen Article 9 condition requires authorisation by law or a basis in law (and half of them do), the Data Protection Act 2018, which supplements and tailors the UK GDPR, states you must also meet one of the further conditions set out in Schedule 1.

Often “quality of opportunity or treatment” is the Schedule 1 condition used in the context of diversity and inclusion monitoring but this will depend on the exact circumstances. Requirement for a Data Protection Impact Assessment (DPIA) will also be triggered where this data is collected on a large scale.

The consultations have noted that they have explicitly avoided matching the categories to the protected characteristics set out in the Equality Act 2010. They consider their proposed categories to provide a comprehensive and long-term view of the representation and progression of employees in the financial services sector. The challenge for employers will therefore be ensuring that they abide by their legal obligations while navigating terminology which does not immediately align with the statutory wording under the Equality Act.

Guidance for collecting data

The consultations acknowledge some of the challenges a business may face in collating this data. They direct readers to industry-specific guidance, however there are some general steps that can be taken to aid in the smooth and meaningful collating of data (which closely aligns with key data protection principles under the UK GDPR).

Ensuring that participation in the survey is genuinely voluntary and that applicants have a “prefer not to respond” type option for each individual question is important. The latter is actually a requirement put forward by the consultations, and while the consultation does go some way to providing practical guidance it will very much be for each regulated business to navigate this difficult area themselves. This is linked to the wider need to ensure that communications with employees (via the privacy notice, within the survey itself and otherwise for example intranet communications) is clear on the circumstances surrounding the survey and anticipates concerns and questions employees might have.

Employers should implement protocols and technical measures to protect the data.

Employees will certainly be more comfortable with diversity and inclusion monitoring where only datasets necessary for these purposes are collected and stored in an appropriate form. In this regard, employers should consider excluding any open text fields which risk unnecessary data collection and whether the data can be aggregated or pseudonymised. Furthermore, keeping the data secure is essential. Employers should implement protocols and technical measures to protect the data (for example, encryption of the data at rest and in transit, access permissions on a strictly need to know basis and detailed logging of access / actions).

Beyond data protection considerations, the consultations set out further requirements for large firms on diversity and inclusion strategies and target setting. These proposed obligations are naturally linked with data capture, as a firm will be hard-pressed to identify, track and meet diversity targets without proper and effective data. Being able to obtain diversity and inclusion data holistically and legally is therefore going to be an instrumental part of an affected regulated entity’s operations.

Next steps

The consultation closes on December 18, 2023.  If the proposals go through unamended, they would not be implemented until 12 months following the publication of the relevant Policy Statement. Businesses should, therefore. have a workable amount of time to prepare themselves for any mandatory obligations. However, there are a lot of actions a business can (and should) take now to begin setting the groundwork for collecting this data.

Abigail Cannon and Mark Linnane are solicitors in the Employment, Pensions, Immigration, and Compliance (EPIC) team; and Alex Beresford is an associate in the Data Privacy & Protection team, Fieldfisher.