Context
Businesses are under pressure from a range of internal and external stakeholders to create and maintain genuinely diverse and inclusive workplaces. Consequently, more and more businesses want to collect and track Diversity and Inclusion (“D&I”) data about their staff. This may include information about gender, sexual orientation, race, ethnic origin, religion, socio-economic background, health, and disability. This information may help organizations better understand the current profile of their workforce, assess the impact of their equal opportunities policies, determine what steps they may need to take to address any barriers to change and measure progress against any objectives/targets set.
However, in some countries, collection and tracking of such data is regulated by various laws and it is socially and culturally inappropriate to ask certain questions in this area.
In France, various regulations and case law restrict the collection of such data, including the EU General Data Protection Regulation (“GDPR”). There is a particular sensitivity in relation to origin/race/ethnicity data (as notably stated in a decision from the French Constitutional Council of 15 November 2007 sanctioning the collection of such data in this context).
Draft recommendation
To guide organizations wishing to implement diversity measurement surveys, the CNIL is submitting a recommendation for public consultation until September 13, 2024 (the “Draft Recommendation”).
It notably includes GDPR-specific recommendations that were not in the guide “Measuring to progress towards equal opportunities” that the CNIL had published with the Defender of Rights twelve years ago (the “Guide”).
The recommendation addresses the following issues in relation to diversity surveys.
Type of survey and purpose
Surveys must remain optional.
The legitimate interest of the organization should be the legal basis for the survey.
However, so-called “special categories of data” (as defined by GDPR, e.g.: health status, sexual orientation, religion, race, ethnic origin, etc.) are considered sensitive data and may only be collected with consent. Under GDPR, this consent must be freely given and can be withdrawn at any time.
More generally, the survey should be carried out in the context of an equality program. It should also only be used to take collective measures within the organization (and not to address any individual situation).
Our practical tips: Be clear about why you want to collect D&I data and how it fits into your wider D&I strategy.
Rights of participants
Participants must be properly informed in compliance with the requirements of GDPR and their rights respected.
Workers’ representatives should, and in some cases must, be involved (in compliance with labor law requirements).
Our practical tips: Word the information carefully. Take into account the type of relationship the organization has with the local staff and their representatives.
Confidentiality and anonymity
Surveys should favor anonymity as far as possible and, in any event, should ensure confidentiality.
Surveys should not collect data that allows organizations to identify participants, nor ask questions that, taken together, could allow a participant to be identified indirectly (in this context, the size of the relevant organization plays an important role).
The results of the survey must be anonymized and aggregated.
Robust security measures should be in place. For online surveys, specific technical measures may also have to be put in place.
Using a trusted third party may constitute a valid guarantee, by ensuring that the employer does not have access to the raw data collected.
Our practical tips:
Ensure you have the right software/systems in place to enable you to collect and store the necessary data and that the confidentiality and security of such data can be guaranteed.
Not all app or survey service providers can be considered as a trusted third party. It is recommended that you carefully read the terms and conditions and the privacy policy of any vendor(s).
Be careful about cross-border transfers of data under GDPR.
The data collected should be limited
In particular, as regards race and ethnicity, such data cannot be collected, but it is possible to address the issue by collecting (i) certain types of objective data such as name, place of birth of employees or that of their parents; and (ii) if necessary, subjective data relating to, for example, the feeling of belonging, or how the person considers themselves as perceived by others.
Unfortunately, the Draft Recommendation does not cover other types of sensitive data.
Our practical tips: You must also explore the cultural sensitivities and legal constraints around other special categories of data such as gender, sexual orientation and/or disability. Questions may need to be tweaked/tailored for different jurisdictions, e.g. where it may be inappropriate or unsafe for an individual to be required to disclose certain information. Remember that inappropriately worded questions may cause offence, deter people from answering and/or lead to misleading results. When possible, give staff the option “Prefer not to say” in any questionnaire/survey.
Retention
Data should be anonymized and aggregated, and raw data should be deleted within a reasonable period of time.
Our practical tips: In France, it is not possible to create an actual D&I database of the employees (i.e. the data cannot be retained).
Role of the parties
The employer is a data controller and, where it uses a trusted third party, the latter can be a processor or a joint controller.
Our practical tips: In a group and, depending on the context and content of the survey, the controller could be an affiliate of the employer.
A Data Protection Impact Assessment is strongly recommended.
Our practical tips: A DPIA helps you identify and minimize the data protection risks of a project and involves consideration of issues such as the nature, scope, context and purposes of the processing, compliance and proportionality measures and assessment of risks to individuals. Under the GDPR, businesses must carry out a DPIA where they are processing special category data, which will almost always be the case with a D&I monitoring exercise.
Next steps
The public consultation is open until September 13, 2024. Following this consultation, the CNIL will publish its final recommendation.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.