Fair Work Action Plan 2022 and Anti-Racist Employment Strategy 2022: data protection impact assessment

4. Assessment of Refreshed Fair Work Action Plan

Headline action 1: We will lead by example on the Fair Work Agenda, including sharing and learning of practice, by 2025. We will continue to embed Fair Work in all public sector organisations, setting out clear priorities in the roles and responsibilities of public bodies.

Under Action 1, the use of data is likely to involve undertaking equal pay audits, analysing existing pay gaps, and disseminating data related to Fair Work to help organisations to fulfil commitments such as the Public Sector Equality Duty, or to encourage others to adopt Fair Work measures voluntarily.

For this, it is expected that processing of personal data will be undertaken. Action 1.1 discusses the undertaking of an equal pay audit examining pay of employees for the specific purposes of pay gap reporting and informing Fair Work policy and practice. In addition, Action 1.5 details aims to disseminate and share findings from this and other data collections to inform stakeholders about the labour market and Fair Work. The type of data processed will include data on employee protected characteristics, pay and other sensitive data. Employees are considered vulnerable data subjects by the ICO. due to the possibility of a power imbalance meaning they cannot easily consent or object to the processing of their data by an employer. Data originating from 'vulnerable individuals' is considered personal and highly sensitive.

It is also important to note that under Article 9 of the GDPR, processing of special category data is prohibited except in some circumstances. 'Special category' contains categories such as ethnicity and trade union membership. When processed, such data may create significant risks to employees' fundamental rights and freedoms, for example, resulting in unlawful discrimination. However, it should be noted that the risk is primarily in situations where GDPR and/or appropriate protocol is not followed. The GDPR is designed to protect individuals. The GDPR does not fully prevent the collection of this data, and exceptions can be made, for example, when the data subject has given explicit consent to the processing of this data for a specified purpose. It is important that organisations consider the GDPR requirements that must be addressed before starting such collection.

While data will be published, it is expected that this will not be personally disclosive, however more detail is required to understand safeguards and measures that will be put in place to ensure suitable levels of data security and privacy are maintained by public sector organisations and businesses. Qualitative insights into the workforce can be gathered through staff networks and focus groups, in line with GDPR requirements, where quantitative data reporting is not possible due to privacy concerns.

In addition, the ability of small organisations to collect and publish usable data in relation to the ethnicity pay gap without experiencing GDPR conflicts may delay the public sector in reaching their vision for 2025. This concern around usable data has already been seen by smaller public sector bodies in reporting information on occupational segregation by race and disability, where the desire to produce and report usable data has been complicated by the need to anonymise data in tables and reports. During consultation, stakeholders expressed particular concerns regarding the anonymity of pay gap data when sharing intersectional analysis for groups with more than one protected characteristic, such as racialised minority women.

The provisional DPIA score for this headline action is neutral.

Headline action 2: We will continue to use conditionality to further embed Fair Work in all public sector investment wherever possible.

It is expected that the main use of data under headline action 2 will be to aid the decision making behind forms of financial support from the Scottish Government to organisations. This will consider how organisations comply with Fair Work such as the real Living Wage and providing channels for effective voice.

In regard to the type of data that will be processed, it is unlikely that the Scottish Government will require direct access to and use of quantitative data related to protected characteristics such as ethnicity, disability, religion and gender, and other sensitive data including earnings, hours and trade union membership to fulfil actions 2.1.1 and 2.2. While there are indirect impacts of employers themselves collecting and using this data in reporting to the Scottish Government, this action itself does not involve the processing of personal data.

Qualitative data will also potentially be collected such as case studies, staff testimonies, exit interviews and staff surveys. As noted under the assessment of headline action 1, data involving employees and protected groups is classed as sensitive and personal, with some groups being regarded as 'vulnerable data subjects'. More detail is required from the Scottish Government about how safeguards and measures will be put in place to ensure data privacy and security are maintained by employers when looking to meet criteria set by the Scottish Government.

Key risks involve obtaining appropriate consent for the collection, analysis and dissemination of potentially sensitive data, particularly in the case of data relating to vulnerable data subjects. In addition, care must be taken in processing and sharing potentially sensitive data on a large scale.

The provisional DPIA score for this headline action is neutral.

Headline action 3: We will support employers to utilise the resources and support available to embed Fair Work in their organisations. We will work collaboratively to develop these resources to support and build capability among employers, employability providers and partners.

Under headline action 3, it is likely that the main use of data will be to help organisations to embed Fair Work within their operations. This could involve disseminating knowledge and data related to pay, trade union membership, and protected characteristics within the workplace. However, most of this will be qualitative in nature and is unlikely to identify individuals as it is not expected that data will be attributed to specific organisations.

Where personal data will be collected, used, and disseminated in order to implement this action then privacy concerns should be taken into account throughout. For the purposes of actions involving measures such as pay gap reporting and informing Fair Work policy and practice, data used will mainly be related to employees who are classed as vulnerable data subjects by the ICO and therefore, this data is regarded as highly sensitive.

In regard to risks, personal data regarding ethnicity and trade union membership is classified as a special category of personal data under Article 9 of the GDPR. When processed in situations where GDPR and/or appropriate protocol is not followed, such data may create significant risks to employees' fundamental rights and freedoms, for example, resulting in unlawful discrimination. The GDPR is designed to protect individuals. The GDPR does not fully prevent the collection of data, however, it is important that organisations consider the GDPR requirements that must be addressed before starting such collection. Please refer to headline action 1 for more detail.

More general impacts and risks are expected to align with the assessment under headline actions 1 and 2.

Where improved practices in relation to workplace data collection and usage include improved awareness of personal and sensitive data best practice, this should bring positive impacts for data protection in organisations.

The provisional DPIA score for this headline action is neutral.

Headline action 4: We will work collaboratively to develop resources to support workers to access, remain and progress in fair work.

The main use of data under headline action 4 is expected to involve the use of personal data, particularly in relation to disabled people but also people from racialised minorities, women and people aged over 50. The purpose of this is to increase the number of workers accessing, remaining in, and progressing in Fair Work.

As discussed in the assessment under headline actions 1, 2, and 3, several actions here will involve the Scottish Government and private, public, and third sector organisations collecting, analysing and disseminating data regarding personal data. As discussed, data regarding 'vulnerable data subjects' and 'special categories' are likely to be involved in this which presents some risks if not handled in a careful and compliant way.

In particular, action 4.4.1 involves handling personal data regarding disability to improve labour market participation and achievement rates for disabled people. This, like data regarding other protected characteristics, presents a risk associated with the appropriate handling of the collection, analysis, and dissemination, and processing and sharing on a large scale. More detail is required from the Scottish Government to understand how measures will be implemented to ensure appropriate permission is obtained for the use and disclosure of any personal data associated with this action.

More general impacts and risks are expected to align with the assessment under headline actions 1, 2, and 3.

The provisional DPIA score for this headline action is minor negative.