Fair Work Action Plan 2022 and Anti-Racist Employment Strategy 2022: data protection impact assessment

6. Conclusions

To conclude, this DPIA has identified potential data protection risks of the RAP and ARES based on the ICO guidance and information provided by the Scottish Government.

A number of measures within both the RAP and ARES will involve the processing of personal data and it is expected that this data will be collected, analysed, and disseminated regarding employees for the purposes of informing Fair Work policy and practice. The type of data processed will include data on employee protected characteristics, pay and other sensitive data. The ICO regards employees as 'vulnerable individuals' due to potential power imbalances meaning "they cannot easily consent or object to the processing of their data by an employer". In addition, special category data will also be handled. Article 9 of the GDPR regards ethnicity and trade union membership as 'special category'. Data originating from 'vulnerable individuals' or 'special categories' is considered personal and highly sensitive.

Quantitative data metrics including protected characteristics such as ethnicity, disability, religion and gender, and other sensitive data including earnings, hours and trade union membership will be used. Qualitative data will also potentially be collected such as case studies, staff testimonies, exit interviews, and staff surveys.

Key risks identified through this DPIA include: risks associated with the appropriate handling of the collection, analysis, dissemination and storage of potentially sensitive data; risks associated with obtaining appropriate consent for the collection, analysis and dissemination of potentially sensitive data, particularly in the case of data relating to vulnerable data subjects; and processing and sharing potentially sensitive data on a large scale.

However, it is clear that none of the requests from the Scottish Government are asking employers to carry out any actions which themselves breach GDPR. The risks exist where organisations do not have the knowledge or capacity to adhere to GDPR principles in carrying out the actions.

This DPIA concludes that there could potentially be a minor negative data protection impact arising from both the RAP and ARES due to possible detractions from the protection of data, but not significantly. To prevent this, the Scottish Government is encouraged to provide more detail to understand how measures will be implemented to ensure appropriate permission is obtained for the use and disclosure of any personal data associated with the RAP and ARES.