EHRC legal guidance on using databases

Databases with details of an individual’s personal characteristics, such as race or gender, would be really useful in helping us promote diversity but I’ve been told that holding and sharing this information would breach the Data Protection Act.

It is lawful to invite people to apply to be on a list or database which records individuals’ personal characteristics, from which you draw employees, freelancers or on-screen talent.

It’s also lawful for an employer to collate a database specifically for people who share protected characteristics – for example a database for ethnic minority production freelancers – provided that it is not used as the only method of selecting employees or candidates, unless there is an occupational requirement to do so.

Compiling, maintaining and using such a list or database is lawful provided that the requirements of the Data Protection Act 1998 (DPA) and Gender Recognition Act 2004 (GRA) are met.

The storage or processing of any data that enables a living person to be identified (‘personal data’) is regulated by the DPA. This includes holding their details on a computer or within a filing system. Your organisation will need to be registered as a data controller with the Information Commissioner’s Office (ICO).

‘Sensitive personal data’, which includes the protected characteristics under the Equality Act 2010 (apart from gender and age), can only be processed (obtained, recorded, held or transmitted) in restricted circumstances.

These include:

  • where the individual about whom the sensitive personal data is recorded has given explicit consent to the processing
  • where the individual has previously made their sensitive personal data public or given consent to it appearing in the public domain.

In practice, the most effective way to comply with the DPA is to notify individuals that a database is being compiled, explain the purposes for which it is to be used, and invite them to provide information by completing a form. You should obtain their explicit signed consent to their sensitive personal data being used for the purpose you tell them. You should not use the data for other purposes and you should ensure you keep it up to date.

Great care must be taken with data relating to gender reassignment as it is a criminal offence to disclose data – even between individuals in the same organisation – that would identify an individual as holding or applying for a full or interim Gender Recognition Certificate, or would identify their prior gender, without their express consent.

Data protection also has to be considered when collecting data that will be used for positive action and diversity monitoring (see below). The ICO has guidance on data protection.