SRA diversity reporting 2023: Time to take action

20 Jun 2023

The time has come again for all SRA-regulated firms to collate and submit their diversity data as part of the SRA reporting process.

SRA’s diversity reporting requirements

Firms will need to ask their staff to provide their diversity characteristics such as ethnicity, age, gender identity and educational background. This process is part of the SRA’s bi-annual collection of data from the firms it regulates. This data then feeds into an analysis and report by the SRA on diversity in the legal profession, and also the SRA’s law firm diversity tool (accessible here) which allows users to see the representation of various groups within partner, solicitor and other staff roles in law firms.

Firms will need to move quickly: the window for submitting the data to the SRA is opens shortly on 26 June 2023 and will close four weeks later on 23 July 2023.

What do firms need to do?

SRA-regulated firms need to submit their data to the SRA and in many cases will also need to publish it on their website.

Given the time-consuming nature of the process, and the many pitfalls which firms may encounter, it is important that all SRA-regulated firms take action as soon as possible.

Failure to provide the necessary data to the SRA before the deadline could lead to enforcement action and potentially sanctions such as a rebuke or a fine.

What has changed since 2021?

The format of the SRA’s template questionnaire is similar to that used in the last reporting round in 2021. There has been a change to the solicitor partner category this year, in that SRA-regulated firms will need to report separately for full equity solicitor partners and salaried or partial equity solicitor partners. There has also been a slight change to the question on parental occupation to align with Social Mobility Commission guidance.

Collecting the data

There are a number of points to consider when collecting the data for your firm:

The collection and compilation of the data can be outsourced, but firms should note that this also raises its own GDPR and regulatory issues.

GDPR: The collection of diversity information will involve the processing of additional employee personal data, including “special category” (i.e. sensitive) personal data such as ethnicity and disability characteristics. As a result, there are a number of compliance issues that need to be addressed to ensure the data can be processed lawfully. We have summarised these below:
- Lawful basis – firms should decide on the lawful basis upon which they will carry out the processing. Legitimate interests or compliance with a legal obligation could be relevant. If relying on legitimate interests, a “legitimate interests assessment” should be carried out. Generally, there are issues with relying on consent in an employment context and this should be avoided to the extent possible.
- Art. 9 GDPR condition – as special category data will be processed, an Article 9 condition needs to be in place. Depending on the condition relied upon, it may be necessary to put in place an “appropriate policy document” under the Data Protection Act 2018.
- Data Protection Impact Assessment (DPIA) – as the processing will likely involve collecting large amounts of special category data, firms should carry out a DPIA. This involves identifying the risks involved with the processing and the safeguards that can be put in place to mitigate those risks.
- Transparency – staff privacy notices should be updated to include details of the purposes of the processing and lawful basis upon which it is based, as well the fact that data may be disclosed to the SRA, if this is not already in place.
- Security – firms should put in place controls to ensure that only members of staff who need to access it are granted are given access.
- Deletion protocol – firms should update their data deletion policy to account for this new collection of data.
- “Anonymisation” – firms should not assume that just because no directly identifiable information (such as names and email addresses) are included in responses that this makes them “anonymous”. Care should therefore be taken if publishing results to make sure these cannot be used to identify specific employees.
Identifying whose data should be collected: Firms should take care to ensure that they request all employees to complete the questionnaire, including those on maternity leave or on sickness absence leave if they are in contact with the firm. Secondees should also be included, but not employees who are usually based outside England & Wales.
Categorising each person’s role: Each member of staff will need to be categorised as one or more of a large number of categories such as solicitors, partners, legal executives, assistants, support staff, trainees and employed barristers. If you feel it would be unclear for those in certain roles, you may wish to clarify which category those job titles will fall into.
Using the data for global diversity surveys: It is increasingly common for global firms to aggregate diversity data across all offices. This will invariably require the transfer of personal data outside of the UK and potentially outside of Europe. It is crucial that the recipient of the data has arrangements in place to comply with the GDPR and the Data Protection Act.

Submitting the data to the SRA

The diversity information, once compiled, should be submitted to the SRA via the portal on its website.

Submitting the data to the SRA is a regulatory requirement under the Code of Conduct for Firms and the SRA may take enforcement action if firms fail to do so by the 23 July 2023 deadline.

Publishing the data

SRA-regulated firms are expected to make their diversity data available to all employees and externally (subject to compliance with data protection legislation). The data may be published on the website, or placed on posters in break rooms, included in internal or external newsletters, bulletins etc.

The SRA expects most firms to publish their diversity data on an anonymised basis, but many firms (or their UK offices of larger firms) will be too small to ensure that the data is truly anonymous. There is no need to make a formal application to the SRA to waive the publishing requirement if a decision is taken not to publish data for this reason, but it is important that the rationale for that decision is adequately recorded.

Next steps

Further information about the process can be found on the SRA’s website at: www.sra.org.uk/diversitydata. Fox Williams can also advise on the process.

Related legal expertise

Related sectors

Professional services

Authors

Follow us online

Register for updates

You can register online or follow us on Twitter or LinkedIn to receive our latest news, events and publications.

Cookie	Type	Duration	Description
__atuvc	third party	1 year	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__atuvs	third party	30 minutes	This cookie is set by Addthis to make sure you see the updated count if you share a page and return to it before our share count cache is updated.
__stripe_mid	third party	1 year
__stripe_sid	third party	30 minutes
_ga	third party	2 years	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
_gat	third party	1 minute	Google Analytics cookies to track users as they navigate the website and help improve the website's usability.
_gid	third party	24 hours	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
cookielawinfo-checkbox-necessary	session	1 year	Records the default button state of the corresponding category. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-non-necessary	session	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Non-Necessary'.
di2	third party	1 year	This cookie is set by addthis.com on sites that allows sharing on social media. The cookie is used to track user behavior anonymously to generate usage trends to improve relevance to their services and advertising.
loc	third party	1 year	This cookie is set by Addthis. This is a geolocation cookie to understand where the users sharing the information are located.
m	third party	2 years
na_id	third party	1 year	This cookie is set by Addthis.com to enable sharing of links on social media platforms like Facebook and Twitter
NID	third party	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
ouid	third party	1 year	The cookie is set by Addthis which enables the content of the website to be shared across different networking and social sharing websites.
uid	third party	1 year	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
um	third party	1 year	Set by addthis.com.(Purpose not known)
uvc	third party	1 year	The cookie is set by addthis.com to determine the usage of Addthis.com service.
vc	third party	1 year	This cookie is set by addthis.com on sites that allow sharing on social media.
viewed_cookie_policy	session	1 year	Is the primary cookie that records the user consent for the usage of the cookies upon accept and reject. It doesn't track any personal data and is set only upon user action (accept/reject).