The Fashion DEI Census Privacy Policy

Subject to Legal Professional Privilege (until in agreed/approved form at which point it can be released as an open document)

Data Privacy Impact Assessment ("DPIA") in relation to Diversity Equity and Inclusion (“DE&I”) monitoring

1. Introduction

 The British Fashion Council (“BFC”), The Outsiders Perspective, Fashion Minority Report (each a “Party”, and collectively the “Parties”) and McKinsey & Co. will be collaborating on a DE&I audit, with the aim of increasing representation across the British fashion industry, and ensuring the British fashion industry represents the diverse communities in the UK (the “Audit”).

As part of the Audit, the Parties intend to carry out a voluntary diversity and inclusion survey (the “Survey”) via the BFC’s website, which individuals and members working across the British fashion industry (“Participants”) will be invited to participate in.

The BFC is carrying out this DPIA in respect of the Audit, and the purpose of this DPIA is to consider the legal framework for this, the potential privacy impact on individuals, and the measures that the Parties will take in order to minimise said impact. 

 

2. Background

 The aims of the Survey are to:

(a) contribute to the Audit by providing a snapshot of the diversity characteristics across all Participants working in the British fashion industry; and

(b) allow the Parties to understand the diversity characteristics of the British fashion industry in order to better inform decisions and the plan of action in respect of the promotion of DE&I across the fashion industry.

The Survey will be carried out using a form developed and implemented by The Fashion Minority Report using an external survey building platform, Typeform. Participants will be sent a link by the Party they are engaged by, which will direct them to the Survey. The Survey will consist of several demographic questions.  The draft Survey questions are set out in Appendix 1.

Users can choose to answer all questions, or only some of them (there will be a ‘prefer not to say’ option. The answers given will be linked to a ‘profile’ (hereafter “Profile Information”). This means that generally the Survey process will be anonymous, save for very rare cases where an individual can be identified by virtue of a very specific set of answers.

The Survey will be entirely voluntary and the Parties will not track who has completed the Survey.

Ultimately, the information held in the Profiles will be used to produce reports on the overall demographics across the British fashion industry (the “Reports”). The Reports are intended to contain aggregated information only, and are not intended to identify any specific individual.

Data sharing between the Parties

The information collected from the Survey will be stored in a Googlesheet operated by Fashion Minority Report, and will then be shared by Fashion Minority Report with the Parties, for the purposes of preparing the Reports. However, as explored further in Section 4 below, in our view the information collected through the Survey should not generally constitute personal data (meaning that overall the GDPR is not applicable to the processing or sharing of such information).

The Parties will act as joint controllers in respect of the Survey and related processing, and will enter into a joint controller agreement to set out their respective obligations.

3. Need for a DPIA

Personal data, as defined in Article 4 of the GDPR, is data which relates to an identifiable individual. Where information is truly anonymous, it will not be personal data and the GDPR will not apply.

The BFC understands that even when information is intended to be anonymous, it can still become identifiable in certain circumstances. Because the Survey information is sensitive in nature, the BFC is carrying out this DPIA to consider the extent to which there is such an identification risk.  This DPIA will also consider the legal framework for processing any personal data – this would be applicable in the event that any of the information was in fact to be deemed to be relate to an identifiable individual.

However, given the purposes of the processing and its voluntary nature we do not believe that any processing is likely to result in a high risk to the rights and freedoms of the individuals who choose to participate. As such, this DPIA is carried out on an elective basis as part of good data privacy practice to record the BFC’s analysis and the measures we are taking to minimise the privacy impact of the project.

4. Will personal data be processed?

Profile Information

Personal data, as defined in Article 4 of the GDPR, is data which relates to an identifiable individual. Where information is truly anonymous, it will not be personal data and the GDPR will not apply.

When the Participants input answers to the Survey, the information will be stored as Profile Information – this will not be linked with their name, email address or other identifiers.

However, the BFC is conscious that Recital 26 of the GDPR is clear that information can still be personal data if it can be attributed to an individual with the use of additional information – see extract below (emphasis added):

“any information concerning an identified or identifiable natural person.  Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.  To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”

The BFC is aware that there is a risk that, where respondents have a relatively unique mix of reported characteristics, it may be possible to guess who they are from the information. The Survey questions which make this particularly likely are those which ask for the Participant’s level of seniority in their business, how long they have been with their company, their area of business, and age.

Whilst this would generally require existing and extensive knowledge of the demographics of the British fashion industry, we believe that this may be possible in some (admittedly very rare) cases.

The likelihood of being able to guess a Member’s identity from the information is lessened further by the facts that:

(1) the Survey will not ask Participants for their location, employer, brand, or designer; and

(2) the Participants will be dispersed across organisations spanning the British fashion industry.

We therefore conclude that the Profile Information collected through the Survey should not generally constitute personal data (meaning that overall the GDPR is not applicable) though it may be in some rare cases.

Reports

The Parties intend to make the Reports available to those working with or alongside the British fashion industry. However, the “raw” Profile Information will not be made available to others, and they instead will only have access to any aggregated data included in the Reports.

In theory, similar contextual  reidentifications risks  to those set  out above could apply in respect of the information in the Reports (i.e. if a Report showed that only one disabled model worked within the industry, it would be quite easy to identify them).  However:

• before any Reports produced from the Survey information are shared more widely, the Parties will review them for any identification risk and consider whether further measures are consequently required to mitigate any risks. These might include using percentages rather than hard numbers (so a report might say “5% of the industry are Black African” rather than “1 member of the production team in Designer X’s show is Black African”), or imposing minimum reporting thresholds (so essentially there would need to be a certain amount of underlying individuals informing any reporting dimension for that dimension to be included in the report at all). These measures will be applied as necessary at the time of Report creation and/or sharing; and
• as noted above, the Survey will not ask Participants for their location, employer, brand, or designer, and the Participants will belong to a range of organisations across the British fashion industry, meaning that the likelihood of reidentification of Participants from the Reports is significantly reduced.

We can therefore conclude that the information in the reports should not generally constitute personal data,  however the checks and processes described above will minimise this risk, and the risk mitigation measures set out in the Data Privacy Analysis section will still be applied.

5. Data Privacy Analysis

As above, the Profile Information is very unlikely to be linked to an identifiable individual Member. However, to the extent that a very small residual risk of identification remains, the privacy analysis would be as follows.

1. Legal Basis

For standard (non-special) personal data BFC’s legal basis would be its ‘legitimate interest’ (Article 6(1)(f) GDPR) in understanding the demographics of the Event with a view to maintaining and promoting diversity and equality.

For special personal data (including that relating to race, sexual orientation, and disability), BFC would rely on Schedule 1(8) Data Protection Act 2018 which allows the processing of certain categories of special data for equal opportunities purposes.

1. Transparency (Articles 13, 14 GDPR)

When the Survey is launched, we will provide further information on the specifics of the Survey process including why we are carrying out the Survey, what information will be captured, how the information will be used, the extent to which individuals may be identifiable, and who Reports may be shared with (the “Survey Information”). The Survey Information will be shown to Participants before they begin the Survey. This will emphasise the voluntary nature of the Survey and will ensure that respondents understand how their answers will be used and shared.

1. Proportionality and Legitimate Interest Assessment

BFC has a clear legitimate purpose for undertaking the Survey; collecting the Profile Information allows the BFC, in collaboration with the Parties, to better understand whether or not we are achieving our goals in terms of diversity and inclusion across the British fashion industry, and helps us to monitor the effectiveness of any relevant DE&I initiatives. For example, we may compare the results of this Survey to similar ones carried out in respect of future events within the fashion industry. 

We believe that the processing of any personal data as part of the Survey process (which would be extremely minimal, were it to occur at all) would be proportionate to this purpose, particularly given the following factors:

• the overall process will be voluntary, and there will be ‘prefer not to say’ options (effectively allowing opt-out on a per question basis not just “all or nothing”);
• there will be very limited access to the underlying Profile Information, and limitations will be placed on how it can be used - i.e. the fact it will be used for DE&I purposes only and not to make decisions about any specific individual; and
• a high level of transparency and disclosure will be put in place, as above.

We believe that, given the above factors, this clear legitimate purpose outweighs any interest that the data subjects might have. This, along with the totality of this DPIA, is BFC’s ‘Legitimate Interest Assessment’ for the purposes of Article 6(1)(f).

1. Retention

We will not keep personal data for longer than is necessary for our purposes. We anticipate that we will store the Survey information for a sufficient period  to give us the flexibility to generate different types of reports as we work out the best way of presenting the information over time. Once we have settled on a reporting format, we will apply a fixed period after which the survey data will be deleted.  

The Reports generated from the data will be retained on an ongoing basis for comparison purposes (i.e. to allow comparisons of how diversity profiles have changed throughout the years). However, as explained above, individuals should generally not be identifiable from such Reports.

1. Data Minimization

To minimize the amount of data processed, only data that is strictly necessary for the specified purposes will be collected. The data will be collected via a form similar to that in Appendix 1. The structured nature of this collection method will allow us to prevent excess or inadvertent data collection.

1. Accuracy

The data is provided by the data subjects themselves. This will help ensure that the information collected is accurate.

1. Data Security

We will strictly limit the number of ‘users’ who can access the system. It is intended that only a very small number of HR and management personnel will have user access, as well as McKinsey & Co., allowing them to generate reports.

In addition to the measures specified in Section 4 above, the following security measures apply to data collected via the Survey:

(a) The data will be stored on Typeform and Googlesheets, with the following access controls implemented in respect of the data: only via granted access to key individuals from each organisation; and

(b) To the extent the Parties are able to view the data, the following access controls are implemented in respect such access: only via granted access to key individuals from each organisation.

1. Data Sharing and Extra EEA Transfers

The Reports produced from the data (though not the Profile Information) will be made available online. As above, we will put measures in place to minizine the possibility that individuals are identifiable from the Reports, so it is not expected that any Reports shared will contain personal data.

 

6. Conclusion

In conclusion, to the extent that personal data is processed, the Parties will have a legal basis for doing so, and will have provided sufficient information to individuals via the Survey Information. The processing would also be proportionate given the protections being put in place, and the voluntary nature of the Survey process.