Gender Pay Gap Reporting Guidance (2026) — recording sex + the GRC-holder data firewall
GEO/WEU statutory guidance on gender-pay-gap reporting. Post-FWS, GPG figures are recorded on biological sex; a GRC holder is recorded by BIRTH sex for…
Authority catalogue v1.12.27 data current as of
- Citation
- GEO/WEU gender pay gap reporting guidance, 2026 edition. PDF + exact paragraph anchors TO ACQUIRE from gov.uk — see _provenance.
- Jurisdiction
- England, Wales & Scotland
- Year
- 2026
- Status
- Authoritative
- Certainty
- Current
In brief
GEO/WEU statutory guidance on gender-pay-gap reporting. Post-FWS, GPG figures are recorded on biological sex; a GRC holder is recorded by BIRTH sex for the GPG calculation. Because this can OUT a stealth GRC holder, the guidance relies on GRA 2004 s.22's 'required by law' / non-identifying exceptions and prescribes mitigations: process to the LEAST extent necessary; a single named person with confidential access; anonymise the published output; do NOT single anyone out; do NOT demand documents/evidence of sex; apply the SAME process to all employees. THE DECISIVE TOOLKIT POINT — a purpose-limitation firewall: this birth-sex data is ring-fenced to the GPG reporting purpose and MUST NOT be reused as evidence to exclude a person from a single-sex service or facility, or for any other operational HR decision (UK GDPR Art 5(1)(b) purpose limitation). The lawful posture is 'do it, then ring-fence it' — an employer in scope cannot opt out of GPG reporting, but must firewall the data. A concrete worked instance of the OEO Equality Impact Assessment (EQIA-003) involuntary-disclosure finding.
Key provisions
- recording-employees-sex — Recording employees' sex — biological-sex basis; GRC holders by birth sex: Step 1 'Recording employees' sex': GPG figures are based on biological sex (post-FWS). A GRC holder is recorded by birth sex for the GPG calculation, not acquired gender. This is a legally-mandated internal processing of special-category data that can out a stealth GRC holder.
- gra-s22-reliance-and-mitigations — GRA s.22 reliance + the mandatory mitigations: The processing relies on GRA 2004 s.22's 'required by law' / non-identifying exceptions. The guidance prescribes mitigations: process to the least extent necessary; a single named person with confidential access; anonymise the published figures (watch small-headcount re-identification); do not single anyone out; do not demand documents; apply the same process to everyone.
- purpose-limitation-firewall — KEY — the purpose-limitation firewall (never repurpose GPG birth-sex data): The birth-sex data recorded for GPG reporting is ring-fenced to the GPG purpose (UK GDPR Art 5(1)(b)). It must NOT be reused as evidence to exclude a person from a single-sex service/facility, nor for any other operational decision. Keep it separate from operational HR fields, storage-limited, not queryable.
When relevant
Employer in scope of GPG reporting (250+ employees) handling GRC-holder sex data; any DPIA / EqIA touching gender or sex data fields; Quinn questions on recording sex, GRC confidentiality, or whether HR sex data can inform single-sex-service decisions.
Take this further
Assess your organisation
See how your policies and practice measure up against this authority — and the other 121 in the catalogue — with the toolkit's free diagnostic.
Related authorities
Browse the full authority catalogue or the toolkit's resources hub for more context.
Contains public sector information licensed under the Open Government Licence v3.0 .