UK Model Diversity Survey:
Data Sharing Addendum
Each party below is a separate and independent data controller in respect of personal data processed in the context of the UK MDS:
InterLaw Diversity Forum Ltd, a company incorporated in England and Wales and operating as a not-for-profit, having its principal place of business at 7 Bell Yard, London, WC2A 2JR, United Kingdom (“IDF”).
(To the extent that the Client Signatory has made a determination that it processes personal data only) Client Signatories.
Law Firm Participants.
The overall purpose of the processing is for identifying or keeping under review the existence or absence of equality of opportunity or treatment of diverse individuals in the legal profession with a view to tracking and enabling equality to be promoted or maintained.
IDF will carry out a Model Diversity Survey - a supplier DEI questionnaire that Client Signatories can ask their panel firms/legal service providers to fill out – to enable measuring of diversity, equity and inclusion data across law firms (the “UK MDS”).
The UK MDS will assist Client Signatories in providing greater transparency around diversity, inclusion, and culture in their panel law firm/legal service providers.
The UK MDS will also assist Law Firm Participants in providing uniform, thorough, and accurate information to their Client Signatories and will streamline DEI data collection (“Agreed Purpose”).
The Parties agree only to share personal data for the Agreed Purpose and in particular that no personal data will be used for the purposes of measures or decisions with respect to any particular data subject.
Which other organisations will be involved in the data sharing?
The parties set out above.
In addition, data may be accessed by the Law School Admission Council, Inc. (“LSAC”), a Delaware not-for-profit corporation, which is a data processor of IDF and is responsible for the maintenance and support of the UK MDS.
What data items are we going to share (including any special category data or sensitive data)?
Data shared by Law Firm Participants with IDF:
The personal data that Law Firm Participants share with IDF comprises:
Names, pronouns, email address and job title of the Law Firm Participant’s contact, and the name of the CEO/Managing Partner.
Number of individuals who fall into particular diversity categories.
Demographic profiles for lawyers in leadership positions.
Demographic profiles of the highest and lowest earning partners.
Demographic profiles of those holding the top 30 key client partnerships.
Special category data, such as racial or ethnic origin, disability information and sexual orientation.
The UK MDS does not allow the provision of names (other than the contact point and CEO/Managing Partner) and no financial figures are given in the UK MDS. Additionally, the UK MDS is a voluntary survey and data subjects at Law Firm Participants can always decline to answer. Law Firm Participants may choose not to report on an individual, either by assigning them a value of “0” or by counting them under “X not disclosed to firm”, as appropriate.
Data shared by Client Signatories with IDF:
The personal data that Client Signatories share with IDF is:
Names, email address and login credentials (username and password) for the purposes of using the system and services.
Data shared by IDF with Client Signatories:
IDF will use Law Firm Participants’ responses on a confidential basis to generate graphical ‘Dashboards’ for Client Signatories. Client Signatories will receive Law Firm Participants’ names, CEO/Managing Partner names, and the name and email of the Law Firm Participant's UK MDS contact. All response information will be aggregated and released in a statistical or summary form. Only anonymous numerical diversity data is input into the UK MDS and IDF will not share any raw numerical data with Client Signatories. Instead, IDF will show percentages (rather than the actual numbers) of lawyers that fall into an applicable diversity category. Further, even in this context of percentages, Client Signatories will never be told the total baseline numbers for any group which might enable dissection of such percentages. Consequently, as no baseline Law Firm Participant data is shared directly with Client Signatories, data cannot be reverse engineered to identify the raw material input into the UK MDS. Therefore it is not anticipated that Client Signatories will have access to nor process any personal data.
Data shared by IDF with Law Firm Participants:
The raw data provided in the UK MDS will not be accessible by other Law Firm Participants. No Law Firm Participant has any access to the platform dashboard, the reports it generates, or any other Law Firm Participants’ data in any form. Accordingly, Law Firm Participants shall not have access to any personal data provided by any other Law Firm.
What is our lawful basis for sharing?
IDF relies on the following lawful basis to the extent that there is any processing of personal data as part of the provision of the UK MDS:
Legitimate Interests: for personal data, processing is necessary for IDF’s and the Client Signatories’ legitimate interests (GDPR Article 6(1)(f)), which are not outweighed by the rights and freedoms of individuals. Such legitimate interests include processing in order to: (i) operate the UK MDS and generate reports for Client Signatories; and (ii) ensure network information, security, and the efficient running of the Microsoft dashboard.
Substantial Public Interests: for special category data, processing is necessary for reasons of substantial public interest (GDPR Article 9(2)(g)). IDF relies on the lawful bases set out in Schedule 1, Part 2, Data Protection Act 2018 relating to the equality of opportunity or treatment, and/or racial and ethnic diversity at senior levels.
Law Firm Participants (and Client Signatories, as applicable) are separately responsible for determining their own lawful basis for the processing of personal data by them and sharing such data.
What about access and individual rights?
Law Firm Participants (and Client Signatories, as applicable) are separately responsible for informing staff that their data will be shared with IDF for the purposes of the UK MDS, determining their procedures for compliance with individual rights and explaining how individuals can exercise their rights.
Data subjects can contact any controller involved in the sharing. For IDF, the relevant point of contact is:
What information governance arrangements should we have?
IDF and LSAC have a contract in place with appropriate data processing provisions and standard contractual clauses for international data transfers.
Technical and organisational security arrangements:
IDF and LSAC have appropriate technical and organisational security measures in place to protect personal data. This includes:
Only allowing access to the UK MDS to individuals on a need-to-know basis using secure login details.
Strict access controls. No Law Firm Participant has any on-going access to the online platform once their data has been submitted, access to the reports it generates, or access to any other Law Firm Participants’ data.
Information security policies.
If there should occur a data breach in respect of any personal data or confidential information, InterLaw Diversity Forum will notify the affected Law Firm Participants promptly as soon as it becomes aware of such breach.
No raw numerical data will be shared with Client Signatories or Law Firm Participants. Law Firm Participants will only provide numerical information in relation to the diversity categories, and IDF does not share the numbers with Client Signatories – only percentages.
Retention and deletion:
IDF will delete the data after six years post-participation (to align with UK statutory limitation periods), and LSAC will delete the data as soon as it’s no longer needed for LSAC to provide IDF with maintenance or support services. IDF will ensure that it carefully considers any deletion requests it receives and assesses whether any exceptions or exemptions apply under data protection laws on a case-by-case basis. If IDF considers that the information needs to be deleted, it will remove the data that is reported to Client Signatories on the platform dashboard, or to delete the data entirely from the online platform.
Data is accurate as of 31 December of the previous year, and Law Firm Participants are expected to complete the survey annually so that the information remains as accurate as possible.
Data sharing arrangements will be reviewed on a regular basis and updated to reflect any changes.
Last updated: 4 September 2023