UK Model Diversity Survey:
Data Sharing Addendum
Each party below is a separate and independent data controller in respect of personal data processed in the context of the UK MDS:
InterLaw Diversity Forum Ltd, a company incorporated in England and Wales and operating as a not-for-profit, having its principal place of business at 7 Bell Yard, London, WC2A 2JR, United Kingdom (“InterLaw”).
(To the extent that the Client Signatory has made a determination that it processes personal data only) Client Signatories.
Law Firm Participants.
The overall purpose of the processing is for identifying or keeping under review the existence or absence of equality of opportunity or treatment of diverse individuals in the legal profession with a view to tracking and enabling equality to be promoted or maintained.
InterLaw will carry out a Model Diversity Survey – a supplier DEI questionnaire that Client Signatories can require their panel firms/legal service providers to fill out – to enable measuring of diversity, equity and inclusion data across law firms (the “UK MDS”).
The UK MDS will assist Client Signatories in providing greater transparency around diversity, inclusion, and culture in their panel law firm/legal service providers.
The UK MDS will also assist Law Firm Participants in providing uniform, thorough, and accurate information to their Client Signatories and will streamline DEI data collection (“Agreed Purpose”).
The Parties agree only to share personal data for the Agreed Purpose and in particular that no personal data will be used for the purposes of measures or decisions with respect to any particular data subject.
Which other organisations will be involved in the data sharing?
The parties set out above.
In addition, data may be accessed by the Law School Admission Council, Inc. (“LSAC”), a Delaware not-for-profit corporation, which is a data processor of InterLaw and is responsible for the maintenance and support of the UK MDS.
What data items are we going to share (including any special category data or sensitive data)?
Data shared by Law Firm Participants with InterLaw:
The personal data that Law Firm Participants share with InterLaw is:
Names, pronouns, email address and job title of the Law Firm Participant’s contact, and the name of the CEO/Managing Partner.
Number of individuals who fall into particular diversity categories.
Demographic profiles for lawyers in leadership positions.
Demographic profiles of the highest and lowest earning partners.
Demographic profiles of those holding the top 30 key client partnerships.
Special category data, such as racial or ethnic origin, disability information and sexual orientation.
The UK MDS does not allow the provision of names (other than the contact point and CEO/Managing Partner) and no financial figures are given in the UK MDS. Additionally, the UK MDS is a voluntary survey and Law Firm Participants can always decline to answer. They may choose not to report on an individual, either by assigning them a value of “0” or by counting them under “X not disclosed to firm”, as appropriate.
Data shared by Client Signatories with InterLaw:
The personal data that Client Signatories share with InterLaw is:
Names, email address and login credentials (username and password).
Data shared by InterLaw with Client Signatories:
InterLaw will use Law Firm Participants’ responses on a confidential basis to generate dashboard ‘reports’ for Client Signatories. Client Signatories will receive Law Firm Participants’ names, CEO/Managing Partner names, and the name and email of the Law Firm Participant's UK MDS contact. All response information will be aggregated and released in a statistical or summary form. Only anonymous numerical diversity data is input into the UK MDS and InterLaw will not share any raw numerical data with Client Signatories. Instead, InterLaw will show percentages (rather than the actual numbers) of lawyers that fall into an applicable diversity category. Further, even in this context of percentages, Client Signatories will never be told the total baseline numbers for any group which might enable dissection of such percentages. Consequently, as no baseline Law Firm Participant data is shared directly with Client Signatories, data cannot be reverse engineered to identify the raw material input into the UK MDS.
Data shared by InterLaw with Law Firm Participants:
The raw data provided in the UK MDS will not be accessible by other Law Firm Participants. No Law Firm Participant has any access to the platform dashboard, the reports it generates, or any other Law Firm Participants’ data in any form.
What is our lawful basis for sharing?
InterLaw relies on the following lawful basis:
Legitimate Interests: for personal data, processing is necessary for InterLaw’s and the Client Signatories’ legitimate interests (GDPR Article 6(1)(f)), which are not outweighed by the rights and freedoms of individuals. Such legitimate interests include processing in order to: (i) operate the UK MDS and generate reports for Client Signatories; and (ii) ensure network information, security, and the efficient running of the Microsoft dashboard.
Substantial Public Interests: for special category data, processing is necessary for reasons of substantial public interest (GDPR Article 9(2)(g)). InterLaw relies on the lawful bases set out in Schedule 1, Part 2, Data Protection Act 2018 relating to the equality of opportunity or treatment, and/or racial and ethnic diversity at senior levels.
Law Firm Participants (and Client Signatories, as applicable) are separately responsible for determining their own lawful basis for the processing of personal data by them and sharing such data.
What about access and individual rights?
Law Firm Participants (and Client Signatories, as applicable) are separately responsible for informing staff that their data will be shared with InterLaw for the purposes of the UK MDS, determining their procedures for compliance with individual rights and explaining how individuals can exercise their rights.
Data subjects can contact any controller involved in the sharing. For InterLaw, the relevant point of contact is firstname.lastname@example.org.
What information governance arrangements should we have?
InterLaw and LSAC have a contract in place with appropriate data processing provisions and standard contractual clauses for international data transfers.
Technical and organisational security arrangements:
InterLaw and LSAC have appropriate technical and organisational security measures in place to protect personal data. This includes:
Only allowing access to the UK MDS to individuals on a need-to-know basis using secure login details.
Strict access controls. No Law Firm Participant has any on-going access to the online platform once their data has been submitted, access to the reports it generates, or access to any other Law Firm Participants’ data.
Information security policies.
No raw numerical data will be shared with Client Signatories or Law Firm Participants. Law Firm Participants will only provide numerical information in relation to the diversity categories, and InterLaw does not share the numbers with Client Signatories – only percentages.
Retention and deletion:
InterLaw will delete the data after six years post-participation (to align with UK statutory limitation periods), and LSAC will delete the data as soon as it’s no longer needed for LSAC to provide InterLaw with maintenance or support services. InterLaw will ensure that it carefully considers any deletion requests it receives and assesses whether any exceptions or exemptions apply under data protection laws on a case-by-case basis. If InterLaw considers that the information needs to be deleted, it will remove the data that is reported to Client Signatories on the platform dashboard, or delete the data entirely from the online platform.
Data is accurate as of 31 December of the previous year, and Law Firm Participants are expected to complete the survey annually so that the information remains as accurate as possible.
Data sharing arrangements will be reviewed on a regular basis and updated to reflect any changes.