Privacy

Table of Contents
  

Introduction

  1. Definitions
  2. Responsibility for Your Personal Information
  3. Categories of Individuals About Whom We Process Personal Information
  4. Categories and Sources of Personal Information Processed
  5. Sharing of Personal Information
  6. Cross-Border Transfers of Personal Information
  7. Data Retention Period
  8. Updating Personal Information about You
  9. Security of Personal Information
  10. Policy for Confidentiality of Social Security Numbers
  11. Personal Information about Others that You Provide to Us
  12. U.S. State Law Privacy Rights
  13. Changes to the Global Privacy Policy
  14. How to Contact Us

Appendix 1: Summary of Privacy Rights under the GDPR (Regulation (EU) 2016/679) and the Data Protection Act 2018
Appendix 2: Privacy Policy for California Residents under the  California Consumer Privacy Act of 2018
Appendix 3: HIPAA Business Associate Privacy Policy
Appendix 4: Privacy Notice at Collection for California Residents
Appendix 5: Notice of Compliance with Connecticut Act Concerning the Confidentiality of Social Security Numbers
Appendix 6: Website Cookies Policy

Introduction

Locke Lord LLP and Locke Lord (UK) LLP (jointly “Locke Lord,” the “Firm” or “we”) understand how important your privacy and the protection of your personal data and information is to you. The following Global Privacy Policy explains how we use and protect personal data and information that we collect, store, transfer, and otherwise process.

If (i) our processing of your personal data is subject to the GDPR (as hereinafter defined) or (ii) you are a resident of California, and your personal information is subject to the privacy laws and regulations of California, the additional provisions of each of Appendix 1 (the “GDPR Privacy Rights Summary”) or Appendix 2 (the “CCPA Privacy Policy”) shall also apply, respectively.  To the extent the provisions of this Global Privacy Policy conflict or are inconsistent with the ‎provisions set out in the applicable Appendix, the provisions in that Appendix shall control.‎

If you have any questions regarding this Global Privacy Policy or do not feel that your concerns have been addressed, please direct your questions through the “How to Contact Us” section at the end of this Privacy Policy.

1. Definitions

“CCPA” means the California Consumer Privacy Act of 2018‎ and any regulations issued thereunder, as they may be amended from time to time, including by the California Privacy Rights Act of 2020.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April ‎‎2016 on the protection of natural persons with regard to the Processing of personal data and on ‎the free movement of such data, and repealing Directive 95/46/EC and any law made under or ‎as a result of it and/or, as applicable, the UK GDPR as defined in The Data Protection, Privacy ‎and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, including the ‎Data Protection Act 2018 and any law made under or as a result of it.‎

Global Privacy Policy” means this Global Privacy Policy, as supplemented as applicable by the provisions set forth in ‎the GDPR Privacy Rights Summary, the CCPA Privacy Policy, the HIPAA Business Associate ‎Privacy Policy,‎ the Connecticut Policy,  and the Website Cookies Policy and which are set out ‎in Appendices 1-3 and 5-6, respectively.‎

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and including all related regulations.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act contained in Public Law 111-5, as amended.

“Personal Information” as used in this Global Privacy Policy means (i) “personal data” as defined in the GDPR and means any data that relates to an identified or identifiable natural person and (ii) “personal information” as defined under the CCPA, and means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

“Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and "processed", "processing" and similar terms shall be interpreted accordingly.‎

“Protected Health Information” has the meaning under HIPAA.

“you” means any individual person identified or identifiable by Personal Information, as relevant for the context in which it is used in the Global Privacy Policy.

2. Responsibility for Your Personal Information

Locke Lord is responsible for its Processing of your Personal Information under this Global Privacy Policy ‎and is considered the "data controller" under the GDPR (as defined therein).  Locke Lord consists of the following two legal entities:

  • Locke Lord LLP, 2200 Ross Avenue, Suite 2800, Dallas, Texas  75201, United States, T: +1-214-740-8000, and
  • Locke Lord (UK) LLP, 201 Bishopsgate, London, EC2M 3AB DX 567, United Kingdom; T: +44 (0) 20 7861-9000

Unless stated otherwise, and generally speaking, Locke Lord LLP and Locke Lord (UK) LLP are ‎to be considered joint data controllers (also as defined under the GDPR).  ‎

You may contact the Firm regarding any questions or complaints as specified in the “How to Contact Us” section below.

3. Categories of Individuals About Whom We Process Personal Information

We process Personal Information from or about the following categories of individuals:

  • Firm employees, partners, contractors, consultants, paid interns, job applicants, and temporary employees (“HR Data”);
  • Current or former participants in the Firm’s retirement and/or welfare benefit plans or their beneficiaries (“Benefit Plan Data”);
  • Users of the Firm Website (“Website Data”);
  • Individuals who are, or are associated with, Firm clients, vendors, or other business contacts with whom we interact or seek to establish a relationship with (“Contact Data”);
  • Individuals identified in data provided by or on behalf of clients in connection with representation by the Firm (“Client Sourced Data”); and
  • Individuals who are, or are associated with, adverse parties, witnesses, or other third parties relevant to our legal representation of clients, such as information obtained during investigations or discovery in the context of litigation, arbitration, negotiations, or other aspects of client representation (“Other Party Data”)  
      
4. Categories and Sources of Personal Information Processed

We may collect and store various types of Personal Information about you, depending on the ‎category in which you fall and the reason for which the Personal Information is processed. The ‎following is a general summary of the Personal Information about you that we may process in ‎each category, the sources of such Personal Information, and the purposes of Processing.  If you are resident in the UK or EU please also refer to Appendix 1.‎

4.1 HR Data

When you apply for employment or engagement with the Firm (whether as an employee, partner, contractor, consultant, paid intern or temporary employee), when we evaluate your employment application and related materials (e.g., the results of pre-employment screenings), and thereafter throughout the course of your employment, contract or consulting arrangement, we obtain HR Data about you.

Categories of HR Data: The HR Data we collect and process varies by the roles and responsibilities that you undertake with the Firm, the location where you work, and our needs.  Such personal information may include:

  • Individual Data: Your name, address, telephone and/or mobile telephone number, e-mail address, image, ‎gender, gender identity or gender expression, marital status, date of birth/age, ‎citizenship, race, national, or ethnic origin, foreign language skills, relevant tax ‎identification number(s), IP address, information on your passport, driver’s license or ‎other governmental identification, immigration status/visa information contained in a ‎governmental employment eligibility form, prior employers, education, qualifications, ‎prior employment history, results of criminal background screening, credit checks, ‎emergency contact information, name change information,  CVs, etc.;‎

  • Job-Related Data: Recruitment records, application forms, equal opportunities monitoring forms, ‎assessment exercises or tests, interview records and notes and related decision making ‎records, information contained in your offer letter, contracts of employment or similar ‎contracts, your payroll and salary information, bank account information (to administer ‎direct deposit and/or expense reimbursements), overtime and working hours records, ‎timesheets, bonus information, benefits, insurances and pension information, dependent ‎and beneficiary information you provide, information about reimbursable expenses you ‎incur on our behalf, information about Firm-owned equipment assigned to you, P45, ‎P60, tax coding and tax records, tax and government reporting information, information ‎about your performance on the job, including reviews, appraisals, warnings, grievances, ‎resignation and termination records, individual and management development plans and ‎reviews, and information relating to promotions and position changes (including ‎requests), training records, information regarding your compliance with company ‎policies and certifications, annual leave records, statutory leave records and payments, ‎log-on and work station activity and web history information, information obtained from ‎outbound and inbound emails sent from Firm equipment‎, system usage, CCTV and building access control data;‎

  • Special Categories of Personal information: Your race, national or ethnic origin, religion or creed, church affiliation (where ‎necessary for deducting church taxes from your income), political opinion, sex life, trade ‎union membership (e.g., where necessary for organizing social elections), geolocation data, data concerning health ‎‎(e.g., leave information, information on pregnancy or disabilities in order to comply ‎with legal requirements), accident records, health assessments and occupational health ‎reports, and media information you provide, physical or mental disability, veteran or ‎military status, or data that you voluntarily submit concerning your sexual orientation; ‎and

  • Other Data About You: Any additional Personal Information that may be included on documents you submit or ‎we obtain as part of your employment application or throughout the course of your ‎employment, to the extent legally allowed, such as information contained on any ‎employment application or cover letter, curriculum vitae or resume, diploma, transcript, ‎license, professional qualifications and  regulatory status, statement of good behavior, ‎background screening, employment contract, any related documents, reference check, ‎identification card, request for leave, benefits, wage garnishment and other similar ‎court-ordered information, etc., and information collected from publicly available ‎resources, professional license databases, and credit agencies, where applicable. ‎Whenever you provide Personal Information about a dependent or beneficiary (e.g., in ‎connection with benefits we provide to you), it is your obligation to inform such ‎dependent or beneficiary of the fact that you have provided us with Personal Information ‎about him or her, and to inform such dependent or beneficiary of his or her rights under ‎the Global Privacy Policy.‎
      

Sources of HR Data: We obtain HR Data about you (i) directly from you or from inbound emails you receive, (ii) from our partners and employees at the Firm (e.g., performance reviews), and (iii) from third parties, such as government agencies, recruiters, educational establishments, employment agencies, screening companies, references that you provide to us, and may as well be obtained or provided from publicly available sources, such as publicly accessible websites, including social media, containing content you directly or indirectly control. 

While you have the ability to use facial or fingerprint biometrics  for authentication when signing on to Firm-issued equipment, using this is optional and other methods are available.  As you, rather than the Firm, chooses whether or not to utilize these facilities, the Firm does not determine the method of processing and so is not considered a data controller in this respect and it has no access to any such biometric data you may choose to utilize.

Purposes and Legal Basis for the Processing: Your HR Data is processed for the purpose of establishing and maintaining your employment ‎relationship with us (whether as an employee, partner, contractor, consultant or otherwise), as more fully ‎set out below. The legal basis for Processing each category of HR Data is as follows:

  • Individual Data:
    • Reason for Processing: Your Individual Data is processed for the purposes of (a) making a decision about hiring you and determining the terms on which you work for us, (b) ensuring you have the necessary qualifications and entitled to work in the office for which you are being hired, and (c) checking your background, solvency and professional standing.
    • Legal Basis for Processing: The legal basis for Processing your individual data is that it is ‎(i) necessary for entering into and/or performing your employment relationship with the Firm, ‎‎(ii) necessary for compliance with one or more legal obligations to which you or the Firm is ‎subject (e.g., reporting to governmental, taxing, and law enforcement and judicial ‎authorities, including the respective bar authorities you are (applying to become) a member of), (iii) necessary for the purposes of the legitimate business interests pursued by the Firm‎ in recruiting and employing personnel in order to provide its services and/or (iv) processed with your consent. ‎
  • Job-Related Data:
    • Reason for Processing: Your job-related data is processed for the purposes of‎ (a) recording the terms of your employment or engagement, pay and benefits, (b) paying you, deducting taxes and benefit co-pay amounts, making 401k or pension contributions and administering benefits, (c) reimbursing you for expenses you incurred on behalf of the Firm, (d) conducting performance ‎reviews, managing ‎performance and ‎determining performance ‎‎requirements, (e) making decisions about ‎salary reviews and ‎compensation., (f) assessing qualifications for ‎a particular job or task, ‎including decisions about ‎promotions and ‎terminations, (g) training and development ‎requirements, (h) assessing client complaints, (i) gathering evidence for ‎possible grievance or ‎disciplinary hearings against you, (j) dealing with legal disputes ‎involving you or others and ‎(k) protecting the Firm from data breaches and other cyber security risks.‎‎
    • Legal Basis for Processing: The legal basis for Processing your job-related data is that it is ‎(i) necessary for performing your employment relationship with the Firm, ‎‎(ii) necessary for compliance ‎with one or more legal obligations to which you or the Firm is ‎subject (e.g., reporting to ‎governmental, taxing, and law enforcement and judicial ‎authorities, including the respective ‎bar authorities you are (applying to become) a member of), ‎(iii) necessary for the ‎purposes of the legitimate business interests pursued by the Firm or its clients‎ in employing ‎personnel in order to provide its services and to protect client information, and/or (iv) processed with your consent.‎
  • Special Categories of Personal Information:
    • Reason for Processing: Special categories of Personal Information is processed for the purposes of‎ ‎(a) in the case of race, national or ethnic origin, or data that you voluntarily submit concerning your sexual orientation, complying with client requests for diversity statistics or reporting to an independent diversity rating organization, (b) in the case of your religion or creed, ‎deducting church taxes or contributions made to a church from your pay, (c) uniquely identifying you or your location in the case of biometric data or geolocation data, (d) assessing our legal obligation to offer you statutory leave or a leave for medical reasons, or to accommodate medical needs and (e) in the case of veteran or military status, to ensure we do not discriminate against veterans during the recruiting process or during your employment, to make required filings with the government and to apply for applicable tax credits or other governmental benefits.
    • Legal Basis for Processing: The legal basis for Processing special categories of Personal Information is that it is ‎(i) necessary for performing your ‎employment relationship with the Firm, ‎‎(ii) necessary for compliance ‎with one or more legal ‎obligations to which you or the Firm is ‎subject, ‎(iii) necessary for the ‎purposes of the legitimate ‎business interests pursued by the Firm or its clients‎ in employing ‎personnel in order to provide its services and to protect client information, and/or (iv) processed with your consent.‎
  • Other Data About You:
    • Reason for Processing: Other data about you is processed for the purposes of‎ ‎(a) making a decision about hiring you and determining the terms on which you ‎work for us, (b) ensuring you have the necessary qualifications and entitled to ‎work in the office for which you are being hired, (c) checking your ‎background, solvency and professional standing, (d) in the case of driving offenses, obtaining relevant insurance and (d) in the case of dependent information, in connection with benefits we provide to you. ‎
    • Legal Basis for Processing:‎The legal basis for Processing other data about you is that it is ‎(i) ‎necessary for performing your ‎employment relationship with the Firm where the nature of that information ‎is necessary to ‎‎comply with a legal obligation under your employment contract (i.e., for ‎insurance), or where ‎‎you have consented (i.e., DBS check)‎) ‎, ‎‎(ii) necessary for compliance ‎with one or more legal ‎‎obligations to which you or the Firm is ‎subject (i.e., reporting to ‎governmental, taxing, ‎and law ‎enforcement and judicial ‎authorities‎, including the respective ‎bar authorities you are (applying to become) a member of‎), ‎(iii) necessary for the ‎purposes of the legitimate ‎‎business interests pursued by the Firm in employing ‎personnel in order to provide its services ‎‎(i.e., complying with client requests for background checks on team members working for that ‎client) and/or (iv) processed with your consent.‎

Additional Protection for Certain Special Categories of Personal Information: Where we process your biometric or non-HIPAA health data only the following persons will have access such information: members of our HR team, office managers, personnel whose role includes disability discrimination, and personnel with responsibility for the health and safety of staff. For health data that is Benefit Plan Data, the Firm’s HIPAA policies will apply and only members of the Firm’s HIPAA workforce are permitted to have access to such Protected Health Information, as discussed in Section 4.2 below.

4.2 Benefit Plan Data

The Firm extends various retirement and welfare benefits to our employees and their eligible dependents and beneficiaries. The Firm generally outsources administration of the benefit plans, but as the plan sponsor of the plans, the Firm has certain responsibilities that require the direct collection and use of certain information for operational purposes. Information collected in connection with the benefit plans that are group health plans is subject to the plans’ HIPAA notices and policies. HIPAA and employment laws prohibit the Firm from using Protected Health Information to make employment related decisions. HIPAA also requires the Firm to designate a limited number of firm personnel who are allowed to have access to protected health information derived from the operation of the Firm’s benefit plans. All firm personnel who are so designated must undergo HIPAA training and comply with the plans’ HIPAA policies.

4.3 Website Data

You do not have to submit any Personal Information in order to use our Website (www.lockelord.com) and, as applicable for employees and Partners of the Firm, LNet, as well as outside contractors who maintain and update our Website and LNet (together the "Firm Website")

Categories of Website Data: When you visit the Firm Website, we may collect two types of data: (1) Personal Information about you that you voluntarily choose to provide to us, and (2) information related to your activities on the Firm Website that we automatically collect as you interact with the Firm Website (“Website Usage Information”).

  • Information You Voluntarily Provide:  We collect Personal Information that you voluntarily provide in response to requests we may make at various places and through various mechanisms on the Firm Website. The Personal Information we collect is business-oriented data and is usually limited to contact information necessary for the relationship, such as name, company name, job title, and email address. We may collect such information, for example, when you fill out and submit a form, such as if you register for an event, register to receive a newsletter or email communications, when you submit an inquiry or request to us using a form or e-mail address link on the Firm Website, and when you send an email to a Firm address or Firm mail list that is listed on the Firm Website. In such case, we will collect whatever Personal Information you voluntarily provide in response to our request.
  • Special Categories of Personal Information: In connection with the registration for and provision of access to an event or seminar, we may ask for information about your health for the purpose of identifying and accommodating any disabilities or special dietary requirements you may have. Any use of such information is based on your consent. If you do not provide any such information about disabilities or special dietary requirements, we will not be able to take any respective precautions.
  • Website Usage Information and Cookies: The Firm Website uses cookies for analytical and functionality purposes that allow us to improve our Website based on visitor experience. Our cookies policy is set forth in Appendix 6.
  • Links to Third Party Websites.  The Firm Website may contain links to other third-party websites (including but not limited to publications containing articles written by and about our attorneys and organizations where our attorneys are speaking and/or participating in community, service or bar activities), all of which are separate legal entities whose information practices may be different from ours. This Privacy Policy does not cover any such third-party websites. If you provide Personal Information to such third-party websites all information you disclose will be subject to the Privacy Policy and practices of such third parties. We are not responsible for the policies and practices of such third parties and, therefore, you should review the specific policies posted on those websites prior to submitting Personal Information to them.
  • Information about Children. Neither the Firm Website nor any of our products or services are directed to children younger than age sixteen (16). We do not knowingly collect Personal Information from children under the age of sixteen (16) via the Firm Website and we will delete any such information later determined to be from a person younger than age sixteen (16).
  • Third-Party Tracking and Do Not Track.  Third parties may use tracking technologies in connection with our Firm Website, which may include the collection of information about your online activities over time and across third-party websites. This Global Privacy Policy does not apply to these third-party technologies because we may not control them and we are not responsible for them. Do Not Track is a technology that enables users to opt out of tracking by websites they do not visit. Currently, we do not monitor or take any action with respect to Do Not Track technology.
       

Sources of Website Data: We obtain Website Data about you (i) directly from you if you voluntarily choose to enter Personal Information on the Firm Website, and (ii) from the data analytics software, cookies, and web beacons that we may use on the Firm Website.

Purposes and Legal Basis for the Processing:

We process Website Data as more fully set forth below for the purposes of building relationships with existing and potential clients and other interested parties, communicating with such parties, and analyzing and improving the Firm Website. This includes keeping such people informed of the latest updates about legal and regulatory developments and notifying them of seminars and hosted events. The legal basis for such Processing each category of Website Data is as follows:

  • Information You Voluntarily Provide:
    • Reason for Processing:  Information you voluntarily provide is processed for the purposes of building relationships with existing and potential clients and other interested parties and ‎communicating with such parties‎.
    • Legal Basis for Processing:  The legal basis for Processing is that it is (i) necessary for the legitimate business interests of the Firm in marketing and providing our legal services and/or (ii) processed with your consent.
  • Special Categories of Personal Information:
    • Reason for Processing:  Special categories of Personal Information that you voluntarily provide when you register for attendance at a seminar we sponsor is processed for the purposes of identifying and accommodating any disabilities or special dietary requirements you may ‎have‎.
    • Legal Basis for Processing:  The legal basis for Processing is that it is processed with your consent.‎
  • Website Usage Information and Cookies:
    • Reason for Processing:  The Firm Website uses cookies for analytical and functionality purposes that allow us to improve our Website based on visitor experience. 

Legal Basis for Processing:  The legal basis for Processing is that it is (i) necessary for the legitimate business interests of the Firm in marketing ‎and providing our legal services, (ii) necessary for the legitimate business interests of the Firm in‎ maintaining the functionality of the Firm Website, and/or (ii) processed with your consent.‎

4.4 Contact Data

As any business, we collect, receive, and process Contact Data regarding our clients, potential clients, and other third parties (e.g., vendors, other attorneys, and other business and professional contacts) with whom we may interact from time to time.

Categories of Contact Data: The Contact Data that we collect and process typically consists of information such as name, title, position, employer, email address, other business contact data (e.g., business card data), and similar relationship type data. Such Contact Data may also include details of your visits to our offices.

Sources of Contact Data: We obtain Contact Data about you (i) directly from you, such as when you seek legal advice from us, attend a seminar or another event or sign up to receive newsletters, emails, or other information from us, or when you or your organization offer to provide or provide services to us, (ii) from others (e.g., referrals), (iii) from third parties, such as government agencies, compliance screening and credit reference agencies, and (iv) from publicly available sources, such as websites (e.g., LinkedIn, your business’ website, etc.).

Purposes and Legal Basis for the Processing:

We process Contact Data for the purposes described below. The legal basis for such Processing is also described below.

  • Reason for Processing:Contact Data is processed for the purposes of (a) marketing and communicating to potential clients, including keeping such people informed of the latest updates ‎about legal and regulatory developments and ‎notifying them of seminars and hosted events,‎ (b) providing legal services to clients, building and managing relationships with existing and ‎potential clients and other interested parties, and communicating with such parties, including keeping such people informed of the latest updates ‎about legal and regulatory developments and ‎notifying them of seminars and hosted events,‎ (c) complying with our legal obligations (such as record-keeping obligations), compliance ‎screening for anti-money laundering and crime prevention and detection purposes or recording obligations, (d) managing risk to the Firm, such as when we do financial and credit checks and conduct diligence on ‎prospective or existing clients in order to decide whether to onboard them as clients or ‎keep them as clients, and (e) generally ‎operating the Firm’s business, including sending invoices to client.
  • Legal Basis ‎for Processing:The legal basis for Processing Contact Data is that it is (i) necessary for the legitimate business interests of the Firm‎ in marketing ‎and providing our legal services, (ii) necessary to comply with our legal obligations and/or (iii) processed with your consent.

4.5 Client-Sourced Data

In the course of representing our clients, and providing legal services to them, we may receive certain Client-Sourced Data from such clients or from third parties providing such data on their behalf, as necessary or relevant to the legal services we are providing.

Categories of Client-Sourced Data: The scope and extent of the Client-Sourced Data that we collect and process is typically determined by the client and/or the nature and scope of the relationship and legal services involved. It will generally involve information on employees, representatives and ultimate beneficial owners of our Clients and may in some cases involve special categories of data or criminal data.

Sources of Client-Sourced Data: We obtain Client Sourced Data directly from our clients, and from third parties that provide such information on behalf of our clients, such as their professional advisors, attorneys, auditors, and accountants, consultants, and others.

Purposes and Legal Basis for the Processing:

  • Reason for Processing:  We process Client-Sourced Data for the purposes of (a) managing risk to the Firm, such as when we do a financial and credit check and ‎conduct diligence on prospective or ‎existing clients in order to decide whether to ‎onboard them as clients or keep them as ‎clients and (b) providing legal services to our clients in connection with specific matters for a client on which we are engaged, such as performing ‎due diligence in connection with transactional matters (i.e., the sale or purchase of a client or ‎other company or assets relating to the clients or other company), representing a client in a ‎litigation matter (i.e., information about the client, the other party or employees, representatives ‎and ultimate beneficial owners of the client and such other parties and may in some cases ‎‎involve special categories of data or criminal history data in order to analyze issues in the ‎litigation and present issues to a court or other trier of fact in such litigation)‎.
  • Legal Basis for Processing:  The legal basis for Processing Client-Sourced Data is that it is (i) necessary for the legitimate business interests of the Firm to assess risk of onboarding or keeping a client, (ii) necessary for the legitimate business interests of the Firm in providing our legal services, (iii) necessary for the performance of a contract to which the data subject is party, (iv) necessary to comply with a court order or our legal obligations and/or (v) processed with your consent. 

As a matter of Firm policy, Firm attorneys and staff may use or disseminate Client-Sourced Data only for the purpose of providing legal services consistent with our ethical obligations to our clients, including the duty of confidentiality under rules of professional responsibility applicable to our lawyers in our various jurisdictions .  The Firm believes in transparency with the client as to the collection, use, and dissemination of Client-Sourced Data, and the reasons therefor.

Additional Protection for Certain Client-Sourced Data: Where we process genetic, biometric, health data or data relating to crime, only the following persons will have access to such information: staff carrying out AML and other checks related to potential criminal activity and personnel having responsibility for the client.

Protected Health Information Under HIPAA. To the extent that any Client is considered to be a Covered Entity or Business Associate (as each is defined in HIPAA) under HIPAA, and the Client-Sourced Data includes Protected Health Information (as defined in HIPAA), or Protected Health Information is collected by us in our capacity as a Business Associate or sub-contractor Business Associate under HIPAA, the provisions of the HIPAA Business Associate Privacy Policy attached as Appendix 3 also shall apply.

4.6 Other Party Data

In the course of representing our clients, and providing legal services to them, we may seek, obtain, receive, or require, certain Other Party Data regarding adverse parties, witnesses, or other third parties relevant to our legal representation of the client.

Categories of Other Party Data: The scope and extent of the Other Party Data that we collect and process is typically determined by the applicable client, an adverse party, a court, and/or the nature and scope of the legal representation involved.

Sources of Other Party Data: We obtain Other Party Data about you from a variety of sources as necessary in the context of representing our clients, which may include directly from adverse parties (either voluntarily or through discovery in litigation or arbitration), from our own investigations in connection with representing our clients, and from other third parties providing such data.

Purposes and Legal Basis for the Processing:

  • Reason for Processing: We process Other Party Data for the purposes of (a) managing risk to the Firm, such as when we ‎conduct ‎diligence on other parties involved in a matter in order to decide whether to ‎take on or terminate a particular matter and (b) providing legal services to our clients in connection with specific matters for a client on which we are engaged, such as performing ‎‎due diligence in connection with transactional matters (i.e., the sale or purchase by a client of an‎‎other company or assets relating to another company), representing a client in a ‎‎litigation matter (i.e., information about the other party or employees, representatives ‎‎and ultimate beneficial owners of the client and such other parties and may in some cases ‎‎‎involve special categories of data or criminal history data in order to analyze issues in the ‎‎litigation and present issues to a court or other trier of fact in such litigation)‎.
  • Legal Basis for Processing:The legal basis for Processing Other Party Data is that it is (i) necessary for the legitimate business interests of the Firm to assess risk of opening or terminating a particular matter, (ii) necessary for the legitimate business interests of the Firm‎ in providing our legal services, (iii) necessary to comply with a court order or ourlegal obligations and (iv) processed with your consent.
Protected Health Information Under HIPAA. To the extent that any Other Party Data is provided by a Covered Entity or Business Associate under the HIPAA, and the Other Party Data includes Protected Health Information, the provisions of the HIPAA Business Associate Privacy Policy attached as Appendix 3 also shall apply.
5. Sharing of Personal Information

Subject in all cases to our ethical obligations as attorneys, we may share selected Personal Information about you with the following parties or in the following circumstances.  We do not sell Personal Information we collect about you, including as the term “sale” is used within the meaning of the CCPA or the Nevada Act Relating to Internet Privacy.

5.1       Intra-Firm

Locke Lord LLP and Locke Lord (UK) LLP may share Personal Information about you between them as necessary for the conduct of the Firm’s business.

5.2       Third Party Service Providers

We may share Personal Information about you with third parties who perform services for us or on our or our clients’ behalf, for the limited purpose of carrying out such services. This includes, without limitation, third parties that assist in managing our organization, hosting or administering the Firm Website or other systems, sending communications on our or our clients’ behalf, maintaining or analyzing our or our clients’ data, providing marketing assistance, conducting background checks, or in providing legal services to us or our clients. It also includes third parties providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference and background check agencies and regulatory bodies with whom such Personal Information is shared. The Firm also shares Personal Information with third parties in connection with the ‎provision of payroll, provisions of benefits, and occupational health and professional advisers ‎(life assurance trustees, auditors, insurers and brokers, accountants and ‎legal advisers etc.).

5.3       Clients and Other Parties

We may share selected Personal Information about you with clients, adverse parties, courts, regulators, legal counsel, experts, consultants, law enforcement personnel, and other persons or entities to the extent reasonably necessary or appropriate in the context of providing legal representation or other legal services for our clients.

5.4       Corporate Change

We reserve the right to disclose and transfer Personal Information about you in connection with a Firm merger, consolidation, restructuring, financing, sale of substantially all assets, or other organizational change.

5.5       Legal Requirements and Law Enforcement

We may disclose Personal Information about you when we believe in good faith that the law requires it; at the request of governmental authorities conducting an audit or investigation; pursuant to a court order, subpoena, or discovery request in litigation; to verify or enforce compliance with our agreements or policies and applicable laws, rules, and regulations; or whenever we believe disclosure is necessary to limit our legal liability or to protect or enforce the rights, interests, or safety of the Firm Website, its users, or other third parties. We also reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.

5.6       Consent

We may also share Personal Information about you in accordance with any express consent you or your authorized agent give us which is specific to the purposes of the Processing which you will be informed about at the time we request such consent. You do not have to give such consent.  If you do give consent, you may withdraw it at any time by contacting us (see “How to Contact Us” section below), however please be aware that such withdrawal will not affect the lawfulness of Personal Information collected and processed prior to the date of your withdrawal of consent.

6. Cross-Border Transfers of Personal Information

Some Firm offices are located in different countries.  The Firm will transfer Personal Information from one country to another from time to time.  It will do so in compliance with applicable privacy and data protection law. For purposes of facilitating transfers of Personal Information from the UK or the EU to the U.S., Locke Lord LLP and Locke Lord (UK) LLP, have entered into Standard Contractual Clauses approved by the EU and the UK. You may request a copy of these Standard Contractual Clauses from the Firm at any time.  Where the Firm transfers Personal Information from the EU or UK to any third party outside the EEA where ‎there is no relevant adequacy decision, it will put in place EU Standard Contractual Clauses or, as appropriate, either an international data transfer agreement (“IDTA”) or an addendum to the EU Standard Contractual Clauses, with ‎such third party or confirm the implementation of a safeguard required by GDPR or in some instances it may rely upon derogations contained in Article 49 GDPR.

Personal data may be freely transferred by the Firm between the EEA and the UK in accordance ‎with the European Commission’s implementing decision of 28.6.21 on the adequate protection of ‎personal data by the United Kingdom.‎

7. Data Retention Period

All Personal Information retained by the Firm will be deleted when such Personal Information are no longer necessary for the purposes for which it was processed, unless applicable law requires a longer retention period. 

Client-Sourced and Other Party Data.  As set out in the Firm’s “Closing Matters and Client Document Retention” policy, the standard Retention Period for all client/matter ‎documents that contain Personal Information is five (5) years from the date the client/matter is ‎closed, or six (6) years in the case of files in the London office, except for documents to be retained for a shorter or longer period of time as ‎determined by the client’s guidelines or other agreement with the Firm or a member of the General ‎Counsel’s Office.

The following periods apply under the Firm’s policy “Document Retention—Accounting Records”:

  • Time entries that may contain personal data are retained permanently;
  • Accounts receivable records (excluding bills) and payroll records that may contain personal data are retained for the greater of (i) the required time periods under IRS regulations or (ii) seven years following the end of the year to which they relate.
      

The Firm retains vendor records/contracts with Personal Information during the duration of the contract and for seven years following the termination of the agreement or expiration of the ‎contract.

HR and Benefit Plan Data.

  • The Firm follows state and federal guidelines for HR Data in the US.Employee files are retained while employment (or contract) continues and for seven years after the date of termination of employment;
  • Form I-9 Employment Eligibility Verification forms are retained as required under federal law for three years after date of hire or one year after the date employment ends, whichever is later;
  • Information in benefit and pension plans is retained as required under the Employee Retirement Income Security Act of 1974 or the various states where we have employees for a minimum of six years after filing returns or reports, unless an extension or other exception applies.

In respect of HR Data for the UK, please refer to Annex 1.

Website Data. We may use ‎third-party services, currently Google Analytics and Siteimprove, to ‎collect ‎standard internet log information and details of visitor behavior patterns.  Such data is retained for 14 months, which is the minimum length possible.

Contact Data.  The Firm removes information from its marketing lists if a person is not connected to a current lawyer of the Firm and has not interacted with the Firm’s email messages for a year.‎

8. Updating Personal Information about You

If any of the Personal Information that you have provided to us changes, for example if you change your email address or if you wish to cancel any request you have made of us, or if you become aware we have any inaccurate Personal Information about you, please contact us as specified in the “How to Contact Us” section below. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete Personal Information that you provide to us.

9. Security of Personal Information

We have implemented appropriate technical and organizational measures (i) to provide a level of security appropriate to the risks that are presented by the Firm’s Processing of Personal Information, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise processed, and (ii) to protect the ongoing confidentiality, integrity, availability and resilience of processing systems and services for the personal information.’

10. Policy for Confidentiality of Social Security Numbers

It is the policy of the Firm to protect the confidentiality of Social Security numbers (or equivalent unique government identification numbers in other jurisdictions) in its ‎possession from misuse and improper disclosure by maintaining and enforcing policies and ‎physical and electronic safeguards against misuse and improper disclosure. Unlawful disclosure ‎of Social Security numbers is prohibited, and access to them is limited to Firm personnel who ‎need access to such information in order to perform their job functions at the Firm.‎

11. Personal Information about Others that You Provide to Us

If you provide Personal Information to us about someone else (such as one of your directors or ‎employees, or someone with whom you have business dealings) you must ensure that you are ‎entitled to disclose that Personal Information to us and that, without our taking any further ‎steps, we may collect, use and disclose that Personal Information as described in this Global ‎Privacy Policy. Depending upon your location and the location of any person about whom you ‎provide us with Personal Information, you may be required under applicable law to ensure the ‎individual concerned is aware of the various matters detailed in this Global Privacy Policy, as ‎those matters relate to that individual, including our identity, how to contact us, our purposes ‎for collection, our Personal Information disclosure practices (including disclosure to overseas ‎recipients), the individual’s right to obtain access to their Personal Information and make ‎complaints about the handling of their Personal Information (as well as other legal rights such ‎individual has, as explained in this Global Privacy Policy), and the consequences if the Personal ‎Information is not provided (such as our inability to provide services).‎

12. U.S. State Law Privacy Rights

If you are an individual residing in a jurisdiction of the U.S. with a state privacy law that applies to us (such as the Texas Data Privacy and Security Act), you may have privacy rights that apply to certain of your personal information, other than information we process in an employment or commercial context, and publicly available information, subject to other exceptions.

You may make a request to exercise your consumer privacy rights (i) to know and access your personal information, (ii) to obtain a copy of your personal information, (iii) to correct inaccuracies in your personal information, and (iv) to request that we delete your personal information.

If we deny your request, you may have the right to appeal.

To submit a consumer privacy rights request under applicable state law, or to appeal a denial of your request, please contact us as indicated below under the heading “How to Contact Us.”

13. Changes to the Global Privacy Policy

The Firm reserves the right to modify or amend the Global Privacy Policy at any time. The current version of the Global Privacy Policy will be published on our Website. Nothing contained in the Global Privacy Policy creates or is intended to create an attorney-client agreement between you and the Firm.  Please see our Legal Notices/Disclaimer on our Website for more information about attorney-client privilege.

14. How to Contact Us

For any questions about the Global Privacy Policy, to exercise any of your rights listed above or under the particular Appendix, or for any questions or complaints regarding the manner in which we handle or protect Personal Information, we can be contacted as follows:

By e-mail: Privacy@lockelord.com

By phone:US toll free: +1-888-558-5025

By postal mail:

Locke Lord LLP
Attn: Privacy Officer
2800 Financial Plaza
Providence, RI  02903

Additional rights afforded to California residents under the CCPA are set forth in the CCPA Privacy Policy under the section entitled “Contact Information.”

********************************************************************

Effective Date:           June 17, 2024
Geographic Scope:    Applies to all offices
Application:               Applies to all attorneys and team members as well as all persons from whom the Firm collects data

________________________________________

This policy is not a contract, and the Firm reserves the right to change, modify, suspend, interpret or cancel this policy in whole or in part, at any time, with or without prior notice.  Nothing in this policy is intended to change the traditional relationship of employment at will.


Appendix 1
Summary of Privacy Rights under the GDPR (Regulation (EU) 2016/679) and the Data Protection Act 2018‎ ‎

To the extent provided by applicable law, and subject to our ethical obligations as attorneys, natural persons habitually resident in the UK or an EU member state‎ have the following rights:

  • To know what data we hold about you, why we hold it, the lawful basis for Processing it basis and ‎who we share it with;
  • To be notified of a data breach in some circumstances; ‎
  • To request access to the personal data that we hold about you and to request that we rectify or erase it;
  • To request a copy of the personal data that we hold about you;
  • To request a transfer of your personal data from us to another data controller;and
  • To request restriction of Processing of your personal data or object to its Processing.

We do not impose any charge for these requests ‎(except further copies of data)‎.  For any such request, you can contact us by e-mail, postal mail, or phone as specified in the “How to Contact Us” section below. We will, after having properly identified you, endeavor to respond to all requests in a timely manner, but in no event longer than one calendar month although where your request is complex it may take us up to a further two ‎months to provide a copy of your personal data.

To the extent there is any inconsistency between the policy and this Appendix, this Appendix shall prevail.

To the extent the Firm is not the controller of your data, we will notify the controller of your request if required by applicable law.

Automated decision making, profiling and biometrics
We do not use automated decision making or profiling technology or process biometric data in the UK/EU. 

Withdrawing consent under the GDPR
Where the lawful basis of our Processing under the GDPR is that you have consented to it for a particular identified purpose, you have the right to withdraw that consent at any time. To do so, please contact us as specified in the “How to Contact Us” section below. If you do withdraw consent, this will not affect the lawfulness of any Processing that was based on your consent before its withdrawal but it may affect some aspect of your relationship with us, for example, if applying for a job, we may not be able to undertake a DBS check without your consent. In most cases we do not rely upon consent.

Filing a Complaint under the GDPR
You have the right under the GDPR to lodge a complaint in respect of your data protection rights with the applicable supervisory authority for data protection in your jurisdiction.  If you are in the United Kingdom, that supervisory authority is the UK’s Information Commissioner’s Office: https://ico.org.uk/. If you are located in the EU/EEA, a list of and more information about the EU/EEA Data Protection Authorities can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Purposes and legal basis
The Firm may collect the following categories of personal information from the sources identified below for the business and commercial purposes indicated, and may disclose, share, or sell (as indicated) such categories of personal information with the specified categories of third parties.

 

Category of Personal Information

Examples of Personal Information Collected

Categories of Sources of Personal Information Collected

Legal Basis and Purpose

Expected ‎Retention Period ‎or Criteria for ‎Retention

Categories of ‎Third Parties to ‎Which Personal ‎Information is or ‎may be Disclosed

Identifiers

Contact details, such as real ‎name, signature, alias, postal ‎address, ‎telephone or mobile ‎contact number, unique ‎personal ‎identifier, online ‎identifier, Internet Protocol ‎address, email ‎address, social ‎media handle, pictures and ‎video likeness, voice ‎recording, account name, ‎social security number, tax ‎reference, driver’s licence ‎number, passport number, ‎residence card or other ‎immigration documentation ‎number or similar identifier,‎
‎physical characteristics ‎or ‎description, insurance ‎policy ‎number, ‎education, ‎employment, ‎employment ‎history, ‎bank account ‎number, ‎credit card number, ‎or ‎debit card number.

Directly from you or ‎obtained by us, for ‎example when you ‎engage our services or ‎apply for employment ‎or register on or visit our ‎website or otherwise ‎interact or contact us.‎

From third-parties that ‎interact with us in ‎connection with the ‎services that we provide. ‎This may include your ‎employer, our client, ‎credit reference ‎agencies, governmental ‎and law enforcement ‎agencies, public records, ‎anti-fraud databases, ‎sanctions lists, court ‎judgments, social media ‎sites, via cookies, from ‎other parties such as ‎parties to transactions ‎and litigation including ‎experts, witnesses and ‎other related parties.‎

Legitimate interest: ‎
To build, manage, evaluate ‎and monitor relationships ‎with existing and potential ‎clients and other interested ‎parties and communicate ‎with such parties
To provide legal services to ‎our clients.‎
To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎
To operate and manage the ‎Firm's business including its ‎website. ‎
To comply with legal ‎obligations:‎
To comply with sanctions, ‎anti-money laundering, ‎anti-counter terrorist ‎financing and similar legal ‎requirements.‎

 

 

 

 

 

Generally, until no ‎longer necessary for ‎the purposes for which ‎the personal ‎information was ‎processed, unless ‎applicable law ‎‎requires a longer ‎retention period. ‎
Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Time entries that may ‎contain personal data ‎are retained ‎permanently.‎
Accounts receivable ‎records (excluding ‎bills), the greater of (i) ‎the required time ‎periods under HMRC ‎regulations or (ii) ‎seven years following ‎the end of the year to ‎which they relate.‎
HR Data as set forth ‎in the chart below.‎
Personal information ‎in agreements, seven ‎years following the ‎termination or ‎expiration of the ‎relevant agreement.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎
Immigration ‎Employment ‎Eligibility Verification ‎forms. As set forth in ‎the HR Data ‎Retention chart ‎below;‎
Information in benefit ‎and pension plans, as ‎set forth in the HR ‎Data Retention chart ‎below.‎
Standard internet log ‎information and ‎details of visitor ‎behavior patterns, 14 ‎months.‎

Service providers ‎‎(such as IT hosting ‎and infrastructure, ‎credit reference ‎agencies, screening ‎agencies, payroll ‎agencies, benefits ‎providers, professional ‎advisers, auditors, ‎accountants, insurers); ‎
Where necessary or ‎appropriate with third ‎parties with which you ‎or we maintain a ‎relationship regarding ‎our services, and other ‎parties to or involved ‎with transactions and ‎litigation or the ‎provision of legal ‎advice, including ‎experts, witnesses, ‎courts, regulators ‎other lawyers and ‎other parties involved ‎in the matter;‎
Government agencies, ‎law enforcement,. ‎including to support or ‎comply with ‎regulatory and legal ‎requirements; ‎
Outside companies or ‎organizations, in ‎connection with ‎routine or required ‎reporting.‎
Other relevant parties ‎where necessary or ‎appropriate if we sell ‎or merge our business ‎or undergo or plan to ‎undergo a similar ‎transaction.

Commercial ‎Information

Records of ‎personal property, ‎products ‎or services ‎purchased, ‎obtained, or ‎considered, or ‎other ‎purchasing or ‎consuming ‎histories or tendencies.‎

See identifiers.‎

Legitimate interest:‎

To establish, build, evaluate ‎and monitor relationships ‎with ‎existing and potential ‎clients ‎and other interested ‎parties ‎and communicate ‎with such ‎parties;‎ and

To operate and manage the ‎Firm's business. ‎

To provide legal services to ‎‎our clients.‎

Performance of a contract.‎

Generally, until no ‎longer necessary for ‎the purposes for which ‎the personal ‎information was ‎processed, unless ‎applicable law ‎‎requires a longer ‎retention period.‎
Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎

See above.

Biological ‎Information

Physiological, or biological ‎ ‎information, ‎including ‎imagery of the face ‎and ‎voice recordings.‎

 

See Identifiers and ‎additionally: ‎
CCTV;‎
still pictures; ‎
audio file;‎
Building access control; ‎
Voicemail.‎

Legitimate interest: ‎

To provide legal services to ‎‎our clients.‎

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship. ‎
For safety and security, and ‎to prevent and detect crime ‎around office premises.

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information as set out ‎in the HR Data ‎Retention chart below.‎

For CCTV data ‎generated from Firm ‎server ‎rooms, for 12 ‎months after the date ‎it was created.‎

For data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and retained ‎in the Firm’s email ‎system, 180 days ‎from date of receipt; ‎for data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and saved to ‎the Firm’s document ‎management system, ‎as noted above for ‎client/matter ‎‎documents that ‎‎contain personal ‎information.

See above.

Internet or other electronic network activity information

Browsing history, search ‎history,‎‎ information ‎regarding a consumer’s ‎interactions with an Internet ‎Web site, application, ‎or ‎advertisement, IP address, ‎log-on information, IT and ‎systems usage, CCTV and ‎building access control.

See Identifiers and ‎additionally:‎
The Firm's website;‎
IT systems and ‎applications;‎
CCTV;‎
Voicemail.

 

Legitimate interest:‎

To build, manage, evaluate ‎and monitor relationships ‎with existing and potential ‎clients and other interested ‎parties and communicate ‎with such parties
To provide legal services to ‎our clients.‎

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎
To operate and manage the ‎Firm's business including ‎website use and to ensure ‎compliance with IT security ‎and related policies; and‎
For safety and security, and ‎to prevent and detect crime ‎around office premises.‎

Generally, until no ‎longer necessary for ‎the purposes for which ‎the personal ‎information was ‎processed, unless ‎applicable law ‎‎requires a longer ‎retention period. ‎
Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

Information from ‎marketing lists, one ‎year after a person is ‎not connected to a ‎current lawyer of the ‎Firm and last ‎interacted with the ‎Firm’s email ‎messages.‎
For CCTV data ‎generated from Firm ‎server ‎rooms, for 12 ‎months after the date ‎it was created.‎
For data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and retained ‎in the Firm’s email ‎system, 180 days ‎from date of receipt; ‎for data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and saved to ‎the Firm’s document ‎management system, ‎as noted above for ‎client/matter ‎‎documents that ‎‎contain personal ‎information.

See above.

Geolocation data

Geographic information.

See Identifiers and ‎Internet or other ‎electronic network ‎activity information and ‎additionally via our IT ‎systems or those ‎operated by service ‎providers on our behalf.‎

Legitimate interest: ‎

To provide legal services to ‎‎our clients.‎

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎
To establish and monitor IT ‎security and related access ‎rights, and for IT security ‎purposes.

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

See above.

Sensory Data

Audio, electronic, visual, ‎thermal, olfactory, or similar ‎‎information.

See Identifiers and ‎Internet or other ‎electronic network ‎activity information.er related parties

Legitimate interest:‎

To provide legal services to ‎‎our clients; and

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎
For safety and security, and ‎to prevent and detect crime ‎around office premises.‎

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

For CCTV data ‎generated from Firm ‎server ‎rooms, for 12 ‎months after the date ‎it was created.‎
For data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and retained ‎in the Firm’s email ‎system, 180 days ‎from date of receipt; ‎for data contained in ‎voice mails not ‎deleted by a Firm ‎recipient and saved to ‎the Firm’s document ‎management system, ‎as noted above for ‎client/matter ‎‎documents that ‎‎contain personal ‎information.

See above.

Professional or employment-related information

Current and/or past ‎‎employment history ‎‎including performance ‎‎evaluations, annual leave ‎records, disciplinary and ‎grievance procedures, ‎statutory leave records ‎‎(maternity, paternity, etc.), ‎training and development ‎records, resignation and ‎termination records, health ‎assessments, working time ‎records, timesheets, accident ‎records, P45, tax records and ‎coding, pension and benefits ‎enrolment and ‎administration, death benefit ‎nomination and revocation ‎forms, pay records, details on ‎overtime, bonuses, expenses, ‎other benefits in kind.‎

 

 

See Identifiers and in ‎addition from ‎recruitment agents and ‎partners, from current or ‎former employers and ‎educational ‎establishments, benefits ‎providers, HMRC or tax ‎authorities.

Legitimate Interest:‎

Performance of a contract. ‎

Compliance with a legal ‎obligation.‎
‎ ‎
To build, manage, evaluate ‎and monitor relationships ‎with existing and potential ‎clients and other interested ‎parties and communicate ‎with such parties

To provide legal services to ‎our clients.‎

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

See above.

Education and ‎Recruitment Records

Education records, files, ‎‎documents, and other ‎‎materials directly related to ‎a ‎student ‎maintained by an ‎‎educational agency or ‎‎institution or by a person ‎‎acting for such an agency ‎or ‎‎institution, such as grades, ‎‎transcripts, class lists, ‎student ‎schedules, student ‎‎identification ‎codes, student ‎‎financial information, or ‎‎student disciplinary records.‎ ‎Completed online application ‎forms or CVs, equal ‎opportunities monitoring ‎forms, assessment exercises ‎or tests, notes from interviews ‎and short-listing exercises ‎and related decision making, ‎qualifications records, pre-‎employment verification of ‎details provided by the ‎successful candidate (such as ‎checking qualifications and ‎references).‎

See Identifiers and in ‎addition from ‎recruitment agents and ‎partners, from current or ‎former employers and ‎educational ‎establishments, ‎

Legitimate Interest:‎
To perform contracts.‎

To comply with legal ‎obligation. ‎

To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship‎.

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

See above.

Special Category ‎personal data and ‎criminal record data

Racial or ethnic origin, ‎‎religion, or philosophical ‎belief, trade union ‎membership, genetic data, ‎heath data, sex life or sexual ‎orientation. ‎

Criminal record data and ‎DBS check.

See above.‎

Legitimate Interest: To ‎comply with legal ‎obligation.‎

Performance of ‎employment law rights and ‎obligations. ‎

In connection with any ‎legal proceedings (including ‎prospective legal ‎proceedings), for the ‎purpose of giving/obtaining ‎legal advice or the ‎establishment, exercise or ‎defence of legal claims. ‎

With consent (usually DBS ‎check only). ‎


To provide legal services to ‎our clients. ‎
To establish, evaluate, ‎maintain and manage, ‎employment relationships, ‎whether as a partner, ‎employee, contractor, ‎consultant, intern/student ‎or other work relationship.‎

Client/matter ‎‎documents that ‎‎contain personal ‎information, five (5) ‎years from the date ‎the client/matter is ‎‎closed, or six (6) ‎years ‎in the case of files in ‎the London office, ‎except for documents ‎to be retained for a ‎shorter ‎or longer ‎period of time as ‎‎determined by the ‎client’s guidelines or ‎other agreement with ‎the ‎Firm or a member ‎of the General ‎‎Counsel’s Office.‎
Employment ‎information, as set ‎forth in the HR Data ‎Retention chart below.‎

See above.


Retention periods for HR Data

HR Data

Retention period

Recruitment records

These may include:

Completed online application forms or CVs.

Equal opportunities monitoring forms.

Assessment exercises or tests.

Notes from interviews and short-listing exercises.

Pre-employment verification of details provided by the successful candidate. For example, checking qualifications and taking up references. (These may be transferred to a successful candidate's employment file.)

DBS checks (These may be transferred to a successful candidate's employment file if they are relevant to the ongoing relationship.)

Six months after notifying candidates of the outcome ‎of the recruitment exercise

Immigration/right to work checks

Three years after the termination of employment or ‎services

Contracts and Individual Data ‎

 

 

These may include:

Written particulars of employment

Contracts of employment or other contracts

Documented changes to terms and conditions

Browsing history, search ‎history,‎‎ information ‎regarding a consumer’s ‎interactions with an Internet ‎Web site, application, ‎or ‎advertisement, IP address, ‎log-on information, IT and ‎systems usage, CCTV and ‎building access control.

Payroll and wage records

 

Payroll and wage records

Details on overtime

Bonuses

Expenses

Benefits in kind

These must be kept for at least three years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes they will be retained for seven years after employment or services end

Current bank details

Bank details will be deleted as soon after the end of employment as possible once final payments have been made‎

Pay records

These must be kept for at least three years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes they will be retained for seven years after employment ends

Records in relation to hours worked and payments made to workers

These must be kept for three years beginning with the day on which the pay reference period immediately following that to which they relate ends. However, given their potential relevance to pay disputes they will be retained for seven years after the working relationship ends

Travel and subsistence

While employment continues and for seven years after ‎employment ends

Record of advances for season tickets ‎and loans to employees

While employment continues and for seven years after ‎employment ends

Personnel records

 

These include:

Qualifications/references.

Consents for the processing of special categories of personal data.

Annual leave records.

Annual assessment reports.

Disciplinary procedures.

Grievance procedures.

Death benefit nomination and revocation forms.

Resignation, termination and retirement.

While employment continues and for seven years after employment ends

Records in connection with working time

 

Working time opt-out

Three years from the date on which they were entered ‎into

Records to show compliance, including:

Time sheets for opted-out workers.

Health assessment records for night workers.

Three years after the relevant period

Maternity and statutory family leave records

 

These include:

Dates of leave taken.

Periods without statutory payment.

Certificates showing the expected week of confinement or other relevant dates.

Matching certificates or relevant declarations.

Four years after the end of the tax year in which the ‎period ends

Accident records

 

These are created regarding any reportable accident, death or injury in connection with work.

For at least four years from the date the report was ‎made

Technology records

 

IP address

Log-on information 

IT and systems usage

CCTV

Building access control

 For 12 months after the date it was created

Appendix 2
Privacy Policy for California Residents under the
California Consumer Privacy Act of 2018

Locke Lord LLP and Locke Lord (UK) LLP (jointly ‎‎”Locke Lord,” the “Firm” or “we”) understand how important your privacy and the protection ‎of your personal information is to you.  ‎

This Privacy Policy for California Residents under the California Consumer Privacy Act of 2018 (the “CCPA Privacy Policy”) applies to personal information of California residents to the extent the information is subject to the California Consumer Privacy Act of 2018, as amended (the “CCPA”).  The Firm’s “Privacy Notice at Collection for California Residents” is linked to Appendix 4.  This CCPA Privacy Policy does not apply to personal information subject to exemptions under the ‎CCPA.  Such information exempt from the CCPA includes personal information collected ‎pursuant to (i) the federal Gramm-Leach-Bliley Act and its implementing regulations or the ‎California Financial Information Privacy Act; (ii)‎ HIPAA; (iii) the Fair Credit Reporting Act.

The provisions of the Firm’s Global Privacy Policy (the “Global Privacy Policy”) to which this CCPA Privacy Policy is attached shall also apply to your personal information.  ‎To the extent the provisions of the Global Privacy Policy conflict or are inconsistent with the provisions ‎of the CCPA Privacy Policy, the provisions of the CCPA Privacy Policy shall control.

To the extent that any Client is considered to be a Covered Entity or Business Associate under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the personal information includes Protected Health Information, or Protected Health Information is collected by us in our capacity as a Business Associate or sub-contractor Business Associate under HIPAA, the provisions of the HIPAA Business Associate Privacy Policy attached as Appendix 3 to the Global Privacy Policy shall also apply.

Personal Information We Collect, Use, Disclose, Share, or Sell

Categories of Personal Information We Collect, Categories of Sources of Personal Information, Business or Commercial Purposes for Which Personal Information Will Be Used, and Third Parties with Whom Personal Information is Sold, Shared, or Disclosed

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”).  We do not sell your personal information.‎

Within the last twelve (12) months, we collected the following categories of personal information from the sources identified below for the business and commercial purposes indicated, and disclosed, shared, or sold (as indicated) such categories of personal information with the specified categories of third parties.  

Category of Personal Information

Examples of Personal Information Collected

Categories of Sources of Personal Information Collected

Business or Commercial Purpose(s) for Which Collected or Disclosed

Categories of Third Parties to Which Personal Information is Disclosed

Identifiers

Contact details, such as real name, alias, postal address, ‎telephone or mobile contact number, unique personal ‎identifier, online identifier, Internet Protocol address, email ‎address, social media handle, pictures and video likeness, voice recording, account name, social security number, driver’s license number, passport number, or similar identifier.

Directly from you, or obtained by us, for example when you engage our services or apply for employment or register on or visit our website or otherwise interact or contact us.

 

From third-parties that interact with us in connection with the services that we provide. This may include your employer, our client, credit reference agencies, governmental and law enforcement agencies, public records, anti-fraud databases, sanctions lists, court judgments, social media sites, via cookies, from other parties such as parties to transactions and litigation including experts, witnesses and other related parties.

To build, manage, evaluate ‎and monitor relationships ‎with existing and potential ‎clients and other interested ‎parties and communicate ‎with such parties;‎

To provide legal services to ‎our clients; ‎

To establish, evaluate, ‎maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant intern/student or ‎other work relationship.‎

To comply with sanctions, ‎anti-money laundering, anti-‎counter terrorist financing ‎and similar legal ‎requirements.‎

 

 

 

 

 

Service providers (such as IT hosting and infrastructure, credit reference agencies, screening agencies, payroll agencies, benefits providers, professional advisers, auditors, accountants, insurers);

Where necessary or appropriate with  third parties with which you or we maintain a relationship regarding our services, and other parties to or involved with transactions and litigation or the provision of legal advice, including experts, witnesses, courts, regulators other lawyers and other parties involved in the matter;

Government agencies, law enforcement, including to support or comply with regulatory and legal requirements; and

Outside companies or organizations, in connection with routine or required reporting.

Other relevant parties where necessary or appropriate if we sell or merge our business or undergo or plan to undergo a  similar transaction.

Personal Information Categories Listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e))

A name, signature, ‎Social Security number, ‎physical characteristics ‎or description, address, ‎telephone number, ‎passport number, ‎driver's license or state ‎identification card ‎number, insurance ‎policy number, ‎education, employment, ‎employment history, ‎bank account number, ‎credit card number, ‎debit card number, or ‎any other financial ‎information, medical ‎information, or health ‎insurance ‎information.

See above.

See above.

See above.

Characteristics of protected classifications under California or federal law

Race, color, age (40 years and older), ancestry, ‎national origin, citizenship, ‎religion or creed, ‎marital ‎status, medical condition, ‎physical or mental disability, ‎sex (including gender, ‎gender ‎identity, gender ‎expression, pregnancy or ‎childbirth and related ‎medical conditions), sexual ‎‎orientation, veteran or ‎military status, genetic ‎information (including ‎familial genetic ‎‎information)‎.

 

See above.

See above.

See above.

Commercial Information

Records of personal property, products ‎or services purchased, ‎obtained, or considered, or other purchasing or ‎consuming histories or tendencies.

 

See above.

To establish, build, evaluate ‎and monitor relationships ‎with ‎existing and potential ‎clients ‎and other interested ‎parties ‎and communicate ‎with such ‎parties;‎
To operate and manage the ‎Firm's business; ‎

To provide legal services to ‎‎our clients; and‎

Performance of a contract.‎

 

See above.

Biometric Information

Physiological, biological or ‎behavioral characteristics, ‎including imagery of the face ‎and voice recordings, from ‎which an identifier ‎template, such as a ‎face print, a minutiae ‎template, or a voiceprint, ‎can be extracted, and information on sleep, health, ‎or exercise.‎

 

See above.

To provide legal services to ‎‎our clients; ‎
To establish, evaluate, ‎maintain ‎and manage ‎employment relationships, ‎‎whether as a partner, ‎‎employer, contractor, ‎‎consultant, intern/student or ‎other work relationship; and‎
For safety and security, and ‎to prevent and detect crime ‎around office premises.‎

See above.

Internet or other electronic network activity information

Browsing history, search history,‎‎ ‎and information regarding a consumer’s interactions with an Internet Web site, application, ‎ or advertisement, IP address, log-on information, IT and systems usage, CCTV and building access control.

 

See above.  In addition, the Firm’s website; IT systems and applications; CCTV; and voicemail.

To build, manage, evaluate and monitor relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients;

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship;

To operate and manage the Firm's business including website use and to ensure compliance with IT security and related policies; and

For safety and security, and to prevent and detect crime around office premises.

See above.

Geolocation data

Geographic information.

See above.  In addition, Internet or other electronic network activity information and additionally via our IT systems or those operated by service providers on our behalf. 

To provide legal services to ‎our clients;

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship; and

To establish and monitor IT security and related access rights, and for IT security purposes.‎

See above.

Sensory Data

Audio, electronic, visual, thermal, olfactory, or similar ‎information. ‎

See above.

To provide legal services to ‎our clients;

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship; and

For safety and security, and to prevent and detect crime around office premises.‎

See above.

Professional or employment-related information

Current and/or past ‎employment history ‎including performance ‎evaluations.‎

 

 

See above. In addition from recruitment agents and partners, from current or former employers and educational establishments.

Performance of a contract;

Compliance with a legal obligation;

To build, manage, evaluate and monitor relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients; and

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship.

See above.

Non-public education information (as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g, 34 C.F.R. Part 99))

Education records, files, ‎documents, and other ‎materials directly related to ‎a student ‎maintained by an ‎educational agency or ‎institution or by a person ‎acting for such an agency ‎or ‎institution, such as grades, ‎transcripts, class lists, ‎student schedules, student ‎identification ‎codes, student ‎financial information, or ‎student disciplinary records.‎

See above. In addition from recruitment agents and partners, from current or former employers and educational establishments.

See above.

See above.

Inferences drawn from other personal information

Preferences, characteristics, behavior, attitudes, intelligence, abilities, and aptitudes.

See above.

To provide legal services to ‎our clients; and

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship.‎

See above.

Sensitive Personal ‎Information

Personal information that reveals: a ‎Social ‎‎Security number or other ‎government ‎‎identifier; account login ‎information or a ‎‎financial account ‎number with associated ‎‎credentials; contents of ‎mail, ‎email, or text ‎messages. Health information.‎

 

 

See above.

To comply with legal obligation;

To build, manage, evaluate and monitor build relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients; and

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship.

See above.

 

We do not share personal information for the purpose of cross-context behavioral advertising. 

We do not sell personal information.  We do not sell or share the personal information of minors under 16 years of age.

We do not use or disclose sensitive personal information for purposes other than the following:

  1. To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
  2. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
  3. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions.
  4. To ensure the physical safety of natural persons.
  5. For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
  6. To perform services on behalf of the business.
  7. To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by the business.
  8. To collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer.

Your Privacy Rights

Right to Notice

You have the right to receive notice at or before the point of collection about our collection and retention practices.  Please review the Firm’s “Privacy Notice at Collection for California Residents” at Appendix 4 for more information.

Right to Know and Access Your Information

You have the right to request that we disclose to you certain descriptions and categories of the personal information we collect, use, disclose, share, or sell about you.  For example, you may request the following:

‎(1) The categories of personal information we have collected about you.‎

‎(2) The categories of sources from which the personal information is collected.‎

‎(3) The business or commercial purpose for collecting, selling, or sharing personal information.‎

‎(4) The categories of third parties to whom we disclose the personal information.‎

‎(5) The specific pieces of personal information we have collected about you.‎

You may make up to two disclosure requests in any 12 month period.

Right to Request Deletion

You have the right to request that we delete your personal information (a “deletion request”). 

Only you, or someone legally authorized to act on your behalf, may make a deletion request ‎related to your personal information‎. You may also make a deletion request on behalf of your minor child.

You should be aware, however, that California law allows us to retain your personal information under certain conditions, even if you have asked us to delete it, such as when retaining your personal information is necessary for us to complete a transaction with you or provide you with a service you have requested.  We will notify you of any denial of your deletion request and the reason for such denial.

Right to Request Correction

You have the right to request that we correct your personal information. 

Exercising your California Consumer Privacy Rights

You may exercise the rights described above by making a “verifiable consumer request.”  To submit a verifiable consumer request (including a deletion request), please send an email to CCPAInquiries@lockelord.com.  You can also call 888-558-5025 to make the request.  You may make up to two requests in any 12 month period.

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

Making a verifiable consumer request does not require you to create an account with us. ‎‎

Verifying your Identity

In making a verifiable consumer request, we will need to verify your identity.  To verify your identity, ‎we may ask you to provide personal information we have previously collected about you.  If ‎you are making the request for an entity, we will also ask that you provide some independent ‎evidence that you are a representative of that entity and are authorized to make such request.‎

We will only use personal information provided in a verifiable consumer request or request to delete, correct, or limit the use of, your personal information, to verify the ‎requestor's identity or authority to make the request.‎  We cannot respond to your request or provide you with personal information if we cannot verify ‎your identity or authority to make the request and confirm the personal information relates to ‎you.‎

Using an Authorized Agent

You may use an authorized agent to submit a verifiable consumer request.  To use an authorized agent, you will need to (i) provide written instruction to your agent and verify your identity to us, or (ii) provide a power of attorney pursuant to California Probate Code Sections 4000 to 4465.

Right to Non-Discrimination for Exercise of Consumer Privacy Rights

We will not discriminate against you because you have chosen to exercise any of your privacy rights provided by the CCPA.

Contact Information

If you have questions about the Global Privacy Policy or this CCPA Privacy Policy, please contact us at:

Phone:           ‎+1-‎888-558-5025‎

Website:         www.lockelord.com

Email:             CCPAInquiries@lockelord.com

Address:        2200 Ross Avenue
                       Suite 2800
                       Dallas, TX
                       
Attn: CCPA Inquiries


Appendix 3
HIPAA Business Associate Privacy Policy

I.                   Background

Locke Lord LLP (the “Firm”) provides legal services to certain entities that are considered to be Covered Entities or Business Associates under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)  as amended by The Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”).  The policies contained in this HIPAA Business Associate Privacy Policy and the Firm’s Global Privacy Policy (“Policies”) apply to the Firm solely in its role as a HIPAA Business Associate.  Capitalized terms used in this HIPAA Business Associate Privacy Policy and not otherwise defined shall have the meaning given to such terms under the section “Overview of Key HIPAA/HITECH Definitions.”‎

HIPAA and its implementing regulations (“HIPAA Privacy Regulations”) restrict the Firm’s ‎uses of, disclosures of, and requests for Protected Health Information as a Business Associate. ‎The Firm’s Global Privacy Policy and this HIPAA Business Associate Privacy Policy ‎‎(collectively, the “Policies”) set forth guidelines that the Firm’s personnel (“Workforce”) must ‎follow when collecting, using or disclosing Protected Health Information, and set forth a number ‎of rights Individuals have pursuant to applicable law. The Firm considers the protection of this ‎information to be an essential priority and expects all of its Workforce to act in a manner ‎consistent with these Policies. Failure of a member of Workforce to follow the Policies may result ‎in disciplinary action.‎

In conjunction with the Policies, the Firm has also implemented the HIPAA Data Security Policy and Breach Notification Procedures to set forth requirements that Workforce must follow when dealing with and safeguarding electronically maintained or transmitted Protected Health Information and when a potential breach of unsecured Protected Health Information is discovered.  These Policies and the HIPAA Data Security Policy and Breach Notification Procedures are intended to supplement the Firm’s Privacy and Compliance Information Security Program, and shall be construed and administered at all times in a manner consistent with the applicable requirements of HIPAA, the HITECH Act, and HIPAA regulations.

These Policies will change as necessary and appropriate to comply with changes in the law and/or business needs of the Firm.

Any Business Associate agreement that the Firm is asked to sign, or any agreement under which a subcontractor to the Firm will have access, use, maintenance or disclosure of PHI on behalf of the Firm, must be approved by the Firm’s Privacy Officer or her designee prior to signature.The Firm’s fundamental legal obligations when acting as a Business Associate are to observe the terms of the applicable Business Associate agreement, and comply with the HIPAA Information Security Regulations and HIPAA Breach Notification regulation.

II.                Overview of Key HIPAA/HITECH Definitions:

A.          Business Associate:  Business Associate means a person or entity who on behalf of a Covered Entity creates, receives, maintains, or transmits Protected Health Information for a function or activity regulated by the HIPAA Privacy Regulations.

1.            These services include, but are not limited to, claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; certain Patient Safety Activities; benefit management; re-pricing; and practice management; or

2.            The provision of legal services, actuarial services, accounting services, consulting services, data aggregation services, management services, administrative services, or accreditation services and financial services to or for a Covered Entity where the provision of the service involves the disclosure of PHI from the Covered Entity or from another Business Associate of the Covered Entity, to the person.

The term Business Associate includes a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a Covered Entity and that requires access on a routine basis to such PHI.  The term Business Associate also includes a person that offers a personal health record to one or more individuals on behalf of a Covered Entity.  A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate is also considered a Business Associate.  In some situations, the Firm may function as a subcontractor to another Business Associate.  In such situations, the Firm is a Business Associate if it creates, receives, maintains, or transmits a Covered Entity’s PHI on behalf of another Business Associate. In some other instances, the Firm might engage a subcontractor to process PHI that the Firm has ‎obtained from or on behalf of a Covered Entity.  In that case, the subcontractor is also a Business ‎Associate, and must execute a Business Associate agreement with the Firm.  ‎

B.           Covered Entity:  Covered entity means (i) a Health Plan, (ii) a Health Care Clearinghouse and (iii) a Health Care Provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

C.           Designated Record Set:  A group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and or case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals.

D.          Electronic Protected Health Information:  Electronic Protected Health Information (“Electronic Protected Health Information” or “ePHI”) means electronic protected health information as defined under HIPAA regulations that is created, received, maintained or transmitted by or on behalf of Covered Entities, including Protected Health Information that is transmitted over the Internet, stored on a computer, CD, disk, magnetic tape or other related means.

E.           Individual.  Individual means the person who is the subject of Protected Health Information.

F.           Limited Data Set:  Protected Health Information of that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (i) names; (ii) postal address information, other than town or city, State, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) social security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) web universal resource locators (URLs); (xiv) internet protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images.

G.            Protected Health Information or PHI: Protected Health Information(“PHI”) means information that is created or received by a Covered Entity (or by a Business Associate acting on behalf of a Covered Entity) and relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future Payment for the provision of health care; and that identifies the Individual or for which there is a reasonable basis to believe the information can be used to identify the Individual. Protected Health Information includes information about persons living or deceased whether in electronic, printed, or spoken form.  PHI excludes: (1) individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (“FERPA”); (2) records held by a Covered Entity in its role as employer; and (3) records regarding a person who has been deceased for more than 50 years.

H.            Workforce:  Workforce means any associate, partner, counsel, staff member, and any other employee, whether employed directly, engaged by contract, or otherwise, of the Firm.  The term includes all administrative, management and technical employees as well as all attorneys and paralegals representing Firm clients on behalf of the Firm.  Business Associates or subcontractor Business Associates are not considered to be Workforce.

III.             Workforce Covered by This Manual

These Policies apply to any member of the Workforce that, by nature of his or her job description and through the course of providing services to a Covered Entity or another Business Associate, uses, discloses, or requests PHI.

IV.             General HIPAA Business Associate Privacy Policy

The Firm considers the protection of Protected Health Information to be an essential priority and expects all of its Workforce to act in a manner consistent with HIPAA, the HITECH Act, and HIPAA Privacy Regulations.  The Firm will use, disclose, maintain and request Protected Health Information received from or created on behalf of Covered Entities or other Business Associates only as permitted under HIPAA and in compliance with the Firm’s applicable Business Associate agreements.

In general, HIPAA and the HIPAA Privacy Regulations restrict the Firm’s uses of, disclosures of, and requests for Protected Health Information to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.  The Firm respects the rights of Individuals under HIPAA and maintains documentation of compliance with the HIPAA privacy requirements and the terms of its Business Associate agreements for six (6) years from the date the documentation was created.

All Workforce members have the responsibility to immediately report violations or potential violations of these Policies to their supervisor or to the Privacy Officer or to the Workforce member that the Privacy Officer may designate to receive initial reports.  The Firm is committed to taking and will take appropriate disciplinary measures against Workforce who violate any policy or procedure concerning the privacy of health information.  The Firm trains its Workforce regarding compliance with the Policies as necessary and appropriate for Workforce to carry out Firm Business Associate functions.  

The Firm’s Privacy Officer can be contacted as follows:

By e-mail: Privacy@lockelord.com

By phone: US toll free +1-‎888-558-5025‎

By postal mail:

Locke Lord LLP
Attn: Privacy Officer
2800 Financial Plaza
Providence, RI  02903

V.                Documentation

Documentation created pursuant to these Policies shall be retained by the Privacy Officer for six years from the date on which it was created.  Documentation shall be made available to those persons responsible for implementing the procedures to which the documentation pertains.

VI.             Specific Privacy Policies

A.          Privacy Officer.  The Firm will designate a Privacy Officer to oversee the formulation and implementation of the Firm’s HIPAA Business Associate Privacy Policy. The Privacy Officer’s duties include coordinating activities related to protecting privacy and monitoring the Firm’s HIPAA privacy program to oversee compliance with applicable laws, rules, and regulations. The Privacy Officer also serves as the chief liaison for dealing with privacy matters that arise in relationships with Covered Entities, other Business Associates, the Firm’s subcontractors, the public, and privacy enforcement authorities.

B.           Workforce Training.  The Firm will train Workforce members who access, use and disclose PHI regarding the Firm’s policies and procedures for the safeguarding of PHI as necessary and appropriate for each such Workforce member to carry out his or her job functions under HIPAA.  The Firm will also train all applicable Workforce members in Texas as required for compliance with the Texas Medical Records Privacy Act, Tex. Health & Safety Code Chapter 181.

C.           Workforce Sanctions.  The Firm expects all Workforce members handling PHI to adhere to the Firm’s policies and procedures regarding the safeguarding of PHI and will sanction Workforce members who violate the Firm’s policies and procedures pertaining to PHI.

D.          Refraining From Intimidating or Retaliatory Acts.  The Firm shall refrain from engaging in intimidation, threats, coercion, discrimination, or any other retaliatory acts in regards to PHI under the situations proscribed by the HIPAA Privacy Regulations.

E.            Complaints.  It is the policy of the Firm, as a Business Associate, to receive, respond to, and resolve complaints regarding allegations of improper use or disclosure of PHI by Individuals, Covered Entities, other Business Associates, Workforce members, or the Firm’s subcontractors.

F.          Subcontractors. The Firm will require all subcontractors who access, use, maintain or disclose ‎PHI on behalf of the Firm and its Covered Entity or Business Associate clients to agree to ‎comply with the Firm’s HIPAA policies, applicable law, and the terms of all applicable Business ‎Associate agreements to which the Firm is a party.  These requirements will be set forth in a ‎Business Associate agreement in a form that has been approved by the Firm’s privacy officer or ‎her designee.‎

G.          Authorization.  It is the Firm’s policy to only use or disclose PHI in a manner permitted by the HIPAA Privacy Regulations or as authorized by the applicable Individual.

H.             Minimum Necessary Uses and Disclosures of and Requests for PHI.  The Firm will use the minimum amount of PHI necessary to carry out job functions and to provide legal services pursuant to its obligations under the applicable Business Associate agreement to which it is a party and will disclose or request PHI in accordance with determinations made regarding the minimum amount needed to achieve the purpose of the disclosure or request. Workforce members who routinely use, receive and process requests for disclosure of, or request PHI, will receive training regarding policies and the determinations that have been made regarding minimum necessary disclosures.

Effective from February 17, 2010 until the time the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) issues guidance, as required by the HITECH Act, on what constitutes the “minimum necessary,” the Firm will limit any use, disclosure or request for PHI to the Limited Data Set, as set forth in the HIPAA Privacy Regulations, or if needed by the Firm, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The Firm will comply with any future guidance on what constitutes the “minimum necessary” promulgated by the Secretary, which guidance shall override inconsistent policies and procedures established herein.

I.            Personal Representatives and Verification of Identity.  The Firm recognizes that, with respect ‎to the HIPAA Privacy Regulations and PHI, a personal representative of an Individual is to be ‎treated as if that personal representative were the Individual.  The Firm will use reasonable ‎efforts to verify the identity and authority of a person or entity that requests access to PHI and ‎who will be recognized as personal representatives without placing an undue burden on the ‎representative.  Before making any disclosure to an individual or a representative, the Firm will ‎confirm that such disclosure is authorized by the applicable Covered Entity.‎.

J.          Right to Request Privacy Restrictions.  In accordance with the HIPAA Privacy Regulations and these Policies, the Firm will respect any requests for privacy restrictions granted by the applicable Covered Entity and shall refer any requests received by the Firm to the Covered Entity or Business Associate client in accordance with the terms of the applicable Business Associate agreement.

K.           Requests for Confidential or Alternative Communications.  The Firm, in its role as a Business Associate, recognizes an Individual’s right to request that a Covered Entity and its Business Associates communicate with that Individual about his or her PHI only in the manner and at the location that the Individual requests. For instance, an Individual may wish to be contacted about their PHI only at work or by sending mail to a specific address. The Firm will reasonably accommodate such requests, to the extent such request have been granted by the applicable Covered Entity, in accordance with the terms of the applicable Business Associate agreement.

L.         Access to Records.  The Firm shall process a request to access, inspect, and/or obtain a copy of certain PHI maintained by the Firm, if the request is made by a Covered Entity or Business Associate client in response to a request from an Individual or his or her authorized representative.  The Firm will respond to such request in accordance with the terms of the applicable Business Associate agreement.

M.          Requests for Amendments.  The Firm recognizes an Individual’s right to request that the applicable Covered Entity and its Business Associates including, but not limited to, the Firm, amend his or her PHI that is maintained in a Designated Record Set. Such requests may be subject to the Covered Entity’s denial, in accordance with applicable law.  The Firm will defer to the Covered Entity regarding the denial or acceptance of a request for amendment unless stated otherwise in the applicable Business Associate agreement.

N.          Accounting of Disclosures.  It is the Firm’s policy to provide to a Covered Entity upon its receipt of a request from Individuals, a timely accounting of certain disclosures of an Individual’s PHI as required by law.  The Firm shall maintain all information required by law to prepare and provide such an accounting when requested and in accordance with the applicable Business Associate agreement.

O.            Mitigation.  To the extent known by the Firm, the Firm is committed to complying with HIPAA and other applicable legal requirements regarding the mitigation of the harmful effects of the improper use or disclosure of PHI and in a manner consistent with the applicable Business Associate agreement.

P.           Records Management.  The Firm will retain all required HIPAA Privacy Regulations documentation for at least six (6) years, maintain appropriate storage facilities to protect documentation containing PHI or ePHI and establish appropriate procedures for destruction of records.

R.           Disclosures to the Secretary.  The Firm will provide the Secretary with copies and/or access to records in such time and manner required by HIPAA Privacy Regulations and as requested by the Secretary.  The Firm will cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the Firm’s HIPAA policies, procedures, or practices.

Effective Date:  March 15, 2016, as updated June 18, 2018, June 18, 2019, June 21, 2022 and July 18, 2023
Geographic Scope:  Applies to all U.S. offices
Application:  Applies to all attorneys and staff


This policy is not a contract, and the Firm reserves the right to change, modify, suspend, interpret or cancel this policy in whole or in part, at any time, with or without prior notice.  Nothing in this policy is intended to change the traditional relationship of employment at will.

Appendix 4
Privacy Notices at Collection for California Residents

Locke Lord LLP and Locke Lord (UK) LLP (jointly “Locke Lord,” the “Firm” or “we”) understand how important your privacy and the protection of your personal data and information is to you.  Protecting your privacy is important to the Firm.  This Privacy Notice at Collection applies to personal information of California residents to the extent the information is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (“CCPA”).  This Privacy Notice at Collection describes how the Firm may collect, use, disclose and safeguard the personal information you provide when you communicate or interact with the Firm, including as a client, as well as information you provide on the Firm’s websites and through or in connection with our mobile apps (the “Apps”) or other software- and Internet-enabled programs and services sponsored by the Firm.  This Notice at Collection does not apply to personal information collected pursuant to exemptions, including information collected subject to (i) the federal Gramm-Leach-Bliley Act and its implementing regulations or the California Financial Information Privacy Act; (ii) HIPAA; or (iii) the Fair Credit Reporting Act.‎ ‎ ‎

Personal Information We Collect

We collect or use information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”).  Because the chart below includes information collected for various types of individuals, such as our ‎customers, employees, and others, not all of the categories of collected personal ‎information described may be applicable to you.‎ We may collect or use the following categories of your personal information in the following ways:   

Category of Personal Information

Examples of Personal Information Collected or Used

Expected Retention Period or Criteria for Retention

Business or Commercial Purpose(s) for Which Collected or Disclosed

Identifiers

Contact details, such as real name, alias, postal address, ‎telephone or mobile contact number, unique personal ‎identifier, online identifier, Internet Protocol address, email ‎address, social media handle, pictures and video likeness, voice recording, account name, social security number, driver’s license number, passport number, or similar identifier.

Generally, until no longer necessary for the purposes for which the personal information was processed, unless applicable law ‎requires a longer retention period.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Time entries that may contain personal data are retained permanently.

Accounts receivable records (excluding bills) and payroll records, the greater of (i) the required time periods under IRS regulations or (ii) seven years following the end of the year to which they relate.

Personal information in agreements, seven years following the termination or expiration of the relevant agreement.

Employment information, seven years after the date of termination of employment.

Form I-9 Employment Eligibility Verification forms. as required under federal law for three years after date of hire or one year after the date employment ends, whichever is later;

Information in benefit and pension plans, a minimum of six years after filing returns or reports, unless an extension or other exception applies.

Standard internet log information and details of visitor behavior patterns, 14 months.

Information from marketing lists, one year after a person is not connected to a current lawyer of the Firm and last interacted with the Firm’s email messages.‎

To build, manage, evaluate and monitor relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients;

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant intern/student or other work relationship.

To comply with sanctions, anti-money laundering, anti-counter terrorist financing and similar legal requirements.

 

Personal Information Categories Listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e))

A name, signature, ‎Social Security number, ‎physical characteristics ‎or description, address, ‎telephone number, ‎passport number, ‎driver's license or state ‎identification card ‎number, insurance ‎policy number, ‎education, employment, ‎employment history, ‎bank account number, ‎credit card number, ‎debit card number, or ‎any other financial ‎information, medical ‎information, or health ‎insurance ‎information.

See above.

See above.

Characteristics of protected classifications under California or federal law

Race, color, age (40 years and older), ancestry, ‎national origin, citizenship, ‎religion or creed, ‎marital ‎status, medical condition, ‎physical or mental disability, ‎sex (including gender, ‎gender ‎identity, gender ‎expression, pregnancy or ‎childbirth and related ‎medical conditions), sexual ‎‎orientation, veteran or ‎military status, genetic ‎information (including ‎familial genetic ‎‎information)‎.

 

Generally, until no longer necessary for the purposes for which the personal information was processed, unless applicable law ‎requires a longer retention period.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

Information in benefit and pension plans, a minimum of six years after filing returns or reports, unless an extension or other exception applies.

 

See above.

Commercial Information

Records of personal property, products ‎or services purchased, ‎obtained, or considered, or other purchasing or ‎consuming histories or tendencies.‎

 

Generally, until no longer necessary for the purposes for which the personal information was processed, unless applicable law ‎requires a longer retention period.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

To establish, build, evaluate and monitor relationships with ‎existing and potential clients ‎and other interested parties ‎and communicate with such ‎parties;‎

To operate and manage the Firm's business; 

To provide legal services to ‎our clients; and

Performance of a contract.

Biometric Information

Physiological, biological or ‎behavioral characteristics, ‎including imagery of the face ‎and voice recordings, from ‎which an identifier ‎template, such as a ‎face print, a minutiae ‎template, or a voiceprint, ‎can be extracted, and information on sleep, health, ‎or exercise.‎

 

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

For CCTV data generated from Firm server ‎rooms, for 12 months after the date it was created.

For data contained in voice mails not deleted by a Firm recipient and retained in the Firm’s email system, 180 days from date of receipt; for data contained in voice mails not deleted by a Firm recipient and saved to the Firm’s document management system, as noted above for client/matter ‎documents that ‎contain personal information

 

To provide legal services to ‎our clients;

To establish, evaluate, maintain ‎and manage employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship; and

For safety and security, and to prevent and detect crime around office premises.‎

Internet or other electronic network activity information

Browsing history, search history,‎‎, ‎and information regarding a consumer’s interactions with an Internet Web site, , application, ‎ or advertisement, IP address, log-on information, IT and systems usage, CCTV and building access control.

Generally, until no longer necessary for the purposes for which the personal information was processed, unless applicable law ‎requires a longer retention period.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

Information from marketing lists, one year after a person is not connected to a current lawyer of the Firm and last interacted with the Firm’s email messages.

 

To build, manage, evaluate and monitor relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients;

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship;

To operate and manage the Firm's business including website use and to ensure compliance with IT security and related policies; and

For safety and security, and to prevent and detect crime around office premises.

Geolocation data

Geographic information.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

To provide legal services to ‎our clients;

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship; and

To establish and monitor IT security and related access rights, and for IT security purposes.

Sensory Data

Audio, electronic, visual, thermal, olfactory, or similar ‎information. ‎

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

For CCTV data generated from Firm server ‎rooms, for 12 months after the date it was created.

For data contained in voice mails not deleted by a Firm recipient and retained in the Firm’s email system, 180 days from date of receipt; for data contained in voice mails not deleted by a Firm recipient and saved to the Firm’s document management system, as noted above for client/matter ‎documents that ‎contain personal information.

 

To provide legal services to ‎our clients;

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship; and

For safety and security, and to prevent and detect crime around office premises.‎

Professional or employment-related information

Current and/or past ‎employment history ‎including performance ‎evaluations.‎

 

 

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

 

Performance of a contract;

Compliance with a legal obligation;

To build, manage, evaluate and monitor relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients; and

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship.

Non-public education information (as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g, 34 C.F.R. Part 99))

Education records, files, ‎documents, and other ‎materials directly related to ‎a student ‎maintained by an ‎educational agency or ‎institution or by a person ‎acting for such an agency ‎or ‎institution, such as grades, ‎transcripts, class lists, ‎student schedules, student ‎identification ‎codes, student ‎financial information, or ‎student disciplinary records.‎

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

 

See above.

Inferences drawn from other personal information

Preferences, characteristics, behavior, attitudes, intelligence, abilities, and aptitudes.

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

 

To provide legal services to ‎our clients; and

To establish, evaluate, maintain and manage ‎employment relationships, ‎whether as a partner, ‎employer, contractor, ‎consultant, intern/student or other work relationship.‎

Sensitive Personal ‎Information

Personal information that reveals: a ‎Social ‎‎Security number or other ‎government ‎‎identifier; account login ‎information or a ‎‎financial account ‎number with associated ‎‎credentials; contents of ‎mail, ‎email, or text ‎messages. Health information.‎

 

 

Client/matter ‎documents that ‎contain personal information, five (5) years from the date the client/matter is ‎closed, or six (6) ‎years in the case of files in the London office, except for documents to be retained for a shorter ‎or longer period of time as ‎determined by the client’s guidelines or other agreement with the ‎Firm or a member of the General ‎Counsel’s Office.‎

Employment information, seven years after the date of termination of employment.

 

To comply with legal obligation;

To build, manage, evaluate and monitor build relationships with existing and potential clients and other interested parties and communicate with such parties;

To provide legal services to our clients; and

To establish, evaluate, maintain and manage employment relationships, whether as a partner, employer, contractor, consultant, intern/student or other work relationship.


We do not and will not sell personal information.  We do not share personal information for the purpose of cross-context behavioral advertising.  In the preceding 12 months we have shared personal information with third parties for business or commercial purposes as described above for each category of personal information.

We do not sell or share the personal information of minors under 16 years of age.  We do share cookies with third parties as described in our global privacy policy.‎ To opt-out of the sharing of information with third parties in this context, please review our global privacy policy for instructions or adjust your browser settings accordingly.

Further Information

Please visit our website, www.lockelord.com, for further information about personal information we collect, and your rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (at Appendix 2 of our Privacy Policy at Privacy | Locke Lord).

If you have questions about this notice or wish to contact us concerning your rights, please contact us at:

Phone:             ‎+1-‎888-558-5025‎

Website:          www.lockelord.com

Email:             CCPAInquiries@lockelord.com

Address:          2200 Ross Avenue
                        Suite 2800
                        Dallas, TX
                       
Attn: CCPA Inquiries

 

Appendix 5
Notice of Compliance with Connecticut Act Concerning the Confidentiality of Social Security Numbers

Connecticut law requires any person or entity that collects Social Security numbers from Connecticut residents in the course of business to create a privacy protection policy and to publish or display it publicly.  Locke Lord LLP has adopted a Global Privacy Policy that specifically includes a section on the protection of the confidentiality of social security numbers.  That section is Section 10.

 

 

Appendix 6
Website Cookies Policy

The Firm Website uses cookies for analytical and functionality purposes that allow us to improve our Website based on visitor experience.

Cookies are small text files placed on a computer hard drive to record a visitor's information such as user ID and browsing behavior. Our cookies do not collect your name or email address.

We use the following types of cookies:

(a) Necessary cookies. These are cookies that are required for the operation of our Website. They include, for example, cookies that enable the Website to perform as intended and to access secure areas of our Website.

(b) Analytical/performance cookies. They allow us to recognize and count the number of visitors and repeat visitors, to see how visitors move around our Website when they are using it, to see which search engine is being used to access our Website, the region a visitor is browsing from, and the type of device a user is visiting from. This helps us to improve the way our Website works, for example, by ensuring that users are finding what they are looking for easily. We may use third-party services, currently Google Analytics and Siteimprove, to collect standard internet log information and details of visitor behavior patterns. This information is only processed in a way that does not identify anyone. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. Individuals who have opted to browse websites in private or incognito mode will not be tracked by Siteimprove on our Website.

Third-Party Tracking and Do Not TrackThird parties may use tracking technologies in connection with our Website, which may include the collection of information about your online activities over time and across third-party websites. Our Global Privacy Policy does not apply to these third-party technologies because we may not control them and we are not responsible for them. Do Not Track is a technology that enables users to opt out of tracking by websites they do not visit. Currently, we do not monitor or take any action with respect to Do Not Track technology.

If you do not wish to receive cookies, most browsers allow you to change your cookie settings. Please note that if you choose to change cookie settings you may not be able to use the full functionality of our Website. These settings will typically be found in the "options" or "preferences" menu of your browser. Further, most browsers permit individuals to decline cookies. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.