Effective Date: April 2020
Last Reviewed: Feb 2025


1. Introduction  

China Police Clearance is committed to safeguarding the confidentiality, integrity, and security of all personal and sensitive data entrusted to us by clients, employees, and third parties. This policy ensures compliance with legal obligations, upholds agent-client privilege, and aligns with professional ethical standards.  

2. Scope 

This policy applies to:  

  • All staff and employees handling data on behalf of China Police Clearance.  
  • All forms of data, including:  
    •  Client case files (digital and physical).  
    •  Agent-client communications (emails, calls, WeChat messages).  
    •  Personal data (e.g., client IDs, financial records, health information).  

3. Key Principles  

  • Confidentiality: Protect agent-client privilege and client data at all times.  
  • Lawfulness: Process data only with valid legal bases (consent, contractual necessity, legal obligation).  
  • Data Minimization: Collect only data necessary for case objectives.  
  • Accuracy: Ensure records are up-to-date and relevant for legal proceedings.  
  • Security: Implement robust technical and organizational safeguards.  
  • Accountability: Document compliance measures and conduct regular audits.  

4. Roles & Responsibilities  

  • Data Protection Officer (DPO): Oversees compliance, breach response, and staff training.  
  • Managing Partner: Ensures agency-wide adherence to this policy.  
  • IT Security Team: Maintains secure systems, encryption, and access controls.  
  • All Employees: Report breaches immediately and follow data handling protocols.  

5. Data Collection & Use  

  • Lawful Basis: Data is collected only for legitimate case-related purposes.  
  • Informed Consent: Clients are informed via engagement letters about data use, sharing, and retention.  
  • Special Categories: Extra protections apply to sensitive data (e.g., passport copies, signed contracts).  

6. Data Security Measures  

  • Technical Safeguards  
    • Encryption for emails, documents, and stored data.  
    • Multi-factor authentication (MFA) for all systems.  
    • Regular cybersecurity audits and vulnerability testing.  
  • Physical Safeguards  
    • Locked filing cabinets for physical documents.  
    • Restricted access to offices, server rooms, and archives.  
  • Access Controls  
    • Role-based access to case files (e.g., only assigned staff).  
    • Logging and monitoring of system access.  

7. Data Breach Response  

  • Containment: Isolate affected systems and preserve evidence.  
  • Assessment: Determine breach scope and risk to clients.  
  • Notification:  
    •  Report to authorities.  
    •  Inform affected clients if there is a high risk to their rights.  
  • Remediation: Update security protocols and retrain staff.  

8. Data Retention & Disposal  

  • Retention Periods:  
    •  Clients' digital files are deleted upon case closure.  
    •  Clients' emails are retained for 1 year after case closure.  
    •  Financial records are retained for 1 year for tax/audit purposes.  
  • Disposal:  
    •  Physical photocopies shredded via cross-cut shredders.  
    •  Digital data permanently erased using certified tools (e.g., Blancco).  

9. Client Rights  

  • Request access to their digital documents before case closure.  
  • Correct inaccuracies.  
  • Request deletion.  
  • Object to data processing unrelated to their case.  
  • Submit requests via email/WeChat.  

10. Training & Awareness  

  • Annual training for all staff on confidentiality, phishing, and secure data handling.  
  • Mandatory updates when policies or laws change.  

12. Policy Review  

Reviewed annually or after significant changes (e.g., new regulations, breaches).  
Next scheduled review: Feb 2026.