top of page

Privacy Policy

At Kang Law we know you care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about how we collect, use and disclose information about you.

Kang International Ltd (t/a “Kang Law”)
Company Number: 13391150
Address: 6, Kestrel House, Weydon Lane, Farnham, GU9 8UY.

Tel: +447767828163 
Email: info@kanglaw.co.uk
Website: www.kanglaw.co.uk 

Kang Law
Last Updated: 10 December 2025

Who we are

Kang Law is a trading name of Kang International Ltd (Company No. 13391150) registered in England & Wales. Our address is at: 6, Kestrel House, Weydon Lane, Farnham, GU9 8UY

What Personal Data do we collect?

We (or third parties on our behalf) may collect and use the following categories of personal information: name, address, email address, and telephone number.

Information Security Policy
(this “Policy”)

Introduction

 
 

  • The Practice is committed to the highest standards of information security and treats confidentiality and data security extremely seriously.

  • In relation to personal data, under Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), the Practice is required to:

    • use technical or organisational measures to ensure personal data is kept secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;

    • implement appropriate technical and organisational measures to demonstrate that it has considered and integrated data compliance measures into the Practice’s data processing activities; and

    • be able to demonstrate that it has used or implemented such measures.

  • The purpose of this Policy is to:

    • protect against potential breaches of confidentiality;

    • ensure all our data assets and IT facilities are protected against damage, loss, or misuse;

    • ensure that all clients and stakeholders are aware of and comply with UK law and the Practice’s procedures applying to the processing of personal data; and

    • increase awareness and understanding in the Practice of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the data that they themselves handle.

Definitions

For the purposes of this Policy:

Business Information

means business-related information other than personal information regarding customers, clients, suppliers and other business contacts of the Practice;

Confidential Information

means trade secrets or other confidential information (either belonging to the Practice or to third parties) that is processed by the Practice;

Personal Data

(sometimes known as personal information) means data relating to an individual who can be identified (directly or indirectly) from that data;

Practice

means Kang International Ltd (trading as ‘Kang Law’) incorporated and registered in England and Wales with company number 13391150, whose address is 6, Kestrel House, Weydon Lane, Farnham, GU9 8UY;

Pseudonymised

means the process by which personal data is processed in such a way that it cannot be used to identify an individual without the use of additional data, which is kept separately and subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identifiable individual; and

Special Category Data

(formerly ‘sensitive personal data’) means personal data about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data (where used to identify an individual) and data concerning an individual’s health, sex life or sexual orientation.

Roles and Responsibilities

Information security is the responsibility of all of our staff. The Practice’s data protection officer (DPO) is in particular responsible for:

  • monitoring and implementing this Policy;

  • monitoring potential and actual security breaches;

  • ensuring that staff are aware of their responsibilities; and

  • ensuring compliance with the requirements of Assimilated Regulation (EU) 2016/679, UK GDPR and other relevant legislation and guidance.

Scope

  • The information covered by this Policy includes all written, spoken, and electronic information held, used, or transmitted by or on behalf of the Practice, in whatever media. This includes information held on computer systems, hand-held devices, phones, paper records, and information transmitted orally.

  • This policy applies to all Practice staff, including employees, temporary and agency workers, other contractors, interns, volunteers, and apprentices, and all staff are required to be familiar with this Policy and comply with its terms.

  • The Practice information covered by this Policy may include:

    • personal data relating to staff, customers, clients, suppliers;

    • other business information; and

    • confidential information.

  • This Policy supplements other internal Practice policies, and the contents of those policies are required to be taken into account by staff, as well as this Policy.

  • This Policy has been drafted with the assistance of a representative group of employees to ensure that it is clear and easy to understand. We will review and update this Policy regularly in accordance with our data protection and other obligations. We may amend, update, or supplement it from time to time. 

General principles

  • All Practice information is required to be treated as commercially valuable and protected from loss, theft, misuse, or inappropriate access or disclosure.

  • Personal data and special category data must be protected against unauthorized and/or unlawful processing and against accidental loss, destruction, or damage by the use of appropriate technical and organizational measures.

  • Staff are required to discuss with line managers the appropriate security arrangements and technical and organisational measures that are appropriate, and in place for the type of information they access in the course of their work.

  • Practice information (other than personal data) is owned by the Practice and not by any individual or team.

  • Practice information is required to be used only in connection with work being carried out for the Practice and not for other commercial or personal purposes.

  • Personal data is required to be used only for the specified, explicit, and legitimate purposes for which it is collected.

Information management

  • Personal data is processed in accordance with our data protection principles and all of our other relevant policies.

  • In addition, all information collected, used, and stored by the Practice is required to be:

    • adequate, relevant, and limited to what is necessary for the relevant purposes;

    • kept accurate and up to date;

  • The Practice will take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage, including:

    • pseudonymisation of personal data; and

    • encryption of personal data.

  • Personal data and confidential information will be kept for no longer than is necessary and stored and destroyed in accordance with our internal policies and applicable law.

Human resources information

  • Given the internal confidentiality of personnel files, access to such information is limited to certain senior staff members. Except as provided in individual roles, other staff are not authorised to access that information.

  • Any staff member in a management or supervisory role or involved in recruitment is required to keep personnel information strictly confidential.

  • Staff may ask to see their personnel files and any other personal data in accordance with Assimilated Regulation (EU) 2016/679, UK GDPR, and other relevant legislation. 

Access to offices and information

  • Office doors, keys, and access codes are required to be kept secure at all times, and keys or access codes are not to be given or disclosed to any third party at any time.

  • Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g., through office windows.

  • Visitors are required to sign in at reception, accompanied at all times, and never left alone in areas where they could have access to confidential information.

  • Wherever possible, visitors should be seen in meeting rooms. If a member of staff must meet with visitors in an office or other room that contains Practice information, then steps should be taken to ensure that no confidential information is visible.

  • At the end of each day, or when desks are unoccupied, all paper documents, backup systems, and devices containing confidential information are required to be securely locked away.

Computers and IT

  • Password protection and encryption are required to be used where available on Practice systems in order to maintain confidentiality.

  • Computers and other electronic devices are required to be password-protected, and those passwords are required to be changed regularly. Passwords are required not to be written down or given to others.

  • Computers and other electronic devices are required to be locked when not in use and when you leave your desk, to minimise the risk of accidental loss or disclosure.

  • Confidential information is required not to be copied onto a floppy disk, removable hard drive, CD, DVD, or memory stick/ thumb drive without the express permission of the Practice’s director. Data held on any of these devices should be transferred to the Practice’s computer network as soon as possible in order for it to be backed up and then deleted from the device.

  • All electronic data is required to be securely saved on the cloud (and backed up, where the facilities are available) at the end of each working day. For documents worked on within our internal cloud systems, data is typically saved on the cloud in real time.

  • Staff are required to ensure they do not introduce viruses or malicious code onto Practice systems. Software is required not to be installed or downloaded from the internet without it first being virus checked. 

Communications and transfer of information

  • Staff are required to maintain confidentiality when speaking in public places.

  • Confidential information is required to be kept confidential and circulated only to those who need to know the information in the course of their work for the Practice. 

  • Confidential information is required not to be removed from the Practice’s offices unless required for authorised business purposes, and then only in accordance with paragraph 10.4 below.

  • Where confidential information is permitted to be removed from the Practice’s offices, all reasonable steps are required to be taken to ensure that the integrity of the information and confidentiality are maintained. Staff are required to ensure that confidential information is: 

    • stored on a device with strong password protection, which is kept locked when not in use;

    • when in paper copy, not transported in unsecured bags or cases;

    • not read in public places; and

    • not left unattended or in any place where it is at risk (e.g., in conference rooms, car boots, cafes). 

 

  • Postal, document exchange (DX), and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.

  • All sensitive or particularly confidential information should be encrypted before being sent by email, or be sent by tracked DX or recorded delivery.

Personal email and cloud storage accounts

Employees are required not to use a personal email account or personal cloud storage account for work purposes.

Home Working

  • Staff are required to only access Practice information at home where required for authorised business purposes, and then only in accordance with paragraph 12.2 below.

  • Where staff are permitted to access Practice information at home, staff are required to ensure that appropriate technical and practical measures are in place within the home to maintain the continued security and confidentiality of that information. In particular:

    • personal data and confidential information are required to be kept in a secure and locked environment where they cannot be accessed by family members or visitors; and

    • All personal data and confidential information are required to be retained and disposed of in accordance with paragraph 6.4 above.

  • Staff are required to only use confidential information on their home computers for authorised business purposes.


Transfer to third parties
Third parties should be used to process Practice information only in circumstances where appropriate written agreements are in place, ensuring that those service providers offer appropriate confidentiality, information security, and data protection undertakings. Consideration is required to be given to whether the third parties will be processors for the Assimilated Regulation (EU) 2016/679, UK GDPR.
 

Overseas transfer
There are restrictions on international transfers of personal data and transfers to international organisations. Staff may only transfer personal data outside the UK, or to an international organisation, with the prior written authorisation of the Practice’s director.

Training
Staff will receive training on the contents of this Policy, both at the induction and as part of our continual monitoring.

Reporting breaches
We have an obligation to report actual or potential data protection compliance failures. This allows the Practice to:

  • investigate the failure and take remedial steps if necessary;

  • maintain a register of compliance failures; and

  • make any applicable notifications.


When we’re pursuing legitimate interests:

We may receive your personal information from you over the phone or from a website form that you fill in for more information about our service. We will contact you to discuss any issues relevant to your circumstances and keep in touch to see if you would like to book an appointment. You may ask us to stop processing your information in this manner at any time.

When you interact with our website, we may automatically collect technical data about your equipment, browsing actions, patterns, and the website that referred you to our website. We collect this personal data by using cookies, server logs, and other similar technologies. We may share anonymous data about your visit to our site with Google Analytics for the purposes of benchmarking and understanding data trends. Technical data is collected from analytics and search information providers such as Google and Bing to perform ad measurement services. Please see our cookie policy for further details, including how to opt out of sharing this information.

We may share the location of your Will with the National Will Register.

We may contact you by telephone, email, or SMS to ask you to complete customer feedback forms. We do this in order to improve our customer service and the services that we offer. Sometimes we will nominate a representative to do this on our behalf.

Where we have a legal obligation:

Where we are required by law to comply with legal or regulatory requests.

How do we share and disclose information to third parties?

We do not rent or sell your information to anyone. Should you decide to become a client of Kang Asset Management, we may share your data with our relevant third-party legal service providers in order to fulfil the services that you have requested.

How long do we keep hold of your information?

We retain your information until you withdraw your consent for us to maintain contact with you, after which it is deleted. If you choose to become a client of ours, we retain your information until the completion of the administration of your estate.

Your data protection rights

You have rights in connection with your personal data that include the following: to withdraw consent where you have given it, to be informed and have access to your personal data, to correct or complete inaccurate data, and in certain circumstances to restrict, request erasure, object to processing, or request portability of your personal data to another organisation. If you wish to contact us regarding your data protection rights, please email info@kanglaw.co.uk 

The Information Commissioner’s Office (the ICO) is the supervisory authority that regulates personal data in the UK. You can get in touch with the ICO by:

  • Visiting their website: www.ico.org.uk

  • Calling them on 0303 123 1113

  • Writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5A


Know more about us:

  • We provide Professional advice for your circumstances.

  • 100% of our services are provided by our Lawyers. 

  • Our services are protected by Professional Liability Insurance.

bottom of page