Data Protection Policy

Review our approach to data protection, information security, privacy safeguards, and responsible handling of personal data.

   
Clause I

Purpose

Virtual Recruitment Solutions ("VRS", "we", "us", or "our") is committed to protecting personal information, confidential information, customer data, candidate information, business records, and other information entrusted to us.

The purpose of this Data Protection Policy is to establish the principles, standards, responsibilities, controls, and safeguards applied by VRS when collecting, accessing, processing, storing, transferring, disclosing, managing, retaining, and protecting information in connection with our business activities.

This Policy supports VRS's commitment to responsible information management, confidentiality, information security, privacy protection, customer trust, legal compliance, and operational integrity.

VRS recognises that effective data protection is essential to maintaining confidence in our services and supporting the secure delivery of recruitment-focused support solutions.

   
Clause II

Scope

This Policy applies to all information handled by or on behalf of VRS in connection with its business operations and service delivery activities.

This includes information accessed, processed, stored, managed, transferred, reviewed, or otherwise handled by directors, officers, contractors, consultants, support professionals, authorised representatives, service providers, and other individuals acting on behalf of VRS.

The Policy applies to customer information, candidate information, contractor information, supplier information, business records, website information, marketing information, recruitment records, commercial information, operational information, system information, and confidential information regardless of format or storage location.

   
Clause III

Data Protection Principles

VRS seeks to manage information in accordance with recognised privacy, confidentiality, information security, and data protection principles.

Information should be collected lawfully, processed fairly, used only for legitimate business purposes, retained only where necessary, protected against unauthorised access, maintained accurately, handled responsibly, and managed in a manner that respects applicable legal obligations and individual rights.

VRS also seeks to ensure that information handling practices remain proportionate, secure, transparent, accountable, and aligned with recognised international privacy and data protection standards.

   
Clause IV

Data Protection Roles and Responsibilities

Depending on the circumstances, VRS may act either as a controller of information or as a processor/service provider acting on behalf of a customer.

Where VRS determines the purpose and means of processing personal information, VRS acts as the controller and is responsible for ensuring that such processing is conducted lawfully and appropriately.

Where VRS personnel access customer-controlled systems, databases, applicant tracking systems, customer relationship management systems, communication platforms, recruitment systems, reporting systems, or related technologies, VRS generally processes information in accordance with customer instructions and contractual arrangements.

Customers remain responsible for the lawful collection, use, disclosure, storage, retention, and transfer of information within their own systems.

All individuals providing services through VRS share responsibility for protecting information and complying with applicable security, confidentiality, and data protection requirements.

   
Clause V

Information Covered by this Policy

This Policy applies to information including personal information, candidate information, resumes, employment history, qualifications, reference information, interview records, recruitment records, customer information, contractor information, supplier information, financial information, commercial information, contractual information, operational records, communications, system information, access credentials, website information, analytics information, marketing information, reporting information, compliance information, and confidential business information.

The Policy applies regardless of whether information is stored electronically or physically, communicated verbally, or maintained within third-party systems.

    
Clause VI

Information Classification

VRS encourages information to be handled according to its sensitivity and business importance.

Information may be classified as Public, Internal, Confidential, or Restricted. Public information includes information intended for unrestricted distribution. Internal information includes operational information intended for authorised business use.

Confidential information includes customer information, recruitment information, commercial information, and business records that should only be accessed by authorised individuals.

Restricted information includes highly sensitive information where unauthorised disclosure could result in significant legal, operational, financial, privacy, reputational, or commercial harm.

Appropriate safeguards should be applied according to the classification of the information.

   
Clause VII

Lawful and Responsible Processing

Information should only be collected, accessed, processed, used, disclosed, transferred, or retained where there is a legitimate business purpose, contractual requirement, legal obligation, customer instruction, consent, or other lawful basis for doing so.

VRS seeks to avoid excessive collection, unnecessary processing, unauthorised disclosure, or inappropriate use of information.

Information should be handled only to the extent reasonably necessary for the purpose for which it was obtained.

   
Clause VIII

Data Minimisation

VRS promotes data minimisation principles throughout its operations.

Only information reasonably necessary for service delivery, recruitment support activities, operational requirements, compliance obligations, customer instructions, legitimate business purposes, or legal requirements should be collected or processed.

Individuals providing services through VRS should avoid creating unnecessary copies of information, downloading information without authorisation, storing excessive information, or retaining information beyond legitimate business requirements.

   
Clause IX

Data Accuracy

VRS seeks to maintain accurate, complete, relevant, and current information.

Reasonable steps should be taken to correct inaccuracies, update outdated information, remove duplicate records, and maintain data quality where practical and appropriate.

Customers, candidates, contractors, suppliers, and other individuals are encouraged to notify VRS where information requires correction or updating.

   
Clause X

Access Management and Permissions

Access to information should be limited to authorised individuals with a legitimate business need.

VRS encourages the use of role-based access controls, least-privilege principles, individual user accounts, authentication controls, periodic access reviews, and access removal processes when access is no longer required.

Shared credentials should be avoided wherever practical. Administrative privileges should be granted only where necessary and should be reviewed regularly.

Access to sensitive information should be restricted according to operational requirements and information classification levels.

   
Clause XI

Client Systems and Customer Data

VRS personnel may be granted access to customer-controlled systems including applicant tracking systems, customer relationship management platforms, communication systems, recruitment databases, reporting systems, document management systems, sourcing tools, email platforms, compliance systems, and related technologies.

Customers are encouraged to provide only the minimum access necessary to perform agreed services and to maintain appropriate internal controls over user permissions, account creation, account ownership, system administration, and access reviews.

VRS seeks to process customer data only to the extent necessary to deliver agreed services and in accordance with applicable contractual obligations, confidentiality requirements, customer instructions, and legal obligations.

VRS does not claim ownership of customer data.

   
Clause XII

Confidentiality Obligations

All individuals providing services through VRS are expected to maintain appropriate confidentiality regarding information obtained through their activities.

Confidential information should not be disclosed, copied, transferred, discussed, distributed, or otherwise made available to unauthorised persons.

Confidentiality obligations apply during and after the relevant business relationship and continue unless information becomes publicly available through lawful means.

Appropriate contractual, operational, and technical measures may be used to support confidentiality obligations.

   
Clause XIII

Information Security Controls

VRS seeks to maintain appropriate administrative, technical, organisational, and physical safeguards designed to protect information against unauthorised access, disclosure, misuse, loss, alteration, corruption, destruction, or compromise.

Such safeguards may include authentication controls, access restrictions, confidentiality obligations, security awareness activities, role-based permissions, monitoring controls, endpoint protection, secure communication methods, cloud security measures, data minimisation practices, password management standards, encryption technologies where appropriate, and secure disposal procedures.

Security controls should be proportionate to the sensitivity of the information being protected.

   
Clause XIV

Remote Working and Device Security

As VRS operates within a distributed and remote service delivery environment, individuals providing services through VRS are expected to maintain appropriate security practices when accessing information remotely.

Devices should be protected through authentication controls, operating systems should be maintained and updated, confidential information should be protected from unauthorised viewing, and reasonable care should be taken when working from shared or public environments.

Where practical, information should remain within authorised systems rather than being stored locally on personal devices.

Lost, stolen, compromised, or suspected compromised devices should be reported promptly.

   
Clause XV

Third-Party Providers and Vendors

VRS may utilise third-party providers to support business operations, communication, recruitment support activities, customer relationship management, cloud infrastructure, analytics, accounting, scheduling, marketing, document management, and related activities.

Where practical, VRS seeks to engage reputable providers that maintain appropriate privacy, confidentiality, security, and compliance standards.

VRS may assess providers based on factors including security practices, operational reliability, confidentiality commitments, legal compliance, and suitability for the intended purpose.

   
Clause XVI

Data Subject Rights and Requests

Where applicable, individuals may have rights relating to their personal information, including rights of access, correction, deletion, restriction, objection, portability, withdrawal of consent, and complaint.

Requests relating to personal information should be directed to VRS using the contact details provided within this Policy.

Before responding to a request, VRS may require information necessary to verify identity and authority.

VRS may decline requests where permitted by law or where legal, contractual, operational, security, or regulatory obligations require continued retention or processing of information.

   
Clause XVII

Data Breach Management

A data breach may involve unauthorised access, disclosure, misuse, corruption, alteration, loss, theft, destruction, compromise, or unavailability of information.

Suspected or actual incidents should be reported promptly through appropriate channels.

VRS may investigate incidents, assess affected information, identify potential risks, implement containment measures, undertake remediation activities, determine notification requirements, cooperate with affected customers where relevant, and take reasonable steps to reduce the likelihood of recurrence.

Where required by law, VRS may notify customers, individuals, regulators, authorities, or other affected parties.

Following significant incidents, VRS may review controls, procedures, and practices to identify opportunities for improvement.

   
Clause XVIII

International Data Access and Transfers

VRS operates internationally and may utilise personnel, customers, contractors, technology providers, cloud infrastructure providers, communication platforms, and business systems located across multiple jurisdictions.

As a result, information may be accessed, processed, stored, transferred, reviewed, or managed across international borders.

VRS seeks to implement reasonable safeguards including confidentiality obligations, contractual protections, access controls, security measures, and operational controls designed to protect information involved in cross-border activities.

Customers remain responsible for assessing their own legal obligations relating to international access, transfers, and processing within their environments.


   
Clause XIX

Monitoring, Auditing and Review

VRS may monitor compliance with this Policy through operational reviews, access reviews, security reviews, compliance assessments, incident reviews, customer feedback, process evaluations, training activities, and other governance mechanisms.

This Policy may be reviewed, updated, amended, or replaced periodically to reflect changes in legal requirements, operational practices, technology, security threats, business activities, industry standards, or customer expectations.

Corrective actions, process improvements, and additional safeguards may be implemented where appropriate.

   
Clause XX

Contact Information

Questions, concerns, incidents, complaints, requests, or enquiries relating to data protection, confidentiality, information security, or this Policy may be directed to:

Virtual Recruitment Solutions

VRS will seek to review and respond to data protection enquiries within a reasonable timeframe and in accordance with applicable legal obligations and internal procedures.