Security & Governance

How TITC handles personal data in practice

This policy explains the internal standards TITC applies when collecting, storing, using, sharing, retaining and responding to incidents involving personal data. It supports our public privacy notice and is designed to reflect practical POPIA and GDPR expectations.

Effective date: March 12, 2026
Operational handling standard
Applies across advisory and recruitment workflows

Principle 01

Collect only what is needed

We aim to collect personal data that is relevant, adequate and proportionate to a specific advisory, recruitment, intelligence or operational purpose.

Principle 02

Limit access and exposure

Personal data should only be available to people and service providers who need it for a legitimate business purpose and who are subject to confidentiality obligations.

Principle 03

Respond quickly when risks arise

Suspected incidents, loss events or unauthorised access must be investigated, contained, documented and escalated without delay.

Governance and accountability

TalentintheCloud PTY Limited, trading as TITC and titc.io, is accountable for the lawful and responsible handling of personal data collected through the website and through connected business activities.

Privacy oversight sits with Darren Franks as the privacy contact and internal escalation point for data rights requests, incident reporting and policy review.

Collection, classification and minimisation

Before collecting or storing personal data, we aim to identify the purpose, the likely sensitivity of the information and the people who genuinely need access to it.

  • We try to collect the minimum data needed to progress an enquiry, mandate, search, diligence exercise or business relationship.
  • Where special personal information or higher-risk data is not required, it should not be requested through standard website channels.
  • Data gathered from public sources should still be relevant, fair to use and connected to a legitimate business purpose.
  • Where consent is the chosen basis for processing, that consent should be clear, specific and capable of being withdrawn.

Access control, storage and security safeguards

We seek to protect personal data through a combination of technical and organisational controls appropriate to the volume, sensitivity and business context of the information involved.

  • Access should be limited on a need-to-know basis.
  • Accounts, tools and storage locations used for personal data should be protected with appropriate authentication and access management controls.
  • Reasonable steps should be taken to protect data in transit and at rest where the relevant systems support those controls.
  • Devices, files and communications used in live mandates should be handled with due regard to confidentiality and commercial sensitivity.
  • Where information is no longer needed in an active workflow, it should be archived or removed in line with the retention rules below.

Sharing with clients, partners and processors

Personal data may be shared internally, with clients, with prospective employers or with service providers where there is a lawful basis and a defined business purpose.

  • Candidate or executive profile information should not be disclosed more widely than necessary for the relevant search or advisory process.
  • Third-party processors should be selected with regard to security, reliability and contractual accountability.
  • Where cross-border processing is involved, appropriate safeguards should be considered before data is transferred or made accessible.
  • Personal data should never be sold as a standalone commercial asset.

Retention, archival and secure disposal

Retention periods depend on the purpose of collection, the status of the relationship and any regulatory or contractual obligations that apply.

  • Website enquiries and dormant business development records are generally reviewed against a 24-month retention horizon from the last meaningful interaction.
  • Active client, candidate or mandate records may be retained for longer while the relationship remains live or there is a justified operational, evidential or legal reason to do so.
  • When data is no longer required, it should be securely deleted, anonymised or archived in a controlled manner.

Rights requests and data subject communications

Requests for access, correction, deletion, restriction, objection or portability should be directed to [email protected]. We may ask for enough information to verify identity and locate the records involved.

Requests should be assessed promptly and ordinarily answered within one calendar month unless a lawful extension is needed because of complexity, volume or overlapping legal obligations.

Incident response and breach handling

If TITC becomes aware of suspected unauthorised access, disclosure, loss, destruction or alteration of personal data, the issue should be escalated immediately for investigation and containment.

  1. Assess: identify what happened, which systems or records were affected, and whether personal data was involved.
  2. Contain: isolate affected systems, credentials, integrations or workflows and work with hosting or service providers where relevant.
  3. Evaluate risk: determine the likely impact on individuals, clients, candidates and operations.
  4. Notify: where required by law, notify the appropriate regulator and affected individuals without undue delay. Under GDPR this may require notification within 72 hours where feasible; under POPIA, notification must be made as soon as reasonably possible after discovering a qualifying compromise.
  5. Record and remediate: document the incident, the decision-making, the measures taken and the follow-up steps needed to reduce recurrence.

Review and updates

This policy should be reviewed when our operating model, website tooling, service providers or legal obligations change materially. Updated versions will be published on the site when appropriate.