ESG Report 2025

Where changes occur to the purpose, scope or method of collection, or where personal sensitive information, automated decision-making or the provision of information to third parties is involved, the Marketing Department, the Digital Centre and the Compliance Department must jointly conduct a risk assessment and complete internal approval procedures before processing may proceed.

In addition, the Group regards improving employees' information security awareness as a foundational project for data protection. The Digital Centre, Legal Centre, information security audit function and data management departments regularly organise thematic training based on updates to personal information protection laws and regulations and internal policies. Training content covers the latest data security landscape, industry cases and issues identified in internal audits, thereby enhancing employees' skills and awareness in personal information and data protection. The Group also periodically disseminates practical tips and reminders on data security through internal notice boards, email and office system notifications to foster a sound data security culture. Personnel handling sensitive data are required to sign confidentiality agreements and strictly comply with them.

The United Laboratories has established a full-process supervision and emergency management mechanism covering prevention before incidents, response during incidents and improvement after incidents. It has developed an information security emergency response mechanism covering data leakage, cyberattacks, system paralysis, natural disasters and other emergencies, with clear requirements for the identification, response, reporting, investigation and rectification of incidents.
Once an information security incident occurs, the individual or department that discovers the issue must report it immediately to the Digital Centre, which will promptly activate the emergency response plan, assess the scope and severity of the incident and notify relevant departments to coordinate handling. After the emergency response is completed, the Group establishes a dedicated investigation team to identify the causes, process and responsibilities relating to the incident, form an investigation report, trigger an accountability mechanism for responsible persons, and optimise data security and protection policies, processes and technical measures in a targeted manner.

5.4.4 Emergency Response to Information Security Incidents

During the Year, the Group did not experience any information leakage incidents, nor was it involved in any legal proceedings relating to information security against the Group or its employees.

Information Security Reporting Channels (flowchart):
Information Security Incident Discovery Officer: Identifies and reports
Information Security Team Leader: Initiates accessing and reporting
General Manager Digitisation Centre: Issues work instructions
Information Security Team: Follows up on the progress and compiles reports
Complete

The United Laboratories International Holdings Limited 2025 Environmental, Social and Governance Report
