The very nature of our business means we handle personal data about those we employ, our customers, partners and users of our services. This will include sharing personal data with our suppliers and partners. We have an important duty to respect this data and ensure it is protected and handled responsibly and only used for the purpose for which it was provided. We take our obligations under data protection and privacy laws across the world very seriously.
Personal data means any information relating to or capable of identifying an individual, whether directly or indirectly. This means that the information says or reveals something private, personal and of meaning about someone, and that it must reveal who that person is (either by itself, or when combined with other information that we hold). This information may relate to any person who has directly or indirectly come into contact with Serco.
Personal data has a wide scope and includes: contact details, such as names, addresses, telephone numbers, email addresses and dates of birth; salary; opinions about someone; identification numbers; IP address and biometric data (i.e. fingerprint or iris scan data); information contained in call recordings; CCTV and other information related to your employment and the services we provide to our customers, partners and the users of our services.
There are more stringent privacy rules on how we manage ‘sensitive’ personal data which includes ethnic background, political opinions, religious beliefs, health, sexual health and criminal records etc.
For more information download:
Data Protection Group Standard Operating Procedure (Access - Serco Employees only)
Security Group Standard (Access - Serco Employees only)
Stop and think?
Only manage personal data in accordance with the data protection principles and respect the privacy of individuals. If you see personal data being mismanaged, speak up, and if in doubt, speak to your line manager or Information Security Lead.
What you can expect from us:
We respect people's right to keep their personal data private and will only hold personal data if we are legally entitled to.
We will ensure that personal data we control or process is in accordance with our policies as well as applicable laws and regulations.
We will manage personal data in accordance with the following Data Protection Principles. This applies to personal data kept in any form, digital, analogue or printed and includes having policies and procedures to ensure personal data is properly processed:
- personal data must be processed in a fair, lawful and transparent manner
- personal data must be obtained only for one (or more) specific, explicit and legitimate purpose(s) and must not be further processed in any manner incompatible with that/those purpose(s)
- personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed
- personal data must be accurate and, where necessary, kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate (having regard to the purpose(s) for which they are processed) are immediately deleted or rectified
- personal data processed for any purpose(s) must not be kept longer than necessary to meet that/those purpose(s)
- appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- personal data will at all times be processed in a manner that can demonstrate compliance with the above-mentioned data protection principles.
We will provide training to those who manage personal data so that they can understand and adhere to these principles and the policies and processes we have in place.
We will enter into arrangements with our customers, suppliers and partners to properly manage and process personal data.
If you make a subject access request we will provide you with access to your personal data.
We expect you to:
- Always keep and manage personal data in accordance with the Data Protection Principles
- If you become aware that personal data is managed outside the Data Protection Principles, immediately speak up and notify your line manager or Information Security Lead
- Maintain appropriate privacy standards when dealing with personal data and ensure it is processed in accordance with Serco's standards, or your customer's standards. If you handle a customer's personal data, you should use the customer's standards. If there isn't one, you should use Serco's standards
- Keep your own personal data up to date and notify your line manager or human resources of any changes
- Never disclose personal data to anyone who doesn't have the right to see it or the need to know it.
- Take great care not to give personal data about Serco employees, our customers, service users or partners to any third parties, unless you are authorised to do so.