2 Who Is Responsible For Your Personal Data
Where processing of personal information is carried out by another Serco Group company for their own purposes, that other Serco Group company may also be a data controller of your personal information. You can find out more about the Serco Group companies at www.serco.com/ukecompanies or by contacting us using the information in section 17.
3 Data Protection Principles
To help you understand how we handle your personal information more clearly, below is a summary of the data protection principles which guide how we use or handle your personal information. These principles provide that personal data should be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
4 The kind of information we hold about you
We may collect, store, and use the following categories of personal information about you:
- General employee data including full name, title, contact address, telephone numbers, email addresses, date of birth, gender, ethnic origins, marital status and dependants, next of kin and emergency contact information and National Insurance number, photographs, evidence of right to work, personal preferences such as smoking (optional), medical information, disability information (where applicable), travel and accommodation details, working time / shift pattern.
- Financial information including bank account details, payroll and share plan records and tax status information.
- Position information including job title, employee number, role and function, work history, working hours, annual leave and other leave entitlement and used, details about absence from work including any dependant details provided or shared by you, training records, medical assessment details, reporting structure, date of hire, notice period, departments, salary details, pay grade, pension and benefits information.
- Education data including curriculum vitae/resume details, qualifications, language abilities, areas of expertise, training history, professional memberships and honours and awards.
- Career history data including former employers, work experience, length of time in role(s) and business(es), disciplinary and grievance records, project and industry experience, assignments undertaken/worked on, performance information, reviews, ratings/reports, insurance information and compensation history.
- Internal investigation data contained in emails or other documents which may be relevant to an internal investigation.
- Vehicle information including driving licence details, vehicle registration, car usage (mileage), insurance and accident details.
- CCTV footage and other information obtained through electronic means.
- Image and/or voice captured through photography, filming, videotaping and/or audio recording.
- Information about your use of our information and communications systems including IP address.
- Responses to internal surveys.
- Building access and movement records.
- System and resource access and usage activity.
- Personal conduct information from vetting procedures.
- Details of your interest in and connection with the intermediary through which your services are supplied (as it applies to contractors and any other relevant workers).
- We may also collect, store and use the following "special categories" of personal data, including information about: Your race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Your trade union membership.
- Your biometric identifier, including finger printing and facial recognition.
- Your health, such as any information about any medical conditions and employment sickness records, including:
- Where you leave employment and under any share plan operated by a Serco Group company the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision.
- Details of any absences (other than holidays) from work including time on statutory parental leave and sick leave.
- Details for long term sickness absence management (such as making adjustments and accommodations).
- Where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes.
Depending on the role that you hold with us, we may also process information about criminal convictions and offences, including civil offences barring information (please refer to Section 9 for further details).
Some of this information about you may have been collected during recruitment when you applied to work for Serco, which was retained and processed as part of your on boarding as a member of Serco’s workforce.
5 How is your personal information collected?
Subject to the nature and requirements of the specific role(s) for which you are employed by Serco, we may collect personal information about you from a number of sources and in different ways:
- You, as the employee, worker or contractor.
- Recruitment agencies.
- Screening and background check providers.
- Government agencies including those who share information relating to employees for taxation purposes.
- Disclosure and barring services in respect of criminal convictions.
- Share plan administrators in connection with any plans that you may participate in, and trustees of any employee benefits trusts used in connection with the operation of these plans.
- Reference requests made to third parties, including previous employers and named referees.
- Trustees or managers of pension arrangements operated by a Serco Group company.
- In the course of job-related activities throughout the period of you working for us.
- Government agencies.
- Training providers.
- Fleet management providers.
- Health providers.
- Insurance companies.
- Viewpoint survey providers.
- Professional advisors including external legal advisors.
- IT service providers.
- Client organisations for whom you may undertake activities.
- Travel service providers including car leasing organisations and fuel card providers.
- By monitoring emails, internet and telephone usage.
- Occupational health providers.
6 How we will use information about you
We will use the personal information we collect about you to (where applicable):
- Administer the contract we have entered into with you.
- Pay you (deducting tax and National Insurance contributions).
- Provide your employee benefits to you, such as reward programmes.
- Invite you to participate in and grant any awards pursuant to any share plans operated by a Serco Group company.
- Administer your participation in any share plans operated by a Serco Group company, including communicating with you about your participation and collecting any tax and social security due via employer withholding in connection with any share awards, and liaising as required with third party plan administrators and any trustees of an Employee Benefit Trust as required in connection with the settlement of your awards.
- Enrol you in a pension arrangement in accordance with our statutory automatic enrolment duties.
- Liaise with the trustees or managers of a pension arrangement operated by a Serco Group company, your pension provider and any other provider of employee benefits.
- Provide business management and planning, including accounting and auditing.
- Conduct performance reviews, managing performance and determining performance requirements.
- Make decisions about salary reviews and compensation.
- Assess qualifications for a particular job or task, including decisions about promotions.
- Gather evidence for possible grievance or disciplinary hearings.
- Make decisions about your continued employment or engagement.
- Conduct internal surveys with employees to enhance business - employee engagement.
- Make arrangements for the termination of our working relationship.
- Assess whether any adjustments need to be made to your working environment including for example during any local, national or international emergency.
- Make travel and accommodation arrangements as part of your business activities.
- Obtain details about education, training and development requirements.
- Deal with legal disputes involving you, or other employees, workers and contractors, including accidents at work.
- Ascertain your fitness to work.
- Manage sickness absence.
- To obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law.
- To assess and comply with health and safety requirements and obligations including in relation to employee’s safety, well-being and health needs which includes test results of relevant employees e.g. where necessary for the purpose of safeguarding against the impact of a health-related issue (for example, coronavirus or some other pandemic or disease) or drug and alcohol testing to protect the safety of the workplace.
- Prevent fraud.
- Monitor your use of our information and communication systems to ensure compliance with our IT policies.
- For internal Serco promotional, training, news and information sharing purposes.
- To support business and administration functions.
- Ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
- Conduct data analytics studies to review and better understand employee retention and attrition rates.
- Undertake equal opportunities monitoring.
We will use your personal information in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation) including in respect of any measures we are required to take from time to time during a national or international emergency (for example during a pandemic).
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
7 Legal basis for processing
The law requires us to have a “legal basis” or “lawful ground” to collect and use your personal information. Some of the grounds for processing may overlap and there may be several grounds which justify our use of your personal information.
Most commonly, we will use your personal information in the following circumstances:
- To enter into an employment contract with you and to meet our obligations under your employment contract.
- To comply with a legal obligations and regulatory requirements; for example:
- it is a requirement to check an employee’s entitlement to work in the UK;
- to comply with employment law including the Transfer of Undertakings (Protection of Employment) Regulation 2006 (TUPE);
- to deduct tax and National Insurance contributions;
- to monitor and measure equal opportunities;
- to comply with health and safety laws;
- to comply with national laws for humanitarian purposes including for monitoring epidemics, pandemics and their spread; and
- enable employees to take periods of leave to which they are entitled.
- To pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests, or where necessary to protect the interests of you or others, such as:
- to administer your employment contract;
- to allow effective workforce management and to support business and administrative functions of the business;
- to maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and to contact an employee’s emergency contact in the event of an emergency;
- for accounting and auditing purposes;
- for promotional purposes;
- for research purposes;
- to review and keep a record of employee performance and related processes, for staff training and career development and to address any performance issues;
- to operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
- to make and record decisions about salary reviews and compensation;
- for health, safety and security purposes;
- to ensure business policies and standards are adhered to and IT devices issued to employees are used appropriately;
- for business analysis purposes and to develop our business strategies;
- in connection with a business transaction such as merger, restructuring or sale of the business;
- to investigate and/or report breaches of business policy and procedures, fraud, misrepresentation, security incidents, crime and similar matters, in accordance with applicable law;
- prevent and detect criminal activities;
- ensure secure and effective operation and to prevent unauthorised use if IT systems; and
- in connection with establishing, exercising or defending our legal rights in the event of a claim and compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with the legal process or litigation).
We may also use your personal information in the following situations, which are likely to be rare:
- where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent;
- you have already made the information public;
- we have obtained your consent, which you may withdraw at any time;
- where it is needed in the public interest or for official purposes; and
- where it is needed for archiving purposes, scientific or historical research purposes or statistical purposes.
Please note that in some circumstances we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
If you have any queries about our use of your personal information (including legal basis) please contact our Data Protection Officer using the details set out in section 17.
8 How we use special category information
We may use special categories of your personal data in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence (including any dependant details provided or shared by you) or family related leaves, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions and permanent health insurance.
- If you leave employment and under any share plan operated by a Serco Group company the reason for leaving is determined to be ill-health, injury or disability, we will use information about your physical or mental health, or disability status in reaching a decision about your entitlements under the share plan.
- If you apply for an ill-health pension under a pension arrangement operated by a Serco Group company, we will use information about your physical or mental health in reaching a decision about your entitlement.
- We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
- We will use information about you to assess and comply with health and safety requirements and obligations including in relation to your or your colleagues safety, well-being and health needs which includes testing of relevant employees e.g. where necessary for the purposes of safeguarding against pandemic or disease (such as coronavirus) or drug and alcohol testing to protect the safety of the workplace.
- We use health information to ensure suitability for work.
- We use biometric controls (e.g. fingerprinting or facial recognition technology) to monitor employees access to and the security of restricted areas and to verify when employees start and finish work.
- We use dietary information, and disability information in order to ensure appropriate facilities (e.g.
- We use information about sexual orientation and religion which may be collected from internal viewpoint surveys or volunteered by the employee to enhance business – employee engagement.
- We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.
Special categories of information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information, in addition to having one of the general bases set out in Section 7 above. Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information.
We may process special categories of personal information in the following circumstances:
- Where we have your explicit consent to do so – including where you voluntarily provide us with that personal information.
- Where we need to carry out our legal obligations or exercise rights in connection with your employment.
- The processing is necessary for establishment, exercise or defence of legal claims.
- Where it is needed for reasons of substantial public interest, such as for equal opportunities monitoring, in relation to our occupational pension scheme or preventing or detecting unlawful acts such as fraud.
Less commonly, we may process and share this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have made that personal information public. We may also process such information about employees or former employees in the course of legitimate business activities with the appropriate safeguards.
If you have any queries about our use of special category information, please contact the Data Protection Officer using the information in section 17.
9 Information about Criminal Convictions
For some roles we will process information about criminal convictions. We will only collect information about your criminal conviction’s history in relation to employment if you are employed in a designated role which is conditional on such checks being satisfactory.
Where required for your role we will carry out a criminal record check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:
- We are legally required to carry out criminal record checks for those carrying out certain roles or operating in particular areas of work.
- Your role is one which is listed on the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and is also specified in the Police Act 1997 (Criminal Records) Regulations so is eligible for a standard or enhanced check from the Disclosure and Barring Service.
- Your role requires a high degree of trust and integrity.
- We may use criminal information for vetting and fleet management (and to ensure you are legally compliant – e.g. for driving).
Your contract of employment or contract for services sets out any requirement upon you to comply with disclosure and processing of information about criminal convictions.
Where we process information about criminal convictions and offences, we do so in order to protect individuals and businesses and to comply with regulatory and legal obligations. We also need a further justification in addition to the general legal basis set out in Section 7. The processing may be on the basis of substantial public interest which includes:
- Preventing or detecting unlawful acts.
- Regulatory requirements relating to unlawful acts and dishonesty.
- Safeguarding of children and of individuals at risk.
We may also process such information in the event of a claim, as necessary for the purpose of:
- Obtaining legal advice or in connection with, any legal proceedings (including prospective legal proceedings).
- Establishing, exercising or defending our legal rights.
Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information.
It is necessary for us monitor our employees in various ways in order to comply with our legal and regulatory requirements, based on our legitimate interests as a business or to exercise our rights as an employer. For example, we monitor our employees in the following ways:
- tachographs record driving information about time, speed and distance travelled by a vehicle fitted with such a device, as required by law;
- vehicles equipped with telematic devices record information such as vehicle usage, driver location and associated driver behaviour and licence recording;
- monitoring when a member of staff has entered or tried to enter into a swipe card access area and at what time;
- verifying when employees start and finish work, such as with the use of biometric technology (i.e. fingerprinting or facial recognition technology);
- review content (for example stored or accessed external contents) on Serco’s information systems and monitor telephone, email and internet traffic data (for more information, please refer to the GSOP Acceptable Use of Information Systems on MySerco;
- drug and alcohol testing; and
- equal opportunities monitoring.
We process personal data obtained through such monitoring in accordance with legal requirements and carry out these activities to the extent it is necessary and proportionate, and it is permitted by law. If you have any concerns in relation to monitoring, please speak to your line manager or HR lead.
11 Photography and filming
Serco often arranges for photographs and video to be taken at our sites, offices, conferences and events and these often feature our employees, contractors and workers. We will use the images and recordings resulting from such photography or filming for Serco internal promotional, news, training and information sharing purposes and based on these legitimate interests. We may use these images internally, including via Serco communication channels such as Yammer, in newsletters, on company notice boards and in training booklets. If you do not wish to be photographed or filmed please inform the photographer or individual filming at the time. If you have any concerns, please contact your Data protection Officer using the information in section 17.
12 Data sharing
We will only share your personal information with third parties for the purposes of your employment and associated processing requirements, including:
- Companies within the Serco Group, as required for the legitimate business interests of other companies within the Serco Group;
- Serco’s Customers/Clients and their relevant associated organisations;
- Government agencies;
- Health providers (including the NHS);
- Professional advisors such as legal and insurance organisations;
- Local Government pension scheme actuaries;
- Training providers;
- Third party benefit providers, as required to provide you with benefits which you are entitled to under your contract with us such as share plan administrators and employee benefits trust trustees;
- IT service providers;
- Communication platform providers such as Yammer;
- Future employers;
- Recruitment agencies;
- Financial organisations such as banks and card processing providers;
- Travel service providers including car leasing organisations and fuel card providers;
- Accommodation providers such as Concur Solutions;
- Vetting service providers; and
- Other external service providers that process your data on our behalf.
Serco contracted third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We may also from time to time need to share personal information with our regulators or as required to comply with the law.
13 Data security
We have put in place security measures and training to assist with preventing your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. Please refer to Serco’s Group Standard on Security for further details.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
14 Data retention
We keep personal data in accordance with Serco internal retention procedures, which are determined in accordance with our regulatory obligations and good industry practice. These retention periods depend on the nature of the information (e.g. we apply different retention periods to our staff information as opposed to information about our customers) and may be subject to change.
Serco’s Employee Personal Data Retention Guide is available on MySerco. If you have any questions or concerns about how long we retain your personal data, please contact MyHR, your Line Manager or the Data Protection Officer using the details below.
15 Transferring personal information globally
We operate on a global basis. Accordingly, your personal data may be transferred and stored in countries outside the UK and/or the European Economic Area (EEA) (as may be applicable), including the Middle East, America and Asia-Pacific, which are subject to different standards of data protection or it may be transferred to the UK or the EEA from countries outside of the EEA. The relevant Serco Group companies or companies will collect personal information from you in the country in which you live and from which you work. We ensure transfers within Serco Group are covered by an intra-group data sharing agreement entered into by all relevant entities within Serco Group, which contractually obliges each member to ensure that personal data receives an adequate and consistent level of protection.
Where the information is processed outside of the UK including the EEA by third parties or information transfers to the UK from the EEA or outside of the EEA, we will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed (with appropriate security) to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end:
- We will put in place binding corporate agreements, which will include the relevant standard contractual clauses approved by the European Commission and/or the UK’s Information Commissioner’s Office (as the case may be) for transferring personal data outside the UK and/or EEA or into the UK, to ensure that your information is safeguarded; or
- We will ensure that the country in which your personal data will be handled has been deemed "adequate" by the European Commission and/or the UK’s Information Commissioner’s Office (as the case may be) or the company is registered and compliant with a European Commission and/or the UK’s Information Commissioner’s Office (as the case may be) recognised code of conduct or certification scheme.
We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information but will carefully validate any requests for information from law enforcement or regulators before disclosing the information.
If you would like further information about the global handling of your personal information, please contact your local Data protection Officer using the information in section 17.
16 Your legal rights
You have legal rights in connection with your personal information. Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Current Serco employees, please refer to the Country Standard Operating Procedure Subject Access Requests, available on MySerco for more details. You can email your subject access request to MyHR@serco.com.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. If there has been a change to your personal data that you have supplied to us during the course of your employment, you should inform us.
- Request erasure of your personal information (commonly known as the "right to be forgotten"). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which Serco is subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.
- Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests, but if you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling).
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person.
- Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
- Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms.
- Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent.
If you want to exercise any of the rights above, please submit your requests in writing to MYHR.
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way but where required we will provide you with our reasons for the decision clearly if this was to arise.
17 Data Protection Contacts
UK and Europe
Data Protection Officer
Enterprise House 1
1 Bartley Wood Business Park
Alternatively, please email email@example.com or call +44 (0)1256 745900.