Confidential information
We never let it fall into the wrong hands
This video has sub-titled versions in the following languages:
عربي, 中文, Nederlands, English, Français, Deutsch, Italiano, Español
Accessible via the 'cc' button in the video player menu once the video starts.
What it's all about
Any information is confidential if it has value to Serco and is not publicly available. That includes commercially sensitive information and intellectual property obtained from colleagues, customers and partners or marked as such.
But confidential information isn’t just commercial. It also includes any personal information and details that we hold in trust about anyone who works for us, or for anyone we care for and work with.
If we allow confidential information to fall into the wrong hands, it can cause immense harm to individuals, to our company, our partners and customers.
So the task for all of us is to make sure none of it ever does. And in today’s hyper-connected world, that challenge is greater than ever.
It means whenever we create or share or store confidential information, we need to be alert to the risks of it going astray. That way we ensure it only ever ends up in the right place.
What we all need to know and do
-
We carefully assess and manage the risks of any information we handle.
-
We retain proper records of our business activities.
-
We never falsify or hide records and accounts.
-
We never alter or destroy records or documents, unless we have approval to do so.
-
When we create or receive information, we assign it a confidentiality marking classification and only share it with those who are entitled and permitted to receive it.
-
We take special care to protect confidential information when we are away and not in Serco’s offices.
-
If authorised to share information, we only do so where a signed non-disclosure agreement and / or data sharing agreement is in place.
-
When working with third-parties, we check that we are authorised to share information and have done the appropriate due diligence before doing so.
- We always maintain the confidentiality of customer and employee information unless they have legitimate interests, given written consent, or the law requires or allows disclosure.
-
We manage and properly protect our intellectual property when dealing with our company’s records and information.
-
We never reveal confidential information about Serco, a customer or an employee if we leave to work elsewhere.
- We only keep data for as long as reasonably necessary.
-
Similarly, if we previously worked for a customer or competitor, we keep the information we obtained there confidential. No one should ever try to coerce someone into disclosing confidential information about a previous employer.
-
Where we use technology such as artificial intelligence, we ensure there are appropriate ethics and controls to avoid bias.
-
Where we transfer personal information outside to another jurisdiction, we have checked that there is appropriate security in place.
Storybox
It was the end of the day. I had some spreadsheets I had to send off. They were all confidential information about one of our customers. I needed to get them quickly to an external consultant for review.
His name was John Andrews. I typed the first few letters of his name and the computer came up with his address. So I clicked on it, checked through my email carefully like I always do for spelling and that all the attachments were there. Then pressed Send.
Only the email didn’t go to John Andrews. It went to John Andrew. No “s”. And he happened to work for the customer.
He phoned me the next day. He was a decent man - understood how easy it was. He even laughed. But he said he had to report it.
No one else laughed. The whole thing was taken as a breach of trust. The customer thought very seriously about cancelling their contract with us.
In the end they didn’t - but only on condition that I was given a final written warning.
I’m so careful, usually. Just that one time. That one tiny difference - no “s”.
Whenever we create or share or store confidential information, we need to be alert to the risks of it going astray.
There are tools and techniques to manage such mistakes, make sure you are familiar with them and if not, ask your local IT team or Manager for help. That way we ensure it only ever ends up in the right place.
I shake my head every day since it happened. How could I be so stupid? I was chatting away with Sofia on the way home. You know, usual stuff, what had happened today, whether we thought we might win the pitch to the customer for our bid or not…
The next day I went into work and was called into my boss’s office. While we had been talking on the train, a competitor had been sitting behind us and heard the whole thing. We had given away our pitch secrets and they had told the client that we were talking about them in public. The client dropped us from the tender and we lost that opportunity.
I have let the company down, but mostly I feel awful. We had been trained to not do that, but I didn’t stop and think. How could I be so careless?
We take special care to protect confidential information wherever we are.
Extract from a letter received today…..
“Further to our letter of 15 June …
We have now interviewed Mr Joss Atkins. He received the email last Tuesday. He said he’d never heard of the sender but had heard of Serco. The content wasn’t part of his job, but he said it was interesting, and he forwarded it on to a friend at the security company who alerted us.
He says he then forgot about it until he received the call from Serco. We assume this is the call you made asking him to delete all references to the email.
Clearly this came too late in the day.
Your suggestion that Mr Atkins should have deleted the email when he realised it was not intended for him and that it contained confidential information about our company seems to us to be the most feeble attempt to “pass the buck”.
Equally your attempt to excuse the employee who mistakenly sent this email to the wrong address because “there was intense pressure of work that day” is unacceptable.
The fact remains that critical information about us held by you was released to a competitor, and the cause was unquestionably gross carelessness.
We cannot place any confidence in the effectiveness of your training around security issues that are vital to our continued ability to compete.
I am therefore writing to confirm that we no longer wish to do business with you and will be looking for another supplier with immediate effect.”
We should always maintain the confidentiality of customer and employee information unless they have given written consent, or the law requires or allows its disclosure.
I only just made the plane - up the night before trying to finish a proposal to take to a customer. It was really good work by a whole team of people - but there was some pretty important data I had to refer to.
As usual I took my laptop, and as usual I guarded it with my life.
Anyway, I got to the hotel, checked into my room, went down to get some supper and finish the proposal off.
There was a man and woman in the elevator going down. They seemed to be really into each other - tourists, I thought, having a good time.
I got a table, ordered some food and started going through the proposal.
Then the man in the lift approached me. He was smiling, and asked if I could take a photo of him and his girl. ‘Sure,’ I said.
He wanted me to get them with the view across the river - it was spectacular. I left my computer open and logged on as I was only going to be a minute and we went to the windows, he gave me his mobile and they posed together while I snapped them.
They both thanked me, and I went back to my table. And you guessed it - my laptop had gone. Stolen. And when I looked for them, the couple had gone too.
Of course I can’t say for certain, but to this day I’m pretty sure it was a professional job - a real life spy story. The couple were there to distract me, while someone else took the open laptop.
We never found out how much damage that heist caused. All I know is that someone got hold of material they could easily have used against us.
You could say I was a victim, or you could say it was my fault. I’ve always gone with the latter.
If we allow confidential information to fall into the wrong hands, it can cause immense harm to individuals, to our company, our partners and customers.
We should always make sure our laptops are secure and if we have printed something then we never leave important documents or printed information lying around.