Skip to content

Confidential information toolbox

Toolbox

Our policies, procedures and other resources

Group policies are available on our website and can be viewed here.

These policies and supporting procedures form the Serco Management System (SMS). The SMS sets out for each policy area requirements by role so you can understand what is expected of you. It also provides supporting procedures and related documents. 

Access to these documents is for Serco colleagues only and you will need to log into myserco to access them. If you have problems accessing them, please request a copy from your manager.

You can access the following here:

  • Group Policy Statement

    • Data Privacy

  • Function policy

    • Data Retention

    • Information and Data Privacy

  • Procedure

    • Data Protection

    • Data Protection Impact Assessment (DPIA)

    • Freedom of Information

    • Incident Reporting

  • Guidance

    • High-Risk Processing of Personal Data

 

Definitions

Information is confidential if it has value to Serco and is not publicly available, or if it involves personal information about individuals. Depending on the nature of our work, we might also obtain confidential information from our colleagues, customers, partners and others. Confidential information can also be disclosed in many forms such as hard copy documents, electronically and even orally.

There are many kinds of confidential information, including:

  • personal information especially sensitive information

  • information about finances, business plans or practices

  • marketing plans

  • pricing policies

  • specifications

  • systems

  • relationships

  • costs

  • business strategies

  • information about colleagues, customers, partners or third-parties

  • agreements

  • intellectual property such as technical information, innovations, improvements, know-how and trade-secrets

This typically involve any data which, if misused, could jeopardise a businesses' general commercial interests. Examples include:

  • Customer contractual information and operational data that is not publicly available (may be specific categories such as Defence) 

  • Customer classified information (subject to Securities Aspects Letter etc)

  • Supplier contractual information and related operational data 

  • Legally privileged advice 

  • Serco financial information not publicly available

  • Customer and supplier bid documentation

  • Operational performance data

  • Internal corporate and management information 

  • Intellectual property, know-how and trade secrets 

  • Mergers and acquisitions information

  • Information involved in a bid

  • Confidential proposals subject to non-disclosure agreement

A non-disclosure agreement is a legally binding contract that means you agree not to disclose confidential information that has been shared with you for the purposes of doing your job. Standard templates are available on MySerco.

Classifying our documents and emails, based on the information they contain, is a vital part of information security at Serco. It helps to ensure every piece of information is stored, handled and shared in the right places with the right people.

We need to understand the different classifications and select the right one for every document and email we create or change. This is particularly important where a document or email contains personal information, commercially sensitive, legally privileged or confidential information or trade secrets. It is our responsibility to know and understand the policy and guidelines for Information Privacy Classification.

We classify the information we hold so we know how to keep it safe.

SRS information is our most valuable information, which, in the wrong hands could cause serious damage to us, our customers, shareholders, partners or suppliers through serious loss of reputation; significant financial loss; loss of opportunity; or legal action.

This information may belong to the Company, customers, or third-parties. Access to SRS information must be restricted on a need to know basis with only authorised Serco employees, or specified authorised external persons or entities being granted access. Encryption and controls over the distribution outside of Serco must be in place for all SRS information.

SB information is information which if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests. In essence, it is any information that is not generally made available to the public unless approved for release.

This information is generally available within our offices, systems or intranet and all company employees and affiliate employees are permitted to have general access to this kind of information.

This information must not be shared beyond the company premises unless with approval for formal business engagement.

Some information is made public. Serco uses this classification to indicate that the processes required to release the information must always be followed after marking the information as ‘Public’ and before publishing on the internet. We must follow the local approval processes when classifying any information as Public, as only certain individuals are authorised to assess whether information is suitable for full public disclosure.

If you're a manager

  • Make sure everyone on your team understands the risks associated with any information you handle so that you can properly manage those risks and protect the information.

  • Ensure all records and documentation (including contractual documentation) are held in a safe and secure manner and in accordance with document management and data retention requirements.

  • Liaise with your information security lead for advice and guidance, where required, regarding data and information retention, security, and disclosure.

  • Ensuring any incidents breaches and suspected breaches (in particular those concerning any loss of personal data) are managed in accordance with Incident & Fraud Reporting and Management procedures and reported into Assure within defined timescales and categorised according to Serco Incident Reporting Scale (SIRS).

  • Ensure that you understand the data you hold especially commercially sensitive data, where this is protected and held for as long as reasonably necessary according to the relevant retention period.

Raise a concern

Learn more

What happens if we don't follow mycode?

Learn more

Speak Up

Learn more

Discover more...

Personal information

We protect it carefully.

Using our systems and keeping our information safe

Keeping the bad guys from getting in and our information from getting out.

Social media

We think twice before we post or tweet.

External communication

We don’t speak for Serco unless we’re authorised.