Skip to content

Personal information toolbox


Our policies, standards and other resources

We have more in-depth Group policies, standards and guidance covering different aspects of personal information. You can find links to them here.

In addition, there may be specific policies and procedures that apply where you work. Your manager can tell you about these. If you are unsure then ask your manager.

(Please note: some of our resources are only available to Serco employees. In this case, you’ll need to log in to MySerco to access them. If you have problems accessing them, please request a copy from your manager.)

Data Privacy
One page statement defining Serco’s commitment to ensure that personal data is kept secure, handled with care and in compliance with all applicable data protection and privacy laws.

SMS-GS-II1 Information and Data Privacy
Defines minimum standards to ensure that information produced, or any personal data processed, meet customer, legislative and regulatory requirements and is accurate, kept up to date, consistent and provided in a timely manner in order to enable effective decision making.

SMS-GS-BC1 Acceptable Use of Information Systems
Sets out the behaviours that must be adopted, the rules that colleagues must abide by and the legal requirements that must be complied with when using information systems. These include using the internet, social media and email to access, process and publish information either owned by or referencing Serco, our colleagues, clients or business. partners.

SMS GSOP-II1-2 Data Retention
Provides a framework to govern how we manage personal data. It sets out the broad principles we should always apply.

SMS-GSOP-II1-3 Data Protection Impact Assessment
Provides a framework for conducting Data Protection Impact Assessments to help identify data privacy risks in our business activities.

SMS-GSOP-O1-2 Incident and Fraud Reporting and Management
Provides a framework for the reporting a data breach.


Means any information relating to or capable of identifying a living individual either directly or indirectly. There are many kinds of personal information, including:

  • contact details, such as names, addresses, telephone numbers, email addresses and dates of birth
  • salary
  • health
  • opinions about someone
  • identification numbers
  • IP addresses and biometric data (i.e. fingerprint or iris scan data)
  • information contained in call recordings
  • ​CCTV and other information related to our employment and the services we provide

There are more stringent rules on how we manage “sensitive” or “special category” data.

This includes ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, sex life and orientation, genetic data, biometrics, and criminal records.

These types of personal data have specific protection as misuse could create significant risks to the individual’s fundamental rights and freedoms.

We classify the information we hold so we know how to keep it safe.

SRS information is our most valuable information, which, in the wrong hands could cause serious damage to data subjects, our customers, shareholders, partners or suppliers through serious loss of reputation; significant financial loss; loss of opportunity; or legal action.

This information may belong to the Company, customers, or third-parties. Access to SRS information must be restricted on a need to know basis with only authorised Serco employees, or specified authorised external persons or entities being granted access. Encryption and controls over the distribution outside of Serco must be in place for all SRS information.

SB information is information which if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests. In essence, it is any information that is not generally made available to the public unless approved for release.

This information is generally available within our offices, systems or intranet and all company employees and affiliate employees are permitted to have general access to this kind of information.

This information must not be shared beyond the company premises unless with approval for formal business engagement.

Data Protection Principles explained

We process personal data in a fair, lawful, and transparent manner.

We only obtain personal data for specific, explicit and legitimate purposes. They must not be used in any manner incompatible with those purposes.

Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed.

We ensure that personal data are accurate and, where necessary, we keep them up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate or inappropriate to the purpose for which they are being processed, are deleted or rectified without delay.

We do not keep personal data any longer than is necessary for meeting the purposes they are collected and used for.

Using appropriate technical or organisational measures, we ensure the appropriate level of security for personal data. This includes protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We are all responsible for applying these Data Protection Principles and for demonstrating compliance with them.

If you're a manager

  • Ensure that responsibilities for data protection/privacy and for information and data management is clearly defined in the day to day operations of your team and that appropriate controls are in place.

  • Ensure privacy risks have been assessed and understood.

  • Maintain a data inventory that records all personal data processing activities.

  • Ensure personal data is only disclosed outside Serco to third-parties where there is:

    • a contractual requirement to do so

    • written consent from our customer to do so

    • a legitimate business need

    • a legal obligation to disclose

  • Take particular care and follow the rules when transferring personal data overseas.

  • Make sure data handlers and data owners - particularly anyone handling personal data - has had the appropriate training so they understand local processes, roles and responsibilities. Keep a record of this training.

  • Ensure all records and documentation (including contractual documentation) are held in a safe and secure manner and in accordance with document management and Data Retention requirements.

  • If you’re not sure about any aspect of data and information retention, security, always ask your information security lead for advice and guidance

  • Make sure any incidents, breaches and suspected breaches - particularly those concerning any loss of personal data - are managed in accordance with Incident and Fraud Reporting and Management procedures. They must be reported into Assure within defined timescales and categorised according to Serco’s marking rules.

  • Be sure you are able to demonstrate that all these requirements are being met and implemented effectively.

Raise a concern

Learn more

What happens if we don't follow mycode?

Learn more

Speak Up

Learn more

Discover more...

Confidential information

We never let it fall into the wrong hands.

Using our systems and keeping our information safe

Keeping the bad guys from getting in and our information from getting out.

Social media

We think twice before we post or tweet.

External communication

We don’t speak for Serco unless we’re authorised.