Personal information toolbox

Means any information relating to or capable of identifying a living individual either directly or indirectly. There are many kinds of personal information, including:

• contact details, such as names, addresses, telephone numbers, email addresses and dates of birth
• salary
• health
• opinions about someone
• identification numbers
• IP addresses and biometric data (i.e. fingerprint or iris scan data)
• information contained in call recordings
• ​CCTV and other information related to our employment and the services we provide

There are more stringent rules on how we manage “sensitive” or “special category” data.

This includes ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, sex life and orientation, genetic data, biometrics, and criminal records.

These types of personal data have specific protection as misuse could create significant risks to the individual’s fundamental rights and freedoms.

We classify the information we hold so we know how to keep it safe.

SRS information is our most valuable information, which, in the wrong hands could cause serious damage to data subjects, our customers, shareholders, partners or suppliers through serious loss of reputation; significant financial loss; loss of opportunity; or legal action.

This information may belong to the Company, customers, or third-parties. Access to SRS information must be restricted on a need to know basis with only authorised Serco employees, or specified authorised external persons or entities being granted access. Encryption and controls over the distribution outside of Serco must be in place for all SRS information.

SB information is information which if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests. In essence, it is any information that is not generally made available to the public unless approved for release.

This information is generally available within our offices, systems or intranet and all company employees and affiliate employees are permitted to have general access to this kind of information.

This information must not be shared beyond the company premises unless with approval for formal business engagement.

We process personal data in a fair, lawful, and transparent manner.

We only obtain personal data for specific, explicit and legitimate purposes. They must not be used in any manner incompatible with those purposes.

Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed.

We ensure that personal data are accurate and, where necessary, we keep them up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate or inappropriate to the purpose for which they are being processed, are deleted or rectified without delay.

We do not keep personal data any longer than is necessary for meeting the purposes they are collected and used for.

Using appropriate technical or organisational measures, we ensure the appropriate level of security for personal data. This includes protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We are all responsible for applying these Data Protection Principles and for demonstrating compliance with them.