Skip to content

Personal information toolbox


Our policies, procedures and other resources

Group policies are available on our website and can be viewed here.

These policies and supporting procedures form the Serco Management System (SMS). The SMS sets out for each policy area requirements by role so you can understand what is expected of you. It also provides supporting procedures and related documents. 

Access to these documents is for Serco colleagues only and you will need to log into myserco to access them. If you have problems accessing them, please request a copy from your manager.

You can access the following here:

  • Group Policy Statement

    • Data Privacy

  • Function policy

    • Data Retention

    • Information and Data Privacy

  • Procedure

    • Data Protection

    • Data Protection Impact Assessment (DPIA)

    • Freedom of Information

    • Incident Reporting

  • Guidance

    • High-Risk Processing of Personal Data



Means any information relating to or capable of identifying a living individual either directly or indirectly. There are many kinds of personal information, including:

  • contact details, such as names, addresses, telephone numbers, email addresses and dates of birth
  • salary
  • health
  • opinions about someone
  • identification numbers
  • IP addresses and biometric data (i.e. fingerprint or iris scan data)
  • information contained in call recordings
  • ​CCTV and other information related to our employment and the services we provide

There are more stringent rules on how we manage “sensitive” or “special category” data.

This includes ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, sex life and orientation, genetic data, biometrics, and criminal records.

These types of personal data have specific protection as misuse could create significant risks to the individual’s fundamental rights and freedoms.

We classify the information we hold so we know how to keep it safe.

SRS information is our most valuable information, which, in the wrong hands could cause serious damage to data subjects, our customers, shareholders, partners or suppliers through serious loss of reputation; significant financial loss; loss of opportunity; or legal action.

This information may belong to the Company, customers, or third-parties. Access to SRS information must be restricted on a need to know basis with only authorised Serco employees, or specified authorised external persons or entities being granted access. Encryption and controls over the distribution outside of Serco must be in place for all SRS information.

SB information is information which if disclosed without authorisation, may cause unwanted exposure of the inner workings of the company, but would not result in significant financial loss or serious harm to the company or its business interests. In essence, it is any information that is not generally made available to the public unless approved for release.

This information is generally available within our offices, systems or intranet and all company employees and affiliate employees are permitted to have general access to this kind of information.

This information must not be shared beyond the company premises unless with approval for formal business engagement.

Data Protection Principles explained

We process personal data in a fair, lawful, and transparent manner.

We only obtain personal data for specific, explicit and legitimate purposes. They must not be used in any manner incompatible with those purposes.

Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed.

We ensure that personal data are accurate and, where necessary, we keep them up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate or inappropriate to the purpose for which they are being processed, are deleted or rectified without delay.

We do not keep personal data any longer than is necessary for meeting the purposes they are collected and used for.

Using appropriate technical or organisational measures, we ensure the appropriate level of security for personal data. This includes protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We are all responsible for applying these Data Protection Principles and for demonstrating compliance with them.

If you're a manager

  • Ensure that responsibilities for data protection/privacy and for information and data management is clearly defined in the day to day operations of your team and that appropriate controls are in place.

  • Ensure privacy and especially sensitive information risks have been assessed and understood.
  • Maintain a data inventory that records all personal data processing activities.

  • Ensure personal data is only disclosed outside Serco to third-parties where there is:

    • a contractual requirement to do so

    • written consent from our customer to do so

    • a legitimate business need

    • a legal obligation to disclose

  • Take particular care and follow the rules when transferring personal data overseas including conducting a transfer risk assessment where you are transferring data to a country that does not have adequate or the same protection as in your local jurisdiction.

  • Make sure data handlers and data owners, particularly anyone handling personal data, understand what data they hold and for what reason and have been trained on local processes, roles and responsibilities. Keep a record of this training.

  • Ensure all records and documentation (including contractual documentation) are held in a safe and secure manner and in accordance with document management and Data Retention requirements.

  • Only hold data for as long as reasonably necessary and in accordance with our retention rules. If you’re not sure about any aspect of data and information retention or security then ask your data protection officer, data protection champion, or information security lead for advice and guidance.
  • Make sure any incidents, breaches and suspected breaches - particularly those concerning any loss of personal data - are managed in accordance with Incident and Fraud Reporting and Management procedures. They must be reported into Assure within defined timescales and categorised according to Serco’s marking rules.

  • Be sure you are able to demonstrate that all these requirements are being met and implemented effectively.

Raise a concern

Learn more

What happens if we don't follow mycode?

Learn more

Speak Up

Learn more

Discover more...

Confidential information

We never let it fall into the wrong hands.

Using our systems and keeping our information safe

Keeping the bad guys from getting in and our information from getting out.

Social media

We think twice before we post or tweet.

External communication

We don’t speak for Serco unless we’re authorised.