
Data privacy and information security

We collect, store and process large amounts of personal data. We accept our responsibility to ensure that such personal data is kept secure, handled with care and in compliance with all applicable data protection and privacy laws.

We are committed to protecting and preserving our human, information and physical assets and resources from all threats, whether internal or external, deliberate, or accidental, that might have an adverse impact on individuals, our customers, our activities and our reputation. Wherever we work we will have security and information technology processes and procedures that meet our business objectives and customer needs, reduce risks and protect the confidentiality, accuracy and availability of information.

We have a data protection programme that focuses on data privacy right through data minimisation and retention, handling data subject requests properly, implementing privacy by design, boosting transparency, understanding data hosting and technology use, as well as implementing training and awareness programmes.


How we have performed

Data protection regulators

We have had four substantiated complaints from data protection regulators: two in the UK relating to minor data breaches, and two in Australia which the Australian Information Commissioner determined were privacy breaches.

Data breach

We were impacted by one significant data breach involving one of our US suppliers but had no significant data breaches ourselves.

Data protection week

Our focus has been on ‘Back to Basics’ to simplify data protection which was driven through International Data Protection Week in January 2023. This included awareness campaigns, training and a 'fireside' discussion in June on the importance of data protection and information security.

Data protection champions

We now have 252 Data Protection Champions (DPCs) across the UK, Europe and Middle East.

Data protection awareness

We continue to drive increased awareness: we engaged senior leadership in an online 'fireside' discussion on data minimisation; developed a new Manager Hub on a dedicated DPO SharePoint site; improved global DPO integration through Serco UK & Europe sharing best practice into other Divisions; and held a Data Protection Conference and DPC Roadshows to network and share best practice on data governance.

Data protection laws

We have monitored changes to data protection laws globally with enhanced training on changes in laws in Switzerland and Saudi Arabia; developed and deployed specialised data protection training in Serco UK & Europe; deployed enhanced training, processes and awareness to relevant UK groups on subject matter data requests to improve how we manage customer rights; deployed training and raised awareness on data inventory and Data Protection Impact Assessment processes; and introduced monthly DPO newsletters to foster a culture of organisational privacy and good data governance.

Information privacy certification

Serco North America received certification to Certified Information Privacy Professional (CIPP/US) covering US Government privacy laws, regulations and policies specific to government practice, as well as those more broadly applicable to the public and private sectors in the US.

Phishing campaigns

We completed four global phishing simulation campaigns using a variety of email templates and sophistication levels. Our reporting rate for credential-entering phishing simulations has remained on target at a minimum of 75% during 2023.

Information security reporting

We have improved the consistency of reporting of information security, cyber and data protection performance across the group. This has included incorporating data protection risk into the Group cyber risk, which is reported quarterly. This has enabled us to monitor our risk appetite under increasing external threats and an evolving external environment.

Cyber and security awareness

We have published regular cyber and security awareness communications via various channels (including on our intranet pages, employee experience application, traditional posters and noticeboards) in line with national events such as International Data Protection Day, World Password Day and National Cyber Awareness Month.

Training

We refreshed our mandated data protection and information security training. In the UK, we have trialled new face-to-face cyber and phishing awareness training for any teams requiring additional or more personalised training and also made this available as an agenda item for wider Business Unit/Contract briefing sessions. General security awareness is also now included in the new starter induction process to help create a sustainable security culture across the organisation and reduce the cyber risk of human error.

Detection and security vulnerability tooling

We have substantially completed the rollout in all regions of the new enhanced detection and security vulnerability mitigation tooling for our endpoint assets that forms the basis of the global security improvement programme.

What next

  • No substantiated complaints from data protection regulators.

  • No significant data breaches.

  • Minimum 75% phishing simulation reporting rate.

  • Review international transfers and hosting of data to ensure data is transferred in a secure way outside Serco UK & Europe.

  • Enhance data protection due diligence in the supply chain and ongoing monitoring.

  • Enhance the capability of our Security Operations Centre during 2024, including introducing new processes and procedures to match our investment in the new detection and response tooling.

  • Continue to enhance security awareness education and training, addressing any new techniques being observed and maintaining our global employee awareness campaigns, live events and more.

  • Continue to work closely across the Group to monitor changes in law and external threats on the potential breaches.

Our reports and resources


2023 Impact Report

The human face of impact.


2023 Data Book

A full suite of ESG data points over a five-year period with notes and commentary.

ESG resources

ESG reports and resources, public third-party reports on Serco operations, and our responses to frequently asked questions.
