Data privacy and information security

Serco is committed to delivering secure services and safeguarding the data we collect, store, and process.

We regularly assess and strengthen mitigating controls to minimise the risk of data breaches or service disruption. Our approach aligns with recognised industry practices and international standards, reflecting the increasing geopolitical risk environment and the growing sophistication of cyber threats. Highlights include:

  • Continued to invest in systems, processes, and our people, supported through security awareness training, global phishing simulations, and crisis management exercises.

  • Operated a continuous programme of information security investment designed to respond to the evolving threat landscape and ensure compliance with customer expectations, regulatory obligations, legal requirements, and contractual commitments.

  • Undertook internal compliance assurance reviews and external assurance activities to help strengthen resilience, including annual ISO 27001 surveillance, Cyber Essentials Plus (UK Government recommended) and customer-led audits.

We continue to strengthen our approach to data protection given the evolving external environment, including cyber threats. Oversight is provided by the Group Data Protection Officer, supported by regional privacy leads and a network of Data Protection Champions (DPCs) who continue to embed consistent practices across operational teams. This network provides a foundation for improving visibility and capability in key areas.

Highlights include:

  • Initiated a refresh of the UK data protection compliance framework, with implementation and operational embedding ongoing.

  • Continued to update Group-wide data protection policies and privacy notices to reflect changes in operational practice, contractual expectations, and emerging regulatory requirements, including new legislation.

Training and awareness form an important part of our overall approach, alongside policies, processes, and controls.

Mandatory annual data protection training is supported by ongoing role-specific training for DPCs and HR teams. Our global “Protect Together” awareness programme, including annual phishing simulations and targeted behavioural campaigns, continues to enhance colleague awareness, although we recognise that further improvement is needed to embed consistent, secure practices.
