UK Privacy Notice

At Serco, we value your privacy and are committed to protecting your personal information.

This Privacy Notice explains how we collect, use, store, and share your data when you interact with us - whether through our website, products, or services. Our goal is to be transparent about our practices and to give you control over your personal information.

We encourage you to read this notice carefully to understand your rights and how we handle your data. If you have any questions or concerns, please contact us at [email protected].

Who we are

Serco Limited and Serco Group plc are a provider of public services across the UK and internationally. In the UK, we deliver frontline and support services on behalf of public bodies including the Ministry of Justice/Defence, the Home Office, the NHS, and local authorities.

We are committed to protecting your personal data and handling it fairly, lawfully and transparently.

Data controller

Unless stated otherwise, Serco Limited is the data controller for this notice.
Registered office: Serco House, Bartley Way, Hook, Hampshire RG27 9UY
ICO registration number: Z5746980
Data Protection Officer: [email protected]

You can find out more about the Serco Group companies at www.serco.com/ukecompanies.

When this notice applies

This Privacy Notice explains how Serco Group plc and specifically its UK subsidiaries process personal data in connection with our activities and operations across the United Kingdom. It applies to a wide range of individuals whose personal data we collect, receive, or use in the course of delivering our services, managing contracts, supporting internal operations and maintaining secure facilities and systems.

This notice applies to the following categories of individuals:

A. Members of the public who use or are affected by our services

This includes individuals who:

Access or participate in services delivered by Serco on behalf of a public sector customer (e.g. Individuals engaged with the justice system, immigration accommodation users, patients or healthcare service users, passengers using transport services)
Contact one of our helplines or customer service teams
Participate in assessments, interviews, or government-funded programmes (such as employment support or public health initiatives)
Are indirectly involved in a service we operate — for example, where their personal data appears in documents, records, or logs we handle as part of service delivery

B. Individuals whose personal data we receive from public sector customers

We often receive personal data from government departments and public authorities to help us deliver the services we are contracted to provide. This may include data about:

Individuals engaged with the justice system, including court users and detainees
Patients or healthcare service users
Asylum seekers and individuals using immigration or resettlement services
People involved in public health or employment support programmes

In these cases, Serco may act as a data processor on behalf of the public sector customer or as a joint data controller, depending on the nature of the contract and responsibilities set out in law.

C. Visitors to our offices, service locations, and operational facilities

This includes:

Visitors to our corporate offices, operational sites, or meeting locations
Members of the public or contractors visiting facilities we manage on behalf of public sector customers, such as prisons, healthcare centres or immigration accommodation
Anyone whose image or information is captured via CCTV, access control systems, or visitor management systems

D. Job applicants and recruitment candidates

This applies to individuals who:

Apply for employment or contract opportunities at Serco
Submit a CV or application via our career portal, or third-party recruitment partners
Take part in interviews, assessments or vetting processes as part of a recruitment procedure

A specific Recruitment Privacy Notice will be provided at the relevant stage of the process, in addition to this general notice.

E. Employees, workers, and contractors

We process personal data about:

Current and former employees of Serco and its UK entities
Temporary workers, agency staff, secondees, and contractors
Individuals engaged through framework agreements or managed service arrangements
This includes data used for employment and workforce management, security vetting, HR recordkeeping, payroll, and internal investigations.

Employee-specific notices and policies will apply in parallel with this one.

F. Users of our websites, applications and digital systems

This includes:

Visitors to Serco websites, applications, portals and online platforms
Users of internal or external digital services we manage
Individuals whose data is captured for purposes such as system access, security monitoring, or service performance analytics
We may collect data such as IP addresses, device types, location (where relevant) and usage logs through cookies and other tracking technologies

For more information, please refer to our Cookie Notice.

In some instances, a separate or supplementary privacy notice will apply in addition to this one. These may be provided:

In connection with a particular public sector contract or service
Where specific legal, regulatory or ethical obligations require tailored information
As part of internal company policies (e.g., relating to HR, whistleblowing, or safeguarding)

These supplementary notices will be made available at the appropriate time and are designed to complement, not replace, this general notice.

Supplementary Privacy Notices

The personal data we collect

This depends on your relationship with us and the context in which we interact. We only collect data that is relevant and necessary for the intended purpose.

Category	Examples of Personal Data
Basic personal data	Full name, home or contact address, telephone number(s), email address, date of birth, gender, nationality, national insurance number, passport, driving licence or ID documents
Employment and work-related data	Curriculum vitae (CV), application forms, employment history, and previous roles. Qualifications, training records and professional memberships. Right to work documentation (e.g., visa or immigration status). Pre-employment screening and references. Vetting and security clearance details. Performance appraisals, conduct and disciplinary records. Attendance, rota or timekeeping records.
Sensitive or Special Category data (collected only where lawful and necessary)	Health or medical information (e.g., for adjustments or service delivery). Racial or ethnic origin (e.g., for equal opportunities monitoring). Religious or philosophical beliefs (e.g., for wellbeing or dietary needs). Biometric data (e.g., fingerprints or facial scans for access control). Criminal offence or conviction data (e.g., for safeguarding or vetting)
Digital and technical data	IP address and device identifiers. Browser type and operating system. Cookie identifiers and website usage data. Usernames, login credentials and access logs. Data from software or systems used in the course of business or service delivery
Operational and case-related data	Audio recordings (e.g., contact centre calls). Vehicle registration numbers captured on Automatic Number Plate Recognition (ANPR) systems. CCTV footage (e.g., from offices, healthcare or custody settings). Body-worn or in-vehicle video (where applicable). Correspondence and complaint records. Data from case files or operational logs (e.g., justice, immigration, health) received from public sector customers
Additional contextual data	Location or travel information (e.g., for transport or logistics services). Emergency contact or next of kin details. Internal communications or meeting attendance (where relevant to service delivery or investigations)

How we collect your information

We collect personal data through various channels, depending on the nature of your relationship with Serco and the type of service we are delivering. The table below outlines the key sources.

Source	Description and examples
Directly from you	Information you provide to us directly, including: Filling in forms (e.g., job applications, service registrations) Contacting our customer service teams or helplines Submitting correspondence, feedback, or complaints Participating in interviews, assessments, or programmes Engaging with our services in person, online, or over the phone
From public sector customers	Data we receive from government departments or public bodies to enable us to deliver services on their behalf, such as: Case files or client records (e.g., justice, healthcare, immigration) Referral or enrolment data Monitoring or performance information shared under contract We may act as a data processor or joint controller depending on the context.
From third parties	Data obtained lawfully from other organisations, for example: Previous employers, recruitment agencies, or referees Background screening and vetting providers Occupational health professionals Training providers or professional bodies Subcontractors or delivery partners involved in a service
Automatically through technology	Data collected through systems and devices when you interact with us, including: CCTV or access control systems at sites we operate Website usage data through cookies or analytics tools System access logs or security monitoring on digital platforms Vehicle tracking systems or body-worn video (in operational settings)
From publicly available sources	Information from external records or platforms where relevant and lawful, including: Companies House or professional registers Public court records or regulatory filings Social media (only where necessary and proportionate to the purpose) Government open data or public reports

Why we process your data and our lawful bases

Under data protection law, we must have a valid reason, known as a lawful basis, to collect and use your personal data. The basis we rely on depends on the nature of our relationship with you and the purpose of the processing.

The table below explains the lawful bases we may use and gives examples of how each applies in practice.

Lawful basis	Description and examples
Consent (Article 6(1)(a))	We rely on consent where you have given us clear permission to process your data for a specific purpose. Examples: Signing up to receive marketing or newsletters Accepting optional cookies on our website Participating in voluntary research or surveys Where consent is used, you may withdraw it at any time.
Contractual necessity (Article 6(1)(b))	We process your data where it is necessary to enter or perform a contract with you. Examples: Processing job applications and employment contracts Managing payroll and benefits Delivering services to individuals under agreed terms (e.g., assessments or service appointments)
Legal obligation (Article 6(1)(c))	We process data where required to comply with a legal or regulatory obligation. Examples: Meeting health and safety or employment law requirements Keeping accurate records for audit or tax purposes Reporting safeguarding concerns or responding to law enforcement enquiries
Vital interests (Article 6(1)(d))	We may process data to protect someone’s life or wellbeing, usually in emergency situations. Examples: Providing urgent medical information in a health crisis Contacting next of kin if someone becomes seriously unwell at a Serco-managed site
Public task (Article 6(1)(e))	We process data when delivering services on behalf of public sector customers, where the task is in the public interest or under official authority. Examples: Managing custodial or immigration services Providing contact centre or assessment services under government contracts Supporting public health or justice programmes
Legitimate interests (Article 6(1)(f))	We may use your data for our own legitimate business needs, provided this does not unfairly affect your rights. Examples: Ensuring the security of our facilities (e.g., through CCTV) Managing internal investigations or audits Maintaining business continuity and IT systems security

Special category and criminal offence data

Condition (Special Category/Criminal Data)	Examples of when we use it
Employment, social protection or social security law (Article 9(2)(b))	e.g., occupational health reports, reasonable adjustments, right to work checks
Substantial public interest (Article 9(2)(g))	e.g., safeguarding, equality monitoring, security clearance processes
Health or social care provision (Article 9(2)(h))	e.g., where Serco provides services in health settings
Explicit consent (Article 9(2)(a))	e.g., voluntary disclosure of special category data, where not otherwise required
Criminal offence data (Article 10 and Schedule 1 of the Data Protection Act 2018)	e.g., vetting for security roles, legal disclosures, and safeguarding investigations

If you have questions about the legal basis for any specific type of processing, or would like more information, you can contact our Data Protection Officer at: [email protected].

How we use your personal data

Purpose	Examples of use	Lawful basis
Delivering public services on behalf of public sector customers	Operating custodial, probation, or immigration services Delivering healthcare, transport, or local authority services Handling service referrals and service delivery Recording service outcomes or incidents	Public task (Article 6(1)(e)) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. In some cases, legal obligation may also apply.
Managing service users and operational casework	Maintaining records of service users or participants Booking appointments or assessments Processing contact details and correspondence Responding to complaints, appeals, or formal queries	Public task (Article 6(1)(e)) May also involve contract (Article 6(1)(b)) where individual terms apply (e.g., in employment programmes).
Employment and workforce management	Recruitment and onboarding Payroll and contract administration Recording attendance, training, and performance Managing employment contracts, including grievances or disciplinary cases	Contract (Article 6(1)(b)) Legal obligation (e.g., tax, employment law) Legitimate interests (Article 6(1)(f)): efficient HR and business management
Security and safeguarding	CCTV, access control, and ID systems Vetting and background checks Monitoring secure areas Reporting safeguarding incidents or concerns	Legal obligation (Article 6(1)(c)) Public task (Article 6(1)(e)) Legitimate interests (Article 6(1)(f)): ensuring safety, security, and legal compliance and prevention or detection of criminal offences Special category data: Substantial public interest (Article 9(2)(g))
Health and wellbeing	Occupational health reports and adjustments Recording sickness absence Providing clinical or health services Supporting service users’ physical or mental health	Legal obligation (e.g., health and safety) Employment and social protection law (Article 9(2)(b)) Health or social care provision (Article 9(2)(h)) Consent (Article 6(1)(a)) where required
Communication and engagement	Responding to general enquiries or service feedback Communicating service updates or operational messages Sending newsletters or consultations (where opted in) Engaging with local communities or service users	Public task (Article 6(1)(e)) Legitimate interests (Article 6(1)(f)): stakeholder engagement Consent (Article 6(1)(a)) for optional communications
Monitoring and improving service performance	Recording and reviewing calls or interactions Analysing user activity or service outcomes Auditing service quality and operational delivery Responding to feedback or complaints	Public task (Article 6(1)(e)) Legitimate interests (Article 6(1)(f)): service improvement and assurance
Compliance, governance, and legal obligations	Responding to legal, audit, or regulatory enquiries Retaining records for statutory time periods Supporting legal claims or dispute resolution Reporting incidents to the relevant authorities	Legal obligation (Article 6(1)(c)) Public task (Article 6(1)(e)) In some cases, legitimate interests (Article 6(1)(f)): protecting legal position and managing risk
IT and systems management	Issuing system access or login credentials Monitoring digital platform usage Detecting security threats or policy breaches Supporting technical maintenance or audits	Legitimate interests (Article 6(1)(f)): maintaining secure, functional IT infrastructure. May also involve processing under a contract (staff or supplier systems) Legal obligation where linked to cybersecurity regulations

Who we may share your personal data with

We only share your personal data where it is lawful, necessary, and proportionate to do so. The table below outlines the categories of organisations we may share data with, why this is done, and the relevant legal bases.

Who we share data with	Why we share it	Lawful basis and safeguards
Public sector customers (e.g. Ministry of Justice, Home Office, Ministry of Defence, NHS, local authorities)	To deliver services on their behalf; to report incidents, performance data, or case updates; to comply with contract terms or statutory duties	Public task (Article 6(1)(e)) Legal obligation We may act as either data controller or data processor, depending on the arrangement
Subcontractors and service delivery partners	To support service delivery, such as IT providers, facilities staff, healthcare workers or logistics providers	Contract (Article 6(1)(b)) Legitimate interests: efficient service delivery Data processing agreements are in place
Security and vetting bodies (e.g., Disclosure and Barring Service, UKSV)	To carry out background checks and vetting for high-security roles or safeguarding purposes	Legal obligation Public task Special category/criminal data: processed under Schedule 1 of the Data Protection Act 2018
Professional advisers (e.g., lawyers, auditors, insurers)	For legal advice, audit, insurance, dispute resolution, or regulatory reporting	Legitimate interests: protecting legal, financial and reputational interests Legal obligation (where relevant)
Regulators and oversight bodies (e.g., ICO, CQC, Ofsted)	To comply with legal or regulatory inspections, audits, or investigations	Legal obligation Public task (e.g., for contracted public services)
Police and law enforcement	To support criminal investigations, respond to lawful requests, or report criminal activity or safeguarding concerns	Legal obligation Vital interests (in emergencies) Substantial public interest for sensitive data
Other Serco Group entities (within the UK or internationally, where permitted)	For internal governance, reporting, legal, HR, or shared service functions	Legitimate interests: e.g., effective business administration
Judicial bodies and legal representatives	To comply with court orders, legal proceedings, or to respond to legal claims	Legal obligation Public task Legitimate interests: protecting or exercising legal rights
Third-party systems or platforms (e.g., cloud software providers, contact centre systems)	To host, store, or manage personal data used in our operations	Contract Legitimate interests: secure IT infrastructure We ensure providers meet appropriate technical and organisational security standards

Safeguards we apply when sharing data

We only share the minimum data necessary for the specified purpose
Third parties are subject to contractual obligations (e.g., data processing agreements)

We assess all data sharing arrangements for necessity, proportionality, and compliance

International data transfers

In some circumstances, your personal data may be transferred outside the United Kingdom. This may happen, for example, when we:

Use cloud-based platforms or global suppliers
Share data with other Serco Group entities outside the UK
Work with subcontractors or partners located overseas

We take care to ensure that all such transfers are lawful and that your data remains protected.

Where data may be transferred	Why the transfer may occur	Safeguards we apply
European Economic Area (EEA)	Some of our cloud providers, service partners, or group entities may be located in EEA countries	The UK Government recognises the EEA as providing adequate protection for personal data
Other countries with UK ‘adequacy regulations’ (e.g., New Zealand, Japan)	We may use global providers or affiliates in countries approved by the UK as having adequate data protection standards	Data is transferred under an adequacy decision, meaning no further safeguards are required
Countries without adequacy decisions (e.g., United States, India, Australia)	We may use international suppliers, data processors, or group entities to provide business or IT services	We aim to ensure that all transfers are made using UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs), approved by the Information Commissioner
Serco Group companies outside the UK	Internal transfers of HR, finance, legal or operational data may occur within our corporate group	We have an intragroup data transfer agreement in place and we are working to ensure all relevant entities are included in this framework.
Third-party platforms and cloud services	Some of the IT systems and platforms we use to store or process data may host servers in non-UK locations	We ensure contracts with providers include robust data protection clauses and we assess risks and apply additional technical and organisational measures (e.g., encryption, access controls)

Additional measures we take:

Conducting transfer risk assessments for high-risk countries
Applying encryption and secure access controls where required
Regularly reviewing third-party compliance and data security practices

We do not transfer your data internationally unless there is a clear business need and always with due regard for your rights and protections under the UK GDPR.

How we keep your data secure

Whether held in digital or physical form, we apply a wide range of technical, organisational and procedural safeguards to protect it from unauthorised access, misuse, accidental loss, or damage.

Security measure	What it protects against	How it supports data protection
Access controls and permissions	Unauthorised access to systems or files	Only authorised personnel can access personal data, based on their role and need to know
Encryption of data (at rest and in transit)	Interception or theft of data in storage or during transfer	Ensures that data cannot be read or altered without secure access keys
Secure IT infrastructure and networks	Cyberattacks, malware or hacking attempts	Firewalls, antivirus software and threat monitoring help protect systems from intrusion
Multi-factor authentication (MFA)	Unauthorised system logins or credential misuse	Adds an extra layer of security beyond passwords, particularly for sensitive systems
Physical security controls	Theft or unauthorised physical access	Includes ID badges, visitor registration, CCTV, and restricted zones at offices and secure sites
Regular staff training and awareness	Accidental disclosure or mishandling of data	Ensures employees understand their data protection responsibilities and follow secure procedures
Data minimisation and pseudonymisation	Unnecessary data exposure or risk	We limit the personal data we collect and process and apply techniques to reduce identifiability where appropriate
Audit trails and logging	Undetected changes, access, or misuse	Activities on key systems are monitored and logged to ensure accountability and support investigations if needed
Regular security testing and reviews	Outdated or vulnerable systems	Penetration testing, vulnerability scans and policy reviews help maintain and improve our security posture
Supplier and subcontractor due diligence	Weak links in our supply chain	We assess third-party providers for compliance with security and data protection standards before allowing them to handle personal data

We have a dedicated information security function responsible for monitoring, investigating, and responding to potential risks.

How long we keep your information

We keep personal data only for as long as is necessary to fulfil the purpose for which it was collected, or to meet our legal, contractual, and regulatory obligations. Retention periods vary depending on the type of data and the context in which it is used.

The table below provides examples of how long we may keep different categories of personal data:

Type of data	Example retention period	Reason or legal basis for retention
Service user records (e.g., case files, programme data)	Varies by contract but often 6 to 8 years after service ends	To comply with public sector customer contracts, audit requirements and statutory duties
CCTV footage	Typically, 30 days, unless required for investigation	For site security and safeguarding; longer retention only if needed for a specific incident
Visitor logs and access records	12 months to 2 years (typical)	Site safety, security and traceability of access
Employee records	6 to 7 years after employment ends	To comply with employment law, HMRC rules and for potential legal claims
Recruitment data (unsuccessful applicants)	Up to 12 months from decision (unless consent to retain longer)	To respond to queries or complaints; in line with ICO guidance on recruitment data
Health and safety records	2 to 40 years, depending on the nature of the incident (e.g., exposure to hazardous substances)	Legal obligations under health and safety law
Training and professional development records	Duration of employment plus 6 to 7 years	Evidence of compliance, competence and regulatory checks
Financial and payroll data	6 to 7 years after the end of the tax year	Required by HMRC for accounting and audit purposes
Complaint or safeguarding investigation files	6 to 15 years (depending on service area and seriousness)	Legal risk, safeguarding obligations and public interest
IT access logs and system usage records	Typically, 3 to 24 months but may be beyond this in certain circumstances.	Cybersecurity, monitoring and audit trail purposes

How retention periods are determined

Legal and regulatory requirements (e.g., tax law, safeguarding, employment law)
Contractual terms with customers
Operational needs and the importance of the data
Limitation periods for legal claims or investigations

Your rights under data protection law

Under the UK General Data Protection Regulation (UK GDPR), you have several rights in relation to your personal data. However, in many cases Serco acts as a data processor on behalf of a customer (such as a government department, NHS body, or local authority). In these situations, the public sector body is the data controller and is legally responsible for handling your rights request.

If we are processing your data on behalf of a public sector customer, we may not be permitted to respond directly to your request. In those cases, we will inform you and direct you to the appropriate contact point at the relevant organisation.

If we are the data controller (e.g., for employee data, recruitment, CCTV at our corporate sites), you can exercise your rights directly with us.

Summary of your rights

Your right	What this means	When it applies
Right to access (Article 15)	You can ask for a copy of the personal data we hold about you.	Applies in most cases unless it affects others’ rights or relates to sensitive operations. If Serco is a data processor, your request will be passed to the data controller.
Right to rectification (Article 16)	You can request corrections to inaccurate or incomplete personal data.	Applies wherever data is factually incorrect. If we process data for a public authority, they are responsible for updating records.
Right to erasure (Article 17)	You can ask for your data to be deleted in certain circumstances.	Applies where there is no longer a lawful basis. May not apply where we must retain records by law or contract.
Right to restrict processing (Article 18)	You can ask us to stop using your data but allow us to keep storing it.	Useful during complaints or when contesting accuracy. May need to be directed to the controller.
Right to data portability (Article 20)	You can request your data in a reusable format.	Applies only where processing is based on consent or contract and is carried out by automated means. Rarely applies.
Right to object (Article 21)	You can object to processing based on public task or legitimate interests.	We must stop unless we can demonstrate compelling, legitimate grounds. Does not apply to all data uses.
Right to withdraw consent (Article 7(3))	You can withdraw your consent at any time.	Only applies where consent is the lawful basis (e.g., optional communications). Withdrawing consent does not affect past processing.
Right to be informed (Articles 13 & 14)	You have the right to clear information about how we use your data.	Fulfilled through this Privacy Notice and, where relevant, service-specific notices.
Right not to be subject to automated decision-making (Article 22)	You can object to decisions made solely by automated means.	Serco does not make decisions solely by automated means that significantly affect individuals without human oversight.

Exercising your rights

If Serco is the data controller for the information in question you can contact:

Email: [email protected]
Address: Data Protection Officer, Serco Group plc, Serco House, Bartley Way, Hook, Hampshire RG27 9UY

We will respond within one calendar month, unless your request is complex or involves third-party data. We may need to verify your identity before we can act on your request.

If Serco is acting as a data processor, we will:

Inform you that we are not the data controller
Redirect your request or provide contact details for the relevant public sector customer who controls the data
Cooperate with them as needed to support their response

If you are unhappy with our response or the way we handle your personal data, you can contact the Information Commissioner's Office (ICO). Details provided in the next section.

How to raise a concern or make a complaint

If you have any questions, concerns, or complaints about how we use your personal data, please let us know so we can address them.

What you can do	What happens next	Your rights
Contact our Data Protection Officer (DPO) Email: [email protected] Address: Data Protection Officer, Serco Group plc, Serco House, Bartley Way, Hook, Hampshire RG27 9UY	We will review your concern and aim to respond within one calendar month. In some cases, we may need additional information to investigate properly.	You have the right to raise concerns directly with the DPO if you believe your data has been used unfairly, unlawfully, or without proper justification.
Make a formal complaint to Serco	If your concern cannot be resolved informally, we will investigate it under our internal complaints process. We will keep you informed of progress and the outcome.	We are required to cooperate fully and transparently. You have the right to request records of our findings.
Contact the Information Commissioner’s Office (ICO) Website: Make a complaint \| ICO Tel: 0303 123 1113 Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF	The ICO is the UK’s independent data protection regulator. They can investigate whether we’ve handled your data appropriately and may take enforcement action if necessary.	You can escalate your concern to the ICO at any time, particularly if you are not satisfied with our response or if we fail to respond within the required time frame.

If Serco is acting as a data processor on behalf of a public sector customer (e.g., a government department), we may not be the appropriate organisation to handle your complaint. In such cases, we will advise you to contact the relevant data controller, and we will assist them as required.

Version control and updates

We review this Privacy Notice regularly to ensure it remains accurate, relevant and compliant with data protection law. Changes may be made to reflect:

Updates in legislation or guidance from the ICO or government
Changes in the services we deliver or the way we process personal data
Amendments to our internal procedures or IT systems

Where appropriate, we will notify individuals of material changes, such as through updated notices on our website or through direct communication where feasible.

Version	Date issued	Summary of changes
Version 1.0	24/07/25	Initial publication of Serco’s main UK privacy notice, replacing the legacy website and applicant-focused notice. Includes controller/processor distinction, lawful bases, and expanded retention details.

Regions

In the course of our business in the different regions, Serco processes personal data. This can be personal data of our staff, customers, service users or our suppliers. In all situations and regions, Serco takes its obligations to process, handle, collect and protect personal information seriously.

To find how your region collects, handles and processes personal information and who to contact for further details or questions, please select your region from the list below:

Serco Group plc Asia Pacific Europe

Middle East North America

Police or other agency disclosures

If you wish to access personal information held by Serco and you work for the police or other agencies e.g. local authority, you can submit a request for disclosure using Serco’s DPA 2018 Disclosure Request form.

The Data Protection Act 2018 and the UK General Data Protection Regulation does not automatically give police or other agencies rights of access to information. We will only release information that are necessary, relevant and proportionate and only after we are satisfied that the disclosure will be in compliance with the law.

Before Serco can consider any request for personal information, you must fill in this form with all the requested information and email the completed form to the addresses listed above. If you do not fully or properly complete the form and provide clearly all the requested details in the form, your request will be refused, or you will be asked to re-submit your request for disclosure.

Data Protection Office

We have appointed a Data Protection Officer (DPO) or equivalent to oversee compliance with our Privacy Notices. If you have any questions about our notices or how we handle your personal information, please address to:

Data Protection Officer
Serco Ltd
Serco House
16 Bartley Wood Business Park
Bartley Way
RG27 9UY

Alternatively, please email [email protected].