1. Introduction

Serco is committed to ensuring that your personal data is protected and that we are being transparent about the information we hold about you. This privacy notice applies only to the personal data collected as part of the Health Assessment Advisory Service (HAAS).

Serco (“Serco”, “us”, “we” or “our”) collects your personal data as part of the HAAS which we operate in the South West and Southern England under contract to the Department for Work and Pensions (DWP). All personal data relating to HAAS is processed on behalf of DWP as the data controller, with Serco acting as the data processor.

Where processing of personal data is carried out on this website and Serco is the data controller, it will clearly articulate this in the following sections of this notice.

This privacy notice clearly sets out the personal data that Serco processes as a data controller. If you wish to know more detail about how DWP handle your personal data, you should visit GOV.UK and view the DWP Personal Information Charter.

Our site may also provide links to third party websites.  Serco is not responsible for the conduct of non-Serco companies linked to the site and you should refer to the privacy notices of these third parties as to how they may handle your personal information.

We may collect personal data about you when:

  • it is provided by you directly (e.g. when you apply for a role and register with us, including additional communications via email, telephone or in
    video conferencing meetings);
  • it is collected in the normal course of our relationship with you (e.g. in an interview);
  • it is recorded in a video assessment as part of a Serco recruitment programme;
  • it is collected from your named referees;
  • it has been made public by you (e.g. contacting Serco via a social media platform about future career opportunities);
  • it is received by us from third parties, including to verify information you have provided (e.g. recruitment agencies, your former employer, law enforcement agencies, disclosure and barring service checks);
  • it is received from our business partners and suppliers (e.g. marketing partners, IT support services, careers portal operator);
  • it is collected when you visit our website or use any features or resources available on the website (including the careers portal, subscribing to marketing); or
  • it is created by us, such as records of your communications with us or records of your job interviews.

Cookies

Cookies are small text files that are downloaded onto your device when you visit a website. For more information about cookies used on this site refer to the cookies policy on Serco.com. 

2. Personal Data Collected

The following sets out the types of personal data we may collect:

  • Personal Details: title, full name, date of birth, age, gender, address, telephone numbers, email address, visa and immigration status, nationality, language and dialect spoken, subscriptions and pastimes.
  • Images and recordings: your photograph, film/video footage and recordings of you (which may include your voice).
  • Family and Friends: name and contact details of family members, dependents and emergency contact details.
  • Career History: business activities, work history, job roles, experience and referees, work address, work telephone number, contact details of former
    and current employers, work-related social media profile details.
  • Security Information: security clearances and vetting information.
  • Qualification, Training and Education History: schools and universities attended, qualifications obtained, additional training obtained.
  • Preferences: consents, permissions, or preferences that you have specified or agree to our terms and conditions for submitting an application to us.
  • Interview Details: interview responses, opinions of interviewers.

3.3 Special category and sensitive personal data

We may also collect special category data where necessary for the purposes of managing our relationship with you.

The data that may be collected includes:

  • health and medical information
  • political opinions or memberships
  • trade union membership
  • ethnicity
  • religion; and
  • sexual orientation.

4. How and why we use your data

Data protection and privacy laws require companies to have a “legal basis” or “lawful ground” to collect and handle your personal information. The purposes for which we may use your personal data and the legal basis on which we may perform such processing are set out below.

 

| Purpose of Processing | Lawful Basis | Legitimate Interest (if applicable) |
|---|---|---|
| Process your job application and contact you to discuss it or to invite you to interview | Legitimate Interest | Contact you and assess your skills, suitability and experience for a role |
| Complete our onboarding processes if you are successful with your application | Performance of a contract with you; Check your entitlement to work in the UK | N/A |
| To carry out vetting and background checks | Legitimate interest; To comply with a legal obligation | To ensure you are suitable to work for Serco |
| Respond to enquiries, complaints, or feedback | Legitimate interest | Timely resolution and service improvement |
| Monitor platform access and IT system use | Legitimate interest | Protecting data, platforms, and services from misuse or intrusion |
| Enhance or personalise services based on usage feedback | Legitimate interest | Service optimisation and improved user experience |
| Prevent or detect fraud, security threats, or unlawful activity | Legal obligation / Legitimate interest | Ensuring the integrity of our operations and compliance with regulations |
| Share data with relevant third parties (e.g. DBS providers, law enforcement regulators) | Legal obligation / Legitimate interest | |
| Carry out audits, tax reporting, and internal governance | Legal obligation / Legitimate interest | Regulatory compliance and business oversight |
| Conduct internal evaluation or training delivery reviews | Legitimate interest | Quality assurance and operational improvement |
| Share data within Serco Group companies | Legitimate interest | Centralised administration, compliance, and support functions |
| Send marketing communications (if opted in or permitted for B2B) | Consent / Legitimate interest (B2B only) | Promoting relevant services and maintaining business relationships including to inform you of employment opportunities which may arise at Serco, including via “job match” emails |
| Defend legal claims or comply with legal obligations | Legal obligation / Legitimate interest | Protecting our legal and financial interests |
| Manage business strategy, planning, and potential business sales or mergers | Legitimate interest | Sustainable growth, operational transitions, and long-term planning |

A “legitimate interest” means we have a valid business reason to process your data, provided it does not unfairly impact your rights.

If we rely on consent, you may withdraw it at any time by contacting us.

If you have any queries about our legal basis for using your personal information, please contact the DPO via the details set out below.

Exemptions

Serco sometimes handles personal information relying on exemptions under the applicable data protection law.  Any permitted handling of personal information under such exemptions will take priority over this privacy notice to the extent of any inconsistency.

5. Equality and Diversity

We may collect special categories of information (such as your ethnicity, religious beliefs, sexual orientation and your health as regards any disability) to promote diversity and monitor equal opportunities within Serco’s workforce.  However, these questions are not mandatory and will not affect your application if you choose not to provide this information.

 

6. Information about Criminal Convictions

We may be required to carry out vetting if you apply for a designated role which is conditional on such checks. This might involve the collection and use of sensitive information obtained from criminal records checks such as offences or alleged offences, including any past or ongoing criminal proceedings.

We carry out criminal records checks for the following purposes:

  • To comply with our legal obligation to ensure an individual is eligible to work in the UK; and
  • For our legitimate interest or that of a third party and as necessary to exercise our rights as an employer to carry out pre-employment screening including a full background and criminal records check, depending on the role: (i) to establish whether an applicant has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct; or (ii) to comply with government and public sector clearance requirements.

We have in place appropriate policy documents and safeguards which we are required by law to maintain when processing such data.

 

7. Sharing your data

We may share your data with:

  • Your previous employer (for references)
  • Serco Group entities for shared services 
  • Subcontractors or partners who help us deliver training or services
  • IT and system support providers
  • Credit reference agencies and organisations involved in the prevention of fraud
  • Third party vetting companies who carry out pre-employment checks including Disclosure and Barring Service (DBS) checks
  • Financial processors (e.g. banks, invoicing platforms)
  • Marketing and communication providers
  • Legal, insurance, or audit advisors
  • Government and regulatory bodies (when required by law)

 

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or changing services suppliers.

8. International data transfers

We may transfer your data outside the UK or European Economic Area (EEA), such as to other Serco entities or approved service providers. These transfers will only occur where appropriate protections are in place, such as: 

  • Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission
  • Intra-group agreements across Serco entities
  • Adequacy decisions for specific countries

 

You can request a copy or summary of the safeguards applied to these transfers.

9. Security of your data

We implement physical, technical and organisational measures to protect your data, including:

  • Role-based access control to systems
  • Encrypted data storage and transfer 
  • Password protection and firewall technology 
  • Physical security (e.g., secure servers and restricted rooms)
  • Internal staff policies, confidentiality obligations, and regular training

However, please note that transmission of data over the internet is not entirely secure. While we do our best to protect it, any online transmission is at your own risk.

10. How long do we keep your data?

Serco will only retain your personal information for the period necessary to fulfill the purposes outlined in this privacy notice and as otherwise needed to comply with applicable law. Where your personal information is no longer needed, we will ensure that it is disposed of in a secure manner.

 

We retain the data as follows:

| Type of Record | Retention Period |
|---|---|
| Successful applicants | In line with Serco Employee privacy notice and retention documents |
| Unsuccessful applicants | 6 months from date position was filled |
| Complaints and investigations | Reviewed every 10 years |
| User accounts | 4 years after licence expiry |
| Marketing emails, job match emails | 12 months from when you last contacted us or until you notify us that you no longer wish to receive such communications (e.g. unsubscribing) |
| Emails and general correspondence | 7 years |
| Social media messages or interactions | Until deletion is requested |
| IP addresses and cookie data | In line with your cookie preferences |

In some circumstances we may store your personal information for longer periods of time where we are required to do so in accordance with legal or regulatory requirements or so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

11. Your Legal Rights 

You have the following rights under data protection law:

  • Access – request a copy of the personal data we hold about you
  • Rectification – ask us to correct inaccurate or incomplete information
  • Erasure – request deletion of your data where no longer needed or consent is withdrawn
  • Restriction – ask us to suspend processing in certain circumstances
  • Objection – object to processing based on legitimate interests or for direct marketing
  • Data portability – receive your data in a structured format or transfer it to another provider
  • Withdraw consent – withdraw consent at any time where that is the lawful basis
  • Know about international data transfers – and request information about safeguards in place

If you want to exercise any of these rights, please submit your requests in writing to the DPO via the contact details below. Please note, to ensure the security of your personal data, we may ask you to verify your identity before proceeding with any such request.

12. Data Protection Officer

If you have any concerns about how we handle your personal data please contact:

Data Protection Officer
Serco Limited
Enterprise House
11 Bartley Wood Business Park
Bartley Way
RG27 9XB

email: dpo@serco.com or call: +44 (0)1256 745900.

We would be happy to address any concerns you have about your data privacy directly, and we encourage you to contact us in the first instance with your queries. However, you have a right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/ or telephone: 0303 123 1113) who will then investigate your complaint accordingly.

13. Changes to this privacy notice

This privacy notice was last reviewed and updated in August 2025.

We may revise this notice periodically. Please regularly check our website for the latest version. On some occasions, we may also actively advise you of specific data handling activities or significant change where required by law.