See here for the Restart Scheme Privacy Policy
See here for the Department for Education’s Skills Bootcamps Privacy Notice
This Serco Limited (“Serco”, “we” or “us”) Employment, Skills and Training (“EST”) Privacy notice will help you understand how Serco collects, uses, discloses, holds and safeguards your personal data when you visit our website (https://est-serco.com) and/or submit a query to us.
Throughout this notice where we refer to Data Protection Legislation, we mean the Data Protection Act 2018 (“DPA2018”), UK General Data Protection Legislation (“UK GDPR”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and any legislation implemented in connection with this legislation.
This depends on your relationship with us and the context in which we interact. We only collect data that is relevant and necessary for the intended purpose.
| Category | Examples of Personal Data |
|---|---|
| Basic personal data | Full name, home or contact address, telephone number(s), email address, date of birth, gender, nationality, national insurance number, passport, driving licence or ID documents |
| Employment and work-related data | Curriculum vitae (CV), application forms, employment history, and previous roles. Qualifications, training records and professional memberships. Right to work documentation (e.g., visa or immigration status). Pre-employment screening and references. Vetting and security clearance details. Performance appraisals, conduct and disciplinary records. Attendance, rota or timekeeping records. |
| Sensitive or Special Category data (collected only where lawful and necessary) | Health or medical information (e.g., for adjustments or service delivery). Racial or ethnic origin (e.g., for equal opportunities monitoring). Religious or philosophical beliefs (e.g., for wellbeing or dietary needs). Biometric data (e.g., fingerprints or facial scans for access control). Criminal offence or conviction data (e.g., for safeguarding or vetting) |
| Digital and technical data | IP address and device identifiers. Browser type and operating system. Cookie identifiers and website usage data. Usernames, login credentials and access logs. Data from software or systems used in the course of business or service delivery |
| Operational and case-related data | Audio recordings (e.g., contact centre calls). Vehicle registration numbers captured on Automatic Number Plate Recognition (ANPR) systems. CCTV footage (e.g., from offices, healthcare or custody settings). Body-worn or in-vehicle video (where applicable). Correspondence and complaint records. Data from case files or operational logs (e.g., justice, immigration, health) received from public sector customers |
| Additional contextual data | Location or travel information (e.g., for transport or logistics services). Emergency contact or next of kin details. Internal communications or meeting attendance (where relevant to service delivery or investigations) |
The personal information collected may include the following:
Special Category and Sensitive Data
We will not intentionally seek to collect, store or otherwise use information about you classed as ‘special categories of data’ or ‘sensitive data’ as a result of queries submitted through the website. However, this type of data may be required and submitted to one of the operators of the relevant EST business unit you submitted your query about.
The lawful bases we rely on to process your personal data are:
We may collect personal data directly from you in various ways, including over the phone, via email or otherwise in writing or via our IT systems.
| Purpose | Examples of use | Lawful basis |
|---|---|---|
| Communication and engagement | | Public task (Article 6(1)(e)); Legitimate interests (Article 6(1)(f)): stakeholder engagement; Consent (Article 6(1)(a)) for optional communications |
| Monitoring and improving service performance | Responding to feedback or complaints | Public task (Article 6(1)(e)); Legitimate interests (Article 6(1)(f)): service improvement and assurance |
| Compliance, governance, and legal obligations | | Legal obligation (Article 6(1)(c)); Public task (Article 6(1)(e)); In some cases, legitimate interests (Article 6(1)(f)): protecting legal position and managing risk |
| IT and systems management | | Legitimate interests (Article 6(1)(f)): maintaining secure, functional IT infrastructure. May also involve processing under a contract (staff or supplier systems); Legal obligation where linked to cybersecurity regulations |
We will only share your personal data for specified purposes with third parties, including sharing with:
We may disclose your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets. Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
Serco operates on a global basis and accordingly we may share personal data with other companies within Serco Group located outside the European Economic Area (EEA), but we will ensure such transfers are covered by relevant protections to ensure your personal data is secured.
We may disclose your personal information to third parties outside the EEA such as our suppliers and service providers. Where we transfer your personal data outside of the EEA, we will ensure a similar degree of protection is afforded to it by ensuring one of the following is in place:
Whether held in digital or physical form, we apply a wide range of technical, organisational and procedural safeguards to protect it from unauthorised access, misuse, accidental loss, or damage.
| Security Measure | What it protects against | How it supports data protection |
|---|---|---|
| Access controls and permissions | Unauthorised access to systems or files | Only authorised personnel can access personal data, based on their role and need to know |
| Encryption of data (at rest and in transit) | Interception or theft of data in storage or during transfer | Ensures that data cannot be read or altered without secure access keys |
| Secure IT infrastructure and networks | Cyberattacks, malware or hacking attempts | Firewalls, antivirus software and threat monitoring help protect systems from intrusion |
| Multi-factor authentication (MFA) | Unauthorised system logins or credential misuse | Adds an extra layer of security beyond passwords, particularly for sensitive systems |
| Physical security controls | Theft or unauthorised physical access | Includes ID badges, visitor registration, CCTV, and restricted zones at offices and secure sites |
| Regular staff training and awareness | Accidental disclosure or mishandling of data | Ensures employees understand their data protection responsibilities and follow secure procedures |
| Data minimisation and pseudonymisation | Unnecessary data exposure or risk | We limit the personal data we collect and process and apply techniques to reduce identifiability where appropriate |
| Audit trails and logging | Undetected changes, access, or misuse | Activities on key systems are monitored and logged to ensure accountability and support investigations if needed |
| Regular security testing and reviews | Outdated or vulnerable systems | Penetration testing, vulnerability scans and policy reviews help maintain and improve our security posture |
| Supplier and subcontractor due diligence | Weak links in our supply chain | We assess third-party providers for compliance with security and data protection standards before allowing them to handle personal data |
We will retain your personal data for as long as is reasonably necessary for the purposes for which it was collected. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
Generally, we will retain your personal data in accordance with any applicable limitation period (as set out in any applicable law), which will usually be six (6) years following the expiry of our business relationship with you.
In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings. When no longer necessary to retain your personal information, we will delete or anonymise it.
You are under no obligation to provide us with your personal data. However, please be aware that if you do not provide it in certain circumstances, such as where it is required by law or under the terms of a contract with you, we may not be able to perform the contract or provide you with services that you have requested. Additionally, the website may not operate in the way that you would expect if certain operations cannot take place. If this is the case, you will be notified of this at the time.
| Your Right | What this means | When it applies |
|---|---|---|
| Right to access | You can ask for a copy of the personal data we hold about you. | Applies in most cases unless it affects others’ rights or relates to sensitive operations. |
| Right to rectification | You can request corrections to inaccurate or incomplete personal data. | Applies wherever data is factually incorrect. |
| Right to erasure | You can ask for your data to be deleted in certain circumstances. | Applies where there is no longer a lawful basis. May not apply where we must retain records by law or contract. |
| Right to restrict processing | You can ask us to stop using your data but allow us to keep storing it. | Useful during complaints or when contesting accuracy. |
| Right to data portability | You can request your data in a reusable format. | Applies only where processing is based on consent or contract and is carried out by automated means. Rarely applies. |
| Right to object | You can object to processing based on public task or legitimate interests. | We must stop unless we can demonstrate compelling, legitimate grounds. Does not apply to all data uses. |
| Right to withdraw consent | You can withdraw your consent at any time. | Only applies where consent is the lawful basis (e.g., optional communications). Withdrawing consent does not affect past processing. |
| Right to be informed | You have the right to clear information about how we use your data. | Fulfilled through this Privacy Notice and, where relevant, service-specific notices. |
| Right not to be subject to automated decision-making | You can object to decisions made solely by automated means. | Serco does not make decisions solely by automated means that significantly affect individuals without human oversight. |
If Serco is the data controller for the information in question you can contact:
Email: dpo@serco.com
Address: Data Protection Officer, Serco Group plc, Serco House, Bartley Way, Hook, Hampshire RG27 9UY
We will respond within one calendar month, unless your request is complex or involves third-party data. We may need to verify your identity before we can act on your request.
If you are unhappy with our response or the way we handle your personal data, you can contact the Information Commissioner’s Office (ICO). Details are provided in the next section.
If you have any questions, concerns, or complaints about how we use your personal data, please let us know so we can address them.
| What you can do | What happens next | Your rights |
|---|---|---|
| Contact our Data Protection Officer (DPO). Email: dpo@serco.com | We will review your concern and aim to respond within one calendar month. In some cases, we may need additional information to investigate properly. | You have the right to raise concerns directly with the DPO if you believe your data has been used unfairly, unlawfully, or without proper justification. |
| Make a formal complaint to Serco | If your concern cannot be resolved informally, we will investigate it under our internal complaints process. We will keep you informed of progress and the outcome. | We are required to cooperate fully and transparently. You have the right to request records of our findings. |
| Contact the Information Commissioner’s Office (ICO). Website: Make a complaint \| ICO. Tel: 0303 123 1113 | The ICO is the UK’s independent data protection regulator. They can investigate whether we’ve handled your data appropriately and may take enforcement action if necessary. | You can escalate your concern to the ICO at any time, particularly if you are not satisfied with our response or if we fail to respond within the required time frame. |
If you want to exercise any of the rights above, please submit your requests in writing to dpo@serco.com.
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
This EST Website Privacy Policy was updated in October 2025.
We may amend this EST Website Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check our website for the latest version of this EST Website Privacy Policy.