Cymraeg

1. Introduction

Serco Limited is one of the providers selected to deliver the programme commissioned by the Department for Work and Pensions (DWP). Serco is based at Serco House, 16 Bartley Wood Business Park, Bartley Way Hook, Hampshire, RG27 9UY.

This Serco Restart Scheme Privacy Policy (“Policy”) is issued by Serco (referred to hereafter as “Serco”, “our” “we” and/or “us”) for the Restart Scheme, for and on behalf of Serco and the Department for Work and Pensions (DWP) as data controllers. The Restart Scheme is a programme of tailored support for people unemployed for 12 months and over get back into work including developing skills and transferring their skills to different sectors. We have developed this Policy to ensure you (a participant of the programme) are informed and confident about the security and privacy of your personal information.

This Policy is to help you understand how Serco collects, uses, discloses, holds and safeguards the personal information about you.  It also explains your rights in relation to your personal information and how to contact us or the Information Commissioner’s Office in the event you have a question, concern, or feedback. Please read this Policy carefully as it contains important information.

2. Who Is Responsible for Your Personal Data

For the purposes of the relevant data protection legislation and this Policy, Serco and the DWP are joint data controllers for personal information jointly processed; and are independent data controllers of personal information not jointly processed which are necessary for the Restart Scheme. This means Serco and DWP (either jointly and/or independently) are responsible for looking after and protecting your information.

Serco is registered as a data controller with the UK’s Information Commissioner's Office and our registration number is Z5746980. Our programme and/or website may provide links, promote or signpost to other independent third-party websites, plug-ins or applications (e.g. the Thrive App for which we may be a reseller/promoter). Those third party are not always under our control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the conduct of third-party companies linked to the programme or the website or the contents of their privacy notices. You should refer to the privacy notices of these third parties as to how and why they may handle your personal information. When you leave our website or before you enable any connection, we encourage you to read the privacy notice of every website, plug-ins or applications you visit or wish to use.

DWP

Where DWP is an independent data controller of the personal data which is collected, used and/or shared between Serco and DWP as part of delivery of the Restart Scheme or other DWP run programme/services, please refer to DWP’s privacy policy for details of how they manage your personal information: www.gov.uk/government/organisations/department-for-work-pensions/about/personal-information-charter

3. Personal Data Collected

When using the term “personal data” or “personal information” in this Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession.

We will collect, store, and use the following (not exhaustive) type of personal information about you:

• Personal and Employability Details: title, full name, contact address, contact number, email address, gender, date of birth, signature, images, benefit details, financial details, family, lifestyle and social circumstances, employment and education details, education and training details, CCTV images.
• Identification Information: National Insurance Number, benefit information letters details.  
• Correspondence: responses, comments, feedback and opinions when you communicate with us for instance when making a complaint.
• SMART Action Plan and Assessment Records: Diagnostic assessment, needs assessment related to joining the programme, SMART Action Plan and meeting notes following communication/attendance at meetings.
• Preferences: permissions, or preferences that you have specified
• Special Category Personal Data: health and medical information, race or ethnic origin and any other sensitive information such as biometric data, offences including alleged offences, criminal proceedings, outcomes and sentences
• System Identifiers: e.g. IP address, device identifiers, login attempts, date and time for accessing our or our commissioned third-party platforms and/or apps and any personal data collected through cookies.

Please note, you do not have to provide your personal information to us. However, if you do not provide your personal information which we ask for and require for the programme, we may not be able to: provide you with the support that you require under the programme, or meet the necessary requirement of the programme; or respond to enquires that you may have (list not exhaustive).  

4. How Your Personal Data Is Collected

We will obtain your personal data in different ways:

• We will receive information about you from the DWP when you are referred to us via Job Centre Plus including from other third parties where applicable (e.g. employers, local authorities, partner organisations);
• We collect information directly from you in various ways (including through your nominated appointee/representative), including over the phone, face to face, via email, or online portal;
• We collect information during normal course of our relationship with you (e.g. when we have our initial assessment meeting and through managing your delivery through the programme etc.);
• We collect information that was made public by you (e.g. contacting us via a social media platform);
• We collect information via our CCTVs that operate in our offices/sites and/or IT systems, including via our website or receive information from our suppliers; and
• Personal data may also be created by us, such as records of your communications with Serco.

5. How and Why We Use Your Personal Information

We will collect, use and share your personal information where we have a legal justification to do this and the processing is necessary. The legal justification depends on the purpose of the personal information collected and its processing requirements. The legal justification on which we rely on to process your personal information includes:

• To fulfil our contractual obligations to you, including delivering the programme content.
• To exercise our legal rights with respect to our contract with you.
• Where we have consent (on occasions we may ask you for consent, we will use the data for the purpose which we explain at the time) or where the information is made public by you.
• To exercise our functions and to meet our legal responsibilities, including for the performance or exercise of a public task (including for and/or on behalf of a government department).
• For the purposes of employment, social security and social protection law.
• For the purpose of equal opportunity monitoring.
• For the purposes of any measures we are required to take from time to time during a national or international emergency (for example during a pandemic) and to comply with national laws for humanitarian purposes including for monitoring epidemics, pandemics and their spread.
• For the reasons of substantial public interest to fulfil a function of a government department (e.g. the Department of Work and Pension).
• Where processing is necessary for reasons of substantial public interest including but not limited to equal opportunities monitoring and/or preventing and/or detecting unlawful acts.
• In response to requests from government law enforcement authorities conducting an investigation.
• Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business e.g. in the framework of tax control and reporting obligations.

Where necessary for Serco’s or third parties legitimate interests, as listed below, and where our interests are not overridden by your data protection rights, such as:

• To effectively manage and deliver our services to you, including sharing your information with relevant partners and service providers in connection with delivering these services.
• To comply with our DWP contractual obligations, including to verify details of Participants who gain employment as part of the Restart programme, in order for Serco to receive payment from DWP.
• To contact you and manage any enquiries, complaints and feedback.
• To enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers.
• For promotional purposes.
• To ensure programme procedures are adhered to, e.g. programme induction, completion of Action Plans.
• For business analysis purposes and to develop our business strategies.
• For safety and/or security purposes, such as preventing unauthorised access and modifications to systems and/or protecting you, our workers, third parties on site, and our premises with the use of CCTVs.
• In connection with establishing, exercising or defending our legal rights in the event of a claim and compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with the legal process or litigation).

Where we need to use your personal information for any other purpose, we will let you know at the time we collect your personal information or as required or permitted by law.

Serco sometimes handles personal information relying on exemptions under the applicable data protection law.  Any permitted handling of personal information under such exemptions will take priority over this Serco Restart Scheme Privacy Policy to the extent of any inconsistency.

6. When Is Sensitive Data Collected and Used?

We may on occasions process your special category information (e.g. information about your health or ethnic origin) or information about your criminal convictions, as set out in section 3.

We will primarily collect this information in the following scenarios:

• Where we may ask you about health concerns, disabilities as part of the initial meeting to ensure that what we deliver is both suitable and tailored to you.
• To assess and comply with health and safety requirements and obligations including in relation to safety, well-being and health needs e.g. where necessary for the purpose of safeguarding against the impact of a health-related issue (for example, coronavirus or some other pandemic or disease) to protect the safety of our workplace, you and others involved with the delivery of the programme.
• Information on spent/unspent criminal convictions or restrictions on your employment to ensure we safeguard yourself and others when supporting you into employment.
• Collect information about your ethnic background for the purposes of equal opportunity monitoring.
• Where you choose to share special category information in your communications with us.

Collection of this information will not affect whether your will be accepted onto the programme.

Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information.

7. Cookies

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. Please refer to our cookies policy for further information about our use of cookies.  Cookies only record the areas of our website that a computer/device has visited. If you do not want a cookie you can set your browser to deny it or visit our cookies policy for further details. 

8. CCTV

We currently have closed circuit television (CCTV) operating in and around our sites, and offices for (but not limited to): (i) public and worker health and safety; (ii) security; and (iii) crime prevention and detection. For these reasons, the information processed may include visual images of personal appearance and behaviours.

We display signs to inform visitors and workers that they are under surveillance and there may be video recording in operation. This information is kept in secure environments and access is restricted to Serco’s designated workers.

9. Sharing Your Personal Information with Others

As set out above in section 2, we operate this programme on behalf of DWP. We will share your personal data with them as part of delivering the services as independent data controller; and where we are jointly processing your personal information with the DWP. You may also be contacted for evaluation and research purposes by DWP (or an organisation acting on its behalf).

We will disclose your personal information to another third party in certain circumstances such as where it is a contractual obligation or where we are permitted to do so by law. On some occasions, these third parties may also be a controller of your personal data. The other third parties we may share your personal data with includes:

• Your nominated appointee, representative, employer or organisation engaged for the purpose of the Restart Scheme (excluding Serco’s subcontractors).
• Other government department or public body (e.g. local authorities).
• Our third-party providers who help deliver or run our system and business (e.g. system provider).
• Our professional advisors (e.g. legal advisor, insurers, auditors) or third party providers engaged by us to conduct research and evaluation of the programme and the services we provide to you.
• Government, regulatory and law enforcement bodies where we are required in order to comply with our legal obligations; to exercise our legal rights and/or for the prevention; detection and investigation of crime.
• Other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business.
• Our subcontractors who operate under contract to Serco to deliver Restart Scheme services.

We may disclose your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or DWP changes service providers. Serco’s contracted third-party service providers are required to take appropriate security measures to protect your personal information in line with our contract and the laws.

Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.

Transferring your personal information outside the European Economic Area (EEA)

We (and our subcontractors who operate to deliver the programme to you on our behalf) do not currently transfer, store or otherwise process personal data, as applicable under this Serco Restart Scheme Privacy Policy, outside the United Kingdom (UK). However, if our business needs change, we will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests.

Serco operated on a global basis. Our standard practice when transferring personal data outside the UK/EEA is to:

• put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission and/or the Information Commissioner’s Office for transferring personal information outside the EEA, to ensure that your information is safeguarded;
• ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission and/or the Information Commissioner’s Office; or the company is registered and compliant with recognised code of conduct or certification scheme;
• in the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection; and
• carefully validate any requests for information from law enforcement or regulators before disclosing the information.

We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information. If you would like further information about the global handling of your personal information, please contact us using the details below.

10. Security of Your Personal Information

Serco takes precautions including administrative, technical and physical measures to safeguard your personal information, including password protected access to IT systems, documented employee procedures, internal monitoring and training to help ensure that your information is protected and secure. Our employees, contractors, and any other third party providers are bound by confidentiality obligations and we will only allow access to employees and contractors and any other third-party providers where there is a genuine business need.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use robust procedures and security features to try to prevent unauthorised access.

11. How Long Do We Keep Your Personal Information

We keep your personal information for as long as is necessary or for as long as we are required to under our contractual obligations and for the purposes set out in this Policy. Any personal information processed by us will be retained as per our records and retention schedule and will only be used for the purposes for which it was collected. Set out below are summaries of criteria we use to determine how long we will keep your personal information for, thereafter we will either delete or anonymise the data:

• We will retain your information for as long as you are engaged for the services, thereafter we may be required to retain your information for another 7 years under our contract with DWP.
• We will retain any contractual information for a minimum of 6 years (following expiry or termination of the contract unless it needs to be retained for longer)

Where not subject to the above, we will generally keep your personal data in accordance with any applicable limitation period (as set out in applicable law) to allow reasonable time for review and deletion or anonymisation of the personal information held.

12. Your Legal Rights

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information (commonly known as the "right to be forgotten"). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which Serco is subject.

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal or contractual obligation; or (ii) for the establishment, exercise or defence of legal claims.

• Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling).
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person.

• Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
• Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms.
• Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent.

If you would like to exercise any of these rights for the data Serco processes as a joint controller and/or an independent controller, please submit your requests to Serco via the address below. Please note, to ensure security of personal information, we will ask you to verify your identity before proceeding with any such request.

For any personal information processed by DWP as an independent data controller and not as a joint data controller with Serco, please contact the DWP direct to exercise your rights using their Right of Access online form at: www.gov.uk/guidance/request-your-personal-information-from-the-department-forwork-and-pensions

We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

13. Data Protection Officer

We have a Data Protection Officer (DPO) to oversee compliance with this Serco Restart Scheme Privacy Policy. If you have any questions about this Serco Restart Scheme Privacy Policy or how we handle your personal information, please address to:

Data Protection Officer

Serco Ltd

Enterprise House

18 Bartley Wood Business Park

Bartley Way

RG27 9XB

Alternatively, please email dpo@serco.com or call +44 (0)1256 745900.

Supervisory authority

We would be happy to address any concerns you have about your data privacy directly, and we encourage you to contact us in the first instance with your queries. However, you have a right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk/concerns/ or telephone: 0303 123 1113) who will then investigate your complaint accordingly.

Changes to the Serco Restart Scheme Privacy Policy

This Serco Restart Scheme Privacy Policy (version 1.1) was reviewed and updated in August 2023.

We may amend this Serco Restart Scheme Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. If we change this Serco Restart Scheme Privacy Policy, we will post the details of the changes on our website: www.serco-ese.com/restart-scheme. Any changes will be effective when posted.