Please read this Policy carefully as it contains important information on who we are, how and why we process the personal information that you provide to us, whether through our website, by post, by phone, in person or when you otherwise communicate with us. It also explains your rights in relation to your personal data and how to contact us or the supervisory authorities in the event you have a complaint. If you have any questions or comments about this Policy, you can contact us by using the details set out below in section 11 (Data Protection Office) of this Policy.
2 Who we are
Serco People Fund (“the Charity”, “we”, “us”) is a charity registered with the Charities Commission for England and Wales No. 1194113. Its registered office is at Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire, RG27 9UY.
For the purpose of the Data Protection Legislations (the “DPL”); any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or replaced from time to time); and this Policy, we are the data controller of your personal data that we process. This means that when we process your personal data, we are responsible for looking after and protecting your data.
Please note, our website may provide links, promote or signpost to other independent third-party websites, plug-ins or applications. Those third parties are not always under our control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the conduct of third-party companies linked to the programme or the website or the contents of their privacy notices. You should refer to the privacy notices of these third parties as to how and why they may handle your personal information. When you leave our website or before you enable any connection, we encourage you to read the privacy notice of every website, plug-in or application you visit or wish to use.
3 Information we may collect from you
The personal data you provide to us or that is collected by us (or on our behalf) is used for service and operational purposes, for example to assess your application, or to communicate with you about your query. The types of personal data we will collect, store and use include:
• Your Personal Details: title, full name, phone number, date of birth, address, email address, marital status, employee number and confirmation of employment, location of employment and work history, beneficiary details, circumstances for assistance including health and medical information (where relevant to the application) and any other information or evidence provided to support the application.
• Internal Identifiers: application reference numbers.
• Financial Details: bank account details, including receipts and invoices linked to the application.
• Correspondence: call logs, application form, general correspondence exchanges with us.
• Website Access Details: your computer's unique identifier (e.g. IP Address) where required to be collected, the date and time you accessed the website (if required to be collected).
Please note, you do not have to provide your personal information to us. However, if you do not provide the personal information which we ask for, we may not be able to accept your application, properly assess your application, or respond to enquiries that you may have.
If you are under 16, do not send any information about yourself to us unless you have your parent's or guardian's permission. In the event we learn that we have collected personal information from anyone under the age of 16, and do not have a parent or guardian's consent, we will delete that information. If we do hold personal data about children, we will handle that data in accordance with the terms of this Policy.
4 How we collect the personal data
We will collect personal data about you when:
• It is provided to us by you or your dependent or authorised nominee (e.g. when you contact us or submit your application);
• it is collected in the normal course of our relationship with you (e.g. access our services via our website) or created by us, such as records of your communications with us;
• it has been made public by you (e.g. contacting us via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
• it is received by us from or made available to us by third parties including Serco (e.g. confirmation of employment with Serco);
• the personal data is collected via our IT systems, such as:
• automated monitoring of our website, and other technical systems; and
• cookies if personal data is collected (please refer to the section below for further information).
5 How and why we will use your personal information
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do so. The purposes for which we may use your personal data and the legal basis on which we may perform such processing are set out below.
Where you give us consent
• To process your information. For example, consent to processing your application once submitted. You have the right to withdraw consent at any time where consent is the only legal basis for processing your personal data. This will not affect the lawfulness of our processing based on your consent prior to withdrawal. If you wish to withdraw consent, please contact us using the details in section 11.
For purposes which are required by law
• In response to requests from government law enforcement authorities conducting an investigation.
• Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business e.g. the Charity’s purposes and legal requirements.
Where necessary for the Charity’s or third parties’ legitimate interests and where the interests are not overridden by your data protection rights, such as:
• To deliver the services to you, and with the assistance of Serco Limited who helps manage and facilitate the application process for and on behalf of the charity.
• To manage, facilitate and/or improve the provision of our services to you, including but not limited to administering our website and managing enquiries, complaints and feedback.
• For security purposes, such as preventing unauthorised access and modifications to systems.
• For accounting and auditing purposes.
• To support business and administrative functions of the business and/or ensure business policies are adhered to.
• To prevent, investigate, detect and/or report fraud, misrepresentation, security incidents, crime and other related matters.
• In connection with a business transaction such as merger, restructuring or sale of the business.
• For legal claims, compliance, regulatory and investigative purposes as may be necessary (including disclosure of such information in connection with legal process or litigation).
In some cases, your personal information may be aggregated and anonymised where relevant to the service usage, performance, and delivery. This may be extracted and used by us for the assessment and improvement of services that the Charity provides, measuring impact, for governance purposes and for any official audits or legislative requirements. We may also collect anonymised data to assess and report on trends and annual achievements.
7 Sharing Your Personal Information with Others
We will only disclose personal information to a third party in very limited circumstances, or where we are permitted or required to do so by law. The third parties to whom we provide your personal data include:
• Serco Limited and other subsidiaries within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business and the website or confirm present or past employment within Serco;
• third parties we use to help deliver our services to you (e.g. consultancy, banks and payment providers);
• other third parties we use to help us run our business (e.g. IT support providers, analysis experts, communication platform providers);
• third parties approved by you (e.g. when you request your details to be transferred);
• our professional advisers (e.g. auditors, law firms, insurers and brokers); and/or
• Government, regulatory and law enforcement bodies (e.g. Charity Commissioner, Police, Public Health authorities/bodies) where we are required in order:
a) to comply with our legal obligations;
b) to exercise our legal rights (e.g. pursue or defend a claim); and
c) for the prevention, detection and investigation of crime.
We may transfer your personal information to third parties in connection with any reorganisation, restructuring, merger, acquisition, sale or transfer of assets. In such cases, we will take the appropriate steps to make sure that such transfer is in accordance with the applicable DPL.
Less commonly, we may process and share your personal data where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.
We also impose data protection obligations on contracted third parties to ensure they can only use your data when providing services to us for the purposes listed above. These third parties cannot pass your details on to any other parties unless instructed to by us or required to do so by law.
Transferring Your Personal Information Globally
The personal information that we collect from you may be transferred to, and stored at, a destination outside the UK or European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the UK/EEA who work for us or for one of our service providers or we may share personal information with other companies within Serco Group located outside the UK/EEA.
In the event that your personal information needs to be transferred outside of the UK/EEA, we will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law(s) and carefully managed to protect your privacy rights and interests, and that transfers are limited to countries which are recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights. Our standard practice when transferring personal data outside the UK/EEA is to:
• Put in place binding corporate agreements, which will include the relevant adopted standard contractual clauses for transferring personal information outside the UK/EEA, to ensure that your information is safeguarded.
• Ensure that the country in which your personal information will be handled has been recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights.
• In the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into by all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
• Carefully validate any requests for information from law enforcement or regulators before disclosing the information.
We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.
8 Security of Your Personal Information
We take precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect personal data using a variety of security measures including (but not limited to): password protected access; data back-up; encryption; firewalls; and secure storage facility with appropriate security restrictions.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
9 How Long We Keep Your Personal Information
We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Policy. Where your information is no longer needed, we will ensure that it is disposed of in a secure manner. If you would like further details about our retention policies, please email us via the details below in section 11.
Listed below are the general criteria we use to determine how long we will keep your personal information, whereupon we will either delete or anonymise the data:
• We will continue to keep your personal information while we are providing services, or if we have an ongoing relationship with you (e.g. you are in receipt of support from the charity, or you have an ongoing complaint).
• We will retain unsuccessful applications and associated evidence for no longer than 12 months.
• We will retain successful applications and associated evidence for a maximum of 7 years (unless it is required for a longer period).
• We will retain general correspondence and papers (including emails) received by us (excluding complaints and investigations) only for as long as necessary and for a maximum of 12 months (unless it is required for a longer period).
• Our register of feedback, complaints and investigations will be retained only for as long as necessary and for a maximum of 12 months (unless it is required for a longer period).
• We will retain purchase orders, invoices and receipts for 7 years from the end of the last transaction.
Where not subject to the above, we will generally keep your personal data in accordance with any applicable limitation period (as set out in applicable law) plus one (1) year, to allow reasonable time for review and deletion or anonymisation of the personal information held. This will usually be seven (7) years following the expiry of our business relationship with you. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax and/or accounting requirements.
10 Your Legal Rights in Respect of Your Personal Information
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a “data subject access request”).
• Request correction of the personal information that we hold about you.
• Portability of the personal information you provided us, in certain situations.
• Request erasure of your personal information.
• Object to processing of your personal information by us or on our behalf.
• Request the restriction of processing of your personal information.
• Request the transfer of your personal information to another party.
• Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent.
Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request. We may also charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
If you would like to exercise any of these rights, please submit your requests to the Data Protection Office as detailed below in section 11. Subject to legal and other permissible considerations, we will make every effort to honour your request promptly or to inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we have to others, or if we are legally entitled to deal with the request in a different way.
11 Data Protection Office
If you have any questions about this Policy or how we handle your personal information, please address them to:
Data Protection Champion
Serco People Fund
16 Bartley Wood Business Park
Alternatively, please email firstname.lastname@example.org or call +44 (0)1256 745900.
We ask that you please first attempt to resolve any issues or concerns with us, although you have a right to contact the Information Commissioner’s Office (ICO) at any time and file a complaint where you believe there has been an infringement of data protection laws. The contact details for the ICO are available at: https://ico.org.uk/concerns or via telephone: 0303 123 1113. The ICO will then investigate your complaint accordingly.
13 Changes to this Policy
We may amend this Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check this page for the latest version of this Policy. If we change this Policy, we will post the details of the changes on this page. Any changes will be effective when posted.
This Policy was last reviewed and updated in February 2022.