McPherson Document Solutions Ltd respects all data which is shared with us either from yourself or which is passed to us or that is available via the public domain. We aim to be clear when we collect your data and not to do anything you would not reasonably expect. We comply fully with the Data Protection Act 1998 (Z3133909) and General Data Protection Regulations (May 2018). This is a live document and will be reviewed on an ongoing basis. We will keep you fully up to date on any changes which directly impact on you. Our primary contact for GDPR Compliance is our Steven McPherson (email@example.com)
- We only collect data which either you pass to us or which we require to collect in line with the business needs and activities. This normally consists of; company name, VAT Number, company registration number, contact name, telephone number(s), email address, contact address, position within company and any financial details required to allow for payment of account. As well as any other information only relevant to meet the needs of the business.
Who do we share this data with?
- If you choose to be sent an invoice for the goods or services we provide, this data (such as client name, contact details, company name, purchase order and finance details) is shared with our invoice finance factor – Bibby Financial Services Scotland (https://www.bibbyfinancialservices.com/). The only data Bibby’s hold is required to manage the invoice factoring aspect of the business – i.e., company name, contact name, full address, telephone number and email address (these are passed to Bibby’s direct from McPhersons). Other debtor information is generated by Bibbys and is business data available in the public domain, i.e. vat number, Company registration, credit rating. This information is used to contact debtor via phone, email, fax and or post. No debtor data is shared with 3rd parties without consent. Data is held for max of 7 years, but can be deleted upon request from either the debtor or McPhersons. If you would rather this information was not shared with Bibby’s, please advise your contact at McPhersons prior to starting contract.
- For email marketing, we utilise the services of MailChimp – https://mailchimp.com/. Using their secure database, we record your email address. We only use this service for a yearly newsletter or to advise our full or specific client base of special offers or current news. You can opt out of this via link on the first email you receive from them.
- Confidential Destruction – Shredding. Once advised to do so (in the form of a signed Authorisation to Destroy has been received back from client) we utilize the services of a specialist in document shredding and recycling – http://securityshreddingscotland.co.uk/. Either our van is loaded with boxes and driven directly to the shredding facility where our team will physically view the boxes and files being shredded or a large 6 ton container is driven directly in to our warehouse. The container is lifted off the back of a lorry within our warehouse and warehouse doors are closed behind. Our own staff load the boxes of documents, drawings, microfilm etc in to the container manually. Once loaded, the doors of the container are closed and securely locked. The container is then uplifted directly from our warehouse and driven on the back of a lorry directly to the shredding centre in East Kilbride. Container is driven in to secure shredding area, container is tipped directly in to the shredder and all contents are destroyed to industry standard EN15713. A Certificate of Destruction is then provided and passed to client upon request. Shredded material is then recycled in to the likes of household tissues or kitchen roll etc. Once authorized to do so, all scans generated are removed from all production drives. Approx 6 months later, we will remove (delete) all scans from our backup server. This can be increased to 12 months if client requests.
- CCTV – When visiting our premises, our facility (external building and car park areas) is covered by a full colour and recording CCTV system owned and maintained by Ecosse Doors Ltd. The owner of which is also the landlord of the building we lease. Suitable signage is clear advising of this when visitors enter the car park and public areas. CCTV only covers external areas – car park and garden grounds.
Where do we collect information about you?
- When you give it to us directly – via email, verbal communication or in writing.
- When we receive it indirectly – websites or other relevant databases available within the public domain.
Keeping your information secure and up to date.
- We would appreciate if you let us know if your details change. Where required, we use publicly available sources to keep our records up to date.
- All staff (production, admin, sales and management) have received training and have signed agreements to demonstrate they understand their requirements to ensure GDPR compliance. This is continually reviewed and updated where and when required.
- Contact details (data such as email, phone, name), are held on password and / or fingerprint encrypted mobile devices (such as mobile phone, tablet / laptop) of both directors of the company. In addition, one admin pc workstation within McPhersons which is not accessible via our production network. This work station is password protected, runs current and up to date firewall and anti-virus systems and is backed up nightly to our online remote LiveDrive server.
- All staff are Disclosure Scotland checked, and sign Confidentiality Agreements on a yearly basis.
- All work is uplifted and delivered using company vehicles and by our own staff – external staff carry company identification.
- Our network router has two built in firewalls (NAT and SPI type).
- An additional Firewall protects all wireless stations.
- Each station (pc) has its own personal firewall running.
- Procedures are in place to ensure tracking of all data generated within production and admin.
- Each work station is password protected.
- Virus scans on all computers are scheduled to run on a regular basis. In addition, real-time virus scanning is also running at all times.
- Internet ports on production and all non essential internet pc’s are closed.
- Each station’s operating systems (OS) are updated with security patches when required.
- Station ports which are known to transfer common viruses are closed and this is reviewed on a regular basis.
- We have a strict secure shredding policy in place for all documents generated internally. All documents generated / printed containing personal or confidential information is shredded to industry standard EN15713.
- Production personnel are limited to what access they have, which is only data that is relevant for them to carry out their role within production – i.e. client name, company name and if required contact details. Contact details are normally limited to supervisor or management level.
- All hard drives containing data are formatted once they reach end of life to ensure all data is removed.
- All external media (cds / dvds / portable hard drives etc) are virus scanned by our Data Protection Officer
- Members of staff and visitors are not permitted to use personal external media devices (i.e., usb data sticks, PDA’s, mobile phones etc) on our network.
- We do not send data out with the EU – e.g. for indexing etc. All indexing work is carried out within our own premises.
- We use an agreed password with 256-Bit AES (Advanced Encryption Standard) encryption within a zip file when emailing or posting electronic data.
- All uplifts, prep, scanning and indexing of data (boxes / files etc) are carried out by our own staff using our own transport. This is not passed to any third party – unless advised otherwise.
- All scanned images / data we capture from clients paper or microfilm records are held on our secure intranet. Network, control panels and server points are held within a locked network cabinet, which is controlled by production director and production coordinator who are the only two key holders. For further details please see http://www.trmcpherson.co.uk.
- For further details on data security please see http://www.trmcpherson.co.uk.
How long do we keep data for?
- Our standard terms are for 7 years from last contact. However, if at any time you would like your contact details / data removed from our systems, please contact your representative at McPhersons
- Once we have scanned and returned our customers data, this is held on our finishing pc for 8 weeks. We then request direct to the customer in writing that they allow us to delete all scanned images we have created / worked on from our system. Therefore, scanned data is only held on our system for a limited amount of time.
Can I see what data you hold on me?
- Of course, please contact your representative at McPhersons. You should advise you wish a Subject Access Request (SAR). Your request will be looked upon immediately and information forwarded to you at no cost to yourself, in digital form and as soon as possible.
- In the highly unlikely event that McPhersons experience a data breach which directly effects your personal data, we will contact you without hesitation. You will be kept up to date on any investigations which follow.