About this cookie policy

This Cookie Policy explains what cookies are and how we use them. You should read this policy to understand what cookies are, how we use them, the types of cookies we use i.e, the information we collect using cookies and how that information is used and how to control the cookie preferences. For further information on how we use, store and keep your personal data secure, see our Privacy Policy.

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Your consent applies to the following domains: parrisandmcnally.co.uk

What are cookies ?

Cookies are small text files that are used to store small pieces of information. The cookies are stored on your device when the website is loaded on your browser. These cookies help us make the website function properly, make the website more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.

How do we use cookies ?

As most of the online services, our website uses cookies first-party and third-party cookies for a number of purposes. The first-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.

The third-party cookies used on our websites are used mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing advertisements that are relevant to you, and all in all providing you with a better and improved user experience and help speed up your future interactions with our website.

What types of cookies do we use?

Essential: Some cookies are essential for you to be able to experience the full functionality of our site. They allow us to maintain user sessions and prevent any security threats. They do not collect or store any personal information. For example, these cookies allow you to log-in to your account and add products to your basket and checkout securely.

Statistics: These cookies store information like the number of visitors to the website, the number of unique visitors, which pages of the website have been visited, the source of the visit etc. These data help us understand and analyze how well the website performs and where it needs improvement.

Marketing: Our website displays advertisements. These cookies are used to personalize the advertisements that we show to you so that they are meaningful to you. These cookies also help us keep track of the efficiency of these ad campaigns.

The information stored in these cookies may also be used by the third-party ad providers to show you ads on other websites on the browser as well.

Functional: These are the cookies that help certain non-essential functionalities on our website. These functionalities include embedding content like videos or sharing contents on the website on social media platforms.

Preferences: These cookies help us store your settings and browsing preferences like language preferences so that you have a better and efficient experience on future visits to the website.

How can I control the cookie preferences?

Should you decide to change your preferences later through your browsing session, you can click on the “Privacy & Cookie Policy” tab on your screen. This will display the consent notice again enabling you to change your preferences or withdraw your consent entirely.

In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. To find out more out more on how to manage and delete cookies, visit wikipedia.org, www.allaboutcookies.org.


GDPR Policy 

Last Reviewed May 2019 

This policy is based on ensuring that PARRIS & MCNALLY meet the Eight principles of Data Protection. 

The Data Protection Act sets out the eight principles with which the PARRIS & MCNALLY and its employees, contractors and suppliers (PARRIS & MCNALLY) must comply whenever it processes personal data.  

The Data Controller is Colin McNally.  

GDPR Training can be gained through utilising Business Gateway training courses, utilising the GDPR checklist (available from Colin McNally), or from other training support that is available.  

Before 25th May 2018 you should check any information you individually hold on personal computer drives or in paperwork and safely destroy anything that the council does not have a legal reason to retain. Make sure old information is destroyed. 

KEY MESSAGE – Only use the minimum amount of data to get the job done 

What is Personal Data?

When we say ‘personal data’ we mean identifiable information about you, like your name, email, address, telephone number, bank account details, payment information, support queries, community comments and so on. If you can’t be identified (for example, when personal data has been aggregated and anonymised) then this notice doesn’t apply.  

These stipulate that the data must: 

  1. ‘Be collected and processed fairly and lawfully’

In order for us to process data ‘fairly’, we should: 

ensure that we have a legitimate reason to obtain or process the data 

the Data Subject must be made aware that their data is being used and their consent obtained. They must never be deceived or misled – they must have a clear understanding of the reasons for which it is proposed that their data be used 

  • If any sensitive personal data is involved Data Subjects must have provided their express consent to the processing 
  • Care needs to be taken to ensure that personal data is only ever obtained from a person who is legally authorised to supply it. 

Financial Data 

As part of the Engagement process completed with clients then GDPR guidelines will be included within this, this includes holding personal, private, tax and other related information for the purposes of the needs of their financial planning, financial forecasting or completion of personal tax submissions or similar. 

The main issues raised by this principle are; 

All personal data which is processed by PARRIS & MCNALLY must be covered by our Registration with the Information Commissioner. Most routine uses of personal data by staff will be covered by our Registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please ensure you have contacted the client and gained there consent for obtaining the information. Initial engagement forms should meet this requirement.  

  • personal data held for one purpose should not be used for another 
  • personal data must not be disclosed to any third person (other than those described in the University’s Registration in certain circumstances), so take great care when you receive a request for data from a third party (see guidance on disclosing data). 
  1. ‘Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held’ 

To ensure compliance: 

  • you should not collect any personal data not strictly necessary for the purpose it is obtained. If you are obtaining or holding any sensitive personal data take special care to properly consider its necessity 
  • records should also be unambiguous, accurate and professionally worded.  ‘Be accurate and, where necessary, be kept up to date’  

Personal data must not be inaccurate or misleading to any matter of fact. This applies to information from a third party. The source of information should always be included on records. 

  1. ‘Be held no longer than is necessary for the registered purpose’

Failure to remove data when its purpose has been served is a breach of the Data Protection Act. As PARRIS & MCNALLY needs to hold and process personal data for a variety of different legitimate reasons, it is not always possible to stipulate how long particular data should be retained. HMRC require data to be held for a minimum of six years.  

PARRIS & MCNALLY also will access data through HMRC IT systems and therefore data will be held for longer on these systems and will be covered by HMRC Data Protection guidelines. 

PARRIS & MCNALLY need to decide on a case-by-case basis when data should be destroyed. 

  1. ‘Be processed in accordance with the rights of the Data Subjects under the Act’

PARRIS & MCNALLY must ensure that all personal data is processed in accordance with the rights of Data Subjects, who can:

  • make Subject Access Requests to find out what information we hold about them, the purposes for which it will be used and to whom it has been disclosed 
  • prevent processing for the purposes of direct marketing or the processing of data which is likely to cause them substantial damage or distress 
  • ask, if appropriate, to have the data corrected or deleted 
  • be informed about automated decision-making processes that affect them and prevent significant decisions that affect them from being made solely on automated processes.
  1. ‘Be held under secure conditions, together with appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’ 

Access to personal data will only be granted to staff insofar as is necessary for legitimate operational purposes. The personal or private use of personal data held by the PARRIS & MCNALLY is strictly forbidden. 

All staff with access to personal data must be mindful that they play a role in ensuring that it is always kept securely. They must familiarise themselves with PARRIS & MCNALLY’s Data Protection Policy and follow our guidance on data security. 

PARRIS & MCNALLY have obtained and will continue to obtain Cyber Resilience Certification.  

  1. ‘Not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data’ 

Personal data must not be transferred to a country outside European Economic Area unless: 

explicit consent has been obtained from the Data Subject(s)  

  • the data has been completely anonymised 
  • that country ensures an adequate level of protection for Data Subjects 
  • a contract is in place with the recipient of the personal data, which puts the necessary safeguards in place.

Special care should be taken when travelling with a laptop or other mobile device which contains personal data. 


Processing Personal Data 

At least one of these must apply whenever you process personal data.  

There may be more than one. Select the one which is appropriate to the activity you are doing:  

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent. 
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. 
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). 
  • Vital interests: the processing is necessary to protect someone’s life. 
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

It is essential data breaches and near misses are reported immediately to your line manager.

We should not be holding data on the following; 

Special data is: Special categories of personal data that reveals:  

  • racial or ethnic origin;  
  • political opinions; 
  • religious and philosophical beliefs; 
  • Trade Union membership; 
  • genetic data; 
  • biometric data for uniquely identifying a natural person; and 
  • sex life and sexual orientation.