What to Look for in a Secure Scanning Provider

When your documents leave your premises for scanning, you are entrusting a third party with potentially sensitive information — personal data, financial records, legal documents, medical files. The scanning provider becomes a data processor under GDPR, and you remain responsible for the security of that data. Choosing a provider with robust security is not optional — it is a legal obligation.

Physical Security

Security starts with the building. Your documents will spend days or weeks at the scanning facility, and during that time they need protection equivalent to or better than what they had at your premises.

Facility Access

A properly secured scanning facility restricts access to authorised personnel only. Look for:

  • Electronic access control (fob or keypad entry) — not just a locked door with a shared key
  • Visitor sign-in and escort requirements — visitors should not wander the facility unaccompanied
  • Separate secure areas for document storage and scanning — not a general-purpose warehouse
  • Restricted zones within the facility for highly sensitive material
  • Alarm systems with monitoring, ideally 24/7 by a professional security company

CCTV

CCTV should cover all entry points, document storage areas, scanning rooms and corridors. Recordings should be retained for a minimum of 30 days. Ask whether CCTV is actively monitored or only reviewed after incidents. The presence of cameras is a deterrent, but recorded footage is what matters for accountability.

Document Handling

From collection to return, your documents should be traceable. A secure provider maintains a chain of custody log — recording when documents were collected, who received them, where they are stored in the facility, which operator processed them, and when they were returned or destroyed. If a box goes missing, they should be able to identify exactly where the chain broke.
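As an added illustration (not code from this page or from any provider), the following Python check walks a constructed chain-of-custody log in the stage order described above and reports the first point at which a box's chain breaks; all box ids, names and timestamps are made up:

```python
from dataclasses import dataclass

# Custody stages in the order described above, from collection to disposal;
# "returned" and "destroyed" are the two acceptable final stages.
REQUIRED = ["collected", "received", "stored", "scanned"]
FINAL = {"returned", "destroyed"}

@dataclass(frozen=True)
class CustodyEvent:
    box_id: str
    stage: str
    timestamp: str  # ISO 8601 text, so lexical order is chronological order
    handler: str    # who signed for the box at this stage
    location: str   # where the box was at that point

def find_chain_break(events, box_id):
    """Return None if custody of box_id is continuous and complete, otherwise
    a one-line description of the first point at which the chain breaks."""
    log = sorted((e for e in events if e.box_id == box_id), key=lambda e: e.timestamp)
    if not log:
        return f"{box_id}: no custody record at all"
    expected = REQUIRED + ["returned/destroyed"]
    idx, last = 0, None
    for e in log:
        want = expected[idx]
        ok = e.stage in FINAL if idx == len(REQUIRED) else e.stage == want
        if not ok:  # a stage was skipped or recorded out of order
            prev = last.stage if last else "start"
            return f"{box_id}: after '{prev}' expected '{want}', got '{e.stage}' at {e.timestamp}"
        last, idx = e, idx + 1
        if idx == len(expected):
            return None  # box reached a final stage with no gaps
    return f"{box_id}: chain stops after '{last.stage}' (last seen {last.location}, signed by {last.handler})"

# Constructed sample log: BOX-A has an unbroken chain; BOX-B was received and
# scanned but has no storage entry; BOX-C was collected and then vanishes.
SAMPLE_LOG = [
    CustodyEvent("BOX-A", "collected", "2024-03-01T09:00", "J. Smith", "client site"),
    CustodyEvent("BOX-A", "received", "2024-03-01T11:30", "R. Patel", "goods-in dock"),
    CustodyEvent("BOX-A", "stored", "2024-03-01T12:00", "R. Patel", "secure store bay 4"),
    CustodyEvent("BOX-A", "scanned", "2024-03-04T10:15", "L. Chen", "scan room 2"),
    CustodyEvent("BOX-A", "returned", "2024-03-08T14:00", "J. Smith", "client site"),
    CustodyEvent("BOX-B", "collected", "2024-03-01T09:00", "J. Smith", "client site"),
    CustodyEvent("BOX-B", "received", "2024-03-01T11:30", "R. Patel", "goods-in dock"),
    CustodyEvent("BOX-B", "scanned", "2024-03-04T10:40", "L. Chen", "scan room 2"),
    CustodyEvent("BOX-C", "collected", "2024-03-01T09:00", "J. Smith", "client site"),
]
```

A real provider's log will have more fields, but the useful test is the same: can every box be followed from collection to its final stage without a gap, and if not, where is the gap?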

Staff Vetting

The people handling your documents matter as much as the building they work in.

  • DBS checks: All staff who handle client documents should have current Disclosure and Barring Service (DBS) checks — at minimum a Basic check, ideally a Standard check for those handling sensitive personal data
  • Employment references: Verified employment history and references before hiring
  • Confidentiality agreements: Written agreements signed by all staff covering obligations during and after employment
  • Training: Documented data protection and information security training for all staff, with regular refresher sessions — not a one-off induction

Data Security

During Scanning

  • Scanned files stored on encrypted storage during the project — not on open network shares accessible to all staff
  • Workstations used for scanning should not have internet access or USB ports (preventing data exfiltration)
  • Each project should be segregated — operators working on your project should not have access to other clients’ data simultaneously

Data Transfer

  • Scanned files delivered via encrypted transfer — SFTP, encrypted cloud link, or encrypted physical media
  • Unencrypted email attachments are not acceptable for anything containing personal data
  • If physical media (USB drive, hard drive) is used for delivery, it should be encrypted with AES-256 or equivalent
  • Confirm that TLS 1.2 or higher is used for all electronic transfers

Data Retention and Destruction

After the project is complete and you have confirmed receipt of all files, what happens to the data on the provider’s systems?

  • A defined data retention period — typically 30-90 days for quality assurance purposes, then secure deletion
  • Documented secure deletion process — not just “deleting files” but overwriting or destroying storage media
  • Written confirmation of data destruction on request
  • If physical documents are to be destroyed after scanning, this should be done to EN 15713 standard with a certificate of destruction

Certifications and Standards

  • ISO 27001: The international standard for information security management. The most important certification for a scanning provider handling sensitive data. Requires systematic risk management, documented security controls, regular audits and continuous improvement
  • ISO 9001: Quality management system — ensures processes are documented, consistent and continuously improved
  • Cyber Essentials: UK government-backed scheme covering basic cyber security controls — firewalls, secure configuration, access control, malware protection and patch management
  • BS 10008: Relevant if scanned copies need to carry legal evidential weight — ensures the scanning process is trustworthy and auditable

Data Processing Agreement

Under GDPR, any scanning provider handling personal data must sign a Data Processing Agreement (DPA) with you. This is a legal requirement, not optional. The DPA should specify:

  • What data is being processed and for what purpose
  • How long the provider retains data after the project
  • Security measures the provider implements
  • Sub-processor arrangements (does the provider use any third parties?)
  • Breach notification obligations — the provider must notify you within 72 hours of discovering a data breach
  • Your right to audit the provider’s compliance
  • What happens to data at the end of the contract

If a scanning provider does not have a standard DPA ready to share, or resists signing one, this is a significant red flag.

Security Checklist

Before committing to a provider, confirm:

  • ISO 27001 certified (or working towards it with a clear timeline)
  • DBS-checked staff
  • Electronic access control and CCTV at the facility
  • Encrypted data storage and transfer
  • Documented chain of custody for physical documents
  • Standard Data Processing Agreement available, and the provider willing to sign it
  • Defined data retention and secure destruction policy
  • Breach notification process in place
  • Willing to allow a facility visit or audit

Get a Free Quote

Every project is different, so the best way to understand your options is to get in touch with our team. We provide clear, no-obligation advice — usually within the same day.

Call us on 01691 650355 or use the form below.