
7.5.4 Customer Property - ISO 9001:2008 Intellectual Property


Marie Lawton
17th February 2009, 03:35 PM
In the new standard this section was changed to read as follows:

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records.

NOTE: Customer property can include intellectual property and personal data.

As the Quality rep. for a CD/DVD manufacturer I am looking at help in digital IP. Is there anyone with anything written for intellectual property for the 9001:2008 standard?

We have an audit in May to the revised standard, and the implication to my company is now greater than before.

Jeff Frost
17th February 2009, 04:06 PM
Marie,

If you could describe the type of customer intellectual property that would help. If it is related to motion pictures, television, or music then you will have to meet all applicable laws related to intellectual property.

Try contacting the following organizations for help:

Motion Picture Association of America (MPAA)
National Association of Broadcasters (NAB)

Marie Lawton
17th February 2009, 04:17 PM
Our company manufactures and prints CDs & DVDs for a variety of uses.

We currently make our customers sign an Intellectual Property form that ensures that they are owners of the content or can prove that they have the rights to distribute such content.

Our IP can include the following: digital, music, videos, images, company information. This content can be received via ftp, a hard drive, a disc or a dongle.

I am hoping to get some input on what companies are going to implement to incorporate the changes to the standard within their own manufacturing organizations.

Jeff Frost
17th February 2009, 06:59 PM
The standard gives you the basics of what must be done with intellectual property that will be incorporated into the product, which in your case would be DVDs and CDs. You will need to protect this information while it is in your custody to prevent theft of this material. If one of your customers finds that his or her property, while in your control, was sold, given or in some other way used without the owner's permission, your organization may be held liable for all unrealized revenue the customer may have received.

As I remember from when I worked in television production, intellectual property is intangible property as the result of creativity which may or may not be copyrighted, but the owner is afforded protection under the law for this creativity.

Because Clause 4.1 of ISO 9001 requires your organization to identify both statutory and regulatory requirements associated with the product or services you provide, you should seek legal guidance on what the law requires of your organization in regard to the protection of the customer intellectual property.

howste
17th February 2009, 10:09 PM
We have an audit in May to the revised standard, and the implication to my company is now greater than before.
Hi Marie,

I'm confused. Why is the implication now any different than before? If you met the requirements before, you should still be meeting them now.

ISO 9001:2000 said: NOTE Customer property can include intellectual property.
ISO 9001:2008 says: NOTE Customer property can include intellectual property and personal data.

Marie Lawton
18th February 2009, 09:59 AM
My concern stems from the external auditor we have. I am anticipating him to go in depth into this area. We have non-disclosure agreements, we have the IP agreement for distribution and ownership, but the gap I see is the protection of such property as it is transferred over an ftp site.

Before information was provided on a CD or DVD, now it comes over the computer. In addition, we do not have anything formalized for employees in the company. We are drafting a Terms and Conditions document with our legal currently, however, the belt and suspenders approach is always a good one for this area.

Our external auditor spent 5 1/2 hours with myself and the owners of the company auditing Management Review and that audit was only 2 days! He will latch onto this new wording and because of the nature of the business, will see what safeguards are in place.

Jeff Frost
18th February 2009, 12:09 PM
My concern stems from the external auditor we have. I am anticipating him to go in depth into this area. We have non-disclosure agreements, we have the IP agreement for distribution and ownership, but the gap I see is the protection of such property as it is transferred over an ftp site.


Then security of your computer systems must be sufficient to prevent loss of intellectual property through unauthorized internal or external access of this property. Look for a consultant who specializes in computer system security. Top management should take the lead on this because most IT personnel are not as well versed in system security as they should be.

Also, because of the nature of your business, you should also put some attention on the second part of the Clause 7.5.4 Note related to personal data. You also will need to protect customer credit card numbers and bank account numbers as part of the customer property that must be protected.

It is time for you to issue a formal preventive action (Clause 8.5.3) related to possible loss of personal data, as it appears that there is a concern about the loss of customer property. Working through the PA process should lessen any concern an external auditor may have regarding customer property.

Marie Lawton
18th February 2009, 12:25 PM
Jeff,

Your post was quite informative, thank you so much for pointing out areas for improvement. I appreciate the help! :D

ralphsulser
18th February 2009, 03:19 PM
Our external auditor spent 5 1/2 hours with myself and the owners of the company auditing Management Review and that audit was only 2 days! He will latch onto this new wording and because of the nature of the business, will see what safeguards are in place.

Wow, I think that is over the top. I have previously been involved in products that go into nuclear subs and the DOD inspector came in and approved every shipment and didn't get that involved in the approval process.

Sidney Vianna
18th February 2009, 04:10 PM
Then security of your computer systems must be sufficient to prevent loss of intellectual property through unauthorized internal or external access of this property. Look for a consultant who specializes in computer system security. Top management should take the lead on this because most IT personnel are not as well versed in system security as they should be.

Also, because of the nature of your business, you should also put some attention on the second part of the Clause 7.5.4 Note related to personal data. You also will need to protect customer credit card numbers and bank account numbers as part of the customer property that must be protected.

It is time for you to issue a formal preventive action (Clause 8.5.3) related to possible loss of personal data, as it appears that there is a concern about the loss of customer property. Working through the PA process should lessen any concern an external auditor may have regarding customer property.

I know that I have been accused of compartmentalization thoughts in the past, but....in the context of an ISO 9001 audit, data and information security is limited. ISO has developed ISO 27001 exactly to address the needs of organizations that have a need for implementing robust ISMS (Information Security Management Systems).

Wow, I think that is over the top. I have previously been involved in products that go into nuclear subs and the DOD inspector came in and approved every shipment and didn't get that involved in the approval process.

If the auditor spends 5 1/2 hours with top management, doing a meaningful assessment and value added investigation, s/he should be commended for that, IMHO.
Auditors tend to shy away from interacting with top management during audits. It is a MANAGEMENT system standard, after all. Auditors need to keep top management accountable for the system.

LarryCP
18th February 2009, 06:07 PM
This statement hasn't changed much from the ISO 9001:2000 version. It always included intellectual property, and now personal data was added. Personal data examples include health records, charge card info., etc.

So you would handle the intellectual property the way you always have done it.

Jeff Frost
18th February 2009, 06:16 PM
Sidney

You are right about the limited addressing of this in ISO 9001, and I was unaware of ISO 27001, but the note is there to tickle the funny bone of the implementer and the auditor. If this external auditor will spend 5.5 hours on management review, think of the fun she/he could have with this little guidance note at the end of 7.5.4.

JaneB
19th February 2009, 12:20 AM
As Sidney says, there's a Standard been developed specifically for Information Security MS, and if you needed to go for certification for that, it is more stringent and then you probably would need a specialist in same. But for this, surely normal IT security applies, using logons, changing passwords, etc etc.

ISO 9001, as howste points out, already included IP in the Note in the 2000 version, and have now simply added in that customer data is another example, to clarify. No major change IMO.

You would be expected to have systems or methods to take all reasonable care of your customer's property supplied to you, whether that is on CD or via the web.

I'd also expect/hope that you will have provided info to your customer along the lines of 'all reasonable care taken, but no total guarantee given'? You are not, I imagine, offering a 101% guarantee of security, nor meeting more stringent requirements (eg, for financial institutions): you're offering an 'all possible care taken'. And you should be able to demonstrate to an auditor (and of course to yourselves) what that 'reasonable care' consists of and how it works and how you assess whether it's adequate or not, and what you do about it if not.

I just don't see that there is any kind of huge change here. As for the 2008 version - it has, remember, no new requirements! Slight changes of wording, yes, clarifications, yes, but there are no new requirements.

Patrick lim
4th August 2009, 12:37 PM
Then security of your computer systems must be sufficient to prevent loss of intellectual property through unauthorized internal or external access of this property. Look for a consultant who specializes in computer system security. Top management should take the lead on this because most IT personnel are not as well versed in system security as they should be.

Also, because of the nature of your business, you should also put some attention on the second part of the Clause 7.5.4 Note related to personal data. You also will need to protect customer credit card numbers and bank account numbers as part of the customer property that must be protected.

It is time for you to issue a formal preventive action (Clause 8.5.3) related to possible loss of personal data, as it appears that there is a concern about the loss of customer property. Working through the PA process should lessen any concern an external auditor may have regarding customer property.

Hi Jeff Frost
Personal data in clause 7.5.4 note.
We, a dental implant manufacturer, do have personal data (account number, credit card number, etc.) of our customers (dentists). It leads us to update our QMS.

Question.
Every company has customers, and once they have a single customer they have some personal data of that customer. Does it mean that clause 7.5.4 cannot be excluded for any company?