Auditor Confidentiality vs. Liability

JShell55

Hi, forum: I'd be interested in your reaction to this hypothetical:

As part of the ISO9001 requirement for compliance to regulatory and customer requirements, let's say hypothetically I audit a chemical storage area. I see some chemicals stored, and look up the MSDS, and find that some chemicals with a potential explosion hazard are being improperly handled, plus being stored very near some improperly stored flammable materials... are you with me? Imminent potential of a major disaster. Could happen in 20 years, could happen in 20 minutes.

I am under confidentiality to the company, my certifying body, and the consulting company that I am sub-contracting for.

However, I've hypothetically uncovered a situation which is an imminent safety danger. Of course, I would hypothetically communicate this to management first.

What would be my hypothetical responsibility to report a situation like this to the local authorities, ex: fire marshal, EPA or OSHA?

If the company decides not to fix it, and there is a catastrophe, there will be plenty of finger pointing and the argument can be made that I, as an agent of the company, could be sued at some point by some grieving widow, or even end up in jail if it is later discovered that laws were violated and I detected the situation and did not report it.

However, it would be outside my confidentiality agreement, as an agent of the company, to do so.

So, what would you do.... hypothetically...?
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Welcome to the Cove!

Is this an internal audit? If it is, the auditor first tells the immediate manager, and does not fail to inform higher management in specific terms what was found, the risks and the codes being violated. If you are not convinced the problem is at once rectified, placing a call to the authorities is supposed to be protected under the Whistle Blower Act.

I welcome input about 2nd and 3rd party auditor responses to this upsetting kind of scenario.
 

Jim Wynne

Leader
Admin
With the obligatory "I'm not a lawyer" out of the way, I would think that confidentiality agreements between auditors (and their management) and auditees are mainly intended to discourage sharing of intellectual property, trade secrets, and generally information regarding processes and operations thereof. I can't imagine a situation in which a person who sees and reports a "clear and present danger" is found liable for violating a business confidentiality agreement.

That being said, anyone who does report such a thing had better be durned sure of what she's reporting, because if she's wrong, it could lead to a lot of trouble. The best thing to do if you're concerned about this sort of thing beyond the idle speculation level is to talk to an attorney about it.
 

harry

Trusted Information Resource
If 'hypothetical' means it had not happened, you should discuss with the party who contracted you, who is also the one having a direct contract with the customer.

If it had already happened, I would record it in black and white, inform the party who contracted my service also in black and white and let them handle the issue from thereon.

I recognize that laws in other countries like the US might be different.
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
I recall in my ISO 14001 lead auditor training a case study regarding a compliance finding. I believe that we, the students, all said that we would write up the find to the effect of "Regulation XXX-123 is not being adhered to" and we were promptly told we were wrong by the trainer.

We are not compliance auditors (or experts)....we are ISO 14001 auditors. We were not conducting a compliance audit...we were conducting an ISO 14001 audit. There was also the issue of opening ourselves up professionally to liability issues.

Apparently we were to write up the finding indicating an issue with the organization's internal process for verifying compliance to applicable regulations or something to that effect.

It's pretty much aligned with Jim's comment about being 100% confident of the issue.
 
Geoff Withnell

Given I am sure of my facts (and I would document in great detail, including sketches, etc. if I couldn't take actual photos), I would be guided by Article 1 of the ASQ Code of Ethics:

Article 1 – Hold paramount the safety, health, and welfare of the public in the performance of their professional duties.

Again with the caveat that I am not a lawyer, I believe the legal term for a confidentiality agreement to remain silent about the violation of the law is "conspiracy", a crime in itself. Certainly work within organizational channels first, but if one has reason to believe that's not working, go public. Those here who have professional licenses, e.g. PE, are even more duty bound to report. Whistle blowers do get negative consequences sometimes, maybe even often. But it is the right thing to do. We are not talking about writing up non-compliances, or revealing confidential information. We are talking about possibly saving lives! It is a little disturbing to me that there is this much doubt on the issue.

Geoff Withnell
 

Stijloor

Leader
Super Moderator
Friends,

In my Motherland there's a saying:

Hij die zwijgt, stemt toe.

meaning:

He who keeps silent, agrees.

Very tragic examples in the news lately....

Stijloor.
 
Geoff Withnell

English Common Law principle is the same: "Silence gives consent."

Geoff Withnell
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
> I recall in my ISO 14001 lead auditor training a case study regarding a compliance finding. I believe that we, the students, all said that we would write up the find to the effect of "Regulation XXX-123 is not being adhered to" and we were promptly told we were wrong by the trainer.
>
> We are not compliance auditors (or experts)....we are ISO 14001 auditors. We were not conducting a compliance audit...we were conducting an ISO 14001 audit. There was also the issue of opening ourselves up professionally to liability issues.
>
> Apparently we were to write up the finding indicating an issue with the organization's internal process for verifying compliance to applicable regulations or something to that effect.
>
> It's pretty much aligned with Jim's comment about being 100% confident of the issue.

Eh? Since following regulations is part of the ISO 14001 standard I do not understand the position your instructor took because following regulations is part of the requirements under 14001.

But there is the process approach. A fire or explosion would be bad because it could result in airborne escape of chemicals under control of the EMS, so the organization's risks of explosion or fire should be identified as aspects and operational controls should be designed based on those aspects and risks, to avoid explosion or fire. Chemical storage is of course an important part of an EMS and should be treated as a process/functional area. Chemicals should not be stored in such a way that they could react to each other, for example acids and solvents should be separated. Adequate ventilation should be in place to prevent buildup of toxic/combustible gases.

In my view a good auditor should be able to understand these things and can observe the storage arrangement and examine the process used to identify and control risks. If a sound process exists but is not being followed an auditor should be able to call out a nonconformance that is urgent enough to require immediate action. If no process exists or there is no evidence it's been used for this area the auditor can call that out as a nonconformance. I am absolutely interested in what our CB members say about this.

I am wondering if this is a registration audit or a consultant's audit on independent contract.
 

Randy

Super Moderator
If you are in the US and are an employee of the company you have an absolute (and protected by anonymity) right to file a complaint with OSHA... https://www.osha.gov/workers.html

If you are a 3rd party, like me, you have an obligation to report the information to the organization, and in my case to my employer as well.

There are many, many variables in a situation like this.
 