Sending Internal Documents to External Customers/Parties

[TacitBlue]

What is best practice for sending internal QMS procedures or documents to outside customers or parties?

Currently, we watermark, PDF, and password-protect each document before sending.

What other factors should be considered when sending? Should contractual requirements be reviewed or discussed, or what else should be done?

Above all, just want to make sure that our process for sending out documents is robust.

Thank you.

 

[japayson]

Have you considered a non-disclosure agreement with the organization receiving the documents?

 

[Randy]

Have you considered a non-disclosure agreement with the organization receiving the documents?

NDA's are only as good as the honesty and ethics of the person that signs them.

What is best practice for sending internal QMS procedures or documents to outside customers or parties?

An out of date practice........Common sense. Also a play on an old phrase "Trust but verify" Trust that the need is an honest one and verify the use of the documents to meet that need alone.

 

[Mike S.]

We tell most people requesting copies of our QMS docs that they can view them on site but we don't send out copies. That can backfire and trigger an on-site audit which is usually more painful, so we decide on a case-by-case basis.

Does the external customer really have a valid need to see a document?

We get some customer surveys that are so asinine, asking stupid questions like "do you have a process for document control?" after asking us to send them our AS9100 cert. Then they'll ask for a copy of every document. Ahhhh...no.

 

[Rob_Kellock]

With every management system I develop I also provide a manual. The manual is no longer a requirement under most of the ISO standards, but if the manual details the organisations's purpose and scope of the business and certification. It details the organisational structure and key responsibilities. It also provides an index of any internal documents used to satisfy the requirements of the standards. When it comes to tenders or clients asking for proof of your system you send them that document. It tells them almost all they need to know without handing over any real detail or IP. Sure, they are probably going to ask you for something in addition to this or to see one of those procedures, and then you still need to have a policy about what you will and won't share. However, often you'll get away with just that document and your policies. Policies are often published on websites these days anyway so not usually considered IP.

I agree with Mike S that some will ask for every document, but even then they tend to ask for high-level process documents, which don't tend to be where your IP is stored.

 

[mattador78]

We tell most people requesting copies of our QMS docs that they can view them on site but we don't send out copies. That can backfire and trigger an on-site audit which is usually more painful, so we decide on a case-by-case basis.

Does the external customer really have a valid need to see a document?

We get some customer surveys that are so asinine, asking stupid questions like "do you have a process for document control?" after asking us to send them our AS9100 cert. Then they'll ask for a copy of every document. Ahhhh...no.

Thats happened to me twice and on both occasions it was our customer changing to us as a supplier and the end user was asking for more information to justify the change. Strangley though on both occassions they were changing from a none AS accredited supplier to ourselves who are AS certified, i think it had more to do with the price increase and their ability to show justification through our process controls.

 

[Sidney Vianna]

What is best practice for sending internal QMS procedures or documents to outside customers or parties?

Best practice from a security standpoint is to provide read-only, password protected, download disabled, limited access time to docs via portal. Obviously, the viewers can still do screen capture of what they see online, but making things harder for them to steal information tends to discourage major data breaches. On top of that, any export control sensitive data must NEVER be shared, as that would violate ITAR regulations.

 

[Randy]

Just got a couple process maps and a system manual today. They weren't asked for but the folks sent them anyway ahead of a remote audit.

Sidney's right about screen shots (I get a rash when I say Sidney is right).

 

[Ed Panek]

It depends on the customer. Money talks and other stuff walks as they say. We usually don't send any SOPs or records outside our control. We offer to screen share them to let them review us with them. For our ISO audits, we create a drop box to share them. Our relationship with our ISO auditor is more trusting though.

 

[DannyVerbiest]

It might not always seem an option at first but try to avoid sending complete internal files to external parties. Often it is sufficient to screen share or screenshot a section to your client