Confidentiality of Customer Information in ISO 9001?

[Sidney Vianna]

This is analagous to stating that ISO 9001 requires back-up of electronic records. And I have seen a number of auditors who firmly believe that to be the case.

Sometimes people read too much into a requirement.

Jan summed up the best. Certain customer data (not all) needs to be kept confidential, and that should be specifically dealt with via some type of contractual arrangement.

 

[Paul Simpson]

This is analagous to stating that ISO 9001 requires back-up of electronic records ...

Sometimes people read too much into a requirement.

Thank you, Sidney. Perhaps you'd care to share your thought process.

I did mine.

 

[Phil Fields]

Interesting replies! So is there a final opinion or ruling as to the ISO 9001 requirement on confidentiality?

Phil

 

[Stijloor]

Interesting replies! So is there a final opinion or ruling as to the ISO 9001 requirement on confidentiality?

Phil

Phil,

You've been here long enough to know that some threads never end. The dialogue continues or may end inconclusive. Every Cover has to make up their own mind...

Stijloor.

 

[Colin]

This is analagous to stating that ISO 9001 requires back-up of electronic records. And I have seen a number of auditors who firmly believe that to be the case.

Sometimes people read too much into a requirement.

Jan summed up the best. Certain customer data (not all) needs to be kept confidential, and that should be specifically dealt with via some type of contractual arrangement.

Hmmm, interesting point Sidney. So if an organisation keeps records in an electronic form and does not do back-ups, how do they ensure records are protected?

 

[Sidney Vianna]

Hmmm, interesting point Sidney. So if an organisation keeps records in an electronic form and does not do back-ups, how do they ensure records are protected?

Well, depending on the media the electronic records are stored, protection could be as simple as ensuring that the devices used to store the data are physically protected from the elements, fire, water damage, etc...

If you understand that ISO 9001 mandates back-up of electronic records (as means of protection), why don't you enforce the same policy for hard copy records? Why would an auditor have a double standard between electronic and paper records?

It should be unnecessary to state, but....obviously electronic data back-up is a wise thing to do and business continuity concerns reminds us of that. However, in my opinion, ISO 9001 does not mandate such practice. That's all.

 

[Colin]

I see your point Sidney and agree that there is a need to protect records no matter what the media. I guess that paper records are more likely to remain safe unless there is a fire/flood situation whereas electronic records are more prone to loss via additional means such as accidental deletion, corruption, mechanical failure, etc and therefore need more protection.

I even wonder about the method of backing up too. It is obviously good practice but I fear that some organisations are putting too much faith in memory sticks (USB flash drives). They are very convenient but not overly reliable and easy to lose.