Customer Property ISO 9001:2008 Clause 7.5.4 - Does this include E-mails?

Jim Green

Customer Property

The new note states that "Customer Property can include intellectual property and personal data..."

How do Customer e-mails fall into this?

IE a customer e-mails over a disposition for material. (OK to release per me).
Is this considered personal data that needs to be identified, verified, protected and safeguarded?:(

I think our Registrar is going to go down this road!
 

Jim Wynne

Leader
Admin
Re: 7.5.1 Customer Property ISO 9001 2008 Does this include E-mails???

Customer Property

The new note states that "Customer Property can include intellectual property and personal data..."

How do Customer e-mails fall into this?

IE a customer e-mails over a disposition for material. (OK to release per me).
Is this considered personal data that needs to be identified, verified, protected and safeguarded?:(

I think our Registrar is going to go down this road!

I think the contents of the e-mail would bear on the intellectual property/personal data aspect. In your example, you would want to keep a record of the disposition anyway, no? What the standard is concerned with (in general) are things such as proprietary information (drawings, specifications, pricing information, etc.) that could cause harm to the customer if divulged. Sensitive information should be accessible only to those who need to be able to see it in order to fulfill the contract.

Also, with regard to e-mail, most companies have a standard notice that's appended to all outgoing messages, something like this one from a message I received recently:
The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

It's a little bit silly because the customer knows that some messages will likely be read by someone other than "...the person(s) named above." Nonetheless, it's a reminder that information that could be considered sensitive should be guarded from indiscriminate distribution.
 
JaneB

Excellent advice from Jim W

Jim G, a Note is just to add some 'elucidation' on how to interpret a requirement. So when it says it 'can include' it's just giving you a couple of examples. As Jim W says, a disposition may well be IP. Personal, no. But as with anything else, you pick out the bits that do apply in your company.

And in any case you'd want to do these things wouldn't you?
  • identify it - eg, store it in a Customer file or 'Dispositions' folder or print out the email or whatever
  • verify it - presuming it came from a valid customer email address this would take very little time! But if perhaps the info in it sounded way off beam, I'd expect you to query it with the customer to ensure it's correct, and then
  • protect and safeguard it - same thing really, but this is where your virus protection, controlled logons to your system IT etc, storage of info under suitably controlled conditions come in
 
Apart from the fresh note, we interpreted it that way long ago, and have a short and sweet written procedure from 2003, named Confidential information. Basically, it states that any information that in the wrong hands could inflict damage on our customers shall be treated as business secrets, and be available only to the concerned customer and ourselves.

The above goes without saying, but it is good to have it in writing: Customers appreciate it.

/Claes
 
JaneB

The above goes without saying, but it is good to have it in writing: Customers appreciate it.

Yes, I agree. And think at times it's useful to have stuff that 99.9% of people think 'goes without saying' to guard against that 0.1% of unethical shysters who don't quite get it.
 