Employee Data Privacy Policy - ISO 9001:2015 requirement(s)?

[Brizilla]

I'm implementing a new ISO 9001:2015 system for a logistics and fulfillment company. One of their SOP's is a privacy policy for their customers. Under 7.5 should their Privacy Policy include their own employees? There's nothing in the employee handbook about it. Oh, great Sages...enlighten me. I don't want to add something unnecessary.

 

[John C. Abnet]

Under 7.5 should their Privacy Policy include their own employees?

Good day @Brizilla ;
Be careful not to "read" more than the standard requires. The only thing the standard requires specific to this is that "REQUIRED" documentation is "adequately protected". The organization (including consideration of any customer requirements, e.g.; documents of external origin/NDA, etc...) must determine what is "required" and what is "adequately protected".

1- We" can not answer this question. Only the organization can answer this based on their NEEDS. Assuming this is an existing organization, then what is the CURRENT policy/requirement/approach? Don't add requirements and burdens simply for the sake of adding.
2- When you state "you" are implementing..... I am hoping that this does not imply the organization and their top management are not inputting and taking responsibility regarding the QMS (I state this because all too often I have observed an "individual" ----"Implementing" instead of developing within the existing organizational leadership and approach.)

Food for thought.

Hope this helps.

Be well.

 

[yodon]

What, specifically, is driving the privacy policy? That sounds as @John C. Abnet notes, beyond the standard. There certainly are regulations for information protection so you need to understand what's in play.

 

[Johnnymo62]

I'm sure the company has some human resources type of requirements for their employees. SSN, medical info, home address, financial info, etc.

 

[Brizilla]

Thank you for the answers.
"When you state "you" are implementing..... I am hoping that this does not imply the organization and their top management are not inputting and taking responsibility regarding the QMS "
They hired me specifically to implement ISO, and yes I'm working with all the stakeholders and getting managers more involved with each other.

 

[John Broomfield]

Ask your client how they have already implemented this policy within their management system.

After all, you are respecting the system they already have for determining and fulfilling customer requirements as you help them to develop it.

Be careful with your phrase “implementing a new ISO 9001:2015 system” because it suggests you are about to impose your ISO system on their organization.

 

[Sidney Vianna]

Under 7.5 should their Privacy Policy include their own employees?

Despite the fact that ISO 9001 talks about identification of issues for relevant stakeholders, privacy of employee data is something that is not under the ISO 9001 realm. Having said that, please note that there are regulations out there dealing with data privacy, GPDR as an example. So, chances are, the organization might have to have controls on employee data privacy and protection, but that is NOT due to ISO 9001.