External Storage of Data - ISO 9001 Clause 7.5.2 Validation of Processes

[FrameReader]

Hello,

Our company archives some of its documents with a document storage company. Some of the information contained in these documents has some bearing on the service that we provide. I'm not a lawyer but the language in our contract with the document storage company strikes me as being fairly minimal. They commit to providing 'ordinary care' to our documents, and that's about it.

If our stuff gets lost or destroyed, they'll reimburse us for the cost of the actual hardware (digital storage media), which is nice I guess, but if any of our archived info was ever lost or destroyed, being reimbursed for the cost of some digital media would rank low on our list of concerns.

So anyways, we decided it would be a good idea to pay a visit to the site where they store our stuff. I've heard it said that clause 7.5.2 of the Standard, while called 'Validation of processes for service provision' could also be thought of as basically being a 'do what you reasonably can to control external processes'.

The storage of these documents is certainly an external process. According to part (a) of the clause, we should define criteria for reviewing and approving these processes. So I figure, we'll have a look around their site, maybe see if they have some kind of sprinkler system to control fires, good security measures, security cameras ...

Do the experts in the cove have any ideas regarding what else we might want to look for here?

Thank you,
FrameReader

 

[pkost]

Re: 7.5.2 Validation of Processes

You suggest that they store hardware for you - is it networked and active? or is it just a store where you throw in your old harddrives? Are there any paper documents?

If it is all electronic you may want to consider duplicating and using an additional company to reduce any risk.

Regardless, a decent company may have a business contingency/continuity plan which should list all the measures they take to protect their business and your property.

 

[FrameReader]

Re: 7.5.2 Validation of Processes

You suggest that they store hardware for you - is it networked and active? or is it just a store where you throw in your old harddrives? Are there any paper documents?

If it is all electronic you may want to consider duplicating and using an additional company to reduce any risk.

Regardless, a decent company may have a business contingency/continuity plan which should list all the measures they take to protect their business and your property.

It is all electronic - not networked, it is basically just old harddrives, but those harddrives contain information that we should be able to access in case one of our clients has a question about things that happened in the past.

I agree that using an additional company would greatly reduce risk, but I'm quite sure that we won't go that route / would be cost-prohibitive.

Asking for a contingency plan sounds like a good idea. thanks pkost!

 

[The Specialist]

Re: 7.5.2 Validation of Processes

You should be sure that your contract with the third party contains a list of requirements specific to your storage needs that you can 'validate' or 'audit' to...

Your storage requirements may include:

Fire protection storage (sprinkler system or fire retarded storage)
Electro-magnetic protective storage
Storage area temperature/humidity requirements
Accessibility (availability/notice of availability) requirements
File/document database and file location requirements
Confidentiality requirements (third party accessibility)
Security Requirements
File delivery/removal requirements
Company audit/review periods

Etc…

Of course, it will depend on the media being stored!

 

[pkost]

Re: 7.5.2 Validation of Processes

You might want to be careful with old harddrives...I'll give you an example of 5.25 discs and to an increasing extent 3.5in discs - how would you retrieve information from them now? A few years ago every computer had a discdrive for 3.5in. In my office we now only have one. try to find a 5.25 reader!

With hard drives although it is less of an issue legacy connections may still become a problem - PATA used to be standard now most PC's use SATA and some don't even have a socket for PATA drives. You could end up going to a lot of effort retrieving the data!

With the rate at which harddrive capacity increases it may be worth just bundling all archived data onto a couple of large capacity drives every now and then.

 

[somashekar]

Re: 7.5.2 Validation of Processes

It is all electronic - not networked, it is basically just old harddrives, but those harddrives contain information that we should be able to access in case one of our clients has a question about things that happened in the past.

I agree that using an additional company would greatly reduce risk, but I'm quite sure that we won't go that route / would be cost-prohibitive.

Asking for a contingency plan sounds like a good idea. thanks pkost!

If it is not networked, then you are better off renting some safe deposit lockers offered by many banks to deposit your hard drives, provided they have some temperature control etc, established in the strong room.
Your document storage company must do much more than just providing storage.
Can you see if you can get access to any of your associate company / office where you can keep some fireproof cabinets and store them for safe keeping as a disaster management step and store a backup copy in similar fireproof cabinet in a safe place within your organization.
You may run a periodic check on the media to ensure that are stored safe and the data is retreiveable.