External Storage of Data - ISO 9001 Clause 7.5.2 Validation of Processes

F

FrameReader

#1
Hello,

Our company archives some of its documents with a document storage company. Some of the information contained in these documents has some bearing on the service that we provide. I'm not a lawyer but the language in our contract with the document storage company strikes me as being fairly minimal. They commit to providing 'ordinary care' to our documents, and that's about it.

If our stuff gets lost or destroyed, they'll reimburse us for the cost of the actual hardware (digital storage media), which is nice I guess, but if any of our archived info was ever lost or destroyed, being reimbursed for the cost of some digital media would rank low on our list of concerns.

So anyways, we decided it would be a good idea to pay a visit to the site where they store our stuff. I've heard it said that clause 7.5.2 of the Standard, while called 'Validation of processes for service provision' could also be thought of as basically being a 'do what you reasonably can to control external processes'.

The storage of these documents is certainly an external process. According to part (a) of the clause, we should define criteria for reviewing and approving these processes. So I figure, we'll have a look around their site, maybe see if they have some kind of sprinkler system to control fires, good security measures, security cameras ...

Do the experts in the cove have any ideas regarding what else we might want to look for here?

Thank you,
FrameReader
 
Elsmar Forum Sponsor

pkost

Trusted Information Resource
#2
Re: 7.5.2 Validation of Processes

You suggest that they store hardware for you - is it networked and active? or is it just a store where you throw in your old harddrives? Are there any paper documents?

If it is all electronic you may want to consider duplicating and using an additional company to reduce any risk.

Regardless, a decent company may have a business contingency/continuity plan which should list all the measures they take to protect their business and your property.
 
F

FrameReader

#3
Re: 7.5.2 Validation of Processes

You suggest that they store hardware for you - is it networked and active? or is it just a store where you throw in your old harddrives? Are there any paper documents?

If it is all electronic you may want to consider duplicating and using an additional company to reduce any risk.

Regardless, a decent company may have a business contingency/continuity plan which should list all the measures they take to protect their business and your property.
It is all electronic - not networked, it is basically just old harddrives, but those harddrives contain information that we should be able to access in case one of our clients has a question about things that happened in the past.

I agree that using an additional company would greatly reduce risk, but I'm quite sure that we won't go that route / would be cost-prohibitive.

Asking for a contingency plan sounds like a good idea. thanks pkost!
 
T

The Specialist

#4
Re: 7.5.2 Validation of Processes

You should be sure that your contract with the third party contains a list of requirements specific to your storage needs that you can 'validate' or 'audit' to...

Your storage requirements may include:

Fire protection storage (sprinkler system or fire retarded storage)
Electro-magnetic protective storage
Storage area temperature/humidity requirements
Accessibility (availability/notice of availability) requirements
File/document database and file location requirements
Confidentiality requirements (third party accessibility)
Security Requirements
File delivery/removal requirements
Company audit/review periods

Etc…

Of course, it will depend on the media being stored!
 

pkost

Trusted Information Resource
#5
Re: 7.5.2 Validation of Processes

You might want to be careful with old harddrives...I'll give you an example of 5.25 discs and to an increasing extent 3.5in discs - how would you retrieve information from them now? A few years ago every computer had a discdrive for 3.5in. In my office we now only have one. try to find a 5.25 reader!

With hard drives although it is less of an issue legacy connections may still become a problem - PATA used to be standard now most PC's use SATA and some don't even have a socket for PATA drives. You could end up going to a lot of effort retrieving the data!

With the rate at which harddrive capacity increases it may be worth just bundling all archived data onto a couple of large capacity drives every now and then.
 

somashekar

Staff member
Admin
#6
Re: 7.5.2 Validation of Processes

It is all electronic - not networked, it is basically just old harddrives, but those harddrives contain information that we should be able to access in case one of our clients has a question about things that happened in the past.

I agree that using an additional company would greatly reduce risk, but I'm quite sure that we won't go that route / would be cost-prohibitive.

Asking for a contingency plan sounds like a good idea. thanks pkost!
If it is not networked, then you are better off renting some safe deposit lockers offered by many banks to deposit your hard drives, provided they have some temperature control etc, established in the strong room.
Your document storage company must do much more than just providing storage.
Can you see if you can get access to any of your associate company / office where you can keep some fireproof cabinets and store them for safe keeping as a disaster management step and store a backup copy in similar fireproof cabinet in a safe place within your organization.
You may run a periodic check on the media to ensure that are stored safe and the data is retreiveable.
 
Thread starter Similar threads Forum Replies Date
K 7.5.5 Identification of Stored Product - External auditor identified storage problem ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
L AS9100 Section 8.4.2 - External provider test reports AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 10
Mikey324 External calibration - Finding in our 3rd party audit General Measurement Device and Calibration Topics 58
D Help Me. Non conformitty in External Audit IATF 16949 - Automotive Quality Systems Standard 13
P Is the second factor authentication (2FA) required for external users? Qualification and Validation (including 21 CFR Part 11) 1
J State of the Art for Documents of External Origin ISO 13485:2016 - Medical Device Quality Management Systems 17
D IATF 16949 SI 10, External non-accredited lab IATF 16949 - Automotive Quality Systems Standard 4
S Recommended software to send Quality scorecards to suppliers (external providers) Supplier Quality Assurance and other Supplier Issues 3
J External Standard Services Document Control Systems, Procedures, Forms and Templates 12
Ed Panek External Standards List - Should this document include previously revised standards? ISO 13485:2016 - Medical Device Quality Management Systems 4
F Logistic/shipping companies as external providers AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
J External third party audits Registrars and Notified Bodies 1
J Help settle a disagreement: Should external providers of preventive maintenance be on your ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
J Requirement for Retention of Records of Withdrawn Documents of External Origin Document Control Systems, Procedures, Forms and Templates 3
M Calibration Certificate Result issued by an accredited external laboratory General Measurement Device and Calibration Topics 9
L IATF external audit virtual (remote) IATF 16949 - Automotive Quality Systems Standard 13
A IEC 62304 safety classification, External Controls and off-label use related risks IEC 62304 - Medical Device Software Life Cycle Processes 5
R External Audit and Certificate prorogation due to the pandemic General Auditing Discussions 10
N Audit non-compliance API Q1 - Use of External Documents 4.4.4 in Product Realization Oil and Gas Industry Standards and Regulations 8
J 510(k) for a control kit for an external IVD test kit 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
R Is it required to have an SOP for external audits? Medical Device and FDA Regulations and Standards News 7
Pmarszal External Standards and Regulations Management Process Document Control Systems, Procedures, Forms and Templates 10
I What kind of wine best complements the Friday that you close out your external audit findings? Opinions are welcome. Coffee Break and Water Cooler Discussions 12
B How to apply external voltage to SIP/SOP IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
P Qualifying commercial off the shelf (COTS) external suppliers ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
B Internal and external auditor competency to CSR's IATF 16949 - Automotive Quality Systems Standard 20
N IATF 16949:2016 7.1.5.3.2 External Laboratory - How to approve the Testing Laboratory without accreditation scope IATF 16949 - Automotive Quality Systems Standard 2
A OHSAS 18001 external auditor finding personal interpretation? Occupational Health & Safety Management Standards 5
L External power supplies: How close does the safety report have to match the end-use application? IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
D Reduction of software class based on multiple external risk controls IEC 62304 - Medical Device Software Life Cycle Processes 5
C Identifying and Controlling External Documents Document Control Systems, Procedures, Forms and Templates 3
C External Laboratories and OEM Calibration IATF 16949 - Automotive Quality Systems Standard 0
Q AS9120B flow down to external providers: Records Retention AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
Casana IATF 16949 7.1.5.3.2 External Laboratory - On Site Calibration IATF 16949 - Automotive Quality Systems Standard 8
B Using external FDA and ISO 13485 audit as internal audit Internal Auditing 6
C ISO 17025 2017, Requirement 6.6.3 - Communicate requirements to external providers ISO 17025 related Discussions 4
C Determining if Maintenance Contractor is an External Service subject to ISO 9001 Clause 8.4 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 43
qualprod The Perfect audit? External Audit causes a significant negative impact in a company General Auditing Discussions 9
K AS9100D 8.4.1.1 external providers question - Walmart, Home Depot, our lawn care team. etc. AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 20
A External Auditor issue with Internal Audits Internal Auditing 7
R Do we need to treat local law as external origin documents? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
D ISO 9001:2015 Clause 8.4.3 "Information for External Providers" buying from online retailers. ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
M Applicability of Means of Protection, working voltage in an Automated External Defibrillator IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
D Necessity of external watchdog next to internal watchdog ISO 14971 - Medical Device Risk Management 1
B How to reply NCR on ineffectiveness of corrective action during IATF external audit? This is repeated issue whereby some mistake was done. IATF 16949 - Automotive Quality Systems Standard 7
I AS9100 8.4.2 Type and Extent of Control - External provider test reports Manufacturing and Related Processes 24
P AS9120B Control of External Providers for Franchised Distribution AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 0
S Tools and equipment provided by customer - Considered as external provider? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
T Transportation - External Service Provider ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
S ISO9001:2015 Clause 9.1 - What the external auditor will look at? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12

Similar threads

Top Bottom