
ISO 13485:2016 and GDPR EU 2016/679

#1
In ISO 13485:2016 there is a new requirement in section 4.2.5 for Control of Records that states "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements." Since we have a CE mark for our medical device we need to follow GDPR requirements for patient privacy, which entails many documents we need to create to demonstrate compliance.

As a result I have a few questions... are we required to include all our GDPR documents as part of our QMS? Is a statement in our Control of Records procedure stating that we are compliant sufficient? If not, can I expect during our next 13485 audit that the auditor will also audit to GDPR requirements? Otherwise, how could they know if we are "...in accordance with the applicable regulatory requirements"?
 

Mark Meer

Trusted Information Resource
#2
... are we required to include all our GDPR documents as part of our QMS? Is a statement in our Control of Records procedure stating that we are compliant sufficient?
Keep the scope of your quality system in mind when determining what documents are necessary to maintain under it. Is the confidential information you are maintaining related to your QMS, or the devices designed, manufactured, sold, and/or monitored under it?

Regarding audits, auditors will want evidence that you've established an effective system for meeting the requirements. If you simply say "system shall comply with GDPR" in your procedures as a way to address the ISO requirement, it would be reasonable for an auditor to then follow up with "ok, show me the evidence". In this case, you'd want your GDPR documentation handy to demonstrate to them that you're doing what your procedures state.
 

JoshuaFroud

Involved In Discussions
#3
I personally have addressed this in our QMS by adding a section to the Control of Document and Records procedure stating, "Confidential health information will be maintained in line with GDPR". This is preceded by a sentence stating that as a general rule we, as a company, will not access confidential health information as part of normal business operations.
Our privacy policy and other related documentation is maintained within our electronic document management system but does not explicitly form part of the QMS.
 
#4
Thanks Mark for your reply. I do have one further question related to your response...

You mention that the auditor may say "ok, show me the evidence", but unless they know how to interpret the evidence how can they possibly say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
 

Mark Meer

Trusted Information Resource
#5
...You mention that the auditor may say "ok, show me the evidence", but unless they know how to interpret the evidence how can they possibly say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement. Auditors only have so much time and expertise, and so to check if an organisation is meeting all "applicable regulatory requirements" is not a clearly defined task.

It is within auditors' prerogative to dig as deep as they deem appropriate within the scope of their audit. However, in practice, due to constraints on time and expertise, I think you can assume that in cases like this, if they were to say "show me the evidence", simply pointing them to the documentation is probably sufficient (i.e. the details are unlikely to be scrutinised - but you should be prepared to show something rather than nothing).

A similar case is design test reports. You can expect auditors to follow the design verification process down to the documentation outputs (test reports), but it would be very unlikely that they have either the time or expertise to scrutinise the details (unless they are looking for fulfilment of a specific requirement, e.g. justification for sampling).
 

yodon

Staff member
Super Moderator
#6
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement.
Indeed, that's a REAL good point of discussion. Without intending to sidetrack this thread, the term (complying with) "applicable regulatory requirement" or similar shows up close to 40 times in the standard. Mr. Meer has hit the nail on the head when he says auditors have only so much time and expertise. This may well be a sore point as things play out. Will an ISO auditor (or the company they represent) be liable for NOT uncovering compliance issues to a regulatory requirement that is outside their expertise?
 