Types of confidential information

Tallinec

Involved In Discussions
Hello.

EN ISO/IEC 17025:2017, clause 4.2.4, requires «keep confidential all information obtained or created during the performance of laboratory activities, except as required by law».

1) Do customer orders (with no stipulation that the info in the orders is confidential) fall within this requirement?
2) Do customer drawings (with no stipulation that the info in the orders is confidential) enclosed with the orders fall within this requirement?
3) Do the documents related to interlaboratory comparisons (with no stipulation that the info in the orders is confidential) fall within this requirement?
4) Does info from the log where the laboratory documented environmental conditions fall within this requirement?
5) Does a top management review report fall within this requirement?
6) Does an internal audit report fall within this requirement?
7) Does a laboratory procedure for handling, transport, storage, use and planned maintenance of equipment fall within this requirement?
 

Jim Wynne

Leader
Admin
The "keep confidential" requirement just means that customer information shouldn't be made available to anyone except those with an internal need to access it.
 

Tallinec

Involved In Discussions
The "keep confidential" requirement just means that customer information shouldn't be made available to anyone except those with an internal need to access it.
But clause 4.2.4 requires «keep confidential all information obtained or created during the performance of laboratory activities, except as required by law». As I understand it, all the info in Nos. 1-7 given in my topic falls within "all information obtained or created during the performance of laboratory activities"?
 

Tagin

Trusted Information Resource
But clause 4.2.4 requires «keep confidential all information obtained or created during the performance of laboratory activities, except as required by law». As I understand it, all the info in Nos. 1-7 given in my topic falls within "all information obtained or created during the performance of laboratory activities"?

This seems like it might be helpful:
Introduction
Although the new version of ISO/IEC 17025 (2017) includes more text about confidentiality, the basic requirements of ISO/IEC 17025:2005 have not changed but are more detailed. The main requirement is that the laboratory shall have policies and procedures to ensure the protection of its customers' confidential information and proprietary rights, including procedures for protecting electronic storage and transmission of results, as already described in ISO/IEC 17025:2005.
Handling
ISO/IEC 17025:2017 requires the laboratory to legally commit itself to keep information confidential obtained or generated during the performance of assignment for client. When information is made publicly available, either by the customer, by an agreement between the laboratory and the customer, or by requirements in the law, the laboratory shall inform the customer in advance. Information about the customer, obtained from sources other than the customer, and the provider of the information are confidential between the customer and the laboratory.

The personnel shall keep the customer information confidential. This can be specified in the employment contract.

The laboratory should preferably regulate all confidentiality issues in the contract. As a general rule customer information shall be treated confidentially.
 

dwperron

Trusted Information Resource
Hello.

EN ISO/IEC 17025:2017, clause 4.2.4, requires «keep confidential all information obtained or created during the performance of laboratory activities, except as required by law».

1) Do customer orders (with no stipulation that the info in the orders is confidential) fall within this requirement?
2) Do customer drawings (with no stipulation that the info in the orders is confidential) enclosed with the orders fall within this requirement?
3) Do the documents related to interlaboratory comparisons (with no stipulation that the info in the orders is confidential) fall within this requirement?
4) Does info from the log where the laboratory documented environmental conditions fall within this requirement?
5) Does a top management review report fall within this requirement?
6) Does an internal audit report fall within this requirement?
7) Does a laboratory procedure for handling, transport, storage, use and planned maintenance of equipment fall within this requirement?

17025 requires that you keep the test data confidential.
Section 4.2 explains the intent clearly:
Personnel, including any committee members, contractors, personnel of external bodies, or
individuals acting on the laboratory's behalf, shall keep confidential all information obtained or created
during the performance of laboratory activities, except as required by law.


You must keep the information confidential - not release it outside the organization - without the customer's advance consent or a legal requirement to release the information.
I don't see any of your examples falling into a case where they should be released into the public domain.
 

Tallinec

Involved In Discussions
I don't see any of your examples falling into a case where they should be released into the public domain.
So, a laboratory procedure for handling, transport, storage, use and planned maintenance of equipment falls within "confidential information"? And does info from the log where the laboratory documented (without reference to a customer) environmental conditions fall within this requirement, too?
 

dwperron

Trusted Information Resource
So, a laboratory procedure for handling, transport, storage, use and planned maintenance of equipment falls within "confidential information"? And does info from the log where the laboratory documented (without reference to a customer) environmental conditions fall within this requirement, too?

You are making this much too hard. I had just stated that none of your examples fall into confidentiality issues.

How does your laboratory procedure for handling equipment fall into the "shall keep confidential all information obtained or created during the performance of laboratory activities"? It doesn't. It has nothing to do with the performance of laboratory activities, it's a procedure not a result.

Your laboratory environmental log is not your customer's proprietary information. You are required to report environmental conditions with your results, the log is just a history archive for your convenience.
 

Tallinec

Involved In Discussions
You are making this much too hard. I had just stated that none of your examples fall into confidentiality issues.

How does your laboratory procedure for handling equipment fall into the "shall keep confidential all information obtained or created during the performance of laboratory activities"? It doesn't. It has nothing to do with the performance of laboratory activities, it's a procedure not a result.

Your laboratory environmental log is not your customer's proprietary information. You are required to report environmental conditions with your results, the log is just a history archive for your convenience.
Sorry, of course, you wrote that none of my examples (Nos. 1-7) fall into confidentiality issues. It is my fault.

I understand that test results, test reports and all info that is agreed (!) between the laboratory and a customer as "confidential" are 100% confidential.

What puzzled me when reading clause 4.2.4 of the standard is the "…all (!!!) information obtained or created…". I hunted for an explanation of this "puzzle" on the Internet, but could not find one.
 

dipstik

Registered
When it says "obtained", it means for the purposes of the calibration/test and pertaining to such. If you write an SOP while you have a project going, you can divulge that SOP. If your client gives you an SOP, you cannot share that SOP.

I think some items should be confidential, like the work order and the drawings; 3-7 are not related to client information.
 