ISO standards define confidentiality as “the protection of information to ensure that data is accessible only to authorized personnel and is not made available or disclosed to unauthorized individuals, entities, or processes.”
Confidentiality refers to information shared within commercial or business activities that generally cannot be divulged to other parties without the consent of the customer, such as dealings with an attorney or physician.
Failure to properly secure and protect confidential business information can lead to costly lawsuits, loss of customer trust, confidence, and loyalty, and ultimately the loss of the
In a calibration laboratory, confidential information can refer to technical and non-technical information supplied by the customer, including contract documentation, customer drawings and specifications, customer-supplied procedures or methods, operational policies, measurement results, calibration reports and records, formulas, and any other materials provided to the calibration laboratory.
Confidentiality Requirements of ISO/IEC 17025:2017
Many states have laws protecting the confidentiality of certain information in the workplace. The calibration industry has specific rules and regulations for handling confidential information as defined in various international standards. Standard ISO/IEC 17025:2017, which governs the accreditation of calibration laboratories, states that the laboratory must “keep confidential all information obtained or created during the performance of laboratory activities, except as required by
The main requirement is that the calibration laboratory is responsible for keeping all customer information and documentation obtained or created during the performance of laboratory activities confidential. Laboratories should only use customer information for communication purposes or to assist in the facilitation of laboratory
The laboratory should have controlled policies and procedures in place to ensure the protection of its customers’ confidential information, including procedures for protecting the electronic storage and transmission of results.
Information which is already known to be available in the public domain may be disclosed without further authorization. If any additional information will be made publicly available by the laboratory, the laboratory shall inform the customer in advance. If customer information is obtained from sources other than the customer, that information must be kept confidential between the customer and the laboratory.
In any instance where the release of confidential information is prohibited by law, or where the laboratory is required by law to release information to an authority having jurisdiction, the laboratory shall comply with the applicable local laws.
Handling of Confidential Information
will need to be implemented to ensure that confidential information is well protected within the laboratory. Confidential paper documents and records should be kept in a secure location out of reach of non-laboratory personnel. Confidential paper documents should also be shredded when they are no longer required. Electronic documentation should be stored on a secure network and only viewed on secure devices. Information should only be shared with other personnel when it is necessary and authorized.
All laboratory personnel need to be aware of the confidentiality requirements, including other employees that have access to customer information, audit or assessment bodies, contractors and subcontracted calibration laboratories, or all personnel acting on the
management and employees should be trained in the laboratory’s confidentiality policies and procedures. Confidentiality training should be a part of new employee orientation or completed within a reasonable time after personnel begin work within the laboratory. The laboratory’s policies and procedures should be communicated to all laboratory personnel through regular staff meetings and at the annual management review, where the employees can ask questions about the policies.
Formal confidentiality or non-disclosure agreements (NDAs) may need to be signed and obtained from all personnel prior to their obtaining access to confidential information. These agreements are necessary for most businesses today, considering that employees have the capability to easily transfer large amounts of data electronically. Most confidentiality agreements remain in effect indefinitely and can protect the laboratory long after personnel leave the employ of the laboratory.