ISO standards define confidentiality as “the protection of information to ensure that data is accessible only to authorized personnel and is not made available or disclosed to unauthorized individuals, entities, or processes.”
In commercial and professional relationships, confidentiality means that information a customer shares in the course of business (with an attorney or physician, for example) generally cannot be divulged to other parties without the customer's consent.
Failure to properly secure and protect confidential business information can lead to costly lawsuits; to the loss of customer trust, confidence and loyalty; and ultimately to the loss of the customer.
In a calibration laboratory, confidential information includes both technical and non-technical information supplied by the customer: contract documentation, customer drawings and specifications, customer-supplied procedures or methods, operational policies, measurement results, calibration reports and records, formulas, and any other material provided to the laboratory.
Confidentiality Requirements of ISO/IEC 17025:2017
Many states have laws protecting the confidentiality of certain information in the workplace. The calibration industry also has specific requirements for handling confidential information, defined in international standards. ISO/IEC 17025:2017, the standard against which calibration laboratories are accredited, addresses confidentiality in clause 4.2 and requires the laboratory to "keep confidential all information obtained or created during the performance of laboratory activities, except as required by law."
The main requirement is that the calibration laboratory is responsible for keeping confidential all customer information and documentation obtained or created during the performance of laboratory activities. The laboratory should use customer information only to communicate with the customer or to carry out the laboratory activities themselves.
The laboratory should have controlled policies and procedures in place to ensure the protection of its customers’ confidential information, including procedures for protecting the electronic storage and transmission of results.
Information that the customer has already made publicly available may be disclosed without further authorization. If the laboratory intends to make any additional information public, it shall inform the customer in advance. If the laboratory obtains information about the customer from sources other than the customer (a complainant or a regulator, for example), that information shall be kept confidential between the customer and the laboratory; the identity of the source is itself confidential to the laboratory and is not shared with the customer unless the source agrees.
Where the laboratory is required by law, or authorized by contract, to release confidential information to an authority having jurisdiction, it shall comply with the applicable local laws. Unless the law prohibits it, the customer or individual concerned should be notified of the information that was released.
Handling of Confidential Information
Measures need to be implemented to ensure that confidential information is well protected within the laboratory. Confidential paper documents and records should be kept in a secure location out of reach of non-laboratory personnel, and shredded when they are no longer required. Electronic documentation should be stored on a secured, access-controlled network and viewed only on approved, secured devices. Information should be shared only with personnel who need it and are authorized to see it.
All laboratory personnel need to be aware of the confidentiality requirements, as do other employees who have access to customer information, audit or assessment bodies, contractors and subcontracted calibration laboratories, and anyone else acting on the laboratory's behalf.
Laboratory management and employees should be trained in the laboratory’s confidentiality policies and procedures. Confidentiality training should be a part of new employee orientation or completed within a reasonable time after personnel begin work within the laboratory. The laboratory’s policies and procedures should be communicated to all laboratory personnel through regular staff meetings and at the annual management review, where the employees can ask questions about the policies.
Formal confidentiality or non-disclosure agreements (NDAs) may need to be signed by all personnel before they are given access to confidential information. These agreements are important for most businesses today, given how easily employees can transfer large amounts of data electronically. Most confidentiality agreements remain in effect indefinitely and can protect the laboratory long after personnel have left its employ.