Global Standards Assurance (GSA)

ISO 9001

Quality Management

CONFIDENTIALITY POLICY

INTRODUCTION

All information must be held in a secure and safe manner to ensure the confidentiality and integrity of data. This includes Client’s data, employer’s data and other individual or business-related information. The procedure shall align with UK GDPR law.

PURPOSE

This document will aim to ensure that all information that is collated during certification is handled and stored with confidentiality and treated in a responsible way to prevent any damage or deterioration.

SCOPE

All confidential information, including computer data, applicable to customers/clients.

DEFINITIONS

Third Party - A third party shall be any party other than Global Standards Assurance (GSA) or the Client.

PROCEDURE TO ENSURE CONFIDENTIALITY

GSA, as a certification body, will be responsible and accountable for ensuring information confidentiality, through legally enforceable agreements, for the management of all information obtained or created during the audit and the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on behalf of GSA.

Confidential Information

All information, except information made publicly accessible by the client of GSA, shall be considered confidential. It is the duty of GSA to inform the client, and get its approval, well in advance of the information it intends to place in the public domain. (As per GDPR law, information should not be shared except for legal/business purpose requisition, and subject to approval and agreement.)

Information about the client from sources other than the client (e.g., complainants, regulators) shall be treated as confidential, and should align with the confidentiality policy.

Disclosure

Under no circumstances shall client information be disclosed to a third party without the written consent of the client concerned. This restriction will not bind information shared according to the requirements of ISO/IEC 17021-1:2015.

However, when GSA is required by law or authorized by contractual arrangements (such as with an accreditation body) to release any confidential information, the client or the individual concerned shall be notified well in advance, unless prohibited by law.

Protection

GSA has made the necessary arrangements, including contractual arrangements, and has the necessary equipment, non-disclosure agreements and facilities to ensure the secure handling of confidential information.

At a minimum, this requires all personnel employed by, and carrying out services for, GSA to sign a GSA Non-Disclosure/Confidentiality Agreement and a Statement of Declaration form.

It is the responsibility of all persons working for GSA to ensure that:

Any information acquired during the certification process is not shared in any form with a third party. All documents and computer data containing information relating to the certification process are always kept in a secure environment, to maintain confidentiality and prevent damage or deterioration. All electronic data/hard copies must be maintained under an allocated filing system with security and passwords, to ensure the confidentiality and security of information during use, retention, and disposal.

The CB shall ensure that documents containing confidential information are disposed of by shredding when no longer required. Confidential information held on computer files shall be deleted when no longer required, in line with GDPR law and the information confidentiality policy. The management shall ensure that a register is kept of all staff/persons who have access to confidential information, to record the signed confidentiality agreements and declaration of impartiality statements. All signed statements shall be kept.

MANAGING CONFIDENTIAL INFORMATION/DATA

Under no circumstances may any confidential or identifiable information be released outside the CB without prior agreement with the CB management, unless required under legal proceedings. The Data Protection Act must always be abided by. Any request for information release or freedom of information shall be reviewed by the Caldicott/Data Guardian (Quality Manager of the CB) before any information is released.