POL-003

MSC Global Confidentiality Policy

Last updated: 26 January 2026

Purpose

This policy establishes guidelines and principles to ensure the confidentiality of information related to certification activities conducted by MSC Global in accordance with ISO/IEC 17021: Conformity assessment - Requirements for bodies providing audit and certification of management systems.

Scope

This policy applies to all personnel, contractors, and stakeholders involved in certification activities, including but not limited to auditors, certification decision-makers, administrative staff, and external parties interacting with MSC Global.

Principles

  • Confidentiality Obligation: We are committed to maintaining the confidentiality of all information obtained or generated during the certification process.
  • Legal Compliance: We comply with applicable laws and regulations regarding the protection of confidential information, including data protection and privacy laws.
  • Protection of Information: We implement measures to protect confidential information from unauthorised access, disclosure, alteration, or destruction.

Guidelines

Types of Confidential Information

Confidential information includes but is not limited to:

  • Client information (e.g., company details, contact information)
  • Audit findings, reports, and documentation
  • Internal procedures, processes, and methodologies
  • Personal data of individuals processed during certification activities
  • Information about the client sourced from complainants or regulators

Access Control

Access to confidential information is limited to personnel involved directly in the certification process. This is controlled through the management of file permissions in SharePoint.

Non-Disclosure

Personnel are prohibited from disclosing confidential information to external parties without proper authorisation, except as required by law. All staff are required to sign an agreement with MSC Global to ensure they understand the requirement to maintain client confidentiality.

Handling of Information

Confidential information is handled with care and stored securely during the audit. No client documentation or records are maintained once the audit is completed. Auditors are required to delete all client information from their devices post audit.

All data is retained on MSC Global SharePoint and CertCrowd for the purposes of maintaining certification records and planning future audits.

Third-Party Confidentiality

We ensure that confidentiality obligations are extended to third parties, such as subcontractors or consultants involved in certification activities. Confidentiality requirements are included in signed agreements with all subcontractors and consultants to satisfy the requirements of ISO/IEC 17021 section 8.4.1.

Release of Information About Clients

Clients will be informed in advance of any information MSC Global intends to place in the public domain. All information (except that made public by the client) is considered confidential.

Except as required in ISO/IEC 17021 section 8.4, information about a particular client will not be disclosed without the consent of the client or individual concerned.

Where MSC Global is required by law to release information about a client or individual, the client or individual shall be notified (unless prohibited by law).

Information about the client from other sources, such as regulators, shall be treated as confidential and in accordance with this policy.

All personnel, including committee members, contractors, and personnel acting on behalf of MSC Global, shall keep all information provided or created during certification activities confidential, except as required by law.

Information about clients obtained through other sources, such as complainants and regulators, will be treated as confidential in accordance with this policy.

Responsibilities

Management

Responsible for establishing and maintaining confidentiality measures, providing guidance and training to personnel, and ensuring compliance with this policy.

Certification Personnel

Responsible for complying with confidentiality requirements, safeguarding information, and reporting any breaches or concerns. This includes all personnel involved in certification activities, and also covers committee members, contractors, personnel of external bodies or individuals acting on MSC Global's behalf. Information shall be kept confidential except as required by law.

Handling of Client Information

MSC Global uses SharePoint to store audit reports, audit plans, client contracts and other certification-related documentation. The client profile, which contains key information for the purposes of granting and maintaining certification, is stored in CertCrowd.

Auditors are required to acknowledge the following:

  • No client data is stored locally on laptops, phones or other portable devices.
  • No photos are to be taken on client sites as part of audits.
  • All client documentation is to be returned to the client at the close of the audit or destroyed.
  • Client documentation in electronic form will be purged from the SharePoint system at the close of the audit.
  • Auditors are encouraged to gain access to client documents through the client system, rather than having clients send documents to them.

Training and Awareness

Confidentiality requirements are covered during the induction process. Workers are required to sign an agreement to acknowledge that they understand confidentiality requirements.

Yearly refreshers are conducted to ensure workers maintain an understanding of the importance of confidentiality in certification activities.

Incident Reporting and Response

Breaches of confidentiality are reported to the managing director.

Investigations are conducted to determine the cause of the breach and implement corrective actions to prevent recurrence.

Conclusion

This confidentiality policy reinforces our commitment to protecting sensitive information and maintaining trust and integrity in our certification services. It ensures that confidentiality obligations are respected and upheld throughout all stages of certification activities, contributing to the credibility and reliability of MSC Global.

For questions about confidentiality, please contact us.