Course: ISO 17020 2012 Requirements for Inspect...

ISO 17020 General requirements

4.0 General requirements

4.1 Impartiality and independence

Inspection activities shall be undertaken impartially. Being impartial in the inspection body’s activities means being free to exercise professional judgement and competence according to the actual data gathered during inspection activities using the established procedures. Impartiality can be ensured by maintaining independence, freedom from conflicts of interest, freedom from bias, lack of prejudice, neutrality, fairness, open-mindedness, even-handedness, detachment and balance in the day-to-day operations of the inspection body. Threats to impartiality may arise from:

  • Commercial interest
  • Financial interest
  • Relationship interest

Relationships that threaten the impartiality of the inspection body can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing (including branding), and payment of a sales commission or other inducement for the referral of new clients. Top management of the inspection body shall be committed to impartiality. A proactive approach will help the inspection body safeguard impartiality, so that personnel are free from both internal and external pressures that may compromise it. This can be achieved through the approach given below:

  • Identify the risks to impartiality and implement controls
  • Implement an impartiality policy
  • Monitor day to day activities

Implementing the impartiality policy

An impartiality policy can be prepared and circulated so that all employees are aware of the requirement. It is a good idea to display the impartiality policy in all departments. Request employees to read and accept the impartiality policy. Ensure that the impartiality policy requires employees not to practise the following:

  • A scientifically unsound or technically unjustified omission, manipulation, or alteration of procedures or data making the results appear acceptable
  • The deliberate falsification of inspection or quality assurance results, where failed method requirements are made to appear acceptable
  • The intentional recording or reporting of incorrect tests
  • An intentional gross deviation from the method specified in the inspection procedures, combined with the intent to conceal the deviation
  • Inappropriate data entry, falsifying existing data, data manipulation or fabrication
  • Failure to follow standard operating procedures
  • Improper calibration and verification of instruments
  • Incomplete recordkeeping or intentionally altering records for personnel or business gain
  • Improper manipulation of samples
  • Mislabeling inspection items
  • Creating data or reporting data for inspection activities not performed
  • Unauthorised use or unwarranted manipulation of software used in inspection activities
  • Creating information that is not true
  • Claiming ownership for work performed by external bodies and subcontractors

Identify the risks to impartiality and implement controls

Some of the activities that have risks to impartiality are:

  • Salary of personnel is based on the number of inspection activities carried out, or an incentive is paid based on the number of inspection activities
  • The inspection body is part of a project team that is implementing and commissioning a project (e.g. building a bridge, installing an electrical substation)
  • The owner is also the manager of the inspection department
  • Auditing one’s own work during internal audit activity
  • Personnel involved in inspection activities are also involved in marketing activities
  • Special favours are given to returning customers
  • A special commission is paid to personnel who act in favour of customer demands
  • The customer requests specific personnel to perform inspection activities
  • An employee performing inspection activities for a previous employer
  • The deliberate falsification of analytical or quality assurance results, where failed method requirements are made to appear acceptable at the client’s request

Management can start the risk identification process before the job begins by identifying risks that are known to exist on site and documenting them. By identifying risks early, the organisation may be able to implement controls before any impartiality issue arises. In order to identify the risks to impartiality:

  • Look at all aspects of the work
  • Include non-routine activities such as marketing, order processing, payroll management etc
  • Look at previous incidents
  • Look at the way the work is organized or “done” (include experience and age of people doing the work, systems being used, etc)
  • Look at foreseeable unusual conditions such as emergency inspection requests, information system break down etc
  • Examine risks from customers, especially those that provide repeat work
  • Include an assessment of groups that may have a different level of risk, such as young or newly joined employees
  • Include risks originating outside the workplace
  • Include risks associated with changes in the organisation, the management system or its activities
  • Include risks associated with supporting activities such as procurement, logistics, human resources and accounts

After identifying risks, they shall be ranked to help determine which risk is the most serious and thus which one to control first. The following factors play an important role:

  • Amount of activities exposed
  • Frequency of exposure
  • Degree of harm likely to result from the exposure
  • Probability of occurrence and recurrence

The impact of a risk can be assessed by multiplying the severity of the risk by the probability of that risk occurring. Severity is the extent of the interruptions or non-conformities the risk can cause to functions or processes. Probability is the likelihood that the risk occurs. Risks can be ranked as given in the following table:

Severity & score (A)                    Probability & score (B)                                Risk impact (C = A x B)
High (may affect many jobs) - 3         High (may happen many times in a month) - 3            9
Moderate (may affect a few jobs) - 2    Moderate (may happen a couple of times in a year) - 2  4
Low (may affect a single job) - 1       Low (rarely happens) - 1                               1

Those risks having a risk rating greater than 4 can be considered significant, and control measures can be planned and implemented for them. Once a control has been put into place, employees need to be trained in how to use it. Repeat the risk assessment process at least once a year or whenever:

  • Work conditions change
  • New processes are added
  • Any change in a process happens
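The ranking scheme above, carried through as an added example (not part of the original lesson): a small impartiality risk register that scores each entry with the lesson's severity and probability scale, computes the impact C = A x B, flags entries above the lesson's significance threshold of 4, and orders the register so the most serious risks receive controls first. The register entries are constructed from the risky activities listed earlier in the lesson; the class and function names are this example's own.

```python
from dataclasses import dataclass

# Scoring scale taken from the lesson's ranking table.
SEVERITY = {"high": 3, "moderate": 2, "low": 1}        # A: extent of disruption
PROBABILITY = {"high": 3, "moderate": 2, "low": 1}     # B: likelihood of occurrence
SIGNIFICANT_ABOVE = 4                                  # C = A x B greater than 4 needs controls


@dataclass
class ImpartialityRisk:
    description: str
    severity: str
    probability: str

    @property
    def impact(self) -> int:
        """Risk impact C = A x B; rejects ratings outside the three-level scale."""
        try:
            return SEVERITY[self.severity.lower()] * PROBABILITY[self.probability.lower()]
        except KeyError as exc:
            raise ValueError(f"unknown rating {exc} for risk: {self.description}") from None

    @property
    def significant(self) -> bool:
        return self.impact > SIGNIFICANT_ABOVE


def rank_register(risks):
    """Return risks ordered most serious first, so the top entries get controls first."""
    return sorted(risks, key=lambda r: r.impact, reverse=True)


def controls_needed(risks):
    """Descriptions of the risks whose impact exceeds the significance threshold."""
    return [r.description for r in rank_register(risks) if r.significant]


# Constructed sample register (hypothetical ratings) based on activities named in the lesson.
SAMPLE_REGISTER = [
    ImpartialityRisk("Incentive paid per inspection completed", "high", "high"),
    ImpartialityRisk("Inspector also handles marketing", "moderate", "moderate"),
    ImpartialityRisk("Customer requests a specific inspector", "high", "moderate"),
    ImpartialityRisk("Owner manages the inspection department", "moderate", "low"),
]

if __name__ == "__main__":
    for risk in rank_register(SAMPLE_REGISTER):
        flag = "SIGNIFICANT" if risk.significant else "monitor"
        print(f"{risk.impact:>2}  {flag:<12} {risk.description}")
```

With the constructed ratings, the register ranks 9, 6, 4, 2, and only the two entries above 4 are reported as needing controls; the entry scoring exactly 4 is monitored, matching the lesson's "greater than 4" rule.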

Monitoring activities

Besides risk assessments, identify and safeguard impartiality on a continual basis in an integrated way, during monitoring and assessment activities. This means that these activities should be integrated into other activities such as quality meetings, internal audits, root cause analysis, corrective action, and review of the management system.

  • Verify during internal audits
  • Document review
  • Verify financial transactions
  • Interview personnel to see if the level of awareness is acceptable
  • Review the risk register regularly and update it based on current operations
  • Ensure that impartiality is given sufficient consideration during management review

4.2 Confidentiality

Inspection bodies are responsible for properly managing all information obtained and created by them. Information generated as part of the inspection activities shall be kept confidential. No information regarding a client shall be disclosed to third parties or put in the public domain without obtaining consent from that client. Where the inspection body is required by law to release information related to a customer, that customer shall be informed of the information provided to regulatory or enforcement bodies; the inspection body is not required to inform the customer if the law prohibits it. Information about the client obtained from sources other than the client (e.g. a complainant or regulators) shall also be treated as confidential. Confidential information may be breached in multiple ways, such as:

  • Publishing inspection reports and client details on websites and in public domains
  • A device on which sensitive information is stored is stolen
  • An employee accidentally sends confidential information to the wrong recipient
  • An employee who is leaving the organisation copies and takes confidential information
  • Releasing inspection reports to the wrong recipient
  • Data leak caused by malware attack on the information system

Different types of controls can be implemented for protecting the confidentiality of information. Some of them are:

  • Labeling
  • Signing contracts
  • Training employees
  • Access control to the facilities
  • Limit access and secure the computer system
  • Provide lockable cabinets
  • Implementing exit clearance system for employees leaving the organisation

Labeling

Labelling confidential information serves as a practical disincentive for someone to abuse it. Labelling can be applied to electronic and hard copy documents. A label could be: “Confidential information. No part of these materials may be copied, used or disclosed except with written permission.”

Signing contracts

Contracts detailing the confidentiality policy and control measures can be put in place with employees, visitors and subcontractors. Request all employees who have access to confidential information to sign an employment contract that contains non-disclosure provisions. The employee should be obligated to return confidential information when employment terminates. Confidentiality provisions in an employment contract make it abundantly clear that the employer is serious about confidentiality, and therefore help prevent problems from both a legal and a practical perspective.

Training employees

A company’s own employees pose the biggest risk to the confidentiality of information. In most cases confidential data is leaked through employees. Often the information is leaked simply because the right training was not provided. Employees shall be trained frequently so that they have up-to-date information regarding the confidentiality requirements. All new recruits shall be trained before being assigned job responsibilities.

Access control to the facilities

Access to the laboratory facilities and critical areas shall be controlled so that only authorised personnel enter the premises. Physical security can be ensured by implementing biometric access or installing access control doors. Visitors and contractors shall be admitted only on request. It is good practice to have an employee escort them for the entire time they are within the premises. They shall be informed about what they are allowed to access and what they are not.

Provide lockable cabinets

Provide lockable storage cabinets for storing hard copy documents. Ensure that only a few selected people hold the keys.

Limit access and secure the computer system

A company with confidential information should be careful to limit access to confidential information to only those employees who have a “need to know”. By doing so, the company strengthens its legal position and also helps establish a practical “roadblock”. Hard copies of documents should be kept locked, and electronic copies should be password protected. Computer access should be monitored. In order to protect the computer from external threats such as malware attack, antivirus software can be implemented.

Exit clearance

A proper exit clearance mechanism can be implemented so that any employee leaving the job securely hands over the hardware and the data handled during the employment period. It is also important to ensure that any access privileges given to the employee are revoked.
