ISO 17025 General requirements

4 General requirements

4.1 Impartiality

Laboratory activities shall be undertaken impartially. To be impartial to the laboratory’s activities is being free to exercise professional judgment and competency as per the actual data results that are gathered during laboratory activities using the established procedures. Impartiality can be ensured by maintaining independence, freedom from conflict of interests, freedom from bias, lack of prejudice, neutrality, fairness, open-mindedness, even-handedness, detachment and balance in the day to day operations of the laboratory. Impartiality may arise due to:

• Commercial interest
• Financial interest
• Relationship interest

Relationships that threaten the impartiality of the laboratory can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing (including branding), and payment of a sales commission or other inducement for the referral of new clients, etc. Top management of the laboratory shall be committed to impartiality. A proactive approach will help the laboratory to safeguard impartiality, so that personnel will be free from both internal and external pressures that may compromise impartiality. This can be achieved through the approach given below:

• Identify the risks to impartiality and implement controls
• Implement an impartiality policy
• Monitor day to day activities

1. Implementing the impartiality policy

An impartiality policy can be prepared and circulated so that all employees are aware of the requirement. It is a good idea to display impartiality policy in all departments. Request employees to read and accept the impartiality policy. Ensure that the impartiality policy states employees to not practice the following,

• A scientifically unsound or technically unjustified omission, manipulation, or alteration of procedures or data making the results appear acceptable
• The deliberate falsification of testing or calibration results, where failed method requirements are made to appear acceptable
• The intentional recording or reporting of incorrect tests
• An intentional gross deviation from method-specified in the testing practices, combined with the intent to conceal the deviation
• Inappropriate data entry, falsifying existing data, data manipulation or fabrication
• Failure to follow standard operating procedures
• Improper calibration and verification of instruments
• Incomplete recordkeeping or intentionally altering records for personnel or business gain
• Improper manipulation of samples
• Mislabeling testing items
• Creating data or reporting data for laboratory activities not performed
• Unauthorised use or unwarranted manipulation of software used in laboratory activities
• Creating information that is not true
• Claiming ownership for work performed by external laboratories and subcontractors

1. Identify the risks to impartiality and implement controls

Some of the activities that have risks to impartiality in laboratory activities are:

• Salary of the personnel is based on the number of laboratory activities carried out or some incentive is paid based on the number of laboratory activities
• Laboratory is part of projects team which is implementing and commissioning a project (eg building a bridge, installing electrical substation)
• The owner is also the manager of testing department
• Auditing own work during internal audit activity
• Personnel involved in laboratory activities are also involved in marketing activities
• Special favor is given for returning customers
• A special commission is paid to personnel who operates in favor of customer demands
• The customer requests a specific personnel to perform laboratory activities
• Employee performing laboratory activities for the previous employer

1. Monitoring activities

Besides risk assessments, identify and safeguard impartiality on a continual basis in an integrated way, during monitoring and assessment activities. This means that these activities should be integrated into other activities such as quality meetings, internal audits, root cause analysis, corrective action, and review of the management system.

• Verify during internal audits
• Document review
• Verify financial transactions
• Interview personnel to see if the level of awareness is acceptable
• Review the risk register regularly and update it based on current operations
• Ensure that impartiality is given sufficient consideration during management review

4.2 Confidentiality

Laboratories are responsible for properly managing all information obtained and created by them. Information generated as part of the laboratory activities shall be kept confidential. No information regarding a client shall be disclosed to third parties or put in public domain without getting consent from that client. In a situation if the laboratory has to release information related to a customer according to the law, that customer shall be informed of the information provided to regulatory or enforcement laboratories. Laboratory is not required to pass such information if it is prohibited by the law. Information about the client obtained from sources other than the client (e.g. complainant, regulators) shall also be treated as confidential. Confidential information may be breached in multiple ways such as:

• Publishing test reports and client details on websites and in public domains
• Device in which sensitive information is stored is stolen
• An employee accidentally sends confidential information to the wrong recipient
• An employee who is leaving the organisation copies and carries confidential information
• Releasing test reports to wrong recipient
• Data leak caused by malware attack on the information system

Following parties associated with the laboratory shall also keep confidential all information obtained or created during the performance of laboratory activities, except as required by law.

• Personnel, including any committee members
• Contractors
• Personnel of external laboratories
• Individuals acting on the laboratory’s behalf

Different types of controls can be implemented for protecting the confidentiality of information. Some of them are:

• Labeling
• Signing contracts
• Training employees
• Access control to the facilities
• Limit access and secure the computer system
• Providing lockable cabinets
• Implementing exit clearance system for employees leaving the organisation

Labeling

Labelling confidential information also serves as a practical disincentive for someone to abuse confidential information. Labelling can be provided on electronic and hard copy documents. A label could be something stating that: “Confidential information. No part of these materials may be copied, used or disclosed except with written permission.’

Signing contracts

Contracts detailing the confidentiality policy and control measures can be put in place with employees, visitors and sub contractors. Request all employees who have access to confidential information to sign an employment contract which contains non-disclosure provisions. The employee should be obligated to return confidential information when employment terminates. Confidentiality provisions in an employment contract make it abundantly clear that the employer is serious about confidentiality, and therefore help prevent problems from a legal and practical perspective.

Training employees

Company’s own employees pose the biggest risk to confidentiality of information. In most of the cases confidential data is leaked through employees. Often the information is leaked simply because the right training was not provided. Employees shall be trained frequently so that they have up to date information regarding the confidentiality requirements. All new recruits shall be trained prior to assigning job responsibilities.

Access control to the facilities

Access to the laboratory facilities and critical areas shall be controlled so that only authorised personnel enter the premises. The physical security can be ensured by implementing biometric access or installing access control doors. Visitors and contractors shall be allowed only based on requests. It is good to have an employee escorting them for the entire time period they are within the premises. They shall be informed about what they are allowed to access and what they are not allowed.

Provide lockable cabinets

Provide lockable storage cabinets for storing hard copy documents. Ensure only a few select people have the key for.

Limit access and secure the computer system

A company with confidential information should be careful to limit access to confidential information to only those employees who have a “need to know”. By doing so, the company strengthens its legal position and also helps establish a practical “roadblock”. Hard copies of documents should be kept locked, and electronic copies should be password protected. Computer access should be monitored. In order to protect the computer from external threats such as malware attack, antivirus software can be implemented. Digital records and electronic information shall be controlled by using passwords, firewalls and encryption. Avoid storing information on smaller storage devices such as USB drives that can be easily misplaced. Ensure that the passwords used are secure and changed regularly.

Exit clearance

Proper exit clearance mechanism can be implemented so that any employees leaving the job will securely handover the hardware and the data handled during the employment period. It is also important to ensure that any access privileges given to the employee are revoked.