The essence of document control is to ensure that the correct, valid documents are available to the right people, in the right place, at the right time. There must be no confusion regarding the process and numbering. The system of review, revision, approval and implementation should also be simple and easy to implement. The actual system varies extensively between laboratories. Your approach also depends on how automated your document management system is. A more functional system provides links to the correct documents, so the impact / risk of a complicated naming and numbering system is less of an issue.
As you are still implementing your system, I suggest you look at the risk of change / adoption but also the opportunity going forward, and decide on what the best approach is for you. Best practices include archiving and making documents or versions obsolete, and you can decide, if the risk is acceptable, to “retire” and recycle/reissue document numbers, as long as it does not create confusion or traceability issues.
Typically I would not advise a single operational procedure document. A Quality Manual serves the purpose of stating policies and integrating all the processes and documents in one place. For review and control purposes, separate procedures make more sense and work better in terms of scalability as your laboratory develops. Either way, the central documents are your Document Control procedure and your List of internal documents and records.
For more information on document control, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
Yes, this purpose shall fall under the legitimate interest (Art. 6 par. 1 let. f GDPR) as an anti-fraud purpose. You need to explain it in the privacy notice but you do not need the consent of the data subject.
Here you can find more information about the legal basis for data processing:
If you need to understand how to implement EU GDPR in your project you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
You asked
I need to know if there are any differences between the FINAL DRAFT version and the one that was actually issued?
Please note that both the Final Draft International Standard (FDIS) and the final published document are copyright protected. The FDIS is circulated to all ISO members for an 8-week vote. For more details on the various ISO stages to publication, see https://www.iso.org/stages-and-resources-for-standards-development.html
I cannot provide a comparison. Although you will see ISO state that “Only editorial corrections are made to the final text”, these corrections can have a significant impact on the interpretation and required implementation steps for the laboratory. ISO states that from the FDIS to the Publication stage, the project leaders may submit comments on the FDIS. Then the committee managers and project leaders get a two-week sign-off period before the standard is published.
You also asked
So if someone uses the final draft as guidance, are there any changes that they can be held to?
ISO 17025:2017 requires the laboratory to have
This will clearly include the need to have the latest version of ISO 17025:2017.
For further information on ISO 17025 requirements, see the following:
The whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
It depends on how you intend to structure the application and how data will be processed.
If you decide how data will be processed by the app, you can be the data controller of the users' data, while the shop will be the data controller of the users who purchased something on their shop for their own purposes (i.e., billing, shipping, marketing); then you may be separate controllers (you of the app, the seller of the single mall). Instead, if the data are connected and you jointly determine how the data will be processed, then you will be joint controllers.
Here you can find more information on data controller:
ISO 17025:2017 is the applicable standard for all non-medical testing and calibrations, including dimensional tests such as length. Depending on the country and accreditation body, the laboratory’s testing scope will fall under, for example, the Dimensional Testing program of the accreditation body for ISO 17025 accreditation. Note that because there are many ISO standards for packaging, including medical devices and other high-risk goods, the client laboratory is responsible for ensuring the specific requirements of standard test specifications are met.
Perhaps you do not need accredited tests for dimensions but just want assurance in verifying the measurements? In that case, testing accreditation may not be necessary, but the calibrated measuring devices used for testing must be suitable for use (e.g., resolution, range and precision). The laboratory calibrating the devices should be accredited as an ISO 17025 calibration laboratory for dimensional metrology (length) and provide ISO 17025 compliant calibration certificates.
For general information regarding ISO 17025, have a look at the article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
I’m assuming you are referring to Appendix 1 – Specification of Information System Requirements.
Considering that, you should create this record for each piece of software listed in your Risk Treatment Table for which you have identified risks that need to be treated by control A.14.1.1 (Information security requirements analysis and specification). Please note that these records can be created either for each individual piece of software or as a single record for a set of software which shares the same security requirements.
Considering the software under development, you need to create a record for each new version (this will help you track the changes and evolution in security requirements).
For further information, see:
ISO 27001 is a management framework for the protection of information in general, and does not cover specifics related to privacy and medical data, depending upon the defined requirement (e.g., GDPR, HIPAA, etc.).
Considering that, ISO 27001 may not be enough to ensure fulfillment of privacy requirements. In this case, you should consider using additional ISO 27001 supporting standards, like ISO 27701 (for privacy protection) and ISO 27799 (for health organizations).
For further information, see:
ISO 27001 does not prescribe assets and threats to be used for risk assessment, so you should consider assets and threats regarding your own organizational context (e.g., industry, adopted technologies, etc.). Without this kind of information it is not possible to provide a more detailed answer.
What we can say at this moment is that you should avoid using such broad categories, because assets/threats related to them may require different treatment approaches. For example, in software, you can have off-the-shelf software and internally developed software. For the network, you can have firewalls and switches. As for the environment, you may have fire and flood.
Included in your toolkit you have a Risk Assessment Table with lists of assets, threats, and vulnerabilities commonly used in information risk assessment. It is located in folder 05 Risk Assessment and Risk Treatment. Additionally, you have access to a video tutorial that can help you perform risk assessment, using real data as an example.
These articles will provide you a further explanation about risk assessment:
EU GDPR requires the data controller, when processing personal data (i.e., the names of participants in a Zoom lesson), to inform the data subjects about the use of personal data. If the data controller aims to modify and add some further use (i.e., publishing the video on YouTube), it shall inform the data subjects and require their consent. Of course, it is needed to have consent from the students mentioned. Another solution can be to anonymize the video by editing the lesson and removing the name of the student. In that case, with only your voice in the video, it may be published.
Here you can find more information about consent:
If you need to understand how to comply with the EU GDPR and manage consent you can consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
1. We are a processor and have received a data subject access request via the controller for personal data that is bundled together with personal data from several different persons - how should we respond, because if we provide any information, we would reveal personal data from other data subjects as well?
Article 28 par. 1 h) GDPR requires that the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. This means that you will inform your data controller, who is in charge of the relationship with the data subject, that the access request should be rejected because it infringes third parties' privacy. The data controller will decide how to behave.
2. For a company based in the UK, should we register the name of our DPO with the ICO?
Yes. Consider that a UK-based company is under the UK GDPR since the UK has left the EU.
If you need more information about the difference between data controller and processors or data subjects rights, here you can find some resources:
If you need to understand how to comply with the EU GDPR you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/