Answer: Although doctors have a statutory requirement to keep patient data confidential, they may also have access on a daily basis to data belonging, for example, to other medical staff within the hospital or even patients' next of kin data. Since this is not covered by the statutory requirement, I would suggest that the doctors have a confidentiality agreement signed.
2. What about if the hospital insists on signing such an agreement emphasizing the code of conduct of the hospital?
Answer: The hospital administration would need to justify this by the need to also ensure that confidentiality is extended beyond patient data.
If you want to find out more about the EU GDPR, check out our EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
Establish QMS compliance to ISO 13485 as a reagent manufacturer
Answer:
Even though your company does not manufacture the IVD set, the reagent forms part of the IVD set. Therefore, the above clauses on the medical device file, advisory notice, risk analysis and complaint handling still apply. Do take note that ISO 13485 is applicable to any company that deals with medical devices, regardless of whether they are just providing design, installation, servicing, etc. For instance, in the case of complaint handling, if there is a report of contamination in the reagent, this is required to be documented with the corrections and corrective actions taken. This would also escalate to a field safety notice if the contamination leads to an erroneous result of the IVD kit, leading to a batch recall.
For more information, please refer to the following material:
If the gateway payment providers are companies such as PayPal which process payments of your customers, they are independent controllers as they decide which information to ask and process from your customers to operate the payment. But we may have a different view on what a gateway provider is. If you refer to a company that only issued invoices on your behalf, then that company would be a processor.
2. You mentioned a controller to controller terms in place, could you provide us with a sample document of this sample?
3. We need one in place for our Affiliates/Partners as we are likely a processor to them. This is our scenario: Our company sells tickets to customers using our own database. Our Affiliates/Partners have their own set of customer databases. As we provide a commission to them for driving their customers' traffic to our website, we process their data by providing the tax invoice to their customers. Does this mean we have become their processors? Or is this independent controller? Please advise. If this is independent controller, please share a draft document with us.
Answer:
Based on your description, both you and your Affiliates/Partners are acting as data controllers as they both use their own databases of customers and the fact that you are paying them to forward traffic to your website does not make you their processor. For any user/visitor data coming to your website, you are acting as a data controller.
Supervisory authority and extra-territorial provisions
Answer:
Where the extra-territorial provisions of the EU GDPR apply, the controller or the processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large scale processing of sensitive personal data.
So, there is this obligation to have a representative in the EU and the representative will have to face the relevant supervisory authorities and accept liability for breach of the Regulation, which could now be substantial.
Certification requirements
The CES environment is a highly secure virtual environment built in the AZURE cloud. The goal is to seek ISO 27001 certification of this virtual data center. To ensure that new applications enjoy the ISO certification credentials issued to the CES environment, any new internal applications and COTS software that will live in the above environment will follow an onboarding process. The onboarding process will be managed through an Operating Level Agreement with clearly defined security criteria that should be met (8 access, 9 asset, 14 development etc…). The development teams are out of scope for this audit as they are located all around the world. Having said that, the development and production environments will all live within the CES environment. Teams will access the development environment by remote access through the CES communication channels. Development or production communication channels into the virtual environment will be managed by the CES virtual security controls. All of these criteria will be internally audited and approved by the CES team prior to allowing dev teams to live and operate within the CES environment. Customers accessing the applications can only do so by first being authenticated by the CES front end. All networking and communication activities will be monitored, managed and controlled by the CES front end.
Analogy: CES is a highly secure hotel. Applications can only get a room in this hotel by checking in, meeting all the stipulated CES security checklists and being approved by the CES team. Once checked in, any communication with the applications or other systems in the hotel by someone or something must pass through the gate that CES controls, monitors and manages. We are hoping that with this design, any applications that are onboarded after the certification is issued are also automatically conferred the ISO 27001 credentials. The assumption is that the onboarding process gets audited during the certification audit.
Thoughts? Will this be acceptable from a certification registrar perspective?
Answer:
ISO 27001 cannot be used to certify software, only the processes that support it (e.g., development and maintenance processes). Considering that, if you can show evidence that your onboarding process can reduce the identified relevant risks of introducing new applications to the environment to acceptable levels, that incidents are handled properly, and that the environment is continuously improved, this will be sufficient for a successful certification audit.
These articles will provide you further explanation about security in software development and defining the ISMS scope in the cloud:
Certifying a family of products under ISO 13485 when the company is ISO 9001 compliant
What do you recommend in terms of elaborating an implementation plan?
Answer:
The first step of the implementation plan is to adapt your current company’s QMS to the type of medical devices that your organization will be dealing with such as the inclusion of medical device files, design and development file, software validation and sterilization process just to name a few.
Here are the steps to successful implementation of ISO 13485:
1) Get management support.
2) Identify requirements.
3) Define the scope.
4) Define processes and procedures.
5) Implement processes and procedures.
6) Deploy training and awareness programs.
7) Choose a certification body.
8) Operate the QMS / Measure the system.
9) Conduct internal audits.
10) Conduct a management review.
11) Take corrective action.
12) Perform the stage 1 certification audit.
13) Perform the stage 2 certification audit.
Answer:
By “facilitation body” I believe you mean “consulting company”.
I can suggest including:
What is the purpose of the project – Implementation of an EMS according to ISO 14001:2015
What are the deliverables – The success criteria will be getting the ISO 14001:2015 certification by an accredited certification body
What is the timeline agreed – When will the project start, when will the project finish, what kind of work rhythm will be followed
Who will work with us – Be careful to ensure that you will have someone with experience working with you. Sometimes, consulting companies start the negotiations with an experienced consultant and then, when the work starts they put an inexperienced junior working with you
How will the project be controlled – What kind of information they will issue, and with what frequency, about project monitoring and control. And the frequency of monitoring and control meetings
Ownership and accountability – Who will be responsible for handling problems and complaints
Payment conditions – You can consider linking partial payments to the meeting and approval of project milestones
Cancellation terms and notice required
Confidentiality – Details the terms of confidentiality the consultant must uphold.
Date of contract
Answer:
The whole management system must be internally audited every year, including top management. Your organization can prepare an internal audit program where the whole management system is audited on 3 partial audits spread over a year, and one of those audits will include in its scope auditing top management specific topics.
Answer:
Actually, the management system standards do not prescribe that the whole QMS should be internally audited every year. However, all certified organizations internally audit their QMS every year because that is a requirement from the certification bodies, written in the contract between organizations and certification bodies.
ISO 27017 and ISO 27018 do not make sense without implementing ISO 27001 as well, because this way you would only have the controls without the management system that can maintain and correct the controls when needed.
And although ISO 27017/18 provides more guidance and orientation for controls to be applied to cloud/virtualized companies, if you do not have specific requirements demanding implementation of cloud/virtualized related controls (e.g., to comply with GDPR) you can go with only ISO 27001, because this standard already provides a good coverage for cloud/virtualized environments.