
"Quality Matters in your Business"

Monday, 30 September 2013

ISO 14001, The Environmental Standard, Revision

Readers of my blog might remember I reported that the revision of this Environmental Standard was due to be completed in 2014 and the new Standard would be named ISO 14001:2014.
ISO received a vast number of comments following the release of the first committee draft, and some serious revisions would have to be made if the Standard was to be universally accepted. Some of the comments were not particularly complimentary.

This has meant that the final issue has been put back to 2015. This will give the ISO committee time to consider all the comments raised and incorporate these into the revised Standard.

The environment and environmental issues are very much in the public eye at the moment, with scientists putting forward the view that mankind has been responsible for climate change and the resulting extreme weather conditions we have all experienced.

Getting the Standard ready for the rest of the 21st century is vital if we are to limit further damage to the environment. Clearly it must also be readily adopted by companies across the world to be effective. Setting unrealistic targets will be counter-productive.

Editors will note that ISO 9001 is also to be published in 2015, so it will be an interesting year.

Monday, 16 September 2013

Data Protection Audit

Last year we were commissioned to carry out a data protection audit for a large public company and we have been asked to repeat the exercise again this year.

The Data Protection Act 1998 defines the Law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. It follows the European Union directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data.

The Eight Data Principles are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

In auditing the requirements of the Act it was necessary to carry out two separate phases:

Adequacy Audit – where the systems employed by the company were checked to see if they addressed all the requirements of the Act.

  • Were the eight data protection principles addressed?
  • Were there provisions for training of staff?
  • Was the Company registered with the Information Commissioner's Office?
  • Was there a named Data Protection Officer?

Compliance Audit – where each of the eight data principles was tested to see what level of compliance had been achieved.

  • What data was being processed?
  • What level of Personal Data was being used?
  • Had a risk assessment for data usage been undertaken?
  • Did the staff understand what the eight data principles were?
  • What training in the DPA (Data Protection Act) had taken place?
  • What checks were in place to ensure the Act was being implemented?
  • What action was required if a breach of the Act was suspected or had taken place?
  • What corrective action would be taken to rectify a data breach?

Once the audit had been completed, a number of non-conformities were declared and an action plan for rectification was agreed.

We checked back with the Company that the agreed actions had been completed, and within the agreed timescale, before concluding the audit.

Monday, 2 September 2013

Changes in Management Standards

ISO9001:2008, the most recognisable standard. This is a Quality Management Standard and addresses best practice for all processes within a business, be it small, medium or large. It is often an entry point to many tenders: without 9001 you may not get past the starting gate.

Due to be updated and re-issued in 2015.

ISO14001:2004, the Environmental Management Standard. This standard is used to show that you are protecting the environment, as well as saving money, by using practices that ensure your aspects (anything that interacts with the environment) are as kind to the planet as possible. You should be able to demonstrate that you take care not to pollute and that you use energy as efficiently as possible. This is often the second entry point to tenders and contracts that specify environmental protection as a requirement.

Due to be updated and re-issued in 2014.

ISO27001:2005, the Information Security Management Standard. This standard is fast becoming the one that companies are seeking. Those holding data or information that requires protection can show that the systems in place ensure the data is kept confidential, its integrity is protected, and it remains available to authorised users.

Due to be updated and re-issued towards the end of 2013.

We will endeavour to update our readers as these changes become clear.

The ISO9001 redraft is at the very early committee stage, and some of the proposed changes could make the update relatively unworkable for smaller companies; however, it may change considerably before publication.

The ISO14001 redraft is a bit further along but still has a long way to go before publication. The latest draft does have some merits and has brought environmental management up to date.

The ISO27001 redraft is at the draft-for-public-comment stage, so this draft cannot be considered final. It has become clear that the committee has received a vast number of comments, and the final draft will reflect some of these. We shall see.

Each of these standards will have a transition period where new applicants can choose to apply the existing standard or the new one.

Eventually, though, all users will have to update their systems to meet the revised standards. Once these are known we will report them on this blog.

Quality Matters

© 2015 Quality Matters Ltd. All rights reserved.