16 replies to this topic

[3esa]

hello,

I've been tasked with writing a confidentiality policy which would apply to some of our records.  Basically, my company wants some records to be declared confidential, and 3rd parties would have to write a formal request to access those records.  Would anyone be willing to share a template or other to help my endeavor?  

[GMO]

Sorry, not got anything.  We do have an NDA which we make some people sign but to be honest there has to be a certain amount of information sharing or otherwise people can't check your systems.  What is the purpose of the formal request apart from to annoy the 3rd party?  Presumably they're still going to get them anyway, just be frustrated with you as well.  Why not just convert them all to PDF with a "confidential" watermark on them when sending to 3rd parties?

[MWidra]

We also use an NDA. 

 

Remember that in the US, you usually cannot restrict a regulatory agency from accessing your records because it is in the public interest to strictly regulate your industry.  This is called an "administrative search warrant exception."  And if you manage to turn them away, they'll come back with a warrant anyway, and be unhappy with you.

 

*Disclaimer, this is NOT legal advice!  Consult your corporate attorney first!*

 

When you enter into an agreement to pay someone to audit you, you usually consent to allowing them access in the contract, at least those that I have seen.

 

If you want to restrict access of a 3rd party auditor sent by your customers, that may jeopardize your relationship with the customer.  I would think twice about denying access.

 

You may want to write a very solid NDA instead, but that's my humble opinion.

 

Martha

[RMAV]

There's another reason to have a confidentiality policy.  I've seen where unscrupulous individuals employed by a customer mine for information by directly contacting some unwitting clerk.  Said unwitting clerk, likely wanting to be important, supplies them with important information.  It's helpful to have information they cannot share marked or covered by a written policy.

 

A formal request, reviewed by the appropriate company officers, helps ensure the right people get the right information and information that should not be shared does not get shared.

[MWidra]

There's another reason to have a confidentiality policy.  I've seen where unscrupulous individuals employed by a customer mine for information by directly contacting some unwitting clerk.  Said unwitting clerk, likely wanting to be important, supplies them with important information.  It's helpful to have information they cannot share marked or covered by a written policy.

 

A formal request, reviewed by the appropriate company officers, helps ensure the right people get the right information and information that should not be shared does not get shared.

Agreed.  You should have a policy where all document requests are to pass through particular managers.  That usually extends to pricing as well.  But that would not include what are usually called "3rd party" individuals, who normally are employed by the company or a customer for auditing or inspection purposes.

 

I guess that the OP needs to define what is meant by 3rd party.  I had used the definition normally used in our industry, and that may have been in error.

 

Good point, RMAV.

 

Martha

[MWidra]

It can be put into an Inspector and Visitor Policy, which we all usually have.  This one does not allow removal of documents without permission.  It would be easy to add something about documents requested via mail, telephone, or email.

 

Martha

 

 

Attached Files

•  Visitor & Inspector Policy generic.docx   18.79KB   80 downloads

[GMO]

Agreed.  You should have a policy where all document requests are to pass through particular managers.  That usually extends to pricing as well.  But that would not include what are usually called "3rd party" individuals, who normally are employed by the company or a customer for auditing or inspection purposes.

 

I guess that the OP needs to define what is meant by 3rd party.  I had used the definition normally used in our industry, and that may have been in error.

 

Good point, RMAV.

 

Martha

 

I know what you mean but the amount of requests we get for technical info; everything would go through a manager.  Our teams have to use a bit of sense otherwise you will tie up your managers with basic admin.

 

It might help to decide what is truly "secret" in your company anyway.  There's probably very little which is a risk and then control those documents instead.

[MWidra]

I know what you mean but the amount of requests we get for technical info; everything would go through a manager.  Our teams have to use a bit of sense otherwise you will tie up your managers with basic admin.

 

It might help to decide what is truly "secret" in your company anyway.  There's probably very little which is a risk and then control those documents instead.

Requests for technical documents go through Customer Service here, and there are "canned" documents prepared that are for release.  Requests for food safety related docs go through me, and I also have some "canned" docs available.

 

Anything more detailed go through the President, who is one of the owners.

 

We have a VERY small company, so it's manageable.  If you are PepsiCo, you probably have an entire department that does that.  Companies in between, you have to decide which is more of a problem, the loss of manager time or the loss of docs.

 

Having those "canned" docs helps out a lot, since most of our requests are similar.

 

The worry about trade secrets, which cannot be patented or copyrighted, is that once they are released to anyone, they are no longer a trade secret.  Better to have something available to share that does not reveal anything important.

 

This has actually turned into an interesting discussion, and it is cool to see how others handle this issue.

 

Martha

[RMAV]

MWidra and GMO, I agree with your comments. 

 

"3rd party" in our circles, typically means the auditor.  But even then one must be cautious.  I recall several years ago an auditor was asking probing questions not germane to the standard that were perilously close to what I would refer to as corporate espionage.  We told him to go jump in the lake.  It's unfortunate, but there are people out there who have no conscience with regard to an NDA they signed.

 

I keep an electronic version of canned and vetted documents as well.  Attach to email and you're done.

[Kellio]

Confidentially agreements should be written by Legal Consult or Legal Department.  I would make sure any Legal advise must have expertise in the Food Industry.  More and More I have been reading and hearing about this subject.in the industry

 

FDA will not ask for formulations or proprietary specifications; however, if the product has caused damages, this is the power FDA has gained with FSMA and refusal to show documentation will be considered a criminal act.  As far as GFSI standards, they will be subject to the Third Party Audit Rule and refusal to show evidence of their standard may bring collateral consequences with FDA because FDA will be certifying GFSI Certifying Bodies. SQF will unveil their Version 8.0 and It include an Addendum for Preventive Controls.

 

If you follow and understand the GFSI standards, you will not have any issues with Confidentially Agreements.

 

I will strongly suggest you Google and review all information pertaining Peanut of America and learn from their mistakes. 

 

This is my personal comment.

 

I hope this helps,

 

Kellio

[MWidra]

"3rd party" in our circles, typically means the auditor.  But even then one must be cautious.  I recall several years ago an auditor was asking probing questions not germane to the standard that were perilously close to what I would refer to as corporate espionage.  We told him to go jump in the lake.  It's unfortunate, but there are people out there who have no conscience with regard to an NDA they signed.

That would prompt an immediate call to the company who provides the auditor, to state my objections.  That way, the auditor could not ding me on not providing docs, but also to document that the auditor was asking for items that were not appropriate.

 

If an auditor is spying on the companies he is visiting, his employer would want to know.  If he reveals something he learned in the course of his employment, they will be sued.  Go for the deep pockets...

 

Martha

[RMAV]

I, of course, will not comment on what happened to said "auditor."  I couldn't find an emoji for it, but he may or may not have had a similar experience to Wile E. Coyote.

 

"As far as GFSI standards, they will be subject to the Third Party Audit Rule and refusal to show evidence of their standard may bring collateral consequences with FDA because FDA will be certifying GFSI Certifying Bodies." -Kellio

 

I'm no expert on FSMA...I thought the 3rd party auditor spy for the government was only for importers and exporters to U.S...?

[Kellio]

I, of course, will not comment on what happened to said "auditor."  I couldn't find an emoji for it, but he may or may not have had a similar experience to Wile E. Coyote.

 

"As far as GFSI standards, they will be subject to the Third Party Audit Rule and refusal to show evidence of their standard may bring collateral consequences with FDA because FDA will be certifying GFSI Certifying Bodies." -Kellio

 

I'm no expert on FSMA...I thought the 3rd party auditor spy for the government was only for importers and exporters to U.S...?

Not necessarily, it may affect US domestic also, The Auditor whether in the US or Outside the US has a code of conduct from the Certifying body.  He is there for an scheduled audit or an scheduled consultation. Anything outside of that scope, you should report the Certifying Body immediately. For every Audit , you should have an agreement letter you have to sign which includes terms of confidentiality. We do for SQF and Certifying Body for every audit and scope.

FDA Inspectors (now called Investigators) they have to follow the law as well. There is section under FSMA where explains "the rights of the supplier or the organization" .  I had a training on this subject and the instructor emphasized 'to know your rights".  This is all new to a certain extent so Legal counsel with expertise on FSMA and on the Food Industry is probably a must have at the beginning. 

 

I hope this helps,

 

Kellio

[Kellio]

Welcome to Preventive Controls in Human Foods!

 

One of the Preventive Controls measures is "Supply-Chain Preventive Controls" programs. 

 

As a warehouse, you are definitionally part of the supply chain. IF the people using YOUR services determine through THEIR hazard analysis that YOUR facility and functions may pose a significant risk to THEIR product, they need EVIDENCE that you are adequately minimizing those risks. 

 

How do they know you are receiving materials properly? Checking for sealed incoming shipments? Checking for damage, signs of pests, correct lots and items received, etc.?

 

How do they know you have a clean and sanitary facility? How do they know you adequately control for allergen hazards (and other separation concerns like kosher, halal, organic, etc.)

 

How do they know you pick and pull the right stuff?  Make sure the right things go to the right customers in the right quantities? 

 

Do you do any relabeling for your customers?  That's a processing step, and often regarded as a critical control point.  How do they know you put the right label on the right bag and didn't introduce a hazard like incorrectly declared allergens at this step?

 

Do you receive in any damaged or returned from customers items?  How are you managing that?  How do they know that your storage of damage prevents cross contact as well as prevents accidental shipment of on hold items?

 

(and so on).

 

Everyone is going to have to get WAY more comfortable in dancing WAY closer.  The only way that you can satisfy the requirements of the customer asking how you do all that stuff up there is to provide them with examples of your programs and evidence that you are DOING all that stuff and doing it RIGHT. 

 

You will be sending out a metric buttload more documentation.  Also, non-conformances in the supply chain will REQUIRE a WRITTEN root cause analysis as well as a 30 day verification of effectiveness report. 

 

GOOD TIMES AHEAD!!

[MWidra]

Not necessarily, it may affect US domestic also,...

 

FDA Inspectors (now called Investigators) they have to follow the law as well. There is section under FSMA where explains "the rights of the supplier or the organization" .  I had a training on this subject and the instructor emphasized 'to know your rights".  This is all new to a certain extent so Legal counsel with expertise on FSMA and on the Food Industry is probably a must have at the beginning. 

The FDA 3rd party certification program is for auditors who will be visiting foreign facilities.  It will be used to verify that food to be imported is safe, or to help an importer qualify for the Voluntary Qualified Importer Program.  A GFSI auditing entity could do it if they are accredited by the FDA to do FSMA audits, but this is not about GFSI audits.

 

http://www.fda.gov/F...A/ucm361903.htm

 

http://www.fda.gov/F...A/ucm361902.htm

 

I would like to know the section that talks about  "the rights of the supplier or the organization" and what that term means.  Do you have the CFR citation for it?  I don't see anything that talks about the rights of the entity that is being inspected in the Human Food Preventive Controls regulations, but I may have missed it.

 

Martha

[3esa]

Ok guys.  Thank you for all your replies.  I was not aware it would be this involved.  I discussed with my boss and have received the approval from top management to have our legal advisors work out a policy.  They're in the best position to know what to say and how to say it. 

 

Thank you all

[GMO]

Some interesting points have come out of this.  We also have some simplified documents which get sent out and put on specs.  Ok, the sent out I understand but recently it's become obvious that those put onto specs are actually wrong, not just a simplification but wrong.  It depends on your product sector certainly but are there really all these secrets going on in the food industry?  Are there really so many different sites all doing their own thing?  Maybe it's just the UK but whenever I go into a factory to audit or visit, there is rarely something I see which is genuinely new (with a couple of very specialised processes aside.)  Sure you sometimes pick up some hints and tips which are different but do you ever really think "WOW!  I've seen something ground breaking!"  Not in my experience.

 

I once worked in a new build project where we'd put in line machines which had never been run in that way before.  Top secret, very few visitors who were kept away from the lines.  The thinking was that no other manufacturer would be able to afford to do what we'd did.  A few years later, I saw an almost identical set up to the main guts of that process in a factory with a turnover 1/4 of the size.  Neither had visited the other.

 

In another vein some level of sharing deliberately can be good.  I found out about one method for disinfecting a piece of equipment from a friend which we're going to try and passed it onto another friend who is also going to try it.  Basically by being on here we are all, at times, sharing to get best practice.  

 

That said, I will consider putting onto our visitor's questionnaire a statement regarding secrecy just before they sign...