Handling Confidential Customer Documentation During Audit

Good Morning all.

I'm looking for some advice.

We are BRCGS Grade AA accredited.  We have a customer audit next month and I'm just wondering about confidentiality when some documentation relates to other customers (eg a customer complaint or production records etc).  We haven't had a customer audit since we got certification to BRCGS 15 years ago and so this has me puzzled.

Would really appreciate any advice on this.

Thanks.

Hi, for the last three BRC audits I've been involved with, all customer information has been abbreviated by the auditor. The auditor also follows strict confidently rules and has always stated this in the opening meeting.

Edit: I've just realised I read the post wrong and you have a customer audit. When we've had customers they're only interested in there orders documentation. Not sure if it will be the same for every customer audit though. 

Hi Mike,

Thanks for the quick reply.

I suppose my concern is that if he looks for evidence of a complaints procedure and analysis, this will include details of another customer/product?  I'm not sure how to show evidence of root cause analysis without showing the other customer name / details?

Maybe a way is save the log as a second copy and change customer names with "Company A" and "Company B". Use this as the evidence. Then make sure you tell the auditor certain information has been redacted due to confidentiality, usually in the opening meeting this can be discussed.

Thinking back we had a customer audit 2 months ago, but it was an independent auditor on behalf of our customer, he made sure not to record other customer names.

Yes I think that's the best option.

Many thanks.

Assuming an NDA is on file, we share records related to their account and their production typically for existing customers. For new customers we will review records for production of a general item and they can review policies/procedures for customer complaints as well as an example complaint that outlines the process. We MIGHT show customer complaint trending without names associated to the data if they press. We are audited by customers NUMEROUS times EVERY year despite BRC AA rating. Consider yourself very lucky to have dodged the bullet up to this point :D 

Hi Norma,

My first question would be anything particularly exclusive in the general records you wouldn’t want to show?

The other thing is, if I’m your customer I want to see records for my products, not someone elses anyway. If they do ask to see any documents related to anything other than their own products then you should politely refuse on the grounds of confidentiality.

Good to hear that being BRCGS AA graded has meant that this is your first customer audit in 15 years.  :thumbup:

Some members have a real downer on the whole GFSI benchmarking system and the value of it. Having previously worked at site that had 1 to 2 customer audits/visits per week I’m all for it.

Kind regards,

Tony

Redact!  We scan and redact anything with vendor, customer or proprietary information on it prior to showing a customer.  No one has ever complained.  It takes planning upfront, but makes the audit much smoother.