Validation of Document control - Electronic

Hello !

We are in the process of switching to paperless for all our forms and such. I am able to do a validation and internal audit of our documents and archives control, but I am having a bit of issues to see how I could prove that the paperless system is secure, protected and data cannot be changed after it is submitted. We are with SQF, level 2.

Anyone have some insight on how to do this ? Or if you are paperless now, how do you prove to your auditor that the documents are compliant to :

If you are going paperless, I would assume IT would have to be involved in some way. IT would also be able to encrypt or set specific parameters for document viewing. (i.e. someone from another department will not have access to your files, and vice versa). 

A way to audit and verify that document control is happening would be to try to access specific documents from an external source. 

If your IT is not involved, then whomever is responsible for your server would be the person to go to in regards to documentation privacy changes. 

Hope this helps. 

What are you using for your paperless documents?

Marshall

Hello !

We are trying out GoCanvas. So far I really like them. They are a bit more expensive than the other companies, but they offer more.

We are a very small company, so we don't have an IT department on site... I will however check with the technician that usually comes when we have issues, see if he has a way to encrypt it for the outside of the company.

Thank you !

Hello !

 

We are trying out GoCanvas. So far I really like them. They are a bit more expensive than the other companies, but they offer more.

 

We are a very small company, so we don't have an IT department on site... I will however check with the technician that usually comes when we have issues, see if he has a way to encrypt it for the outside of the company.

 

Thank you !

Out of curiosity, as small as your company is, does your own personnel take care of landscaping, if there is any? And by landscaping i mean cutting grass, pulling and spraying weeds, and trimming hedges? 

Good morning kkalpakidis !

A few years ago we used to do it in-house. We usually have a day or two within the week where production is lower, so we used to take care of landscaping. Production picked up, so now we no longer have the time so we have an external company do it. We still, however, take care of our own office cleaning (dust, floors, etc.).

Have a good day !

Hey,

I don't have any experience with this audit scheme, but spent a long time in the IT industry.  Maybe some of these approaches might be useful to you.

1.) The provider (Go Canvas) will have a disaster recovery (DR) plan in place.  You should be able to point to that for the 2.2.2.3 section.  Most of these "cloud" providers use Amazon Web Services (or Microsoft's Azure) so they would just likely point to that, but you can just ask them who they are hosted on/by and probably get some documentation on that entity's DR efforts via google.  It's a fairly common question for someone like GoCanvas to answer (They may have info about it online). 

2.) For electronic storage in house, typically in manufacturing only a few people have PCs and those are password protected, so you can say that the access is both limited and secured.  If you have your own data backed up off-site somehow (and you should) then you can point to that as well.  

3.) PDF's themselves are generally considered secure, although it is possible to break them, but since you would have data stored via Go Canvas and locally, you would bypass any concerns for that.  And that's being darn nit-picky.  

4.) Because you are relying on online forms, document control becomes a non-issue.  If you make a change to the underlying design, it is immediately reflected in any subsequent submissions.

I wouldn't stress out too much about the security given how you have described how it works.  I cannot see a Food Safety auditor being that IT savvy as to try and nit-pick you around hypothetical risk in this area. 

"We use this online provider.  They use this hosting service who has these disaster recovery capabilities and services.  We also store copies locally with our own off-site storage/DR plan.  Our local document storage is controlled this way.  The documentation itself is in PDF format and cannot be changed after submission.  Finally, the forms themselves (being online) automatically provide document control." 

Anyway, maybe something of value is buried in here.  Hope the transition goes well.

Good luck,

Todd