OSS Middle East shall be responsible, through the signed Certification Agreement, for the management of all information obtained or created during the performance of certification activities. All information about the client, including documentation, records, data (hard copy and electronic formats), and verbal information that comes into the possession of OSS Middle East or any of its representatives shall be treated as confidential. Information about the client obtained either through the client, its representatives or from sources other than the client (e.g. complainant, regulators) shall be treated as confidential. Staff, including board members, contractors, staff of external bodies and individuals acting on OSS Middle East’s behalf, shall keep confidential all information obtained or created during the performance of OSS Certification’s activities.

Management of confidential information shall be as follows:

a) Confidential information shall not be disclosed to another without permission, per Certification Agreements and Staff agreements;
b) Confidential information shall be stored securely at all times and will not be left accessible, such as on screens or desks, when staff are away from their seats;
c) Emails and confidential electronic information shall be password protected on the computer network; staff shall not share passwords;
d) Hard copies of confidential documents shall be stored in lockable filing cabinets within a locked office;
e) When hard copies are being moved (e.g. between the client and OSS Certification premises), confidential information shall be kept within a locked case;
f) Hard copies in transit (per clause e) shall not be left unattended in cars or other locations;
g) Confidential information that is no longer required shall be shredded and electronic copies deleted from the computer system, or returned to the client if applicable.

Except for information that the client makes publicly available, or when agreed between OSS and the client (e.g. for the purpose of responding to complaints), all other information is considered proprietary information and shall be regarded as confidential.

Documentation relating to any agreements made with the client regarding exceptions to confidentiality as per this clause shall be kept. Clients shall be informed in advance of the information OSS Middle East intends to place in the public domain. Wherever possible, clients shall be informed in writing. Where this is not feasible, clients shall be notified by phone and documentation kept of the conversation including specifics of the information to be placed in the public domain, the client’s representative’s name, the OSS Middle East representative’s name and position, date and any limitations stated by the client.

Where OSS Middle East is required by law or authorized contractual arrangements to release confidential information, the client or person concerned shall, unless prohibited by law, be notified of the information to be provided. Wherever possible, clients shall preferably be informed in writing. Where this is not feasible, clients shall be notified by phone and documentation kept of the conversation including specifics of the information to be placed in the public domain, the client’s representative’s name, the OSS Middle East representative’s name and position, date and any limitations stated by the client.

Where OSS Middle East wishes to disclose information about a client to its responsible body, it shall first seek the client’s permission. If permission is denied, OSS Middle East shall only disclose this information to the responsible body if it takes the view that to do so would be in the best interests of the client’s consumers, or in accordance with any applicable legislation.
