Here’s an interesting, if offbeat, little nugget. Many of the world’s ISO certification bodies (CBs) are borrowing each other’s Confidentiality Policies in order to get themselves accredited. That’s not illegal, and it’s probably not even quite unethical, but it is both ironic — they are “confidentiality” policies, after all — and hilarious. It illustrates two things: first, CBs almost never have in-house counsel advising them on important legal matters or contract development, and second, they are lazy bastards.

First, understand that as a requirement to be accredited, such CBs must have legally-enforceable contracts in place which ensure they will protect the confidential information of their clients or others. The irony here is that the CBs who have these agreements in place just ignore them anyway; every time your auditor prefaces his consulting advice by saying, “I can’t consult, but here is what I’ve seen in other companies…” he’s violating the NDAs and confidentiality agreements he has on file. It doesn’t matter if he names the other companies or not; he’s not allowed to reveal their corporate information in any context, whatsoever. And yet they all do it, because they are trained to do it. (But that’s the stuff for another article.)

So, sure, they have to write one of these policies in order to get accredited; but they don’t have to spend any money on it; instead, they just steal whatever policy they can find from one of their competitors. Yay, cannibalism!

Let’s take a look. Here are the first few sentences of the confidentiality policy for registrar Alcumus ISOQAR (this comes from their India website, but likely was taken from ISOQAR’s UK HQ):

Staff and Sub contractor Requirements

All information received by or available to ISOQAR staff, sub-contractors or committee members (in whatever format) received in conducting audit activities, or during other certification activities, or during any dealings with an organisation for any other reason shall be regarded as strictly confidential and shall not be divulged to any 3rd party (unless specified in ISO 17021:2011) without the express permission of the organisation or individual concerned.

And here’s the policy appearing on the website for registrar CERTIND (Egypt):

Staff, Auditors and Sub Contractor Requirements

All information received by or available to CERTIND-ME, staff, auditors, sub-contractors or committee members (in whatever format) received in conducting audit activities, or during other certification activities, or during any dealings with an organization for any other reason shall be regarded as strictly confidential and shall not be divulged to any 3rd party (unless specified in ISO 17021-1:2015) without the express permission of the organization or individual concerned.

The same exact language appears on the site for Traib Cert (UK):

Staff and Sub contractor Requirements

All information received by or available to TRAIBCERT LIMITED. staff, sub-contractors or committee members (in whatever format) received in conducting audit activities, or during other certification activities, or during any dealings with an organisation for any other reason shall be regarded as strictly confidential and shall not be divulged to any 3rd party (unless specified in ISO 17021:2015) without the express permission of the organisation or individual concerned. The requirement to keep confidential any information will also include any organisation that has a legitimate right to audit or inspect TRAIBCERT LIMITED.

The exact same policy is in use by Certi-Trust (Luxembourg) here. And H-R-I Assurance Services (Australia) here. And South West Certification (Dubai) here. And Prime Certification & Inspection (UAE) here. And so on.

So just bask in that irony: the policy that CBs claim will protect your intellectual property was stolen from some other CB’s intellectual property.

The Accreditation Bodies who accept these policies don’t care, because they are even lazier than their CB clients. They just want to hurry up and start collecting accreditation fees. The policies could have been written in blood at a murder scene, and they’d still accredit the killer if his check cleared.

The same copying-and-pasting shows up in other key CB policies, too. Apparently, many registrars have ignored that pesky little “©” symbol that appeared on SGS’s Certification Mark policy published way back in 2003 (here) and started copying it for themselves. The same language crops up in the “use of mark” policies for Bureau Veritas (here), Certified Conformity (here) and Certi-Trust (here) among others. If SGS was the original author of this — and that’s not a sure thing — then it means the CBs are using a stolen, rights-protected document to tell you how to ensure you don’t steal their rights-protected logo.

Using boilerplate contract or pleading language is normal in legal circles, and often legal services companies may even publish such templates for general use (see NoLo, for example). But CBs are not lawyers, and it does look bad. You’d think they would spend a few dollars to at least try to customize these agreements and policies a bit, other than cutting out their competitor’s name and slathering on their own.

But, as I said, these registrars are the bottom of the barrel. To expect them to do anything in an upright, honorable manner is like expecting water to stop being wet, or the dolphins to sprout wings and start shooting beer from their blowholes.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.