At GCAI Certification, we recognize that trust in our certification services depends on how responsibly we handle the confidential information shared with us. This policy explains how we protect all client and stakeholder information in line with ISO/IEC 17021-1:2015 Clause 8.4, ISO/IEC 27006:2024, applicable legal requirements, and our contractual obligations.
1. Purpose
The purpose of this policy is to:
- Protect the confidentiality of information obtained or created during certification activities.
- Ensure information is used strictly for its intended purpose.
- Provide transparency to clients on how their information is managed and under what circumstances disclosure may occur.
2. Scope
This policy applies to:
- All GCAI employees, contracted auditors, technical experts, committee members, and external providers.
- All forms of information, whether written, electronic, oral, or visual, obtained during:
  - Application and contracting
  - Audits and assessments
  - Certification decision-making
  - Appeals, complaints, and impartiality reviews
3. What We Consider Confidential
Examples of confidential information include (but are not limited to):
- Client audit reports, findings, and corrective action records.
- Certification documentation, applications, and contracts.
- Proprietary or sensitive client data (processes, trade secrets, business practices).
- Internal GCAI records, decisions, and communications not made public.
- Information obtained from complaints, regulators, or whistleblowers.
Note: Information already in the public domain (e.g., certification status on our website) is not treated as confidential.
4. How We Manage Confidentiality
- All personnel sign Confidentiality & Non-Disclosure Agreements (NDAs) before undertaking certification work.
- Confidentiality obligations extend beyond the duration of employment or contract.
- Confidentiality requirements are embedded in our contracts with subcontractors and external experts.
- Information shared internally is strictly on a need-to-know basis.
5. Rules for Disclosure
Confidential information will only be disclosed:
- With written consent from the client.
- When required by law (e.g., court orders, government/regulatory investigations).
- When required by an accreditation body or IAF peer evaluation, limited to what is necessary.
👉 In such cases, unless prohibited by law, the client will always be notified in advance.
6. Information Security Controls
- Access to confidential information is role-based and controlled by secure authentication systems.
- Electronic records are encrypted and backed up.
- Physical records are stored in locked facilities with restricted access.
- Secure transmission methods (encrypted email, secure portals) are used when sharing client information.
- Information retention and disposal follow documented procedures aligned with ISO 27001 practices.
7. Personnel Responsibilities
All GCAI personnel must:
- Complete confidentiality and data protection training annually.
- Report any suspected breaches immediately to the Confidentiality Officer.
- Avoid discussing client information outside of professional duties.
- Sign ongoing acknowledgment of confidentiality obligations.
8. Breaches & Violations
Any misuse, unauthorized disclosure, or breach of confidentiality may result in:
- Revocation of access rights.
- Disciplinary action, up to termination of employment or contracts.
- Legal action where applicable.
- Notification of affected clients, regulators, or accreditation bodies.
9. Oversight & Review
- Oversight of confidentiality practices is carried out by Top Management and the Impartiality Committee.
- Risk assessments are conducted annually to identify new confidentiality threats.
- This policy is reviewed every year, or earlier when changes in law or standards require it.
10. Contact Us
Questions, clarifications, or reports of concerns may be directed to:
📧 operations@gcaicert.com | ☎️ +91 9986877136