This bulletin has been produced to clarify UKAS expectations on the inclusion of client data within UKAS CertCheck, specifically regarding the limitation of information in exceptional circumstances. It is important for the effectiveness of CertCheck in achieving its aims that all information is included wherever possible and therefore limitations should be minimised, based on the policy below.
This bulletin applies to all certification bodies that hold UKAS accreditation under ISO/IEC 17021-1. Further details on UKAS expectations regarding UKAS CertCheck can be found in Schedule A of the UKAS Customer Agreement (available from the customer area of the UKAS website).
UKAS CertCheck is a mandatory mechanism that supports UKAS accredited management systems certification bodies to meet clause 8.1.2 in ISO/IEC 17021-1 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements:
Reference: ISO/IEC 17021-1 clause 8.1.2, note 1
8.1.2 The certification body shall provide upon request information about:
- geographical areas in which it operates;
- the status of a given certification;
- the name, related normative document, scope and geographical location (city and country) for a specific certified client.
NOTE 1 In exceptional cases, access to certain information can be limited on the request of the client (e.g., for security reasons).
2.0 UKAS policy on what constitutes ‘exceptional cases’ for Note 1 of ISO/IEC 17021-1 Clause 8.1.2
2.1 In all cases, data on clients certified by ISO/IEC 17021-1 accredited certification bodies must be uploaded to UKAS CertCheck and updated at least once every 4 weeks.
2.2 Where appropriate and justifiable, certification bodies may mark a client as ‘confidential’. Where this is the case, data relating to the client (beyond that specified in section 2.4 below) will not be visible to UKAS CertCheck visitors. Justifiable reasons for marking a client as confidential are as below:
2.2.1 Where the client is certified for activities related to National Security
2.2.2 Where publishing the location of, scope of, or activities of the client could reasonably present a significant safety risk to the client, their employees, or the client’s customers
2.2.3 Where there is a Government or regulatory requirement that such information is kept confidential
2.2.4 Other – to be justified and agreed with UKAS (see section 2.3)
2.3 Upon request from UKAS, certification bodies shall provide justification for the marking of a client as ‘confidential’ within UKAS CertCheck. Where the justification for marking a customer as ‘confidential’ is not covered under subsections 2.2.1 to 2.2.3 above then agreement must be sought from UKAS before marking the client as ‘confidential’.
2.4 Where a client is marked as ‘confidential’ then visitors who search UKAS CertCheck on the client’s name or certificate number will only be presented with the following details:
2.4.1 Confirmation that the organisation is certified
2.4.2 Confirmation of the certification body that certifies that organisation
2.4.3 Contact details of the certification body that awarded the certification, allowing the verifier to contact the certification body should it need further information
Queries relating to this policy should be addressed to the Certification Body’s appointed UKAS Assessment Manager.