ISO/IEC 17025:2017 requires in article 4.2.1 that the laboratory shall be responsible … for the management of all information obtained or created during the performance of laboratory activities. … all (other) information is considered proprietary information and shall be regarded as confidential.
If a laboratory operates a common computer platform with another legal entity, the question arises as to how comprehensive this confidentiality should be considered.
a) Is permitted that the other legal entity can see the name, address etc. of the laboratory´s customer on the common computer platform if there are legally enforceable commitments on confidentiality toward third parties with the other legal entity?
b) Is permitted that the other legal entity can see also test results, test reports etc. if there are legally enforceable commitments as above mentioned.
c) If (a) or (b) are answered with “Yes” shall be the laboratory´s customer be informed in advance, since this considered as “placed in public domain”? (article 4.2.1: The laboratory shall inform the customer in advance, of the information it intends to place in the public domain)
d) Would the answers with respect to the questions as mentioned as above be identical or different if the laboratory is part of the same legal entity with which it shares the common computer platform but this other organizational unit is not part of the accredited area?
If a laboratory operates a common computer platform with another legal entity then the requirements set in ISO/IEC 17025:2017 about confidentiality shall apply: legally enforcement commitments shall be in place between the laboratory and the providers of the common computer platform and access to records shall be consistent with the confidentiality commitments agreed with the customer or established by legal obligations (cl. 4.2 and 8.4.2).
According to cl. 4.2.1 ISO/IEC 17025, if the laboratory intends to place information in the public domain then the customer shall be informed.