Firstly, we need to clear up a misunderstanding. In ISO speak a record is NOT a procedure, a policy, or a work instruction. These are documents. A record provides evidence that a task has been completed or results achieved. So I can prove that I did an internal audit because I “wrote” (could be an electronic record and may include pictures to support your findings) an audit report. Another example is that I can prove the required result was achieved because I have a record of the weights of finished products or I have a checklist that shows that all the activities were completed. ISO Standards impose different controls on records because they are time related and once produced they must not be changed.

4.2 Documentation Requirements

4.2.4 Control of Records

What does ISO 9001 Say?

ISO 9001 Quality Management Systems has this to say about records –

Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.
The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.
Records shall remain legible, readily identifiable and retrievable.

Why?

Records are the best way of proving that your quality management system, OHS management system, environmental management system, or food safety (HACCP) system works. More importantly though, as far as I’m concerned, is the fact that records enable you to:

  • Communicate information from one part of your business to another.
  • Support accountability and transparency.
  • Support decision making.
  • Preserve the memory of your organisation.
  • Show compliance with legal and regulatory obligations thus avoiding expensive fines, litigation and damage to your company’s reputation.
  • Establish normal operations soon after an emergency or disaster.
  • Reduce business risk.

Interpretation

Let’s Break it Down

Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.

Most organisations produce lots of records such as financial records but this clause tells us that only records associated with your quality management system need to be controlled In other words,  just the records generated by the policies, procedures and work instructions you have developed for your quality management system.

The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.

Records have a lifecycle. They are created, analysed, stored then destroyed. Records are identified by their title, and often at least a date and the name of the person who created the record. This information helps us to make sense of the information the record contains and to use it for analysis and problem solving.

Records may be left at a workstation shortly after generation before being transferred to a more permanent storage location. During storage they need to be protected or deliberate destruction. Once they are no longer useful they need to be destroyed and as they may contain confidential information about your organisation or about your customers (e.g. address, phone number, medical history, etc) they may need to be destroyed securely. This applies to hard copy records as well as electronic ones.

The information that records contain can only be used if the records can be easily retrieved from storage. The retention period is the time you decide to keep a record for before destroying it. This may be governed by legislation, industry codes, warranties, or the expected life span of a product.

How is this Demonstrated?

To demonstrate that your records are under control you need to:

  • Show that records are up-to-date.
  • Demonstrate that you can retrieve any record or show when it was destroyed.
  • Records are in good condition.
  • Records cannot be altered without authorisation.

Alterations to records should be prohibited as it brings into doubt the credibility of  the record. However, where alterations are necessary for economic or time reasons then the original record should be struckthrough so that it is still legible and the change endorsed by the person authorised to do so. Much in the way that one changes details on a cheque.

When it comes to storage you may decide to create a PDF of your records to reduce the mountains of paperwork. If you decide to keep the PDF records then you need to explain how they are archived so that you can easily retrieve the specific record you want. The same applies to electronic storage in that you need to have a file structure that enables easy retrieval.

The protection of records applies when they are in use and in storage. You need to consider how you protect records from fire (your fire alarm and sprinkler system perhaps), from theft (e.g. through the buildings security system). You need to explain how you protect electronic records from viruses (your virus software), unauthorised access (e.g. staff require logins and passwords), deletion, corruption and loss (your back-up system). If you have records that are absolutely critical, whose loss would be costly, then you may wish to state which records these are and take additional precautions to protect them.

It is important that records are not destroyed before their useful life is over and there are several factors to consider in this:

  • The duration of the contract with the customer.
  • The life of the product as you may be asked to produce records at the end of your products lifespan.
  • Legal requirements.
  • Codes of practice in an industry may state a retention period for certain types of records.
  • The period between management system audits as auditors may need to see evidence that corrective actions have been taken.

You can pick the longest of these and then apply a blanket rule that all records must be kept for this period of time. This means that you only need to state this once in the procedure but it may result in storage problems.

Records should not be destroyed without authorisation from the custodian of the record. You also need to state how you will destroy the records once they are past the retention period. For example, electronic records may simply be overwritten, paper records recycled or, if they contain confidential information you may need to engage the services of a secure disposal company. If you have a customer that specifies a retention period greater than your normal one you will need to make special provisions.

You must have a procedure that explains how you meet the requirements of this clause.

If you’d like some guidance or need a sounding board please email me at liz.cole@groweq.com.au. Alternatively, visit my website where you’ll find my Top 5 Essential Tips and free ISO 9001 procedures.