Policy · ISO/IEC 17021-1 §8.4

Confidentiality & Information Security

The information you share with CAS stays confidential. This policy explains what we protect, the limited circumstances in which we may disclose, and the controls that keep certification records and personal data secure.

1. Our commitment

CAS treats all information obtained or created during its certification activities as confidential, and protects it accordingly. We are responsible, through legally enforceable commitments, for the management of all information obtained or created during the performance of certification activities. This applies to our personnel, committees, contracted auditors, and any external bodies or individuals acting on our behalf.

2. What we keep confidential

  • Information about a client’s organisation, processes, products, premises and people obtained during application, audit, and the certification cycle.
  • Audit findings, reports, non-conformities and certification decisions.
  • Commercial, contractual and pricing information.
  • Personal data of client personnel and of individuals who contact us.

3. When we may disclose (§8.4.3)

We will not disclose your information to a third party without your written consent, except where:

  • The law requires it (for example a court order), or it is authorised by contractual arrangements; in that case, and unless prohibited by law, we inform you of the information provided.
  • Accreditation oversight requires it: our accreditation body (and, through it, the wider accreditation system) may access records as part of assessing CAS. Personnel of the accreditation body are themselves bound by confidentiality.
  • Verification is requested: the validity and scope of a certificate are, by design, not confidential and can be confirmed through our certificate verifier and public registers.

When information about a client is required to be made available to a third party (for example a complainant or a regulator), we tell the client in advance what information will be communicated, except where prohibited by law.

4. Information from other sources (§8.4.2)

When CAS obtains information about a client from a source other than the client itself (for example a complainant, or a regulator), we treat that information as confidential too, consistent with this policy.

5. Information security controls

CAS protects certification information and personal data with proportionate organisational and technical controls:

  • Access control. Records are held in access-controlled systems; staff see only what their role requires, and actions on certification records are logged in an audit trail.
  • Secure transfer & storage. Data is transferred and stored over encrypted channels; backups are taken and protected.
  • Retention & disposal. Certification records are retained for the period required by the standard and accreditation rules, then securely disposed of.
  • Confidentiality undertakings. Personnel, auditors and outsourced parties sign confidentiality and impartiality commitments before they handle client information.
  • Incident handling. Suspected information-security incidents are recorded, investigated and, where appropriate, notified.

6. Personal data

Where CAS processes personal data, it does so in line with its Privacy Policy, for the purposes of operating as a certification body and meeting accreditation obligations.

7. Raising a concern

If you believe your information has been handled in breach of this policy, please raise it through our complaints process. We investigate every report confidentially.

Compliance basis: ISO/IEC 17021-1:2015 §8.4 (Confidentiality) and §8.5 (Information exchange). For personnel certification, ISO/IEC 17024 §10.2 applies equivalent confidentiality requirements. Processing of personal data is governed by the CAS Privacy Policy.

This policy is reviewed at least annually and at each change of the applicable standards or accreditation requirements.

Issued by CAS Conformity Assessment Services (LLC), 75 Saad Zalam Street, Nile Corniche, Old Cairo, Cairo, Egypt. Questions: info@cas.com.eg · +20 108 088 8574.