To view or not to view?

irish634

....that is the question. :)

This question is really for those of you familiar with the ISO 9001 Quality Systems.

I am creating an ISO compliant database to track items such as:

  1. Documentation Control (SOPs, Instructions, Forms, etc)
  2. Corrective Actions
  3. Non-Conformances
  4. Employee Training
Part of the system is record retention and revision history. Hence, the Audit Trail use.

My question is: Would you allow the users to view the audit trail, or would you keep it so the users do not know they are being tracked, but allowing admins to produce the audit trail?

I have arguments for both sides. The big thing is users editing records at will trying to be sneaky etc. It's really more of a data security issue, though some users will need to have "edit" privileges due to the nature of what I am setting up.

My thought is let everyone see the changes... then those making changes for less than honest reasons will know and curb the problem.

What do you guys think?
 
how does a dbs become iso9000 compliant?

don't you determine yourself what constitutes "quality control" within a quality control system

but anyway, if this is more a management control tool, then i think it should be treated as an extension of your personnel system - and you should let employees see things to the extent they would see their paper personnel records

note also your records should comply with the data protection act as well. i am sure
 
LOL of course the db doesn't become iso compliant. It's a tool to help the company become compliant. :)

I'll have to read up on the data protection act, but if I am tracking record changes, I have a hunch that complies.

I am leaning toward letting admins only view the changes, then they can decide who needs to see them from there.

It's been a lively debate here for a few days so I thought I'd solicit some other opinions.

Thanks Gemma, what you said, does make sense.
 
ISO 9001 2000 is all about managing processes. Now for each process in your organization, there should be one (or more) persons responsible for the management of that process. So I would say, why not allow each process manager to make the necessary changes in the relevant process and have others (who don't control that process) only view the records?

Hope that makes sense.
 
That does make sense. I have a friend in another company (who is an ISO coordinator) who basically said the same thing. The argument from others in my company for keeping the audit records hidden was basically for disciplinary measures. Though I really haven't been able to get across the point that I can assign read/add privileges and those users will not be able to edit anything once it's saved.

Monday, I'll most likely follow this and allow users to view the report.

Thank you.
Craig
 
Each user who has access to the application will have, or should have, their own profile within the application, such as access rights, etc. Why not add a further flag to indicate whether this user can edit their own audit, or edit someone else's audit? And also put an audit on the audit that is only accessible by the system administrator. That way you can see who has accessed the audit trail, who has amended it and which records were amended. This will give you full traceability on all changes made.

David
 
Each user that has access to the app does indeed have their own profile. My levels are:

  1. No DB access (for obsolete users - I want to retain any data from previous employees, etc.)
  2. Read Only Access
  3. Read/Add - Users can add records only and read them.
  4. Read/Add/Edit - A select few (process owners) that can add to or edit a record in order to disposition or close out an NCMR or CAR.
  5. Admin - Self explanatory.
Adding some extra flags sounds feasible in certain areas of the app, so I'll have to give it some thought as to how I want to implement it.

Thanks for the feedback.
Craig
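
An added example, not code from anyone in this thread: the five access levels, a per-user "may view the audit trail" flag, and an audit on the audit, sketched in Python with SQLite standing in for the actual database. All table, column and function names are hypothetical, the sample users are constructed, and it assumes the trail is append-only for everyone (nobody amends it, admins included).

```python
import sqlite3
# Levels follow the list in the thread; the numeric values are an assumption.
NO_ACCESS, READ_ONLY, READ_ADD, READ_ADD_EDIT, ADMIN = range(1, 6)

SCHEMA = """
CREATE TABLE users(name TEXT PRIMARY KEY, level INT, can_view_audit INT DEFAULT 0);
CREATE TABLE ncmr(id INTEGER PRIMARY KEY, status TEXT);
CREATE TABLE audit(id INTEGER PRIMARY KEY, who TEXT, record_id INT, old TEXT, new TEXT);
CREATE TABLE audit_access(id INTEGER PRIMARY KEY, who TEXT, allowed INT);
-- Assumption: the trail is append-only for everyone, admins included.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_db():
    """In-memory database seeded with constructed sample users and one NCMR."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    with db:
        db.executemany("INSERT INTO users VALUES(?,?,?)", [
            ("admin", ADMIN, 0), ("owner", READ_ADD_EDIT, 0),
            ("clerk", READ_ADD, 0), ("viewer", READ_ONLY, 1)])
        db.execute("INSERT INTO ncmr VALUES(1, 'open')")
    return db

def profile(db, user):
    row = db.execute("SELECT level, can_view_audit FROM users WHERE name=?", (user,)).fetchone()
    return row or (NO_ACCESS, 0)  # unknown users get no access

def edit_status(db, user, record_id, new):
    if profile(db, user)[0] < READ_ADD_EDIT:
        raise PermissionError(f"{user} may not edit saved records")
    old = db.execute("SELECT status FROM ncmr WHERE id=?", (record_id,)).fetchone()[0]
    with db:  # the change and its audit row commit together or not at all
        db.execute("UPDATE ncmr SET status=? WHERE id=?", (new, record_id))
        db.execute("INSERT INTO audit(who, record_id, old, new) VALUES(?,?,?,?)",
                   (user, record_id, old, new))

def view_audit(db, user):
    level, flag = profile(db, user)
    allowed = level == ADMIN or (level >= READ_ONLY and bool(flag))
    with db:  # audit on the audit: every read attempt is recorded first
        db.execute("INSERT INTO audit_access(who, allowed) VALUES(?,?)", (user, int(allowed)))
    if not allowed:
        raise PermissionError(f"{user} may not view the audit trail")
    return db.execute("SELECT who, record_id, old, new FROM audit ORDER BY id").fetchall()
```

Denied attempts to read the trail are logged as well as successful ones, so the access log shows who tried to look, not only who was allowed to.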
 
