IRM is responsible for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.

IRM shall not disclose any information about a particular client or individual to a third party without the written consent of the client or individual concerned.

When IRM is required by law or authorized by contractual arrangements (such as with the accreditation body) to release confidential information, the client or individual concerned shall be notified of the information provided.

IRM shall keep confidential all information obtained or created during the performance of the audit except as required by law.

IRM shall have processes and facility to ensure the secure handling of confidential information.