Criterion: Intellectual Property

Version 3.0.0 | Status: Active
Supersedes: 2.0.0
UN conformity topic code:

Requirements for protecting intellectual property rights and confidential information

Full Description

D3. Intellectual Property

Code 8.0

Intellectual property rights shall be respected. Transfer of technology and know-how is to be done in a manner that protects intellectual property rights, and customer and supplier information shall be safeguarded.

Elements to Demonstrate Compliance to RBA Code

1. Policy

Ensure the facility's ethics and/or intellectual property protection policy includes the following elements:

  • a. Information received from suppliers and customers as part of the contracting process is protected.
  • b. IP and IP ownership are protected.
  • c. IT measures and guidelines on the handling and distribution/dissemination of information, to protect IP and information received from suppliers and customers.

2. Procedures & Practices

Procedures & Practices are in place such that:

  • a. The company/facility ensures non-disclosure and protection of information about its customers, channel partners, suppliers, workers, and other business partners in accordance with applicable laws and regulations.
  • b. The company/facility has a means to protect its suppliers' and customers' confidential information and ensure it is not disclosed to third parties.
  • c. Adequate and effective process and administrative control of records and IT systems is in place.
  • d. Commercial nondisclosure agreements are a part of all customer and supplier contracts to protect the intellectual property rights of all parties.
  • e. Investigations of unauthorized disclosures and/or loss of IP information are undertaken.
  • f. Customers/suppliers are notified if violations should occur.
  • g. Personal information protection agreements (NDA, confidentiality…) are in place for staff, workers, suppliers, and customers.

3. Controls & Monitoring

Controls & Monitoring should include:

  • a. There are procedures in place to review intellectual property ownership and to ensure intellectual property rights are upheld and respected (their own and that of their customers).

4. Serious conditions that will result in a severe finding

  • IP from any source (own company, customer, other) which the facility is in possession of is not protected.

Profiles using this criterion

RBA Assessment Program

Conformity Alignment

Priority

Pass: No
Definition: "Critical non-conformance requiring immediate action"
Remediation: 30 days

Major

Pass: No
Definition: "Significant non-conformance requiring corrective action"
Remediation: 90 days

Minor

Pass: Yes
Definition: "Non-conformance with limited impact"
Conditions: Corrective action plan required
Remediation: 180 days

Opportunity

Pass: Yes
Definition: "Opportunity for improvement identified"

Conformance

Pass: Yes
Definition: "Full conformance with criterion requirements"

Related Criterion

VAP: Privacy

Relationship: Related
Protection of confidential information

VAP: Business Integrity and No Improper Advantage

Relationship: Related
Ethical handling of sensitive business information

VAP: Ethics Management System

Relationship: Parent
Management system for ethics practices

VAP: Supplier Responsibility

Relationship: Related
Supplier IP protection requirements

Change Log

3.0.0 (2024-01-01)

Changed

  • New mandatory NDA-in-all-contracts, investigation, and notification procedures added: The 8.0.0 audit criteria were restructured into the Policy / Procedures & Practices / Controls & Monitoring template and gained previously-unspecified mandatory conditions absent from the stripped-down 8.0.0 AC set (IT access controls + NDAs only): commercial non-disclosure agreements must be a part of ALL customer and supplier contracts (standalone NDAs no longer sufficient); unauthorized disclosures and/or loss of IP information must be investigated; and customers/suppliers must be notified if violations occur. An 8.0.0 facility with standalone NDAs and no formal disclosure-investigation/notification procedure passed 8.0.0 but fails these new conditions, hence major. The severe-finding trigger ('IP from any source is not protected') is equivalent to 8.0.0's Priority 'IP is not protected' and is unchanged.

2.0.0 (2022-06-01)

Changed

  • New 'IP is not protected' Priority trigger; NDA scope expanded to suppliers and customers: The provision was renumbered D4 -> D3 (cosmetic). Two changes can flip a 7.0.0 pass to a fail. A new Priority/severe-finding trigger 'IP is not protected' was added (7.0.0 had no IP-related fail outcome). The mandatory protection-agreement (NDA/confidentiality) scope was expanded from 'workers and management' to Employees, Workers, Suppliers, and Customers; a facility with NDAs only for workers/management passed 7.0.0 but fails the new supplier/customer requirement. Offsetting loosenings exist (the trigger dropped 'identified risk or'; Major/Minor rating bands genericised to 'See finding severity definition'), but the net direction is breaking.

1.0.0 (2021-01-01)

Changed

  • Initial historical baseline — Intellectual Property (RBA Code of Conduct 7.0, criterion D4): Earliest imported version, published as criterion D4 in VAP 7.0.0. Required an adequate and effective policy/program to protect information received from suppliers and customers and to protect IP ownership; IT guidelines on information distribution/dissemination; non-disclosure agreements for workers and management; and procedures to identify and protect IP, notify customers/suppliers of violations, and investigate unauthorized disclosures. No IP-related Priority/severe finding existed; the rating was Major ('No detailed and understandable policy and procedures implemented') / Minor ('Partial policy or procedures or implementation').