In July 2016, the Medicines and Healthcare products Regulatory Agency (MHRA) released its draft guidance on data integrity. The guidance covers the importance of and tips for designing systems that encourage good data integrity practices. It defines popular data integrity terms and presents their applications in common data integrity topics.
The MHRA defines data as facts and statistics collected together for reference or analysis. Data should be attributable to the person generating the data, legible, permanent, contemporaneous, original, and accurate (ALCOA). Data can be found in different formats throughout its lifecycle. Original or raw data is stored in the file or format that was originally generated. Raw data must permit the full reconstruction of activities resulting in the generation of the data. A true copy of data is a copy of the original information that has been verified as an exact copy with all of the same attributes and information. If the record is electronic, a true copy can be retained in a different file format than the original record if it maintains the same static or dynamic nature of the original record.
All data must have associated data that provide context and meaning, or metadata. Metadata is typically captured by an audit trail. An audit trail must permit the reconstruction of activities and associate all changes to data including the individual who made the changes. There must be a time stamp and a reason for change. Only system administrator should have the ability to switch an audit trail off, and even then the audit trail should never be turned off. The system administrator role should be limited to as few people as possible. Each user should have access rights appropriate for their role and training. Every individual should have a unique login and password that should never be shared. In some cases there are limitations in computer systems where the system design does not support individual user access.
It is proposed that GxP facilities should upgrade to an audit trailed system if their paper based or hybrid systems cannot demonstrate equivalence to a fully automated audit trail. It is also suggested that GxP facilities upgrade to computer systems that allow for each user to have an individual login with audit trails. It is recommended that both of these changes be made by the end of 2017.
The MHRA defines data integrity as the extent to which all data are complete, consistent, and accurate throughout the data lifecycle. Each GxP facility must have a data governance plan to ensure that all data is recorded, processed, retained, and used to ensure a complete, consistent and accurate record throughout the data lifecycle. A data governance plan should address data ownership of the data throughout its lifecycle, especially when any third party is involved. Staff should be trained on the importance of data integrity principles and on how to create a work environment with a blame free culture. The work environment should facilitate visibility of errors, omissions, and any abnormal results.
As part of the data governance plan, the roles of senior management in maintaining data integrity must be defined. Senior management is responsible for implementing systems and procedures that minimize the risk to data integrity. Good techniques and principles for risk management can be found in ICH Q9 (Quality Risk Management). In addition to securing data, management should also ensure that data are readily available on request. Data accessibility is critical especially where regulatory bodies request access to data for auditing purposes.
Data migration and data transfer processes must be designed and validated to ensure data integrity. Data recording techniques should ensure the accuracy, completeness, content, and meaning are collected and kept for their proposed use. Any data that is excluded from results must still be retained in a format that can be reviewed easily and the reasoning behind excluding data from results must be documented.
As part of the data governance plan there must be defined procedures for data review and approval. Both data and associated metadata/audit trails must be reviewed. Review must be of the original data or a true copy of the data. All data review should be documented. Where electronic signatures are used there must be associated metadata. An inserted image of a signature or a footnote stating that a document has been reviewed is insufficient.
Archiving data means that it is protected for long term storage. Data that is archived should be protected so that it cannot be altered or deleted without detection. It should permit recovery and readability of the data and associated metadata through its retention period. The data retention period is defined as part of the risk assessment. Data backup is used for disaster recovery and means that the data is stored, but dynamic. These archive and back up processes should be validated and periodically tested. Computerized systems should also be validated for their intended purpose and should comply with the appropriate governing regulatory requirements and associated guidance.
Written based off the MHRA GxP Data Integrity Definitions and Guidance for Industry