Data Integrity (DI) has become a common issue and a key area of focus for regulators in our industry. Trust is the cornerstone of relations between industry, regulatory bodies, the health sector, and patients (consumers). Data is evidence of the activity that has been performed. Regulatory bodies rely entirely on the accuracy and completeness of the evidence and records presented to them, and when the integrity of the data is compromised, trust is lost. To maintain trust, the industry has steadily improved its practices by applying technology and engineering controls that can assure data integrity to a great degree. Regulatory agencies have also come up with guidelines on data integrity and data management. The TGA, for instance, released PI-041-01, “Guidance on data integrity and good practice for data management and integrity in regulated GMP/GDP environment”, on the 1st of July 2021 as the latest in a series of guidance documents.
It is easy, and common, to confuse data integrity issues with human error and vice versa. Even with new guidelines in place, the judgement can be subjective, depending on the auditor’s experience in this area and other contributing factors such as the auditor's impression of the site being audited. It is very unusual for auditors to link a finding to Data Integrity unless they have solid reasons to do so. Generally, it is several factors and incidents together that lead an auditor to this conclusion.
Data Integrity is defined as "the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these data characteristics are maintained throughout the data life cycle". It is essential to break down the concept of Data Integrity into three main components to understand it further.
The first criterion is intentionally compromising data. Intentional DI is where the data is deliberately manipulated to generate desired results. Deleting or ignoring unfavourable data falls into this category. Other examples of intentional DI are falsifying product labels, tampering with clinical trial data and making misleading label claims.
The second criterion is unintentionally compromising data integrity. This is a situation where the operator is following an approved procedure, unaware that the actions may be causing data integrity issues. A typical example is overwriting the previous data due to system limitations that the operator is unaware of or periodically backing up data. The most common causes of unintentional data integrity incidents are a lack of technical assessment before the system is used and incompetent or untrained staff.
The final criterion is potential data integrity issues. In this situation, the data is not compromised intentionally but has the potential to be compromised. The most common examples are raw electronic data on an unsecured drive and inappropriate user privileges.
Having discussed the three forms of Data Integrity scenarios, it is essential to dive into the controls that can prevent these from happening. In the case of intentional data tampering, the company culture is a primary or even sole contributor; nothing significant can be achieved without the commitment of management to change its practices. All guidelines point to a management committee as the first step to achieve data compliance; however, the underlying message is that top management is responsible for ensuring the integrity of the data and should put adequate measures in place to ensure the same (Section 6: organisational influences on successful data integrity management, PI-041-01). This message resonates throughout the guidelines and includes appointing data managers/data custodians with direct access to top management (a role similar to a management representative), discussing DI as part of management review meetings, utilising escalation mechanisms to raise DI issues and taking DI-related incidents more seriously. Regulatory agencies have imposed steep penalties on companies for violating DI principles, setting an example to drive home the message. The most noticeable was a 500 million USD penalty imposed by the USFDA on Ranbaxy for falsifying data. A DI GEMBA Walk* by the leadership team is an effective way to show management commitment to this topic and improve site culture around data integrity practices.
* A GEMBA Walk is a way to gather information through observation and interaction with workers and get their input. It is NOT a way to find fault and call out employees on it, to try to implement a change on the spot quickly, or to disregard employee input.
The area of unintentional and potential data integrity is where companies should significantly invest their resources. Though it looks overwhelming, improving data compliance or integrity is a matter of systematic and structured assessment of system capability and controls. A comprehensive Electronic Record/Electronic Signature (ER/ES) assessment performed by a competent cross-functional team goes a long way in identifying system capabilities. It is vital that the group performing the evaluation has the right skill set; at a minimum it should involve the System Administrator, a QA or DI expert, a User and the IT department (if the lab instrument or production equipment is networked). Appropriate actions should be initiated as necessary via the established CAPA system. Any residual risk should be evaluated to assess the risk it poses to data integrity and should be adequately documented. Periodic DI-specific training and workshops for all staff handling GMP data are an excellent way to keep the topic current and avoid unintentional and potential data integrity issues.
In real-world situations, a considerable number of instruments could be ageing and lack data integrity capabilities. In this situation, a common approach is to put in place a hybrid control mechanism, i.e. a combination of procedural controls and the technical controls that are available. Logbooks, restricted system access, and well-defined and documented segregation of duties, along with clear and accurate procedural guidance for data review/audit trail review, are examples of controls that can be applied to a hybrid system to ensure data integrity. Additionally, “off-the-shelf” security products, e.g. Deskman and FileAudit, may be considered.
It is always advantageous to consider the DI requirements when compiling the User Requirements Specification (URS) and to verify the DI features as part of the validation activity. To phase out ageing and non-compliant instruments/equipment, management should also consider recapitalisation processes, replacing them with modern and compliant systems. It is important to note here that, with many modern instruments using cloud-based storage and third-party services for data storage, cyber security measures need to be evaluated as part of DI control.
To summarise, Data Integrity is a complex and evolving topic. Still, with the proper skillset and effort, organisations can mitigate the issue, avoid regulatory penalties and, more importantly, ensure patient safety.
- PI-041-01: Guidance on data integrity and good practice for data management and integrity in regulated GMP/GDP environment dated the 1st of July 2021.
- MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018
- Data Integrity and Compliance With Drug CGMP dated December 2018