Version 1.6.1
David Trew Consulting Ltd
Data Integrity in Regulated and Accredited Environments
Part 2: Strategies for Ensuring Comprehensive Data Integrity
Dr David Trew BSc(Hons), PhD, CChem MRSC
With the current scrutiny, regulated and accredited organisations need to adopt a proactive strategy to provide a high level of assurance that all records and data are both reliable and trustworthy. Organisations not only need reliable and trustworthy data and records, but also need to ensure the integrity of their records and data can withstand scrutiny by sceptical regulators and other stakeholders.
This paper will apply the fundamentals and principles of data integrity, discussed in the previous paper in this series, and recommend approaches to developing and establishing a comprehensive data integrity management system that is designed to ensure the trustworthiness and reliability of all records and data produced by the organisation. A data integrity strategy is essentially a collection of policies and procedures which are used by your staff in their daily work. These policies are designed to provide a high degree of assurance that all of the records and data created by the organisation during the conduct of its operations accurately reflect the events that occur during your organisation’s operations. In addition, the data integrity policies and procedures need to provide a high degree of assurance that those records also remain complete and reflect their original content, and have not been altered without retaining their original content. In light of the wide area that data integrity covers it is recommended a multi-
It is recommended that a Data Integrity Management Master Plan (DIMMP) be created to serve as a roadmap to control and direct data integrity activities, and which:
Discusses the organisation’s philosophy and strategy to data integrity management
Establishes a management organisation to oversee data integrity management processes
Defines roles and responsibilities for members of the management organisation
Establishes an appropriate data integrity culture within the organisation
Defines and discusses the risk assessment and management strategy
Identifies the policies and procedures that need to be established
Identifies staff training requirements
Determines how compliance with data integrity policies and procedures will be monitored
Establishes mechanisms for protecting data and records from being lost or damaged in the event of a disaster and ensuring records will be available throughout their lifetime
Establishes mechanisms for identifying and investigating incidents that may adversely affect the reliability of records and data
Establishes mechanisms for correcting and preventing non-
The DIMMP is a key quality document that helps a variety of stakeholders who have particular interests in the data integrity management process. In particular, the DIMMP helps senior management estimate how the data integrity program impacts time, people, and money. All members of the data integrity team know their tasks and responsibilities, and it helps plan all necessary activities into the schedule, with no 11th hour surprises! In particular, the IT department understands how to support data integrity activities. Finally, clients and auditors understand the firm's approach to assuring the reliability and trustworthiness of its records and data.
Policies that need to be established include:
i. Good documentation practices
ii. Prohibiting sharing of computer accounts
iii. Prohibiting use of computer accounts by anyone other than their authorised user. This should include such practices as sharing passwords with other people. As using someone else’s computer account can amount to criminal fraud, the policies should include sanctions such as dismissal from employment and reporting to law enforcement
iv. Prohibiting using someone else’s electronic signature. As with using someone else’s computer account, signing a document using someone else’s electronic signature can amount to criminal fraud, so the policies should include sanctions such as dismissal from employment and reporting to law enforcement
v. Defining the legal status of electronic signatures as legally equivalent to a traditional handwritten signature
vi. Password management policies such as
Minimum length
Complexity
Expiry
Re-
vii. Account management policies such as
Username format
Account privileges
Disabling when no longer required
viii. Audit trails
Disabling prohibited
What will be captured
Review
ix. Data review
x. Monitoring Compliance
xi. Identifying, investigating, tracking, correcting and preventing non-
xii. Backup and archive
In addition to the policies, standard operating procedures (SOPs) need to be established to cover
i. Account management. This should cover the opening, suspension and disabling of accounts
ii. Data review. This should explain who is responsible for carrying out data reviews, and in particular should explain what needs to be reviewed to achieve the necessary confidence in the reliability of the data being reviewed. Some audit trails create many entries, so it is important for the reviewer to understand the significance and meaning of these entries, and whether it is necessary to review each entry.
iii. Data backup. This should cover responsibilities, the backup and restore process and the process for confirming the integrity of backed up data. In addition, it should establish a schedule for both the backing up of data and for confirming the ability to restore data
iv. Monitoring compliance with data integrity policies, such as audits. This should define responsibilities, establish procedures for identifying, investigation and appropriate metrics for tracking non-
Many of the practices that undermine the reliability and trustworthiness of data and records appear to be motivated by unwillingness to accept results which did not support some particular preconceived requirement, such as batches of drug product meeting specifications, with the consequences of having to reject out of specification products and the resulting loss of revenue. When an organisation develops a reluctance to accept results which do not conform to some preconceived expectation it undermines the entire purpose of quality control testing.
If the management of an organisation assumes that an out of specification result is due to a laboratory assignable cause, such as analyst error, instrument malfunction or an issue with the validity of the test method, in the absence of evidence to the contrary, this undermines confidence in the entire laboratory testing process, and would lead to questions about the validity of all the results created by the laboratory, including those that do conform to predetermined specifications or expectations. It is fundamental that all scientific work is approached with an open mind and without preconceptions as to what the final results will be.
It is therefore imperative that an appropriate quality and data integrity culture is established within the organisation. This culture should reflect management’s philosophy on quality and can be achieved by establishing policies that are aligned to the quality and data integrity culture and develop an environment of trust, where all individuals are responsible and accountable for ensuring patient safety and product quality. The organisation should also establish general ethics and integrity standards which should clearly define the expectation of ethical behaviour, such as honesty. These expectations should be communicated frequently and consistently.
Personnel must be fully aware of the importance of their role in ensuring data integrity and the implication of their activities to assuring product quality and protecting patient safety. This should be communicated to and be well understood by all personnel, which should also include why the standards were established, and the consequences of failing to fulfil the requirements.
Unacceptable behaviours, such as the deliberate falsification of data, unauthorised changes, destruction of data, or other conduct that compromises data integrity, should be addressed promptly. Disciplinary action may be taken, when warranted. It is particularly important that all members of staff understand that data integrity issues, and especially the falsification of data, can have extremely serious, even fatal, consequences for patients. In addition, data reliability issues can have very serious consequences for the business and could even affect its commercial viability. It is also important to emphasise that data fabrication and falsification can result in criminal exposure for the individual members of staff. This can include prison time and the inability to secure future employment. Conversely, acceptable behaviour should be appropriately recognised.
Management should not put undue pressures on members of staff that may result in non-
A confidential mechanism, supported by company policy and procedures, should be established that encourages personnel to bring instances of possible breaches of the ethics and integrity standards to the attention of management, without consequence.
This culture, and these ethics and integrity standards, need to be initiated by the most senior management within the organisation and should be communicated to all levels. This culture can be facilitated by policies of transparency, openness and approachability.
It is recommended that the installation of the data integrity and quality culture starts during the induction process of new members of staff, and that frequent refresher training is carried out thereafter. This could include discussing incidents where data integrity has been questioned, together with the consequences for patients or customers, business and individuals.