The UK Medicines and Healthcare products Regulatory Agency (MHRA) has published for public consultation a draft guidance on GxP Data Integrity which includes definitions of key terms.
The draft Guidance applies to both paper and electronic data in all areas of GxP (good laboratory practice, good clinical practice, good manufacturing practice, good distribution practice and good pharmacovigilance practice). It is intended to assist organisations involved in all aspects of chemical and pharmaceutical development that are regulated by MHRA to comply with regulatory requirements relating to data quality and integrity. The Guidance should be read in conjunction with existing guidelines for each GxP.
The draft document provides guidance on the arrangements that organisations should put in place with respect to people, systems and facilities to ensure “Data Integrity”, i.e. that data is complete, consistent and accurate throughout the data lifecycle. The scope of the measures will depend on related risks to data integrity and the importance of the data for making decisions relating to quality, safety and efficacy. The draft Guidance provides that senior management of organisations are responsible for the implementation of appropriate corporate Data Governance systems and identifying the risks.
The draft Guidance provides factors to be taken into account in conducting risk assessment. These include:
- The type of data or data processing (e.g. the guidance recommends supervisory measures for manually recorded data such as second person verification or cross checks of data);
- The degree to which data can be deleted, amended, manipulated or repeated (e.g. to achieve desired outcomes);
- Complexity of the data system (e.g. a simple pH meter as opposed to statistical analysis tools or other complex software);
- Subjectivity of outcomes;
- Inconsistency of processes; and
- The extent of human intervention, in particular where this would influence how or what data is recorded.
All assessments of risk and appropriate measures within organisations should be documented, communicated to senior management and monitored.
Companies should provide for appropriate staff training on the principles of data integrity; adequate access by staff to proper facilities for recording or processing data; appropriate accessibility of data for data processing and checks; and restriction of unauthorised access.
A corporate Data Governance system should ensure that data is:
- attributable to the person generating the data;
- legible and permanent;
- original record (or true copy); and
Companies should describe appropriate procedures for data recording including the process for supervisory (scribe) recording to record activity performed by another, which should be limited to exceptional circumstances. The procedure should provide that in these circumstances, recording should be contemporaneous, and any supervisory records should preferably be countersigned by the task performer.
Corporate data systems should ensure that access to data is limited to specific individuals, rather than through a shared or generic user access. System administrator access should be assigned to a minimum number of people; in particular such access by individuals with a direct interest in the data should be restricted where possible. An audit trail system should be put in place that records any changes or deletions of electronic data throughout data capture, processing, reporting, storage and archiving. Previous versions and the original data should be retained, and the time/date and author of any changes should be recorded. If data is to be excluded, this should be scientifically justified and documented.
The draft Guidance distinguishes between “original records” and “true copies”. Companies may retain true copies in place of the original record, provided that each copy is verified by a dated signature or validated electronic signature, and the integrity of the record is preserved. Additionally, the draft Guidance provides that paper copies of electronic raw/source data are not considered to be “raw data” themselves.
Corporate arrangements for the retention of data should ensure that the data is protected from deliberate or inadvertent alteration or loss. Where data is stored through cloud providers or equivalent services, service contracts should define responsibilities for the security and storage of the data and ownership of the data. Data storage should comply with the laws applicable to the physical location where the data is held. The contract should also ensure that data owners and competent authorities have timely access to the stored data upon request.
The draft Guidance provides that companies should undertake routine reviews of individual data sets, as well as periodic audits to verify the effectiveness of control measures and the possibility of unauthorised activity. These data reviews should be documented, and a procedure should also be put in place that describes the corrective actions to be taken if any errors or omissions are identified during reviews.
The draft Guidance also includes definitions of key terms including “data transfer/migration”, “data processing”, “computer system transactions”, “electronic signatures” and “data retention”.
Interested parties have until 31 October 2016 to submit any comments on the draft Guidance.
For further information including how to submit comments on the draft Guidance visit https://www.gov.uk/government/news/mhra-gxp-data-integrity-definitions-and-guidance-for-industry.