adversely affect the quality of their work and integrity of their data. Management should also make staff aware of the relevance of data integrity and importance of their role in protecting the safety of the patient and the reputation of the organization for quality products and services.
Management should create a work environment in which staff are encouraged to communicate failures and mistakes, including data reliability issues, so that corrective and preventative actions can be taken and the quality of an organization’s products and services enhanced. This includes ensuring adequate information flow between staff at all levels. Senior management should actively discourage any management practices that might reasonably be expected to inhibit the active and complete reporting of such issues.
Management reviews and regular reporting of quality metrics facilitate these objectives. This requires designation of a quality manager who has direct access to the highest level of management in order to directly communicate risks so that senior management is aware and can allocate resources to address any issues. To fulfil this role the quality unit should conduct and report to management formal, documented risk reviews of the key performance indicators of the quality management system. These should include metrics related to data integrity to help identify opportunities for improvement. For example:
? tracking and trending the occurrence of invalid and aberrant data may reveal unforeseen variability in processes and procedures previously believed to be robust,
opportunities to enhance analytical procedures and their validation, validation of processes, training of personnel or sourcing of raw materials and components; ?
regular review of audit trails may reveal incorrect processing of data and help prevent incorrect results from being reported and identify the need for additional training of personnel; ?
routine inspections of computerized systems may reveal gaps in security controls that inadvertently allow personnel to access and potentially alter time/date stamps. These findings help raise awareness to management of need to allocate resources to improve computerized systems validation controls; ?
monitoring of contract acceptors and tracking and trending of
associated quality metrics for these sites help to better identify risks that may indicate the need for more active engagement and allocation of additional resources by the contract giver to ensure quality standards are met.
Quality audits of suppliers, self-inspections and risk reviews should identify and inform management of opportunities to improve foundational systems and processes that impact data reliability. Management allocation of resources to these improvements may most efficiently reduce data integrity risks. For example, identifying and
addressing technical difficulties of equipment used to perform multiple GxP operations may greatly improve the reliability of data for all of these operations; identifying security conflicts and allocating independent information technology (IT) personnel to perform system administration for computerized systems, including managing security,
backup and archival, reduces potential conflicts of interest and may greatly streamline and improve data management efficiencies.
All GxP records held by the GxP organization are subject to inspection by health authorities. This includes original electronic data and metadata, such as audit trails maintained in computerized systems. Management – at both contract givers and contract acceptors – should ensure adequate resources and available procedures, computerized systems and system administrator personnel to readily retrieve these records and facilitate such inspections.
7. CONTRACTED ORGANIZATIONS, SUPPLIERS, AND SERVICE PROVIDERS
The increasing outsourcing of GxP work to contracted organizations, e.g. contract research organizations, suppliers and other service providers, emphasizes the need to establish and robustly maintain defined roles and responsibilities to assure complete and accurate data and records throughout these relationships. The responsibilities of the contract giver and acceptor defined in a contract as described in WHO guidelines should comprehensively address the data integrity processes of both parties covering the outsourced work or services provided.
The organization outsourcing work has responsibility for the integrity of all results reported, including those furnished by any subcontracting organization or service provider. These responsibilities extend to any providers of relevant computing services, such as contracted IT data centres, contracted IT system and database support personnel and cloud computing solution providers.
To fulfil this responsibility, in addition to having their own governance systems, outsourcing organizations should verify the adequacy of comparable systems at the contract acceptor and any significant authorized third parties used by the contract acceptor.
The personnel who evaluate and periodically assess the competence of a contracted organization or service provider should have the appropriate background,
qualifications, experience and training to assess data integrity governance systems and to detect validity issues. The evaluation and frequency and approach to monitoring or periodically assessing the contract acceptor should be based upon documented risk assessment that includes an assessment of data processes.
The expected data integrity control strategies should be included in quality agreements and written contract and technical arrangements, as appropriate and applicable, between the contract giver and the contract acceptor. These should include provisions for the contract giver to have access to all of the data held by the contracted
organization relevant to the contract giver’s product or service as well as all relevant quality systems records. This should include ensuring access by the contract giver to electronic records, including audit trails, held in the contracted organization’s computerized systems as well as any printed reports and other relevant paper or electronic records.
Where data and document retention is contracted to a third party, particular attention should be paid to understanding the ownership and retrieval of data held under this arrangement. The physical location, in which the data is held, including impact of any
laws applicable to that geographic location, should also be considered. Agreements and contracts should establish mutually-agreed upon consequences if the contract acceptor denies, refuses or limits the contract giver’s access to their records held by the contract acceptor.
When outsourcing databases the contract giver should ensure that if subcontractors are used, in particular cloud-based service providers, that they are included in the quality agreement and are appropriately qualified and trained in good record and data management. Their activities should be monitored on a regular basis determined through risk assessment.
8. TRAINING IN GOOD DATA AND RECORD MANAGEMENT
Personnel should be trained in data integrity policies and agree to abide by them. Management should ensure personnel are trained to understand and distinguish between proper and improper conduct, including deliberate falsification and potential consequences.
In addition, key personnel, including managers, supervisors and quality unit personnel, should be trained in measures to prevent and detect data issues. This may require specific training in evaluating the configuration settings and reviewing electronic data and metadata, such as audit trails, for individual computerized systems used in the generation, processing and reporting of data. For example, the quality unit should learn how to evaluate