The European Medicines Agency (EMA) has released new good manufacturing practice (GMP) guidance concerning measures intended to ensure data integrity throughout the “data lifecycle” from generation of data, processing, use in decision making, to disposal. The document provides a set of frequently asked questions and answers for companies that process data generated in the process of testing, manufacturing, packaging, distribution and monitoring of medicinal products.

The Q&A was developed by the GMP / Good Distribution Practice (GDP) Inspectors Working Group to facilitate implementation of national and EMA guidance related to the data integrity ALCOA principals:

  • Attributable to the person generating the data;
  • Legible and permanent;
  • Contemporaneous;
  • Original record (or true copy); and
  • Accurate.

The guidance provides that senior management of companies are responsible for assessing data integrity risks and the implementation of proportionate corporate data governance systems. Data integrity should be ensured from the manufacture of starting materials to the delivery of products to persons authorised to supply medicinal products to the public in the EU. This requires cooperation by staff at all levels, as well as with suppliers and distributors, and the importance of data integrity should be included in training programmes. Responsibility for data integrity at different stages along the supply chain should be defined in contracts between relevant actors. Ultimately, responsibility for ensuring compliance throughout the supply chain lies with the Qualified Person responsible for certifying batch release.

The scope of the measures taken should be commensurate with the risks to data integrity, the type of decision that the data is relevant for (e.g. whether decisions relate to product quality or safety) and the importance of the data in making such decisions. The guidance provides factors that senior management should take into account when assessing risks such as the complexity and consistency of data processes, subjectivity of outcomes, and vulnerability of data to involuntary or deliberate amendment or deletion.

The guidance provides examples of data risks to be assessed and recommendations at each stage of the data lifecycle:

  • Generation and recording of data e.g. the completeness of recorded meta data and ability to reconstruct processing activities; storage of data in temporary or permanent memory; vulnerability of original data to amendment or deletion.
  • Processing of data to useable information e.g. the use of approved, identifiable and version controlled methods of processing; documentation of data processing; extent of human influence on how data is reported or presented (e.g. whether employees can change the scale of graphical reports).
  • Checking completeness and accuracy e.g. availability of original data and a complete audit trail; access to all data generated and all processing activities including any failed or aborted activities and any data excluded from the final decision-making process.
  • Use of data for decision making e.g. whether any decisions are taken before a record is made and therefore excluded from the audit trail.
  • Retention of data e.g. security of storage; limiting access to authorised persons; back-up procedures and storage of original data or ‘true copies’; contracts that define ownership and retrieval arrangements particularly for outsourced data storage.
  • Disposal of data e.g. regulatory requirements for data retention period; compliance with an approved disposal procedure.

The advice applies to both paper-based and electronic systems, and the Q&A includes additional measures to take that are specific to each system. Companies’ paper documentation system should provide template forms, each with a unique reference number, and ensure that distribution of forms is controlled and traceable. Electronic data should be reviewed in light of the risks detailed above before making batch release decisions and other quality related decisions.

The guidance also includes responsibility of companies and measures to ensure data integrity for activities contracted out to another company. Companies outsourcing activities should formally assess the systems and procedures of contractors and suppliers for their competency and compliance in relation to data integrity principals prior to approval, and on a regular periodic basis thereafter. If an approved contractor is issued a statement of non-compliance regarding data integrity from an authority, the contract-provider should carry out a risk assessment to determine the appropriate action to take including whether to terminate existing arrangements with the contractor.

The Q&A guidance is available on the EMA’s website.