Data breaches can be catastrophic. Senior QA Specialist Nicola Brady tells you how to avoid them and protect Data Integrity in your business.
Protecting and preserving Data Integrity is one of the biggest challenges faced by GxP regulated companies today, but did you know that the FDA (Food & Drug Administration) consider a drug product to be adulterated under US law if a Data Integrity breach is observed?
What exactly does this mean?
A data integrity breach is considered to be any unauthorised or accidental alteration of data. The Food Drug & Cosmetics Act section 501(a)(2)(B) states: “a drug shall be deemed adulterated if ‘methods used in, or the facilities or controls used for, its manufacture, processing, packing, or holding do not conform to or are not operated or administered in conformity with current good manufacturing practice to assure that such drug meets the requirement of the act as to safety and has the identity and strength, and meets the quality and purity characteristics, which it purports or is represented to possess.’”
Essentially, if your data is bad then you do not comply with current Good Manufacturing Practice and therefore your drug product is not suitable for the market, even if it does not pose any health or quality risk to patients. The cost of bad data is immense! A data integrity breach not only has a direct impact on the ability of the GxP regulated company to market the product that has been deemed adulterated; it may also result in drug seizures and recalls. The regulator's trust in the company will definitely be impaired and the reputation and brand of the company may be damaged. The cost of damage, the investigations and the remediations required will have a significant time, resource and financial impact on the company. Significant shareholder value can be stripped from a brand overnight as a result of these breaches.
Critically, how can we be sure that the ultimate patient safety is assured at all times?
So how do we ensure that the data breaches don’t happen?
Let’s recap on what a data integrity breach is: it is an “unauthorised” or “accidental” alteration of data.
So, there are two different angles of vulnerability.
The unauthorised alteration of data has two potential failure modes: bad practices and intentional falsification. Bad practices encompass activities where the individual is performing an activity but does not know or understand that it represents a data integrity issue, e.g. changing critical process parameters because their access allows it. Intentional falsification is where an individual performs a modification or alteration to data to intentionally hide something. This individual has acted in contravention of GMP through the intentional falsification of data.
The accidental alteration of data is often related to a process or system deficiency, for example when an individual forgets to save a test run and the data is lost, or data is truncated prior to rounding. Whatever the data integrity problems, they can be difficult to identify and just as difficult to address.
So how do I protect my data?
In order to protect your data from unauthorised or accidental alteration it is important to ensure that you have implemented controls at every stage of the data lifecycle. To implement these controls, you need to have a comprehensive understanding of how and where the data flows within your system and what the different data types are. The level of control should be commensurate with the criticality associated with the data. The types of data integrity controls include but are not limited to the following:
- Access control – restrict access to administer the system, assign role permissions based on least privilege
- System control – enhance system controls to eliminate potential for record deletion
- Back Up & Recovery – back up data periodically so that if there is a corruption of data the original record is available and retrievable
- Audit Trail – implement audit trails to track all activities and ensure that they are reviewed in a meaningful way
- Training – ensure that personnel interacting with the system are aware of and understand what is acceptable and what is not acceptable within the system.
It is important that all these controls are supplemented by a data governance program where management establish and communicate clear and consistent expectations and requirements to preserve data integrity, and where a positive quality culture is promoted to minimise the risk of unauthorised or accidental data alterations and data integrity issues within the organisation.
Remember, patient safety, product quality and data integrity are the three drivers for all our quality activities. Ask yourself, “would I take this product knowing what I know about its data?”