Part 1 of a 2 part series from an education session at the 2017 ISPE Annual Meeting & Expo. Check out part 2:
Christopher H. White, Associate Director, IT Quality, Alexion Pharmaceuticals, led “Data Integrity Concepts: A Broader Approach,” an education session in the information systems track at the 2017 ISPE Annual Meeting & Expo in San Diego, California, on Tuesday, 31 October.
He began by noting that citations for data integrity violations issued by the US Food and Drug Administration have been increasing. One citation went to a company that had distributed blank preapproved and signed forms—and was shredding others. Another was backdating entries, and allowed unrestricted access to QC records and hard drives. As a result, anyone could change or delete information.
“These are just two ‘highlights,’” he noted wryly, “that show the importance of enforcement to ensure data integrity.”
White was followed by Lisa Ackerson, Privacy Officer and VP of Marketing, and Rebecca Santorios, VP of Governance, Risk, and Compliance, both from ByteGrid, who presented “Data Integrity, the Cloud, and Compliance with cGMP.”
When moving to the cloud, they explained, three elements are critical: validation, risk management, and supplier management/quality. “During the initial system realization stage, when you’re analyzing your requirements, don’t let ease of use determine choice. Make sure it fits your security needs,” they said. “In addition, make sure you have appropriate encryption for each kind of access. Upfront analytical activities will save you headaches as you move forward.”
The effort should be based on a documented assessment. Look at each aspect of system management over the life cycle to know where to focus your efforts. Regardless of the risk level, trace regulatory requirements to the service agreement.
The pair presented three case studies that compared company experiences with community and private cloud providers. Attendees also shared their experiences. Ackerson and Santorios told the audience to “perform a public audit on the service you’re looking at and have the provider respond to the issues identified. This brings a lot of best practices.”
Santorios also noted that “We get audited a lot,” and most of the audits involve supplier questionnaires. “They’re all very similar,” she said. “We get hundreds a year.” Often, however, clients will ask about retention of their records, but don’t address record retention on the supplier’s part. “If you do use a supplier,” she concluded, “make sure you address not just your own data, but the data you need to get from the supplier.”