On March 9, 2018 the UK Medicines and Healthcare products Regulatory Agency (MHRA) released a new guidance¹ on data integrity (DI), which lays out expectations to be considered by any organization involved in the pharmaceutical lifecycle regulated by the Agency. The guidance entitled, “’GXP’ Data Integrity Guidance and Definitions,” goes beyond the earlier MHRA 2015 guidance entitled “Good Manufacturing Practice: Data Integrity Definitions and Guidance.”² This article highlights important elements of MHRA’s new DI guidance and the differences between the new guidance and the 2015 guidance. Comparisons to FDA’s draft guidance on Data Integrity are also highlighted.

Those responsible for DI policy and procedures will want to carefully scrutinize this new guidance. It solidifies concepts MHRA has been working out for over three years as the Agency takes note of the ever-increasing use of electronic data capture, automation of systems, and use of electronic remote technologies. The guidance also addresses increased complexity of supply chains and ways of working, such as the growing use of third party service providers.

In its newly issued guidance, MHRA expands on its GMP predecessor “in that everything contained within the guide is GXP unless stated otherwise.” And, even though the previous guidance focused on GMP, those in charge of DI should now consider this broadened focus, along with applicable regulations and companion documents from PIC/S, WHO, and EMA as well as ICH Q9.  Comparisons to FDA’s draft guidance on Data Integrity released in April 2016³  should also be made.

“‘GXP’ Data Integrity Guidance and Definitions” delivers its concepts primarily through a set of definitions of terms and interpretation of requirements, providing a means of understanding MHRA’s position on data integrity and minimum expectations to achieve compliance. Comparing these newly released definitions and accompanying explanations and examples to those in your own organization’s policy and procedures on DI will be instructive.  For U.S. based companies it is worth understanding that MHRA has been out in front of other global regulatory bodies on the subject of DI. MHRA will undoubtedly have an influence on FDA and other leading agencies attempting to focus industry on this critical topic.

Principles of Data Integrity
The “‘GXP’ Data Integrity Guidance and Definitions” includes a section not contained in its 2015 predecessor called “The Principles of Data Integrity.”  The ten points in this section provide a condensed read on the fundamental elements of DI the Agency expects all organizations under its purview to understand and put into place. For example, in this part the guidance states:

“Organizations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks are documented.”

And:

“The effort and resource applied to assure the integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment. Collectively these arrangements fulfil the concept of data governance.”

MHRA and other regulatory agencies have advocated a risk-based approach to DI for some time now, so such an expectation should not come as a surprise. Similarly, in its draft DI guidance, FDA states:

“Firms should implement meaningful and effective strategies to manage their data integrity risks based upon their process understanding and knowledge management of technologies and business models.”

Yet, many firms still neglect to utilize the benefits of a risk-based approach that can be realized by prioritizing and justifying which data should be under DI procedural control.  Such neglect leaves on the table the opportunity to more effectively utilize budgets and resources earmarked for DI compliance. As recommended by the Agency, a data integrity risk assessment is a good starting place for organizations now focusing on DI.

“Data governance” is the umbrella term organizations should be using to define the broad scope of activities involved in efforts to put in place a comprehensive DI program in their organization. MHRA’s definition in the old guidance is similar to the new guidance defining “data governance” as:

“The arrangements to ensure that data, irrespective of the format in which they are generated, are recorded, processes, retained and used to ensure the record throughout the data lifecycle.”

In line with expanding the scope to GXP, the new guidance’s accompanying explanation adds discussion about the responsibility of contract givers to pay close attention to include the requirements for DI ownership, governance, and accessibility. These requirements should be included in third party agreements, such as with labs and clinical trial entities. Again, this emphasizes MHRA’s expectation that third party vendor systems will be considered in your organization’s DI governance program.

Also, in the accompanying explanation of the term “data governance,” MHRA makes clear its expectation that DI governance programs ensure that data is readily available for inspection on request. This includes data necessary to be able to reconstruct activities germane to DI investigations. Often this will include metadata as part of an original record, such as in the following example given in the new guidance (demonstrating the expanded scope to GXP overall):

“Trial subject A123, sample ref X789 taken 30/06/14 at 1456hrs. 3.5mg. Analyst: J Smith 01/Jul/14.”

In this example, the italicized text is the included metadata, giving context and meaning to 3.5mg. In fact, the FDA also focuses on metadata in its draft guidance on DI, emphasizing that a “data value is by itself meaningless without additional information about the data.” It also highlights the expectation that “data should be maintained throughout the record’s retention period with all associated metadata required to reconstruct the cGMP activity.”

A good data governance program will lay out the requirements that metadata must be captured in original records and held throughout the retention period, available for inspection at any time across the data lifecycle. Interestingly, MHRA’s guidance discusses the important concepts of data governance and data lifecycle reflecting a holistic view of data integrity in an organization, while the FDA guidance wholly ignores this concept.

IT Suppliers and Service Providers
An additional definition in the new guidance is “IT Suppliers and Service Providers” covering cloud providers and virtual service/platforms—also referred to as software as a service (SaaS)/platform as service (Paas)/infrastructure as a service (Iaas))—and focus on responsibilities when using such service providers. Including this new definition and accompanying explanation demonstrates an increasing push by MHRA, and other agencies likely to follow suit, to get industry to understand DI risks. This includes taking ownership of the services provided by third party vendors, particularly as related to retrieval, retention and security of data. Having confidence in the quality and integrity of data generated to ensure patient safety and quality of products and being able to reconstruct DI related activities is not absolved when data passes into or out of third party vendor systems.

In an earlier draft of this latest MHRA DI guidance, there was some controversy over the definition of “computerized system user access/system administrator roles” by those commenting. The Agency wanted a definition requiring that “GMP facilities should upgrade to systems with individual login and audit trail(s) by the end of 2017.” After much feedback during the input period, this earlier definition was scaled back to: “should be implementing systems that comply with current regulatory expectations.” Look for this to come up in inspections.

Fundamentally, MHRA and FDA have chosen to devote substantial portions of their guidances to defining terms of DI, in an apparent bid to get the industry on the same page with respect to DI terminology and together all involved speaking the same language. FDA’s draft DI guidance answers 18 questions on the topic, with the first question clarifying six basic terms: data integrity, metadata, audit trails, static/dynamic (as they relate to data formats), backup, and systems (as related to computerized systems), and follows with additional defining language in the Q&A about issues related to electronic signature and “testing into compliance.”

MHRA’s list of definitions is much more extensive than its previous 2015 guidance adding all of the following terms: recording and collecting data, data transfer/migration, data processing, excluding data, electronic signature, and approval (appended to Data Review in the earlier guidance). MHRA also brings up “testing into compliance” when discussing establishing data criticality and inherent integrity risk by pointing out, “…it may be possible to manipulate data or repeat testing to achieve the desired outcome with limited opportunity for detection.”  Still, the whole discussion here on definitions only serves to illustrate how it is necessary to dig into the definitions provided in each guidance to really understand the depth of MHRA and FDA’s thoughts and expectations on the topic of DI. And while, for some, it may seem like navigating a foreign language for the first time, such an effort will reap significant rewards when carefully planning a data governance program in your organization.

The new MHRA guidance received over 1300 comments from companies, trade and professional groups across a wide range of GXP practices during the consultation period, demonstrating tremendous stakeholder interest. While not as prescriptive as the draft “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” released by PIC/S in August 2016,⁴ a careful review of the new MHRA guidance will be an important reference in putting in place a comprehensive data governance program in your organization. For additional information on ways an organization can form a culture and cost-effective means to meet the various challenges in sustaining data integrity, see the article, “Data Integrity: A Practical and Risk-Based Approach” featured in the September 2016 issue of Contract Pharma.⁵ 

References
1. https://www.gov.uk/government/publications/guidance-on-gxp-data-integrity
2. https://www.gov.uk/government/publications/good-manufacturing-practice-data-integrity-definitions
3. https://www.fda.gov/downloads/drugs/guidances/ucm495891.pdf
4. https://www.picscheme.org/layout/document.php?id=714
5. https://www.contractpharma.com/issues/2017-09-01/view_features/data-integrity-a-practical-and-risk-based-approach/

---

Robert Marohn
ClinLogic, LLC

Robert Marohn consults with organizations on all aspects of developing and implementing comprehensive quality information technology policy/procedures, frameworks, computer system validation, and data integrity plans and programs. He has worked in the life science industry for over twenty years. He served as the Chief Information Officer of Worldwide Clinical Trials for eight years. He holds a Master of Science in the Management of Technology from Georgia Institute of Technology. He can be reached at rmarohn@clinlogic.com.