Data governance requires a multi-layered approach that runs throughout a regulated organization from top to bottom. Although data governance features in the majority of GxP data integrity guidance documents, the approach to the topic should be business-driven rather than regulatory-driven.
Data governance to ensure GXP data integrity requires a multilayered approach that runs throughout a regulated organization. Although data governance features in the majority of GXP data integrity guidance documents, any approach should be business-driven rather than regulatory-driven. In the first part we discuss the subject at a corporate level.
Data governance is a topic in the data integrity guidance documents from the Medicines and Healthcare products Regulatory Agency (MHRA), European Medicines Agency (EMA), Pharmaceutical Inspection Co-operation Scheme (PIC/S), and World Health Organization (WHO) (1–4). In fact, the only data integrity guidance documents not to explicitly mention data governance are from the United States Food and Drug Administration (FDA) (5) and the Chinese FDA (6). In an earlier “Focus on Quality” column on the subject of data integrity training (7), I mentioned the subject of data governance and provided some discussion on the subject before going into detail on training for data integrity. The data integrity model that I discussed earlier this year (8) has, in the foundation layer, the core of data governance, but I did not discuss the subject further. In this column, I would like to delve into the topic of data governance in more detail. I will start in the pharmaceutical domain and then look at what has been published on data governance in the general literature. The reason for taking this approach is that the regulators have provided so little information on the subject. Part I of this column series starts with the corporate level, and part II will look to see how data governance impacts the regulated analytical laboratory.
Although there is the regulatory drive for data governance in the recent publications cited above, the regulatory boot provides the impetus for implementation. Pause and take some time to consider the following two questions: Should data governance be a business imperative? Should business needs pull data governance and hence data integrity rather than regulations push? A pharmaceutical company, and a regulated laboratory in particular, require the acquisition and processing of reliable data to generate reliable information and knowledge to make decisions in a timely manner (9,10). This process, of course, involves documented evidence of regulated activities using a variety of media. When using laboratory computerized systems, remember that the cost of compliance is always cheaper than the cost of noncompliance (11). Doing it right first time may take a little more time to think things through before implementing and validating adequate record controls, but this approach is preferable and cheaper than the cost of corrective actions. Companies either find the money the second time around when there is a regulatory boot driving their corrective actions or they cease to exist.
Viewed from the insular world of the pharmaceutical industry, data governance may appear to be a new subject. In the world outside, we find that data governance is not new. The subject has been around for more than 10 years but not in a good (anything . . . ) practice (GXP) context. The problem comes when you compare data governance definitions as shown in Table I. In the left-hand column are the data governance definitions from WHO and MHRA, which are very similar and have essentially the same meaning. The problem is how to interpret the “sum total of arrangements” or “totality of arrangements” directly from the definitions? However, when you read the four guidance documents in detail (1–4), you will discover that what the regulators want is the engagement of the whole regulated organization from senior management down to the laboratory bench. Data governance in the pharmaceutical context is all encompassing.
Looking outside of the regulated GXP world, the term data governance is given a different and more focussed approach as shown in the right-hand column of Table I. Here, the emphasis is on data-perhaps this emphasis is not surprising because the subject is data governance. Thomas identifies the need to define who can generate, manipulate, and take actions based on the derived information (12), and the more recent definition by Seiner (13) is a simpler definition for using authority levels to the same end.
These two definitions focus on the data--and less on the wider context implied by the MHRA and WHO definitions.
Does this focus mean that we should not look outside of the pharmaceutical industry and gain from other’s experience? No, because when you explore the wider data governance subject outside of the pharmaceutical industry you will find the need to engage senior management, and control access to data and information in much the same way as required by the current crop of pharmaceutical data integrity guidance documents. Indeed, both Thomas and Seiner acknowledge the need for executive management involvement to establish and maintain effective data governance when discussing the subject in more detail.
For the avid reader who wants to find out more about data governance the following books are suggestions:
Following a look outside the regulated environment, we need to turn inward and consider the subject of this column-data governance within the pharmaceutical industry.
As the data integrity guidance documents make perfectly clear, senior management is responsible for data governance, including setting and maintaining the overall quality culture of an organization. Thus, to begin this discussion we can start with Section 2.1 of International Conference on Harmonization (ICH)Q10 on Pharmaceutical Quality Systems, which is entitled “Management Commitment” (19) and states: “(a) senior management has the ultimate responsibility to ensure an effective pharmaceutical quality system is in place to achieve the quality objectives, and that roles, responsibilities, and authorities are defined, communicated, and implemented throughout the company.”
In this joint publication by the regulators and industry in the European Union (EU), United States, and Japan, we have a definitive statement that senior management is responsible for the quality objectives throughout a pharmaceutical organization and communicating them to the staff. One of those quality objectives is data integrity. Therefore, senior management must ensure that any data supporting a marketing authorization or used for batch release are complete, consistent, and accurate, thus meeting the regulatory requirements of the authorities (1,5).
An International Society for Pharmaceutical Engineering (ISPE) publication earlier this year, entitled Considerations for a Corporate Data Integrity Program (20), is worth reading for help implementing data integrity from the top down in an organization. Taking the key elements of the ISPE document (20), the WHO guidance (2), and my discussion of the topic (11), we can come up with the following elements of a data governance structure within an organization:
That is a snapshot of data governance elements at a high level in an organization, but we still need answers to the following questions:
Let us start at the top of a regulated organisation and work down to the analytical laboratory.
As ICH Q10 (19) makes clear, senior management is responsible for quality and, hence, data integrity. An example of a data governance organization can be found in the 2012 Ranbaxy consent decree, where a post of Chief Data Integrity Officer with associated staff was created (21) to investigate the systematic falsification within the organization. This approach may not be appropriate for the majority of regulated companies, because we should avoid creating parallel organizational structures. That said, there will be some additional roles, committees, and responsibilities, but as much as possible this role should be an extension or reinforcement of many individuals normal working practices. The guiding principles here are as follows:
Figure 1 shows the main organizational elements involved in data governance at a corporate level that involves the following individuals and organizational elements:
Figure 1: Data governance organization at the corporate level.
The responsibilities of each area or individual are presented in Table II and discussed below.
Senior management must provide the leadership, resources ,and direction for the overall data integrity program. Note the use of the word program-there will be multiple work streams involved in data governance to ensure the integrity of data within an organization. One member of the senior management team should be the executive sponsor who monitors overall progress of the program, sits on the corporate data integrity steering committee and liaises between it and the senior management team.
A data governance steering committee is in charge of devising, implementing, managing and monitoring the corporate data governance and data integrity program. It is important at this stage to set and manage expectations. You will recall that the abstract for this column states that an overall approach should bring business benefit and if designed well should provide adequate regulatory compliance as well. Some of the other main responsibilities of this committee are outlined in Table II but please note that this list is not exhaustive. Depending on the size of the organization, there should be an option for site or division data governance committees to manage the data integrity program and project at a local level. The responsibilities of a site or divisional committee are broadly similar to the corporate steering committee to whom they report a site or division’s progress in the overall program of work.
Line management takes the policies and procedures from the corporate data governance steering committee and ensures that they are implemented in the areas for which they are responsible. At the corporate level there will be policies and procedures for data integrity and good documentation practices, but in the analytical laboratory there will be requirements for interpretation of data and second person review that are typically a local requirement. However, the most important role of line management members is to take the corporate requirement for an open culture and implement it in their laboratories. Allowing analytical scientists to admit their mistakes in an open way and without finger pointing in some laboratories is a big ask-but it must be implemented and maintained. In addition, line management must ensure that there is not undue pressure placed on staff to perform work that could lead to working practices that compromise the integrity of data.
Quality assurance provides the interpretation of regulations and quality oversight in the form of interpretation of regulations and advice, approval of updated computer validation documents, data integrity audits, and data integrity investigations. Because much of the supply chain is globalized, quality assurance must provide the data integrity input to quality and technical agreements for suppliers and also audit them against these agreements.
Corporate IT also needs to be involved at the steering committee level because the function will be responsible for storing the electronic records generated by the user departments. This means that the IT infrastructure must be resilient with redundant data storage and must also be secure from internal and external threats.
Data Integrity Policy
One of the functions of the corporate data governance steering committee and the executive sponsor is to ensure that there is a corporate data integrity policy and associated training material available for communication to all employees including part-time and temporary staff. An outline of such a data integrity policy is shown in Figure 2 with the approval by the executive sponsor on behalf of the senior management team.
There needs to be effective training for all members of staff in what the policy means for them and at the end there should be a test to check each person’s understanding of the policy.
In addition, the data integrity policy and data governance structures described above must be integrated within the pharmaceutical quality system of an organization.
Figure 2: Overview of a corporate data integrity policy.
Management, Monitoring,and Metrics
To help manage and monitor the various data integrity program streams, there is a need for metrics:
However, don’t forget that, as with all compliance projects, data integrity is a journey and not an event. As processes and systems are assessed and remediated, the data integrity program moves into the operational phase and the metrics change from remediation to monitoring the effectiveness of the new processes and systems, with metrics such as
The aims of these metrics are to keep senior management aware of the residual risk associated with a process or computerized system.
Process and System Level
I do not wish to bore you to death discussing data governance at the corporate level anymore, so in part II, I will focus on the laboratory and discuss the impact of the data governance scheme as it cascades down to the processes and systems at the bench. Line management will be responsible for ensuring that the corporate policies and procedures as well as the requirements for an open culture are communicated down the line to the operational staff as outlined in Table II. My main focus here will be on data ownership and data stewards because the ISPE paper only has a single passing reference to data owners (20), but data ownership is mentioned in the MHRA and WHO data integrity guidance documents (1,2).
R.D. McDowall is the director of R.D. McDowall Limited, as well as the editor of the “Questions of Quality” column for LCGC Europe, Spectroscopy’s sister magazine. Direct correspondence to: SpectroscopyEdit@UBM.com