Chinmoy Roy, Data Integrity SME, US, and Arjun Guha Thakurta, Director, Life Science Consulting, a ConvalGroup Company, India, explain that data integrity hinges on a multi-faceted approach comprising the triad of management controls, procedural controls and technical controls.
The rise in data integrity warning letters is forcing companies to hurry to acquire an understanding of data integrity. A close examination of management objectives where data integrity issues have unravelled indicates that they have been driven by the self-interest of profit. Management hesitates to replace older equipment with newer equipment that has technical controls to enforce data integrity. It also hesitates to provide the required level of personnel resources for regular audit trail reviews, investigation of data integrity issues and the like.
While regulatory agencies are actively hiring computer-savvy personnel familiar with the intricacies of electronic data, business expediency dictates that pharma industry management mirror those efforts by ensuring that adequate budgets are allocated to hire personnel with the right blend of IT and compliance expertise.
MHRA’s July 2016 draft ‘GxP Data Integrity Definitions and Guidance for Industry’ defines data integrity as “the extent to which all data are complete, consistent and accurate throughout the data lifecycle.” We may consider data integrity as analogous to product purity, where the product is either contaminated or not contaminated. So too with data integrity: the metric is binary in nature. Data is either contaminated or not contaminated. There is no in-between to signify a ‘degree of breach or contamination.’
So what is data integrity?
Data integrity may be appropriately defined as ‘the state of completeness, consistency, timeliness, accuracy and validity that makes data appropriate for a stated use.’ It is a data characteristic that lends it the assurance of trustworthiness. It is defined by the oft-mentioned ALCOA+ attributes. NIST SP 800-33 defines data integrity as the state when data has not been altered in an unauthorised manner. It covers data in storage, during processing and while in transit. Data integrity’s guiding principles include:
- The care, custody and continuous control of data
- Measures implemented to ensure that GxP regulated computerised systems and paper based as well as computerised data are adequately and securely protected against willful or accidental loss, damage or unauthorised change.
- Such measures should ensure the continuous control, integrity, availability and where appropriate the confidentiality of regulated data.
Thus, data integrity is a process wherein data is not modified in an uncontrolled manner as it progresses through any number of operations such as capture, storage, retrieval, update and transfer. It is a measure of the validity and fidelity of a data object.
Assuring enterprise wide data integrity
When it comes to assuring data integrity, the situation is more complex because words mean different things to different people. To the IT security group it is the assurance that information can be accessed and modified only by those authorised to do so. To the database administrator it means that data entered into the database is accurate, valid and consistent. To the data owner it is a measure of quality, with appropriate business rules in place and defined relationships between different business entities. To the regulator, data integrity is the quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data. This difference in meaning creates fertile ground for miscommunication and misunderstanding, with the risk that the activity will not be done well enough because of unclear accountabilities. Notwithstanding the impossibility of eliminating all vulnerabilities to data integrity in the organisation, controls should be established to reduce the propensity for data integrity errors and vulnerabilities. Such controls should integrate and coordinate the capabilities of people, operations and technology through a data integrity assurance infrastructure. It hinges upon a multi-faceted approach consisting of the following triad of components:
- Management controls
- Procedural controls
- Technical controls
Management controls address the people and business factors of data integrity. They describe the means by which individuals and groups within an organisation are directed to perform certain actions, while avoiding others, to ensure the integrity of data. These controls are enumerated in the company’s Ethics Policy, Code of Conduct directive, Data Governance programme etc. They serve as the enabler of a collaborative approach to governance of data that affects product quality and patient safety. The four key areas that management controls should address are:
- Control environment
- Control activities
- Information and communication
- Monitoring
Control environment is the establishment and maintenance of a working environment, also called the company’s culture. It is the declaration of the company’s ethics and code of conduct for all employees. Ethics is management’s declaration of its moral values and philosophy. A code of conduct is a set of rules according to which people in the company are supposed to behave, along with the consequences they face for failing to do so.
Control activities are captured in a data governance programme. This includes items such as data ownership, data stewardship, roles and responsibilities of different groups, risk assessment and alignment, control performance metrics etc. Gartner describes information/data governance as follows:
- The specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving, and deletion of information (or data).
- The processes, roles and policies, standards, and metrics that ensure the effective and efficient use of information (or data) in enabling an organisation to achieve its goals.
Information and communication is management’s commitment to encourage everyone to communicate data integrity failures and mistakes. This may be accomplished through a regularly scheduled reporting mechanism wherein stakeholders receive reports on the Key Performance Indicators (KPIs) of data integrity controls. These reports enable stakeholders to direct their business to achieve the desired data integrity goals. The KPI details, frequency of reports, typical report contents etc. are some of the items that the data governance programme should identify.
Monitoring is one of the most critical but often misunderstood processes. It involves regular reviews of data integrity performance. It helps to identify and remediate deficiencies in the controls. It also determines if and when data integrity directives need modification in order to meet changing business needs.
Procedural and administrative controls are guidelines that require or advise people to act in certain ways with the goal of preserving data integrity. They are embedded in the company’s core business activities. They consist of a suite of approved documents that give company personnel specific directives for activities that preserve and protect the integrity of data. These controls fulfil the ALCOA+ dimensions of data integrity. The following is a non-exhaustive list of directives for the respective ALCOA+ dimensions:
Technical controls are controls or countermeasures that use technology-based mechanisms to protect information systems from harm. These can include passwords, access controls for operating systems or application software, network protocols, firewalls and intrusion detection systems, encryption technology, network traffic flow regulators, and so forth. Used together, these different types of controls establish a layered defence and provide the best possible chance of preventing data integrity breaches. Whereas procedural controls apply primarily to practices and procedures during the data lifecycle, technical controls are designed into products to preserve data integrity during the three data states, which are as follows:
- Data at rest
- Data in motion
- Data in use
Some consider the 21 CFR Part 11 and Annex 11 regulations to be the ‘data integrity’ regulations. This is only partially true. These regulations primarily address the technical controls that provide data security. Such controls should be designed into products and include features such as role-based access control, audit trail capture and storage, and the capability to accept a global reset of clock time.
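As an added illustration of the audit trail technical control described above (example code written for this page, not the authors’ or any vendor’s implementation): every change to a GxP record is appended as a hash-chained entry carrying the ALCOA attributes, and `verify` detects a value that was rewritten in place or an entry removed from the middle of the trail. The field names, batch record and user names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # prev_hash of the very first entry in a trail

@dataclass(frozen=True)
class AuditEntry:
    user: str        # Attributable: who made the change
    timestamp: str   # Contemporaneous: when, from a trusted clock (ISO 8601, UTC)
    record: str      # which GxP record/field was changed (constructed naming)
    old_value: str   # Original: the prior value is kept, never overwritten
    new_value: str
    reason: str      # reason for change, as Part 11 audit trails expect
    prev_hash: str   # hash of the previous entry; this chains the trail together
    entry_hash: str  # SHA-256 over every field above

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()  # canonical JSON

def append_entry(trail: list, user, timestamp, record, old, new, reason) -> AuditEntry:
    """Append a new hash-chained entry; existing entries are never edited in place."""
    prev = trail[-1].entry_hash if trail else GENESIS
    body = dict(user=user, timestamp=timestamp, record=record, old_value=str(old),
                new_value=str(new), reason=reason, prev_hash=prev)
    trail.append(AuditEntry(**body, entry_hash=_digest(body)))
    return trail[-1]

def verify(trail: list) -> int:
    """-1 if every entry is intact and correctly chained, else index of the first bad entry.
    Caveat: removing only the newest entry is caught solely if its hash is anchored elsewhere."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = asdict(e)
        if body.pop("entry_hash") != _digest(body) or e.prev_hash != prev:
            return i
        prev = e.entry_hash
    return -1

def demo() -> tuple:
    """Constructed sample: two legitimate edits, then an in-place rewrite and a deletion."""
    t = []
    append_entry(t, "analyst01", "2019-03-04T09:12:00Z", "BATCH-0001/assay_pct", 98.2, 98.7, "typo fixed")
    append_entry(t, "qa_reviewer", "2019-03-04T10:05:00Z", "BATCH-0001/status", "pending", "approved", "reviewed")
    intact = verify(t)                      # -1: chain is sound
    t[0] = replace(t[0], new_value="99.9")  # value rewritten without a new entry
    edited = verify(t)                      # 0: stored hash no longer matches the content
    t.pop(0)                                # first entry removed
    deleted = verify(t)                     # 0: surviving entry's prev_hash is not GENESIS
    return intact, edited, deleted
```

In a deployed system the trail would be held in storage the application writes to by append only, with the latest entry hash periodically anchored in a signed report so that truncation of the tail is also detectable.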
Design consistency, an ALCOA+ attribute, is also a manifestation of technical control. One realisation of consistency is an enterprise IT architecture centred on a service-oriented architecture (SOA). Such a design provides a common standard for data interchange and, together with a common information model, boosts data consistency in the ‘data in motion’ state. Besides system architecture, design controls are also realised via Master Data Management (MDM) and a Common Data Model (CDM). A consistent design philosophy enhances data integrity in the following ways:
- Ease of engineering design and development of IT systems requiring data exchange. Adhering to a standard significantly decreases the proneness to data exchange errors in the ‘data in motion’ state.
- New systems can be introduced with the least disruption to other systems. This insularity largely maintains the validated state of the other systems, and their revalidation requirements when new systems are introduced are minimised.
The following is a non-exhaustive list of directives for technical controls.
- Engineering design directive
- Enterprise IT architecture
- Computer systems security management
- System design, including audit trail design
- Master data management
- Data model
- Computerised systems control
- GxP records management
Management’s pivotal role in the triad’s success
The success of data integrity efforts in an organisation is largely dependent on its culture. Since executive management primarily influences company culture, it is their ultimate responsibility to ensure data integrity. They should not delude themselves into a false sense of complacency and pretend that they do not have any data integrity problem. Instead, they should prioritise their company’s efforts towards establishing a data integrity infrastructure and provide leadership by allocating the necessary funds and resources to developing it.
To fulfill the leadership role, executive management should be familiar with the following key data integrity concepts:
- Data integrity context
- Obligation
- Ramification
- Controls
Data integrity context has been defined in various ways by different regulatory agencies. All those definitions coalesce to ‘the assurance of the trustworthiness of data.’ Management should not labour under the impression that data integrity is limited to falsification or fraud; inadvertent errors in capturing and recording data and a lack of data integrity training are also among the reasons that data integrity issues occur.
Obligation is management’s responsibility to establish a work culture wherein employees are sensitised to treating data as a valuable company asset. It also includes an obligation to establish robust systems and processes to ensure data integrity. Also included is the creation of a work culture where data integrity is incentivised and lapses are dealt with not punitively but with an increased level of training and supervision.
Ramification is management’s awareness of the legal consequences of presenting untrustworthy data to regulators. Other consequential impacts of data integrity lapses include patient safety, employee morale, decrease in stock value etc. Awareness of these consequences serves as management’s driver to provide the leadership to establish the triad controls.
Controls are the triad controls mentioned above. They are mechanisms that prevent data integrity issues from occurring. They also address how to avoid future occurrences of issues that crop up in spite of the controls being in place.
In addition to the leadership role that executive management provides, they also serve as the driving force for developing and implementing management controls, while delegating the leadership role for developing the procedural and technical controls to middle management. When establishing management controls, they should seek the expertise of outside consultants. These consultants provide data integrity expertise along with valuable external perspectives on the company’s dynamics that can be difficult to see from the inside. The consultants also help in negotiating differences of opinion among team members by offering opinions based on their experience with other companies.
Executive management should also recognise the contributions of all their employees, empower them with decision-making and encourage them to be critical and divergent thinkers. Towards that end, they need to provide the necessary funding and hire the right people to develop the procedural and technical controls while they and their consultants develop the management controls.
A pharma company’s supply chain consists of business processes that produce and use regulatory data. Consequently, the triad controls along with the company’s Quality Management System (QMS) are applicable to all these processes. Hence, business expediency dictates that the triad controls are integrated with the QMS. Accordingly, the same managers who are responsible for day-to-day operations and product quality decisions should also be responsible for ensuring the integrity of data they use or create.
The triad controls should be designed to complement one another with no overlaps. Since management controls consist of a Data Governance programme, which is the company’s overarching programme to ensure data integrity, the programme elements must be traceable to the procedural and technical control elements. This triad interdependency is the key to an effective data integrity assurance infrastructure. The developers of the triad controls cannot effectively judge the data integrity safeguards that the controls represent. Experienced data integrity consultants routinely find issues with the controls that are unknown to management or have eluded their attention, and that were not detected during management oversight and internal audits. A fresh set of eyes from experienced consultants can significantly enhance the assurance of trustworthiness of data that the triad controls are designed to achieve.