By Frederic Landry

Applying a Risk-Based Approach to Records and Data Integrity

Records and data integrity refer to the accuracy, completeness, and consistency of data and records. In an age where information technology is omnipresent, records and data integrity are essential for ensuring that information is reliable and can be used to carry out critical decision-making processes and to support day-to-day operations.

Maintaining records and data integrity involves implementing measures to prevent errors, corruption, or unauthorized changes to data. This can include processes such as data validation, access controls, backup and recovery procedures, and regular audits.

In this blog, we will provide a high-level, 360-degree view on applying a risk-based approach to records and data integrity. We will cover risk management principles, provide examples of typical risks to avoid, and discuss how a risk-based approach can be applied to manage them.

The Case for Records and Data Integrity

Maintaining adequate records and data integrity is important for several reasons; amongst others, it helps to ensure that decisions are based on accurate and reliable information, it reduces the risk of errors and inconsistencies, and it helps to maintain trust and confidence in the data.

Almost anyone working in the life sciences industry knows about the Good Automated Manufacturing Practice (GAMP) guides from the International Society for Pharmaceutical Engineering (ISPE), which aim to safeguard patient safety, product quality, and data integrity in the use of computerized systems. GAMP promotes a system life cycle approach based on good practice, clarifies roles and responsibilities, provides practical interpretation and suggestions that facilitate the interpretation of regulatory requirements, and establishes a common language and terminology for practitioners.

One of the key principles of GAMP is the use of a risk-based approach. This approach ensures that adequate resources are allocated and that control strategies for maintaining the integrity of data are commensurate with their potential impact on product quality and patient safety. In turn, strategies that are rooted in a risk-based approach and geared towards preventing records and data integrity issues from occurring are likely to be the most effective when considered from a combined outcome-cost perspective.

Here are several reasons why this approach is important:

  • Resource Allocation: Not all data and records are equally critical. By identifying and assessing risks associated with different types of data and records, organizations can allocate resources appropriately. They can focus more attention and resources on high-risk areas where the potential impact of errors or integrity issues is greater.

  • Proactive Identification of Vulnerabilities: A risk-based approach encourages organizations to proactively identify vulnerabilities in their data management processes. By assessing risks, organizations can uncover potential weaknesses in their systems, processes, or controls that could compromise data integrity. This enables them to take targeted preventive measures to mitigate these risks before they cause problems.

  • Compliance Requirements: Many industries have regulatory requirements related to data integrity and records-keeping. A risk-based approach helps organizations ensure compliance with these requirements by prioritizing efforts and implementing controls and processes, on areas that pose the highest compliance risks/concerns.

  • Continuous Improvement: Risk assessment is not a one-time activity; it's an ongoing process. By regularly assessing risks to data integrity, organizations can identify new threats, changes in the operating environment, or weaknesses in their controls. This enables them to continuously improve their data management practices and maintain high levels of integrity over time.

  • Cost-Effectiveness: Indiscriminately investing in comprehensive data integrity measures for all data and records can be costly and inefficient. A risk-based approach helps organizations prioritize their investments, focusing resources on areas where they can have the most significant impact on reducing risks to data integrity. This ensures that resources are used efficiently and effectively.

How Can I Implement a Risk-Based Approach to Records and Data Management?

To implement a risk-based approach to records and data management, you can follow the principles of Quality Risk Management (QRM) as outlined in the ISPE's GAMP guides. This involves assessing, mitigating, communicating, and reviewing records and data integrity risks throughout the data life cycle.

Here are the four primary steps generally included when implementing a risk-based approach to records and data integrity:

  • Identify: Identify potential risks to records and data integrity by conducting a risk assessment. This activity should include establishing the criticality of the data and the inherent risk to it. It should involve defining and analyzing the data life cycle for potential sources of errors or data corruption, and evaluating the potential impact of these risks on product quality and patient safety. The exercise should not be limited to electronic records: records and data in paper, hybrid and other formats should also be considered.

  • Develop: Develop and implement strategies and controls to mitigate identified risks. This can include implementing access controls, data validation checks, and audit trails to ensure that data is accurate and secure.

  • Communicate: Communicate risks and control strategies to relevant stakeholders, including management, IT personnel, and end-users. This can involve providing training and clear instructions on good data management practices and ensuring that everyone understands their roles and responsibilities. Every type of system should be treated consistently, and communication should extend to other teams conducting their own risk assessments.

  • Monitor: Monitor and review the effectiveness of control strategies on an ongoing basis, including the effectiveness of the training provided. This can involve conducting regular audits and assessments to ensure that control strategies are working as intended, that records and data management policies are respected, and that data integrity is maintained. When deemed necessary, this should include tests that can expose system vulnerabilities, such as vulnerability scanning and penetration testing. Systems evolve over time, and so do attacker capabilities, so systems should be periodically monitored and tested, making use of automated testing where possible.


Understanding the Difference Between Business Risks and Control Deficiencies

In risk management, a business risk refers to the possibility of an event or circumstance that could negatively impact an organization's ability to achieve its objectives. This could include financial loss, reputational damage, legal consequences, and operational disruption, among others.

On the other hand, a deficient mitigation measure refers to a control or strategy that is intended to reduce or manage a specific risk, but that is not effective in doing so. This could be due to several reasons, such as the measure not being properly implemented, not being comprehensive enough, or not being regularly reviewed and updated.

To summarize, a business risk is a potential negative outcome that an organization seeks to avoid, while a deficient mitigation measure is an ineffective strategy for managing that risk. As IT risk management specialists, we often see people mixing the two and classifying issues as risks. If you are taking a shorter-term view, it may not matter much, because treating an issue as a risk will still help improve your risk profile. However, if you are developing and deploying a risk management system in which risks are monitored and tracked, it will have consequences that go beyond semantics. This is partly because issues (e.g., deficient controls) can be eliminated, while major organizational risks are usually a lot more permanent, as they can only be mitigated. Take data loss as an example: a data loss event cannot be completely predicted, nor can the impact of such an event be fully known ahead of time. Even with the best mitigation measures, the risk remains; it is simply "brought down" to an acceptable, more manageable level.

If you classify deficient controls or mitigation measures as risks, you'll end up with risks constantly popping in and out of existence. It will make it much harder to determine when to act or to follow the evolution of your risk profile. After all, not all risks should be eliminated; they just need to be reduced to acceptable levels, based on your risk appetite. Issues, however, generally should and can be corrected or eliminated. When issues are treated as risks, you'll often forget why certain controls exist (what risk is this control helping to mitigate again?). Their presence can easily become the sole reason for their existence. This makes it hard to choose which controls should be improved, deployed or even, believe it or not, eliminated based on risk.

To come back to our original topic, it is important to understand that the business risk posed by a lack of records and data integrity is not the same thing as a weakness that threatens records and data integrity. Confused? Let me try to explain with an example: a deficient data backup and recovery process is not a business risk. It is an issue that prevents you from mitigating risks associated with records and data integrity. The "true risk", what you are trying to avoid, is data or records loss, which could have serious consequences for your business. This risk will remain whether or not you fix your data backup process, but its magnitude (e.g., high, medium, low) will obviously be affected by the robustness of that process.


Common Business Risks from Records and Data Integrity

Here are some common high-level business risks arising from records and data integrity issues that organizations wish to avoid:

  • Loss of trust: Data is found to be inaccurate or unreliable and results in a loss of trust from customers, partners, and other stakeholders.

  • Financial loss: Data integrity issues result in financial loss due to incorrect billing, lost sales, or fines for non-compliance with regulations.

  • Legal repercussions: Data is found to be inaccurate or unreliable, and results in legal consequences such as lawsuits, product recalls, or regulatory action.

  • Reputational damage: Data integrity issues result in damage to an organization's reputation, which can have long-term negative effects on its ability to do business.

  • Operational disruption: Data integrity issues can result in operational disruption, as systems and processes may need to be shut down or modified to address the issue.

To avoid these negative consequences, it is important for organizations to implement good data management practices and control strategies to mitigate risks to records and data integrity. This is done by deploying mitigation measures and controls that will prevent the occurrence of undesirable situations or reduce the negative impact of an undesirable situation, when it occurs.


ALCOA++, A Framework for Records and Data Integrity

ALCOA++ is an expanded version of the ALCOA acronym, which stands for Attributable, Legible, Contemporaneous, Original and Accurate. The "+" in ALCOA+ extended this initial list with Complete, Consistent, Enduring and Available. The "++" in ALCOA++ groups in further principles, notably Traceable. Taken together, the data integrity quality attributes commonly listed are the following:

  • Attributable: Data should be traceable to the person who recorded it and the time and date of the recording.

  • Legible: Data should be recorded in a clear and legible manner.

  • Contemporaneous: Data should be recorded at the time the activity being recorded is performed.

  • Original: Data should be recorded in its original form, without any alterations or modifications. Controlled mechanisms should be in place if true copies are required to be used in place of original records.

  • Accurate: Data should be correct, precise, and free from errors.

  • Complete: All data, including any repeat or reanalysis of data, should be recorded and maintained.

  • Consistent: All data should be consistent with the time and date of the activity being recorded, with date and time stamps following the expected sequence.

  • Enduring: Data should last for the duration that it is required to be maintained, throughout its entire intended life cycle.

  • Available: Data should be readily available for review and inspection.

  • Unalterable: Data should be recorded in a manner that prevents unauthorized changes or tampering.

  • Traceable: Data should be traceable to the source and the person responsible for recording it.

  • Reviewed: Data should be regularly reviewed to ensure its accuracy and completeness.

  • Protected: Data should be protected from unauthorized access or tampering.

Working toward records and data integrity means striving to preserve those attributes. It means "fighting off" events or risk scenarios that could negatively affect those attributes and, consequently, negatively impact the business.

The goal of implementing a risk-based approach to records and data integrity is to prevent those attributes from being compromised, and to ensure that mechanisms are in place to detect and remediate the effects of those quality attributes being compromised when a risk does materialize. This is not an all-or-nothing approach. The mitigation measures should be commensurate with the risks that the undesirable outcomes may represent for the organization.

Pro Tip: If you want to learn more about the evolution of ALCOA, you will appreciate reading Is Traceability the Glue for ALCOA, ALCOA+, or ALCOA++? from spectroscopyonline.com. The 'GXP' Data Integrity Guidance and Definitions from the Medicines & Healthcare products Regulatory Agency (MHRA) is also a great asset to consult if you are looking for a list of standard definitions and practical guiding principles about data integrity.


Typical Control Strategies to Mitigate Records and Data Integrity Risks

As previously stated, control strategies should be commensurate with the risks the undesirable outcomes may represent for the organization. But what are common control strategies (i.e., controls) used to mitigate records and data integrity risks? Here are some typical examples:

  • Access Controls: Implementing access controls ensures that only authorized individuals have access to sensitive data and records. This includes user authentication mechanisms such as passwords, biometric authentication, multi-factor authentication (MFA), and role-based access control (RBAC) to restrict access based on job responsibilities and permissions.

  • Data Encryption: Encrypting data at rest and in transit helps protect it from unauthorized access. Encryption techniques such as AES (Advanced Encryption Standard) are commonly used to secure data stored on servers, databases, and other storage devices, as well as data transmitted over networks. Note that encryption on its own provides confidentiality, not tamper detection: to detect modification of encrypted data, use an authenticated encryption mode (e.g., AES-GCM) or pair encryption with the integrity checks described next.

  • Data Integrity Checks: Employing data integrity checks ensures that data remains accurate and consistent throughout its life cycle. Techniques such as checksums, hash functions, and digital signatures can be used to verify the integrity of data and detect any unauthorized modifications. Keep in mind that an unkeyed checksum or hash only detects accidental corruption; anyone who can alter the record can recompute it. Detecting deliberate tampering requires a keyed message authentication code (MAC) or a digital signature whose key is not available to the accounts that write the data.

  • Audit Trails: Implementing audit trails enables organizations to track and monitor access to data and records. By logging details such as user activities, timestamps, and system events, audit trails provide a historical record of who accessed, modified, or deleted data, helping to detect and investigate potential integrity breaches. The audit trail must itself be protected: it should be append-only, not editable by the users whose actions it records, and based on a trusted time source, otherwise it cannot be relied upon as evidence.

  • Version Control: Implementing version control mechanisms helps manage changes to data and records over time. By maintaining a history of revisions and documenting changes, version control systems enable organizations to track and revert to previous versions if integrity issues arise.

  • Data Backup and Recovery: Regularly backing up data and records ensures that they can be recovered in the event of data loss, corruption, or other integrity issues. Implementing robust backup and recovery procedures, including offsite backups and disaster recovery plans, helps minimize the impact of integrity breaches on business operations. Backups should be subject to the same integrity checks as the live data, and restores should be tested periodically; a backup that has never been restored is an assumption, not a control.

  • Training and Awareness: Providing training and awareness programs for employees helps promote a culture of data integrity and security within the organization. Educating staff about the importance of data integrity, best practices for handling sensitive information, and potential risks can help mitigate human error and insider threats.

  • Data Incident Response: Establishing a data incident response plan enables organizations to respond promptly and effectively to data integrity breaches. This includes procedures for incident detection, analysis, containment, eradication, and recovery, as well as communication protocols for notifying stakeholders and regulatory authorities.
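The Data Integrity Checks and Audit Trails controls above are easiest to reason about with something concrete. The following is an added example, not code from the original post or from any GAMP or MHRA guidance: a tamper-evident audit trail in which every entry carries a keyed HMAC over its own fields and over the previous entry's HMAC, placed beside the unkeyed checksum it replaces. The entry layout, field names, key handling and the three sample batch-record changes are constructed assumptions made for illustration.

```python
"""Added example (not from the original post): an HMAC-chained audit trail
beside an unkeyed checksum. Layout, key and sample entries are assumptions."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumption: in a real system this key lives in a KMS/HSM and is not readable
# by the accounts that write audit entries. Here it is a constructed constant.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_mac of the first entry


def _canonical(entry: Dict) -> bytes:
    """Serialise every field except the MAC deterministically, so the writer
    and the verifier hash exactly the same bytes."""
    signed = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_digest(entry: Dict) -> str:
    """Plain SHA-256 of the content: detects accidental corruption only."""
    return hashlib.sha256(_canonical(entry)).hexdigest()


def _mac(entry: Dict) -> str:
    return hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()


def append_entry(trail: List[Dict], user: str, timestamp: str,
                 action: str, record: Dict) -> Dict:
    """Append an entry whose MAC covers its own fields (who, when, what) and
    the previous entry's MAC, so the chain breaks if anything is altered."""
    entry = {
        "seq": len(trail),
        "user": user,
        "timestamp": timestamp,
        "action": action,
        "record": record,
        "prev_mac": trail[-1]["mac"] if trail else GENESIS,
    }
    entry["mac"] = _mac(entry)
    trail.append(entry)
    return entry


def head_mac(trail: List[Dict]) -> str:
    """MAC of the newest entry. Store it outside the trail (separate system,
    printed report, WORM media) so silent truncation of the tail is caught."""
    return trail[-1]["mac"] if trail else GENESIS


def verify_trail(trail: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the seq of the first entry failing verification, None if intact.
    Edits, deletions, insertions and reordering break the chain; removal of
    the last entries is detected only when expected_head is supplied."""
    prev_mac = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("seq") != i or entry.get("prev_mac") != prev_mac:
            return i
        if not hmac.compare_digest(_mac(entry), str(entry.get("mac", ""))):
            return i
        prev_mac = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
        return len(trail)  # entries are missing from the end
    return None


def build_sample_trail() -> List[Dict]:
    """Constructed sample data: three changes to one batch record."""
    trail: List[Dict] = []
    append_entry(trail, "analyst1", "2024-03-01T09:00:00Z", "create",
                 {"batch": "B-001", "assay_pct": 98.1})
    append_entry(trail, "analyst1", "2024-03-01T09:15:00Z", "update",
                 {"batch": "B-001", "assay_pct": 98.4})
    append_entry(trail, "qa_reviewer", "2024-03-02T10:00:00Z", "review",
                 {"batch": "B-001", "status": "approved"})
    return trail


def insider_edit(trail: List[Dict], seq: int, new_record: Dict) -> List[Dict]:
    """Simulate an insider with write access to the store altering one entry."""
    forged = copy.deepcopy(trail)
    forged[seq]["record"] = new_record
    return forged


def compare_controls() -> Dict[str, object]:
    """Run the checksum-only control and the HMAC chain against the same edit."""
    trail = build_sample_trail()
    head = head_mac(trail)
    forged = insider_edit(trail, 1, {"batch": "B-001", "assay_pct": 99.9})
    # Checksum-only control: the insider who rewrote the record can also
    # overwrite the stored checksum, so the check still passes.
    stored = [unkeyed_digest(e) for e in trail]
    stored[1] = unkeyed_digest(forged[1])
    checksum_passes = all(unkeyed_digest(e) == d for e, d in zip(forged, stored))
    return {
        "intact": verify_trail(trail, head),
        "forged_first_bad_seq": verify_trail(forged, head),
        "truncated_first_bad_seq": verify_trail(trail[:2], head),
        "checksum_only_passes_after_forgery": checksum_passes,
    }


if __name__ == "__main__":
    print(json.dumps(compare_controls(), indent=2))
```

Two design points matter here. First, the unkeyed digest passes after the forgery because whoever can rewrite a record can recompute it; the HMAC fails because the key is held outside the writer's reach (the constant in this example stands in for a key in a KMS or HSM). Second, chaining alone cannot reveal that the newest entries were deleted, which is why head_mac exists: periodically recording the head MAC somewhere the audit-trail writers cannot reach turns tail truncation into a detectable event.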

In Retrospect…

Overall, a risk-based approach to ensuring good records and data integrity enables organizations to manage their risks more effectively, ensuring compliance with regulatory requirements while allocating resources efficiently to protect critical data and records.

We hope you found our take on how you can benefit from a risk-based records and data integrity approach useful. If you have any questions, comments or suggestions, or if you want to dive deeper into this topic, we would love the chance to have a conversation with you and share our knowledge. For more information, reach out to us directly at info@innnovx.org.



  1. ISPE. (2022, July). ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition).

  2. McDowall, R.D. (2022, April). Is Traceability the Glue for ALCOA, ALCOA+, or ALCOA++? Spectroscopy, 37(4), 13–19. https://doi.org/10.56530/spectroscopy.up8185n1

  3. Medicines & Healthcare products Regulatory Agency. (2018, March). ‘GXP’ Data Integrity Guidance and Definitions. Retrieved from https://assets.publishing.service.gov.uk/media/5aa2b9ede5274a3e391e37f3/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf

  4. World Health Organization. (2016). Guidance on good data and records management practices. WHO Technical Report Series No. 996, Annex 5. Retrieved from https://rx-360.org/wp-content/uploads/2018/08/WHO_TRS_996_annex05.pdf



