MHRA revises its Guideline on Data Integrity in the short Term
The topic "Data Integrity" (electronically generated data as well as data on paper) has moved up recently in the ranking of the most important "hot GMP topics" - not least due to the fact that insufficient or missing data integrity have increasingly been cited as a GMP violation in FDA warning letters.
Just this past January the British authority MHRA has already published a "Data Integrity Guidance" which industry and associations commented on extensively. Already in March a revised version of this guidance was published. This revision is more accurate in some places and partially appears more rigorous with regard to the authority's expectations. Here are some examples:
Primary Record: In the event that primary data are recorded simultaneously by multiple systems, the system that generates and stores the data has to be defined. A risk assessment respectively a risk management has to ensure that the so-defined primary records have the maximum possible accuracy, completeness and relevance. It is not allowed to define so-called static data (prints or manual records), if there are dynamic (electronic) data as primary records. If there are data anomalies (e.g. OOS results), all data (static and dynamic) will have to be included in a risk-based investigation.
True Copy: The new guidance defines a "true copy" as a precise and verified copy of an original recording. This record can either be static (pure paper records or a non-editable electronic file in pdf-format) or dynamic (editable electronic file in which, for instance, certain sections of a diagram can be enlarged or expanded). The MHRA expects critical data to be stored in dynamic form to make sure that in inspections they can get to detailed information, which cannot be retrieved with static data.
System Administrator Access: According to the new guidance, the authority expects that the generic system administrator access is not used. Instead every employee with administrative privileges is supposed to log in only with his individual password, to ensure that the actions recorded in the audit trail can be associated with the respective person.