The introduction of cloud services into the GMP environment increases. The cost factor dominates the discussion; however, specific risks need to be taken into consideration. Especially the issue of data integrity in cloud applications is not to be underestimated. What agreements need to be included in contracts with cloud service providers in order to ensure data integrity?
The necessity for contractual agreements is laid down in chapter 7 "Outsourced Activities" of the EU GMP Guidelines as well as in Annex 11 "Computerized Systems" of the guidance. The following are requirements for contractual agreements between a Regulated User (RU) and a Cloud Service Provider (CSP) which are meant to ensure the integrity of data (in motion and at rest). These requirements cannot explicitly be found in the EU GMP Guidelines, they should however be considered as useful:
Data transfer should only occur in encrypted form and in a way which ensures that the data being transferred are complete and unchanged.
CSP handling sensitive data or data with high availability requirements must have a certified ISMS (Information Security Management System) in place (e.g. as per DIN 27001).
CSP handling sensitive data or data with high criticality must submit to penetration testing in the course of their qualification.
Sensitive or critical data may only be stored in encrypted (or pseudonymized) form.
A deployment model should be chosen based on criticality. Private or community cloud models should be chosen rather than a public cloud for sensitive data.
Sharing data with a third party (e.g. subcontractors), e.g. providing infrastructure (storage space for backups, redundant computing power, etc) should be prohibited or dependent on the RU's approval.
The deletion of data must be fully guaranteed.
It must be possible to export data in a way that allows RUs to switch CSPs or get the data back on premise.
Only a limited, specifically selected and qualified group of people from the CSP should be able to access the data.
If data has been encrypted, the key management should lie with the RU.
The CSP informs the RU about changes which might impact the application or database. A notification of change with release note is expected, ideally issued before the actual implementation of the change so that the RU may check the effects of those changes, if necessary.