The way in which regulatory data is generated has continued to evolve in line with the introduction and ongoing development of supporting technologies, supply chains and ways of working. Systems to support these ways of working can range from manual processes with paper records to the use of computerised systems. However the main purpose of the regulatory requirements remains the same; having confidence in the quality and the integrity of the data generated and being able to reconstruct activities remains a fundamental requirement.

This document (PDF, 207KB, 14 pages) provides guidance on the data integrity expectations that should be considered by organisations involved in all aspects of the chemical and pharmaceutical development lifecycle or GLP studies regulated by MHRA.

This guidance should be read in conjunction with the applicable regulations and the general guidance specific to each GxP. Where GxP-specific references are made within this document (e.g. ICH Q9), consideration of the principles of these documents may provide guidance and further information.

Arrangements in place within an organisation with respect to people, systems and facilities should be designed, operated and where appropriate adapted to support a working environment and organisational culture that ensures data is complete consistent and accurate in all its forms, i.e. paper and electronic. The effort and resource applied to assure the validity and integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment.

When taken collectively these arrangements fulfill the concept of data governance.
Organisations are not expected to implement a forensic approach to data checking on a routine basis, but instead design and operate a fully documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. In addition to routine data review, the wider data governance system should ensure that periodic audits are capable of detecting opportunities for data integrity failures within the company’s system, e.g. routine data review should consider the integrity of an individual data set, whereas the periodic system review might verify the effectiveness of existing control measures and consider the possibility of unauthorised activity.

It should be noted that data integrity requirements apply equally to manual (paper) and electronic data. Organisations should be aware that reverting from automated / computerised to manual / paper-based systems will not in itself remove the need for appropriate data integrity controls. Where data integrity weaknesses are identified, either as a result of audit or regulatory inspection, companies with multiple sites should ensure that appropriate corrective and preventive actions are implemented across the organisation. Appropriate notification to regulatory authorities should be made where applicable.

Although not included in this guidance, the impact of organisational culture and senior management behaviour on the success of data governance measures should not be underestimated. Establishing data criticality and inherent integrity risk:

The degree of effort and resource applied to the organisational and technical control of data lifecycle elements should be commensurate with its criticality in terms of impact to quality attributes.

Data may be generated by (i) manual means – a paper-based record of a manual observation, or (ii) electronic means – in terms of equipment, a spectrum of simple machines through to complex highly configurable computerised systems.

When manually recorded data requires stringent oversight, consideration should be given to risk-reducing supervisory measures. Examples include contemporaneous second person verification of data entry, or cross checks of related information sources (e.g. equipment log books).

The inherent risks to data integrity relating to equipment and computerised systems may differ depending upon the degree to which data (or the system generating or using the data) can be configured, and therefore potentially manipulated.

The guidance is intended to be a useful resource on the core elements of a compliant data governance system across all GxP sectors (good laboratory practice, good clinical practice, good manufacturing practice, good distribution practice and good pharmacovigilance practice).

It addresses fundamental failures identified by MHRA and international regulatory partners during GLP, GCP, GMP and GDP inspections; many of which have resulted in regulatory action.
Finally, MHRA welcome comments via the comment sheet (MS Word Document, 224KB) which can be emailed to
Deadline for comments: 31 October 2016.