Can I trust your product if I can’t trust your data?

Data breaches can be catastrophic. Senior QA Specialist Nicola Bradytells you how to avoid them and protect Data Integrity in your business.

Data breaches can be catastrophic. Senior QA Specialist Nicola Brady tells you how to avoid them and protect Data Integrity in your business.

Protecting and preserving Data Integrity is one of the biggest challenges faced by GxP regulated companies today, but did you know that the FDA (Food & Drug Administration) consider a drug product to be adulterated under US law if a Data Integrity breach is observed?

What exactly does this mean?

A data integrity breach is considered to be any unauthorised or accidental alteration of data.The Food Drug & Cosmetics Act section 501(a)(2)(B)states: “a drug shall be deemed adulterated if ‘methods used in, or the facilities or controls used for, its manufacture, processing, packing, or holding do not conform to or are not operated or administered in conformity with current good manufacturing practice to assure that such drug meets the requirement of the act as to safety and has the identity and strength, and meets the quality and purity characteristics, which it purports or is represented to possess.”

Essentially, if your data is bad then you do not comply with current Good Manufacturing Practice and therefore your drug product is not suitable for the market,even if it does not impose any health or quality risk to patients. The cost of bad data is immense! A data integrity breach not only has a direct impact on the ability of the GxP regulated company to market the product that has been deemed adulterated-it may also result in drug seizures and recalls. The regulators trust in the company will definitely be impaired and the reputation and brand of the company may be damaged. The cost of damage, the investigations and the remediations required will have a significant time, resource and financial impact on the company.Significant shareholder value can be stripped from a brand overnight as a result of these breaches.

Critically, how can we be sure that the ultimate patient safety is assured at all times?

So how do we ensure that the data breaches don’t happen?

Let’s recap on what a data integrity breach is; it is an “unauthorised”or “accidental”alteration of data.

So,there are two different angles of vulnerability.


The unauthorised alteration of data has two potential failure modes; bad practices and intentional falsification. Bad practices encompass activities where the individual is performing an activity but does not know or understand that it represents a data integrity issue, e.g.changing critical process parameters because their access allows it. Intentional falsification is where an individual performs a modification or alteration to data to intentionally hide something. This individual has acted in contravention to GMP through the intentional falsification of data.


The accidental alteration of data is often related to a process or system deficiency, for example when an individual forgets to save a test run and the data is lostor data is truncated prior to rounding. Whatever the data integrity problems, they can be difficult to identify and just as difficult to address.

So how do I protect my data?

In order to protect your data from unauthorised or accidental alteration it is important to ensure that you have implemented controls at every stage of the data lifecycle. To implement these controls,you need to have a comprehensive understanding of how and where the data flows within your system and what the different data types are. The level of control should be commensurate with the criticality associated with the data. The types of data integrity controls include but are not limited tothe following:

-Access control –restrict access to administer the system, assign role permissions based on least privilege

-System control –enhance system controls to eliminate potential for record deletion

-Back Up & Recovery –back up data periodically so that if there is a corruption of data the original record is available and retrievable

-Audit Trail –implement audit trails to track all activities and ensure that they are reviewed in a meaningful way

-Training –ensure that personnel interacting with the system are aware of and understand what is acceptable and what is not acceptable within the system.

It is important that all these controls are supplemented by a data governance program where management establish and communicate clear and consistent expectations and requirements to preserve data integrity,and where a positive quality culture is promoted to minimise the risk of unauthorised or accidental data alterations and data integrity issues within the organisation.

Remember, patient safety, product quality and data integrity are the three drivers for all our quality activities. Ask yourself, “would I take this product knowing what I know about its data?”

Whatever happened to the “paperless office”?

Validated Workflows: the New Paperless
Webinar – Thursday, October 24th 2019, 11am GMT

By Marta Rosa Spiga

Since the beginning of the great IT revolution, the complete digitisation of any document has been predicted as a point of arrival for business organizations, the most striking example of what is called the “Paperless Society”. In 1980 The Economist had published an article, “Towards the Paperless”, in which the advent of the computer was identified as the factor that would mark the beginning of the paperless office era and the triumph of data digitisation.

“We should ‘reduce the flow of paper, ultimately aiming to abolish it’,” the article said, boldly proclaiming the intention for a new future. More than 30 years later, The Economist asked: “WHATEVER happened to the “paperless office”? Since then, alas, global paper consumption has increased by half”.

According to Quocirca’s Global Print 2025 market insight the crucial role of innovation is well understood, but endorsing it is seen as a challenge, particularly amongst SMEs. A kind or revolution is expected, with 70% of industry executives predicting a major change to their business models due to external forces. Only 31% currently feel well-prepared to respond to the challenge.

The study covers 575 small, mid-sized and enterprise organisations across the USA and Europe. It analyses plans for investment in security, cloud, mobility, analytics and digitisation– all essential ingredients for flexible working, to ensure employees remain productive regardless of location. But if paper is our present, why can it not be our future? Why should we all be going paperless?

There are the primary forces challenging the status quo, like for example the rapid rise in mobility, the acceleration of digitisation and the shift to the ‘as-a-service’ economy. A new era of connectivity, collaboration and innovation is born. In fact, teams distributed across the world will require tools that allow a better collaboration, cloud services that help the digitisation of workflows, which will further contribute to a reduction in demand for print volumes.

Patrick Murray, the Compliant Cloud Technical SME for Pharma VIEW (Validated Integrated Enterprise Workflows) is speaking in a webinar on the 24th of October that will help you to understand the benefits of going paperless, using some common use cases as inspiration. Save the date and don’t miss the opportunity to know more about validated workflows, the new paperless.

Find more here:

Where’s my data gone?

Understanding how data flows within an organisation is key to ensuring that it can be managed and analysed effectively.


Photo Credit of Silvia Paola Lai

By Nicola Brady, QA Compliance Specialist
Data is already everywhere and as information technologies evolve and the world in which we live becomes more automated available data gets even bigger and more prolific.  Understanding how data flows within an organisation is key to ensuring that it can be managed and analysed effectively.  The bigger data gets, the more complex it is to deal with.  Therefore, understanding the supply chain of your data is so important.  This is particularly true for the life science industry where quality and GMP decisions are made every day based on data, and where data itself is a critical product as it underpins all products and processes.  As such it is imperative that we understand how and where data flows i.e. do you know where your data is and who is accessing your data at any given time during its lifecycle and how can you assure the preservation of data integrity?

The data flow for a given process or system can be defined as the supply chain for all data, metadata, inputs and outputs for that process and
system.  All data goes through a process of creation, processing, review, reporting and use, retention and retrieval,
and destruction.  During the data lifecycle the data may cross between different systems, between manual
(paper) processes and computerized systems, to cloud-based applications and storage.  Data may move across
organisational boundaries, e.g. internally between departments, or externally  between regulated companies and third parties. 
Understanding and controlling these hand offs between processes, systems and entities is already complex and even more so where the data is moving in and out of cloud-based applications provisioned by a third party!

Has your organisation made a decision to outsource activities, such as data storage, to external cloud service
providers?  Are you taking a risk handing over your data to an unknown entity?  Do you understand how your data will be protected and controlled by the external service provider? Does the external service provider fully understand what’s expected from a life-science regulatory perspective? Are they
willing and able to demonstrate this?

To mitigate the potential risk to your data when outsourcing to a third party you must have a clear understanding of exactly where your data will reside, whether other third-party suppliers / subcontractors will have access to it and what security control measures will be implemented to safeguard it.  This can only be achieved through appropriate vetting of your potential third party supplier.  Once you are satisfied with the potential third party supplier you should then ensure that an agreement and contract is established and approved containing explicit requirements and controls prior to using the supplier for the outsourced activity.  Once in use you should ensure a periodic evaluation of your third-party supplier to ensure that the requirements and controls per the contract agreements are being adhered to.   

So irrespective of the process or system or its interfaces and boundaries, once an organisation can pin point where all associated data is at any given time during the data life-cycle and understand the controls in place to protect the data, even when it is stored in a cloud-based application managed by a third-party supplier, they can be confident that data integrity can be assured.

Good Culture Equals Good Data: The Importance of Quality Culture in Assuring Data Integrity

By Nicola Brady

What is a Quality Culture?

A Quality Culture within an organisation can be defined as a culture where everyone is focused on quality. It sounds pretty obvious doesn’t it? But this can be difficult to achieve. 

A Quality Culture within an organisation can be defined as a culture where everyone is focused on quality.
Photo credit of @markusspiske

How do you achieve a Quality Culture?

To achieve a Quality Culture, it must start at the top and filter down to all personnel in all functions, irrespective of their level in the organisation. The leadership team must be committed to the Quality Mandate. They must lead by example and empower their teams to act in accordance with good quality practices. This is only achieved through clear articulation and communication of expectations. The Leadership Team must ensure that expectations are supported by policies and procedures, that individuals have the appropriate skills and are provided the required training to perform in accordance with these expectations.

Processes are fundamental to achieving a successful Quality Culture.  Uniform and robust processes must be in place to ensure consistency and standardisation of work. There should only be one way of doing things – the right way. Having processes in place through procedures, policies and methods ensures continuity and stability. It is important that continuous improvement is also encouraged. If there is a more optimised or streamlined way to do something that is science based and quality centric then personnel should feel empowered to propose alternative approaches and challenge the status quo. 

The next essential element to achieving and maintaining a Quality Culture is Teamwork. Teamwork is vital at all levels of the organisation. Cross functionally, personnel must be able to work together, to share experience and best practices, to learn lessons. Trust is key. Team members must feel that they can trust their colleagues to do the right thing every time and they themselves must be trusted to operate in the same manner.This ties in closely with the final element of a Quality Culture, Code of Conduct. The Code of Conduct for the organisation must be established and appropriately communicated to ensure that personnel at all levels of the organisation understand the importance of conducting themselves in an honest, trustworthy, ethical manner. The Code of Conduct should clarify acceptable behaviours and practices as well as organisation expectations ultimately promoting the Quality Culture. All personnel at all levels of the organisation must observe the established Code of Conduct.

The culture of an organisation directly correlates with the validity and accuracy of the data that it generates. 


The culture of an organisation directly correlates with the validity and accuracy of the data that it generates.  In the  on data integrity (Data Integrity and Compliance with Drug cGMP: Questions and Answers Guidance for Industry (2018)) the following is stated ‘it is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organisational core value and employees are encouraged to identify and promptly report data integrity issues’.  An organisation with a poor or immature Quality Culture can often have poor or immature quality practices, whereby issues are not appropriately documented, investigated and remediated.  These organisations inevitably encounter challenges in adhering to and often have poor regulatory inspection records with repeat observations and violations.  Conversely, organisations with a strong Quality Culture perform well with the regulators.  These organisations are not error-free but their quality culture promotes a ‘do the right thing’ ethos when errors and issues arise.This transparency and openness gives the regulators confidence that the organisations data integrity is assured.