
Copyright © David Trew Consulting Ltd and Dr. David Trew 2013-2020


David Trew Consulting Ltd

Data Integrity in Regulated and Accredited Environments

Part 2: Strategies for Ensuring Comprehensive Data Integrity

Dr David Trew BSc(Hons), PhD, CChem MRSC

1 Introduction

With the current scrutiny, regulated and accredited organisations need to adopt a proactive strategy to provide a high level of assurance that all records and data are both reliable and trustworthy. Organisations not only need reliable and trustworthy data and records, but also need to ensure the integrity of their records and data can withstand scrutiny by sceptical regulators and other stakeholders.

This paper will apply the fundamentals and principles of data integrity, discussed in the previous paper in this series, and recommend approaches to developing and establishing a comprehensive data integrity management system that is designed to ensure the trustworthiness and reliability of all records and data produced by the organisation. A data integrity strategy is essentially a collection of policies and procedures which are used by staff in their daily work. These policies are designed to provide a high degree of assurance that all of the records and data created by the organisation accurately reflect the events that occur during its operations. In addition, the data integrity policies and procedures need to provide a high degree of assurance that those records remain complete and reflect their original content, and have not been altered without retaining their original content. In light of the wide area that data integrity covers, it is recommended that a multi-disciplinary team be appointed to manage the development and implementation process.

2 Data Integrity Management Master Plan (DIMMP)

It is recommended that a Data Integrity Management Master Plan (DIMMP) be created to serve as a roadmap to control and direct data integrity activities, and which:

Discusses the organisation’s philosophy and strategy to data integrity management

Establishes a management organisation to oversee data integrity management processes

Defines roles and responsibilities for members of the management organisation

Establishes an appropriate data integrity culture within the organisation

Defines and discusses the risk assessment and management strategy

Identifies the policies and procedures that need to be established

Identifies staff training requirements

Determines how compliance with data integrity policies and procedures will be monitored

Establishes mechanisms for protecting data and records from being lost or damaged in the event of a disaster and ensuring records will be available throughout their lifetime

Establishes mechanisms for identifying and investigating incidents that may adversely affect the reliability of records and data

Establishes mechanisms for correcting and preventing non-compliance with data integrity policies and procedures

The DIMMP is a key quality document that helps a variety of stakeholders who have particular interests in the data integrity management process. In particular, the DIMMP helps senior management estimate how the data integrity program impacts time, people, and money. All members of the data integrity team know their tasks and responsibilities, and it helps plan all necessary activities into the schedule, with no 11th hour surprises! In particular, the IT department understands how to support data integrity activities. Finally, clients and auditors understand the firm's approach to assuring the reliability and trustworthiness of its records and data.

3 Policies and Procedures

Policies that need to be established include:

i. Good documentation practices

ii. Prohibiting sharing of computer accounts

iii. Prohibiting use of computer accounts by anyone other than their authorised user. This should include such practices as sharing passwords with other people. As using someone else’s computer account can amount to criminal fraud, the policies should include sanctions such as dismissal from employment and reporting to law enforcement

iv. Prohibiting using someone else’s electronic signature. As with using someone else’s computer account, signing a document using someone else’s electronic signature can amount to criminal fraud, so the policies should include sanctions such as dismissal from employment and reporting to law enforcement

v. Defining the legal status of electronic signatures as legally equivalent to a traditional handwritten signature

vi. Password management policies such as

Minimum length




vii. Account management policies such as

Username format

Account privileges

Disabling when no longer required

viii. Audit trails

Disabling prohibited

What will be captured


ix. Data review

x. Monitoring compliance

xi. Identifying, investigating, tracking, correcting and preventing non-compliance

xii. Backup and archive

In addition to the policies, standard operating procedures (SOPs) need to be established to cover:

i. Account management. This should cover the opening, suspension and disabling of accounts.

ii. Data review. This should explain who is responsible for carrying out data reviews, and in particular should explain what needs to be reviewed to achieve the necessary confidence in the reliability of the data being reviewed. Some audit trails create many entries; it is important for the reviewer to understand the significance and meaning of these entries, and whether it is necessary to review each entry.

iii. Data backup. This should cover responsibilities, the backup and restore process and the process for confirming the integrity of backed up data. In addition, it should establish a schedule for both the backing up of data and for confirming the ability to restore data.

iv. Monitoring compliance with data integrity policies, such as audits. This should define responsibilities, and establish procedures for identifying and investigating non-compliance and appropriate metrics for tracking it. In addition, procedures for correcting incidents of non-compliance, together with prevention plans, should be established.

4 Data Integrity Culture

Many of the practices that undermine the reliability and trustworthiness of data and records appear to be motivated by unwillingness to accept results which did not support some particular preconceived requirement, such as batches of drug product meeting specifications, with the consequences of having to reject out of specification products and the resulting loss of revenue. When an organisation develops a reluctance to accept results which do not conform to some preconceived expectation it undermines the entire purpose of quality control testing.

If the management of an organisation assumes an out of specification result is due to a laboratory assignable cause, such as analyst error, instrument malfunction or an issue with the validity of the test method, in the absence of evidence to the contrary, this undermines confidence in the entire laboratory testing process, and would lead to questions about the validity of all the results created by the laboratory, including those that do conform to predetermined specifications or expectations. It is fundamental that all scientific work is approached with an open mind and without preconceptions as to what the final results will be.

It is therefore imperative that an appropriate quality and data integrity culture is established within the organisation. This culture should reflect management’s philosophy on quality and can be achieved by establishing policies that are aligned to the quality and data integrity culture and by developing an environment of trust, where all individuals are responsible and accountable for ensuring patient safety and product quality. The organisation should also establish general ethics and integrity standards which clearly define the expectation of ethical behaviour, such as honesty. These expectations should be communicated frequently and consistently.

Personnel must be fully aware of the importance of their role in ensuring data integrity and the implications of their activities for assuring product quality and protecting patient safety. This should be communicated to and be well understood by all personnel, including why the standards were established and the consequences of failing to fulfil the requirements.

Unacceptable behaviours, such as the deliberate falsification of data, unauthorised changes, destruction of data, or other conduct that compromises data integrity, should be addressed promptly. Disciplinary action may be taken, when warranted. It is particularly important that all members of staff understand that data integrity issues, and especially the falsification of data, can have extremely serious, even fatal, consequences for patients. In addition, data reliability issues can have very serious consequences for the business and could even affect its commercial viability. It is also important to emphasise that data fabrication and falsification can result in criminal exposure for the individual members of staff. This can include prison time and the inability to secure future employment. Conversely, acceptable behaviour should be appropriately recognised.

Management should not put undue pressures on members of staff that may result in non-compliance with established ethical and integrity standards. Realistic work expectations should be set, considering the availability and allocation of resources.

A confidential mechanism, supported by company policy and procedures, should be established that encourages personnel to bring instances of possible breaches of the ethics and integrity standards to the attention of management, without consequence.

This culture and these ethics and integrity standards need to be initiated by the most senior management within the organisation and should be communicated to all levels. This culture can be facilitated by policies of transparency, openness and approachability.

It is recommended that the instilling of the data integrity and quality culture starts during the induction process of new members of staff, and that frequent refresher training is carried out thereafter. This could include discussing incidents where data integrity has been questioned, together with the consequences for patients or customers, the business and individuals.
