Issue link: https://www.e-digitaleditions.com/i/1394390
18 BioPharm International eBook July 2021 www.biopharminternational.com detection) should be controlled through technical, administra- tive, or procedural means. • Hy br id pap er/elec t ron ic pro- cesses may be capt ured in the vendor ag reement, but in any case, should be documented and assessed for data integrity risks. • Deletions or mod if ications of data or metadata (e.g., dates) shou ld not obscure prev iously recorded information and should be attributable. Scenario C: Vendor-generated data stored on the IT infrastruc- ture of the vendor O n e o f t h e c r it i c a l e l e m e nt s o f d a t a i n t e g r i t y f o r d a t a g e n e r- ated by a third-par t y is where the r aw a nd rep or ted d at a a re stored a nd to whom t he d ata a re acce s- sible. R eg a rd le s s , d at a shou ld b e retained and archived in accordance with a quality agreement (or equiv- alent) and in compliance with reg- ulatory requirements. These written agreements shou ld establish spon- sor expectations and vendor respon- sibi l it ies related to data integ r it y c ont rol s for g o o d m a nu f a c t u r i n g practice (GMP) or good laborator y practice (GLP) records, as wel l as how communication and auditing of such records should take place. The agreement should ensure the follow- ing, for the vendor: • Vendor procedures are in place t o e n s u r e t h a t f o r a l l d a t a , whether paper or electronic, at a minimum the ALCOA require- ments are met. • Ve n d o r t e s t i n g r e c o r d s a r e r e v i e w e d b y t h e v e n d o r t o ensure compliance with all pro- cedures, specif ications, and reg- ulatory requirements. • Vendor investigations and ven- dor i nter na l aud it i ng i nc lude data integrity (e.g., calculations, qualit y of procedures/processes to uncover data integrity issues, d o c u m e n t e d t r a i n i n g w i t h a foc us on data integ r it y a nd responsibilities for the vendor). The sponsor should agree to reg- ularly update, review, and commu- nicate the following to the vendor: • A n y u p d a t e s t o p r o c e d u r e s ref lecting data integrity practices providing a quality environment between sponsor and vendor • Audit/investigation results and reviews of vendor data integrity quality metrics. The sponsor should clearly com- municate that sponsor audits of the vendor will include a focus on data integrity elements and practices, and the sponsor should ensure that audits include assessment and evaluation of data integrity controls in place. T he w r it ten a g re ement shou ld add it iona l ly del i ne ate t he record retention responsibilities of the two pa r ties and any handof fs bet ween vendor and sponsor at specif ic mile- stones. In cases where data are col- lected using software that the sponsor does not have, t he vendor shou ld reta in e-records a nd t he sof t wa re necessary to make them human-read- able (including metadata). A primary concern is that of security of the raw data. Data stored on the IT infrastructure of a third party are inher- ently less under the control and protec- tion of the sponsor. In cases where the third party retains the original data, it is critical that appropriate expectations and responsibilities are clearly defined in a quality agreement (or equivalent). These agreements should include the following considerations: • Because the sponsor may, in some cases, receive only reports of final data (e.g., from sample analysis or from calibration, maintenance, and qualif ication), an audit for s e le c t i n g a n e x ter n a l v endor should challenge the process from raw data generation through to distribution of f inal reports to ensure the accuracy and reliabil- ity of raw data generated by the vendor. This audit should include a review of the mechanisms used to generate and distribute data summaries and reports. • Transpa renc y a round the ven- dor's IT infrastructure (including the subcontracting of IT infra- st r uct u re to c loud-based pro- v iders) shou ld be def ined in a written agreement. This agree- ment should include notification of the unauthor iz ed accessing of sponsor data (e.g., through a hacking attack). • Responsibilities, including clearly defined ownership and retention requirements/schedules, should be clearly described in the written agreement. • W h e r e d a t a a r e t r a n s f e r r e d bet ween the sponsor and their vendor site, the written agree- ment shou ld specif y how this is done to ensure adherence to ALCOA + principles, including management of true copies. • All electronic data (or certif ied t r ue copy t hereof ) shou ld be retained and include a means to retrieve/read these data (including metadata such as audit trails, etc.). In particular, the vendor must retain the ability to read data from retired instruments through the retention period of the data (as defined by the sponsor). • Electronic data should be main- ta i ned i n its or ig i na l for mat Biopharmaceutical Analysis Data Integrity Data stored on the IT infrastructure of a third party are less under the control and protection of the sponsor.