A Summary of the New MHRA ‘GXP’ Data Integrity Guidance and Definitions – March 2018

A Summary of the New MHRA ‘GXP’ Data Integrity Guidance and Definitions – March 2018

For over 20 years, there have been Health Authority regulations governing the use of Electronic Records and Electronic Signatures (eReS) for GxP purposes. These regulations (the US part 11, the EU Annex 11, and their ilk globally) are arguably among the most elegant, concise, and consistent across jurisdictions (with differences mostly limited to context and emphasis rather than substance).

That being said, there has been a considerable amount of confusion in interpreting and applying the eReS regulations as both the Regulators and those in Industry have evolved their understanding of these regulations as the various guidance documents have emerged, been rescinded, revised, re-issued, clarified, etc.

This latest guidance document (which can and should be read in its entirety here (21 pages): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHR), is very mature in its outlook and takes what has come before and builds upon it. The result adds a huge amount of clarity by specifically expounding on the general theme “This what we want, yes it means exactly that, and yes we understand the practical considerations and resource impact of what we want”.

Some key items in the guidance include:

  • Its application is intended across all GxP areas (Excepting Medical Devices – which I found interesting)
  • The principles of data integrity (which are separate from those of data quality) are meant to be adaptable, and are designed to evolve with Technology and promote a risk-based approach.
  • The non-technical aspects of data integrity are addressed, including the organizational responsibility to create a culture and environment (controls) that ensures that data is complete, consistent, and accurate in all forms (They focus on the oft neglected idea that PEOPLE are part of the process).
  • They revisit both ALOCA and ALCOA+ (Attributable, Legible, Contemporaneous, Original, and Accurate + Complete, Consistent, Enduring, and Available. They go on to clarify that these two acronyms are differing ways of explaining the same expectations.
  • Differing paper, electronic, hybrid scenarios are discussed as are the ideas around Risk, Risk mitigation, and documentation around both. Warnings are made about poor organizational controls and the over-reliance on a system’s validated state.
  • Challenges and considerations around designing data processes and controls are discussed in some detail.
  • Key definitions are explained in some detail for: Data, ALCOA, Raw = Source Data, Metadata, Data Integrity, Data Governance, Data Lifecycle, Recording & collection of data, Data transfer & migration, Data Processing, Data Exclusion, True Copy, Transactional data, Audit Trail, Reconstructability, Electronic Signatures, Data review and approval, Data Retention/Backup/Archival, System Access, the Admin Role, Validation, and IT Suppliers including Cloud providers).