What Is Data Compliance?

In the old days, running a lab and organizing your data involved a lot of lab books and spreadsheets. These days, the regulations around storing and managing data are increasing and becoming more complex.

Complying with FDA Title 21 CFR Part 11 may seem like a daunting task, but it doesn’t have to be.

Nowadays, laboratory information management systems (LIMS) or electronic laboratory notebooks (ELNs) can do all the heavy lifting for you, integrating audit trails, data integrity and data security protocols as standard.

If you’re wondering whether your lab is data compliant or worrying what you can do about it, this guide will help you understand what you need to get started.

What is data compliance?

Data compliance is the practice of ensuring that organizations follow regulations to ensure the sensitive digital assets (data) it possesses are organized, stored and managed so that they are guarded against loss, corruption, theft and misuse.

These regulations spell out what data need to be protected, what processes are acceptable and what the penalties will be for failure to follow the rules.

Whilst this may sound like data security, data compliance and data security are not the same. While data compliance and data security have the same goals – to minimize and manage risk associated with collecting, storing and handling data – data compliance only ensures you meet the minimum legal requirements. Data security covers all the processes and technologies of securing sensitive data, including firewalls, authentication and password protection protocols. Just because you’re data compliant, it doesn’t mean that your data are secure.

Data integrity is also often confused with data security and data compliance. In truth, there are areas of similarity between all of them, but there are key differences. Data integrity is the application of policies to keep data accurate and complete and can include security policies to prevent users from modifying data inappropriately.

You can think of data compliance as an umbrella, under which data integrity and data security reside, although bear in mind that your data integrity and data security policies can go far beyond that required under data compliance regulations, if necessary.

Data compliance regulations for laboratories

There are many different data compliance regulations in use, depending on the industry. For laboratories, there are 5 main ones:

• FDA 21 CFR Part 1
• MHRA: GxP
• EU GMP Annex 1
•   FDA Data Integrity and Compliance with cGMP
• WHO Good Data and Record Management Practices

Of these, the first – Title 21 of the FDA’s Code of Federal Regulations Part 11 – is the most used and required standard for correct data management, and we’ll refer to this throughout.

Data compliance in industry and academia

You would think that when the government sets out strict data compliance regulations that labs in universities, companies and even government labs would comply.

Not so.

Less than half of 4,209 clinical trials published their results to the FDA within the mandated 1 year of completion between March 2018 and September 2019. Of these, only 2,686 published results, with just 1,722 reporting within the 1-year deadline (the Lancet).

Compliance was generally far higher in companies (50.3%) than in University labs (33.8%), probably because of the availability of resources and staffing to cope with the increased demands of compliance. Interestingly, only 31.4% of government labs complied with their own regulations!

Failing to report results with the FDA can bring fines of up to $10,000 for each day of non-compliance, but there is little-to-no enforcement from the FDA. According to the Lancet study, strict enforcement would have yielded more than $4 billion in fines.

 

Why is data compliance important?

According to Compliance Online:

“Data is the fuel of decision making, continuous improvement, quality and demonstration of clinical value. Data is to an organization what fuel is to a car. If the fuel is contaminated, it damages the engine. If the integrity of the data is at risk, it can damage the organization’s reputation and can even lead to the extent of business shutdown”.

In its April 2016 document, Data Integrity and Compliance With Drug cGMP (current good manufacturing practice) Questions and Answers Guidance for Industry, the FDA stated that:

“In recent years, FDA has increasingly observed cGMP violations involving data integrity during cGMP inspections. This is troubling because ensuring data integrity is an important component of industry’s responsibility to ensure the safety, efficacy and quality of drugs, and of FDA’s ability to protect the public health. These data integrity-related cGMP violations have led to numerous regulatory actions, including warning letters, import alerts and consent decrees”.

Clearly, then, data integrity and data security are important not just to data compliance, but also to the success of your organization.

Data compliance is important to engender trust between the organization and the regulatory bodies, but also to the end users of those data.

 

Data compliance regulations – Title 21 CFR Part 11, CGMP

Title 21 of the Code of Federal Regulations Part 11 is FDA’s standard for the management of electronic records that are created, modified, maintained, retrieved or transmitted.
There are 3 subparts to this document:

1.  General Provisions

2. Electronic Records

3.   Electronic Signatures

Title 21 CFR Part 11, Subpart 1 – General Provisions

This section gives an overview of the document, its terminology and the types of records that do/not apply.

 

Title 21 CFR Part 11, Subpart 2 – Electronic Records

When keeping electronic records, procedures should be in place to ensure the authenticity, integrity and the confidentiality of electronic records, including:

• Protection of records to enable their accurate and ready retrieval
• Limiting system access to authorized individuals (username/password, configuration of individual and/or group privileges, e.g. operator, supervisor, administrator)
• Use of time-stamped audit trails to record the date and time of operator entries
• Checks to ensure that only authorized users can access the system
• Only users with the necessary training and experience can use the system
• Accountability and responsibility for actions initiated under a user’s electronic signature

 

In terms of accountability, signed electronic records should contain:

• The signer’s name
• Date and time when the signature was executed
• Signature’s meaning (e.g. review, approval, responsibility or authorship)

 

Title 21 CFR Part 11, Subpart 3 – Electronic Signatures

In terms of electronic signatures:

• Each electronic signature should be unique to an individual and should not be reused or reassigned
• The organization should verify the identity of the individual before issuing an electronic 
• Unique password and ID code (username) should be used (as a minimum)
•  Each username/password should only be used by their owners
• Periodic password checks/changes

 

Audit trails – what are they and how do LIMS incorporate them?

Hansel and Gretel is a wonderful German fairy tale by the Brothers Grimm that told the tale of a brother and sister left in the forest to die by their stepmother. To ensure their safety, Hansel takes a slice of bread and leaves a trail of breadcrumbs for them to follow home.

This is the principle of audit trails.

Audit trails are the breadcrumbs along the research trail, telling you what was done, when, why and by whom, and all good LIMS have them to automate and control all stages of routine processes, such as sample receipt, work allocation, data entry, sample approval and so on.

Audit trails are great for routine reviews and the approval process, allowing you to find areas of process weakness and continually improve procedures.

They are also crucial for inspections, allowing the investigators to review all data, processes and procedures. This gives confidence that your lab is following strict guidelines and protocols correctly.

Audit trails can also help with finding more efficient ways of working.

 

Temporary memory – what is it and how does it relate to data integrity?

Imagine you’re entering data into a form in a page and you move to the next page on your LIMS without first pressing Save. Should those data be saved automatically by your LIMS?

Both the MHRA and FDA think so and are issuing strong guidance to that effect.

Data that has been entered into a LIMS but not saved to permanent memory is called ‘temporary memory’, and this is what MHRA had to say about temporary memory in their July 2016 document MHRA GxP Data Integrity Definitions and Guidance for Industry:

“Computerised systems should enforce saving immediately after critical data entry. Data entry prior to saving to permanent memory with audit trail (server, database) is considered to be temporary memory. These data are at risk of amendment or deletion without audit trail visibility. The length of time that data is held in temporary memory should be minimised”.

To enable this and ensure data integrity and strong audit trails, LIMS should:

• Automatically record unsaved data as temporary memory and saved data as permanent memory
• Allow users to upgrade temporary memory to permanent memory without explanation as long as the data remains unaltered
• Allow users to alter records, as long as all entries are preserved along with explanations for alterations.

Metadata – what is it and how do informatics systems make it easier to capture?

Metadata are ‘data that provides information about other data’.

For example, when you measure the temperature and pH of chemicals in a test-tube, you are collecting data. When you also record your name and the time/date of these measurements, these are called ‘metadata’.

You can capture metadata in a LIMS as samples progress through their life cycle. These metadata can include details such as the equipment used for testing, the standards, reagents and solutions, along with their expiration status, and so on.

A LIMS also gives you the ability to standardize your workflow by, for example, configuring templates so that you have the same sections being filled out, including the entry of appropriate metadata, for every experiment performed.

By capturing all data and metadata through the LIMS you can effectively enforce the consistency of what is documented and how it is documented, and makes it possible to enforce a prescribed step-by-step execution of methods.

 

How can informatics systems help with data compliance?

Making sure your organization can live up to its data compliance obligations is a daunting task, and although Title 21 CFR Part 11 is a stuffy read, it is incredibly important.

It’s not as difficult as you might think, though. These days, most good laboratory information management systems (LIMS) and electronic laboratory notebooks (ELNs) automatically incorporate everything you need to comply with all of the main regulatory bodies.

 

LIMS and Title 21 CFR Part 11 Data Compliance

A LIMS is, essentially, a piece of software used to manage samples and store all the associated data.

Actually, they are a lot more sophisticated than that these days (workflow automation, instrument integration, data security, etc.), but that’s the bottom line. One of the coolest things about most up-to-date LIMS is that everything you need to ensure data compliance is built in, so you don’t need to do it.

Of course, it’s not quite as easy as all that – to use software that is as complex and sophisticated as this requires a steep learning curve for all users.

The pay-off is worth it, though.

Using your LIMS to optimize your lab’s supplies, consumables and to organize your lab’s studies, protocols and SOPs typically leads to huge increases in efficiency, reliability and productivity.

And once you’ve done all that, you’ll know that you’ve ensured your lab’s data security, data integrity and data compliance, all without having to build it yourself.

 

ELNs and Title 21 CFR Part 11 Data Compliance

At its heart, an Electronic Laboratory Notebook (ELN) is a digital replacement for the traditional paper-based lab notebook where you record everything associated with your experiment.

The more modern implementations are quite sophisticated in that they can also allow you to standardize your workflows and provide structure around your experiments.

ELNs can automate compliance with Title 21 CFR Part 11 using audit trails, digital records and electronic signatures. As with LIMS, the best ELNs:

• Ensure that your data are secure. ELNs must meet specific data security requirements up to Part 11 standards to ensure privacy and disaster recovery.
• Emphasise the importance of audit trails. Part 11 also requires that robust audit trail systems must be built into ELN solutions to ensure data trustworthiness.
• Emphasise the importance of electronic signatures. Generation and management of electronic signatures is critical in ELNs to minimise the risk of fraud, and electronic signatures must be displayed on all printed and electronic versions of signed documents.
• Control access to ELN systems. Data security is the ultimate goal of Part 11, and ELNs ensure system access is strictly controlled so that unauthorized attempts at access are detected and repelled.

 

Summary

Data compliance isn’t as difficult as it used to be.

Although the regulations are more complex, the latest LIMS and ELNs have kept up and have your back.

Staying compliant is as easy as getting your lab organized and training your staff to use a little well-documented software – which you should be doing anyway.

The latest LIMS and ELNs will not only help you organize your research, supplies and consumables, but they will also ensure that you are protected from the regulator and from data breaches.