Exploring data integrity guideline changes moving into 2020

European Pharmaceutical Review explores how a surge in the number of warning letters for data integrity failings has prompted regulators to publish new guidelines.


Several reports highlight a rise in the number of health authority enforcement actions, such as warning letters, import alerts, product detentions and suspensions or revocations of marketing authorisations, as a result of poor data integrity (DI) practices in the manufacture and testing of pharmaceuticals.

One report produced by Deloitte implies that DI violations account for over 40 percent of warning letters issued globally. Of note, Asian pharmaceutical manufacturers received almost three quarters of the total number of DI-based warning letters in 2017.[1]

These unacceptable documentation and record management practices have been highlighted during inspections of good manufacturing practice (GMP), good clinical practice (GCP) and good laboratory practice (GLP).

To combat failings in DI, the World Health Organization (WHO), UK Medicines and Healthcare products Regulatory Agency (MHRA) and US Food and Drug Administration (FDA) have all issued draft guidance on practices, which may come into effect during 2020.

According to the WHO guidelines: “Data integrity is the degree to which data are complete, consistent, accurate, trustworthy and reliable.”[2]

The WHO guidelines suggest the rise in DI infringements may be due to:

  • too much reliance on human practices
  • the use of computerised systems that are not appropriately managed and validated
  • failure to adequately review and manage original data and records.

Complete and accurate data is vital because regulatory bodies use this as an indication of product efficacy and reliability of each piece of equipment or process. Regulatory bodies do not look at every individual data item at each clinical or manufacturing facility they audit.

The FDA and data integrity

The FDA breaks down the requirements for DI under the acronym ‘ALCOA’[3]:

  • Attributable – each data item must record who created it, and when and why it was created
  • Legible – records must be able to be read and be permanent enough to be accessible throughout their data lifecycle
  • Contemporaneous – data should be recorded at the time the work is performed; this can be done using the server time from the organisation’s system or by adding a time zone
  • Original – original data (also known as primary data) should be recorded
  • Accurate – without error, the data should be complete, truthful and reflective of the observation.

Each of these principles was contravened at some point in 2019 by pharma companies that received warning letters from the FDA. Some of the letters cited editing or deleting data so that only passing results were included in batch reviews, repeated retesting of data to achieve a specific result, deleting raw data, blocking audit trails and backdating data entries.

Challenges in maintaining data integrity

According to some, the main pressure in DI compliance is the drive to convert to electronic records, which has left some companies with a ‘hybrid system’ – half on paper and half digital. The WHO guidelines state these systems should be avoided and updating to an all-digital system should be the priority for any companies in this position.


However, this is easier said than done. If an average pharmaceutical quality control laboratory needed to update its systems, the process of installing a fully computerised structure may take over six months to validate. One expert, Dr Christoph Jansen, Mettler Toledo’s Technical Key Account Manager, suggested that off-the-shelf software solutions are likely to give the best levels of compliance, because individualised software systems may not capture all the data required and can be difficult to validate, maintain and extend with new equipment.[4]

Another factor impacting DI is the insufficient or inefficient training of employees. Many employees, especially in developing countries, may undergo a high number of training sessions in a short time period, yet reports indicate as much as 75 percent of this type of intense training is worthless.[5] Instead, experts suggest a gradual learning process could result in better knowledge surrounding DI. A report by Deloitte indicates companies should also ensure their training materials are of sufficient quality and that staff are able to attend every training session.[1]

Takeaways from the new guidelines


Senior management is responsible for establishing and implementing a data governance system. Should that system be digital, there must be an access and privileges framework in place that applies the appropriate controls for each user (eg, no modification, deletion or creation of data). Furthermore, unique usernames and passwords should be utilised for systems and should not be shared or used by other staff members.[2,6]

Audit trails should reflect users, dates, times, original data and results, changes and reasons for changes. They should be enabled when software is installed and remain enabled throughout the equipment’s lifespan.[2]

Any known falsification or data changes cannot be dealt with informally. Instead, they should be fully investigated under a Good Practice control system to ascertain the possible impact on patient safety, product quality and data reliability. Furthermore, companies must determine the root cause and ensure any corrective actions are taken. Companies should be able to demonstrate evidence of the investigation and actions taken.[6]

Enterprises must also be cognisant that they are responsible for the integrity of data regarding their product even if the work is outsourced. Beyond their own internal governance systems, companies that use subcontractors or outsourcing organisations must verify that the external company’s systems are adequate and that they maintain data integrity across all sources. The WHO guidelines state that written clauses should set out how often outsourcing facility data records are checked for compliance and who is responsible for checking them.[2]


A rise in the number of DI breaches during 2019 has encouraged regulatory bodies, such as the WHO and FDA, to publish guidelines on good documentation practices and how data should be inputted and handled. Among the challenges for companies attempting to maintain DI is the rise of digitalisation, which can be time consuming and complicated, but there are regulations and advice for companies to ensure they can fully comply.


  1. Under the spotlight: Data Integrity in life sciences [Internet]. Deloitte LLP. 2017. [Cited: 4 March 2020]. Available at:
  2. Guideline on Data Integrity [Internet]. World Health Organization. October 2019. [Cited: 4 March 2020]. Available at:
  3. FDA ALCOA Guidance [Internet]. Beckman Coulter Life Sciences. Undated. [Cited: 5 March 2020]. Available at:
  4. [Cited: 3 March 2020]. Available at:
  5. Data Integrity in the Pharmaceutical Industry [Internet]. 29 July 2019. [Cited: 5 March 2020]. Available at:
  6. Data Integrity and Compliance With Drug CGMP: Questions and Answers Guidance for Industry [Internet]. US Food and Drug Administration. December 2018. [Cited: 6 March 2020]. Available at: