MASTER / CONTROLLED

Title: Data Security and Integrity (Draft) COPY STAMP HERE

Preparation, Review, Approval & Authorization

Name Designation Signature Date
Prepared By

Reviewed By

Approved By

Authorized By

1.0 OBJECTIVE
The objective of this document is to define a procedure to access, review, monitoring, and assuring
the Data Integrity of the entire data generated, to apply robust system that inhibit data risk, to
improve the detection of data reliability and to address the root causes when failure observed.

2.0 SCOPE
This SOP is applicable to all type of data generated in the form of paper or electronic data across the
all the functions of (Company Name) throughout the data life cycle.

3.0 RESPONSIBILITY
3.1 All employees to follow the procedure for data security and integrity.
3.2 All HODs to comply with the SOP for data security and integrity.
3.3 QA department shall conduct the periodic review of data handling in accordance to the SOP.

4.0 ABBREVIATIONS AND DEFINITIONS

4.1 ABBREVIATIONS
GxP : Good ‘X’ Practices

4.2 DEFINITIONS
4.2.1 Data: The information derived or obtained from raw data and generated in form of paper based or
electronic record is called as data.
4.2.2 Raw Data: Original records, documentation and printed data output, retained in the format in
which they were originally generated (i.e. paper or electronic).
4.2.3 Meta Data: Metadata is the contextual information required to understand data. A data value is by
itself meaningless without additional information about the data. Metadata is often described as
data about data.
4.2.4 Data Security and Integrity: Refers to the completeness, consistency, and accuracy of data.
Complete, consistent, and accurate data shall be attributable, legible, contemporaneously recorded,
original or a true copy, and accurate (ALCOA).
4.2.5 Audit Trial: a secure, computer-generated, time-stamped electronic record that allows for
reconstruction of the course of events relating to the creation, modification, or deletion of an
electronic record. An audit trail is a chronology of the “who, what, when, and why” of a record.

FOR RESTRICTED CIRCULATION ONLY

 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

4.2.6 Back-up: to refer to a true copy of the original data that is maintained securely throughout the
records retention period for recovery. The backup file shall contain the data (which includes
associated metadata) and shall be in the original format or in a format compatible with the original
format.
4.2.7 Data Life Cycle: All phases in the life of the data (including raw data) from initial generation and
recording through processing (including transformation or migration), use, data retention, archive /
retrieval and destruction.
4.2.8 Attributable: Data record linked to name of person or the source from where data was acquired,
who performed any action on or with the data.
4.2.9 Legible: Paper based data shall be in handwriting that is decipherable or readable.
4.2.10 Contemporaneous: Data shall be recorded at the time of data capture or when work is performed
and date/time shall follow in order. The evidence of actions, events or decisions shall be recorded
as they take place.
4.2.11 Original: Data shall be recorded on the original sheet or the database/table. Also signifies the
importance of maintaining raw data and metadata. The original record can be described as the first
capture of information whether recorded in paper or electronically.
4.2.12 Accurate: The data contains correct value. Accurate data not only adheres to integrity constraints
and measurement rules but is data that reflect actuality.
4.2.13 GxP: GxP stands for Good X Practices (X can mean: Clinical, Laboratory, Manufacturing,
Pharmaceutical, etc.)
4.2.14 Documentation: Documentation provides objective evidence of compliance. It is recorded
information, written or electronic, used to establish specifications, processes, direct work, and
collect records which ensure compliance with Quality systems. A well prepared document must be
permanent, legible, accurate, consistent, clear and truthful.

5.0 FLOW CHART

Paper Data Manual Recording

Manual Recording Data

DATA Combined Data Supported with Equipment
generated data /values

Computer Generated Data

Electronic Data
Equipment Generated Data
(PLC/HMI)
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

6.0 PROCEDURE
6.1 General Instructions:
6.1.1 The overall goal of any data integrity is to ensure data is recorded exactly as intended and, upon
later retrieval, ensure the data is the same as it was when it was originally recorded.
6.1.2 Data integrity intents to prevent unintentional changes to information. There must be adequate
controls to prevent manipulation of data.
6.1.3 Any unintended changes to data as the result of a storage, retrieval or processing operation,
including malicious intent, unexpected hardware failure, and human error, is failure of data
integrity. If the changes are the result of unauthorized access, it may also be a failure of data
security.
6.1.4 Controls and systems must be in place to ensure that data is secure and not fraudulent, that it cannot
be manipulated, and that changes that occur are easy to detect.
6.1.5 The requirements with respect to data integrity include among others the following:
 The backup data shall be exact and complete. In addition, the backup data shall be secured from
alteration, inadvertent erasures, or loss.
 The data shall be stored to prevent deterioration or loss.
 Activities shall be documented at the time of performance (contemporaneously recorded).
 Records shall be retained as original records, true copies or other accurate reproduction of the
original records.
 Complete information, complete data obtained from all tests, complete record of all data, and
complete records of all tests performed including the audit trail.
6.1.6 All data created as part of a cGMP record must be evaluated by Quality Assurance as part of the
release criteria. To exclude data from the release criteria a scientific justification must be valid and
documented.
6.1.7 Electronic systems administrator rights shall be with independent authority preferably IT
department.
6.1.8 Throughout the data life cycle, the custodian of each document shall be determined and assessed.
6.1.9 Appropriate and approved review procedure shall be in place to ensure accuracy and integrity of
data.
6.1.10 All electronic systems administrators must have appropriate access responsibilities towards data
review and release
6.1.11 Appropriate and controlled storage and retrieval procedure shall be available for both paper and
electronic records.
6.1.12 All records shall be in durable format which can be made readily available whenever required.
6.1.13 There shall be adequate controls to prevent manipulation of data.
6.1.14 Computerized systems exchanging data electronically with other systems shall include appropriate
built-in checks for the correct and secure entry, processing, and storage of data, in order to
minimize the risks.
6.1.15 Any unintended changes to data as the result of a storage, retrieval, or processing operation,
including malicious intent, unexpected hardware failure, unauthorized access, and human error, is a
failure of data assurance and reliability and must be investigated.
6.1.16 Electronic system controls shall include the use of secure, computer-generated, time- stamped audit
trails to independently record the date and time of operator entries and actions that create, modify,
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

or delete electronic records (with all permissible actions by users controlled by system access
controls).
6.1.17 Audit trail documentation shall be retained along with the appropriate data throughout its life cycle.
6.1.18 Controls/ procedure shall be in place, defined and protected from unauthorized access and also been
tested as part of computer system validation.
6.1.19 Linkage/cross-reference between two hard copies and/or electronic data and hard copies shall be
made available recorded on documents.
6.1.20 Traceability of metadata, equipments used, material used shall be made available on records.
6.1.21 A second individual to ensure accuracy, completeness, and confirmation with procedures must
check data and the reportable values.

6.2 Important Characteristics of Data

Who performed an action and when? If a Who did
A Attributable record is changed, who did it and why? it? Source
Link to the source data.
data

L Legible Data must be recorded permanently in a Can you read it?

durable medium and be readable. Permanently
recorded
The data shall be recorded at the time
C Contemporaneous the work is performed and date / time Was it done in “real time”?
stamps shall follow in order.

O Original Is the information the original Is it original or true copy?

record or a certified true copy?

A Accurate No errors or editing performed Is it accurate?

without documented
amendments.
Complete All information that would be critical to recreating an event is important
when trying to understand the event. The level of detail required for
information set to be considered complete would depend on the
criticality of the information. A complete record of data generated
electronically includes relevant metadata.

Example: All data including repeat or reanalysis performed on the

sample.
Consistent Good Documentation Practices should be applied throughout any
process without exception, including deviations that may occur during
the process.
Example: Consistent application of data time stamps in the expected
sequence.
Enduring Part of ensuring records are available is making sure they exist for the
entire period during which they might be needed. This means they need
to remain intact and accessible as an indelible/durable record.
Example: Recorded on controlled worksheets, laboratory notebooks or
electronic media.
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

Available Records must be available for review at any time during the defined
retention period, accessible in a readable format to all applicable
personnel who are responsible for their review whether for routine
release decisions, investigations, trending, annual reports, audits or
inspections.
Example: Available / accessible for review / audit for the life time of
the record.

6.3 Data Integrity Expectation:

6.3.1 Attributable: means information is captured in the record so that it is uniquely identified as having
been executed by the originator of the data (e.g, a person or computer system).
6.3.1.1 For paper based records,
 Person shall put his/her initials or full signature along with date and time of activity (as
applicable).
 The use of a scribe to record an activity on behalf of another operator shall be considered only
on an exceptional basis and shall only take place where the act of recording places the product
or activity at risk,
e.g. documenting line interventions by aseptic area operators. In such case, the supervisory
recording shall be contemporaneous with the task being performed and shall identify both the
person performing the observed task and the person completing the record.
6.3.1.2 For electronic data records,
 Individual Login ID shall be assigned.
 Authorization shall be defined that link the user to actions that create, modify or delete data.
 An audit trail that shall capture user identification (ID), date/ time stamps and action performed
6.3.1.3 Do not use stored digital images of a person's handwritten signature to sign a document.

6.3.2 Legible: The terms legible, traceable and permanent refer to the requirements that data are
readable, understandable and allow a clear picture of the sequencing of steps or events in the record
s o that all GXP activities conducted can be fully reconstructed by people reviewing these records at
any point during the defined record retention period.
6.3.2.1 For paper record,
 Good documentation practices for recording of data and results shall be followed as per SOP
No. SP-QA-027.
 Controlled issuance and archival shall be established for logbooks/bound books, formats,
procedures. All logbooks must be in place, controlled, numbered pages, and provide adequate
traceability
6.3.2.2 For electronic records,
 When archival of electronic records is used, the archiving process shall be done in a controlled
manner to preserve the integrity of the records.
 The system access (admin) permissions shall only be granted to personnel with system
maintenance roles i.e. IT, engineering that are fully independent of the content of the records
(e.g. laboratory and production analysts/ management).
 Electronic data shall be saved at the time of recorded activity and before proceeding to the next
step of the sequence of events.
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

 Audit trials shall be secured, time-stamped, and attributable for individual activities. Data
overwriting shall not be allowed.
 Backup of electronic data shall be validated for disaster recovery.
6.3.3 Contemporaneous: Contemporaneous data are data recorded at the time they are generated or
observed. This documentation shall serve as an accurate attestation of what was done, or what was
decided and why, i.e. what influenced the decision at that time.
6.3.3.1 For paper record,
 Contemporaneous recording of actions in paper records shall occur, ensure data entries and
information at the time of the activity directly in official controlled documents (e.g, log
books, batch records, analytical work sheets)
 Documents shall be appropriately designed to ensure recording of manual activities as
occurred.
 Date and time of activities shall be recorded using synchronized time sources (facility and
computerized system clocks)

6.3.3.2 For electronic records

 Contemporaneous recording of actions in electronic records shall occur, ensure that data
recorded in temporary memory are committed to durable media/permanent storage upon
completion of the step or event and before proceeding to the next step or e vent in order to
ensure the permanent recording of the step or event at the time it is conducted.
 Electronic data shall be secured with time/date stamps that cannot be altered by any
user/personnel.
 Ensure time/date stamps are synchronized across the GxP operations.

6.3.4 Original: Original data include the first or source capture of data or information and all subsequent
data required to fully reconstruct the conduct of the GxP activity. The GxP requirements for
original data include the following:
 Original data shall be reviewed. Verification checks must be established to ensure that the
people performing/checking the action were present at that time
 Original data and/or true and verified copies that preserve the content and meaning of the
original data shall be retained.
6.3.4.1 For paper record,
 Ensure controls that ensure that personnel conduct an adequate review and approval of original
paper records, including those used to record the contemporaneous capture of information.
 Data review procedures describing review of relevant metadata and justified with evidence and
made available when required.
 Data corrections or clarifications shall be done as per SOP No. SP-QA-027, providing visibility
of the original record and traceability of the corrections made.
 Original paper record shall always be reviewed by second competent person.
 Controlled and secure storage areas including archives shall be provided for storage of paper
data.
 Handling and retention of paper records shall be done as per SOP No. SP-QA-040.
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

 Records shall be retained as original records, true copies or other accurate reproductions of the
original records.
 Records shall be indexed to permit ready retrieval.
6.3.4.2 For Electronic records,
 Ensure controls that ensure that personnel conduct an adequate review of original electronic
records electronic records, including source data.
 Any changes in electronic data or metadata shall be documented in audit trials or history fields,
justified and available.
 Audit trail review shall be part of the routine data review/ approval process.
 Data corrections or clarifications shall provide visibility of the original record and traceability
of the corrections made through audit trials or history fields.
 Controls/ procedure shall be in place, defined and protected from unauthorized access and also
been tested as part of computer system validation.
 Original electronic record shall always be reviewed by second competent person
 Data shall be retained in a non-editable format or PDF format to maintain the integrity of
original data.
 Archived record shall be locked, cannot be altered or deleted without detection and audit trail.
 Electronic data shall be automatically saved permanently after each separate entry.
 Back-up copies of original electronic records shall be stored in another location as a safeguard
in case of disaster.
 Archival and back-up process shall be validated.
6.3.5 Accurate: means data are correct, truthful, complete, valid and reliable. For paper and electronic
records, adequate procedures, processes, systems and controls shall be in place to ensure accuracy
of data.
 When the activity is time critical, printed records shall display the time/date stamp.
 Activity based, doer & checker concept shall be in place to ensure that activities are done
accurately.
 Only qualified/ calibrated/ validated equipment/ instruments/ system shall be used.
 Appropriate data review procedures shall be available to verify adherence to procedural
requirements.
 Activities shall be performed only by qualified and well trained personnel.

6.4 Data Integrity and Security Assessment:

6.4.1 Data integrity assessment audits can be performed along with scheduled internal quality audits. A
separate/ additional data integrity audit may be conducted by site QA/ Corporate QA to any
function/department if any observation related to data integrity is noticed either during regulatory
inspection, customer audit, periodic self inspections or observed in routine.
6.4.2 Data assessment and review shall be performed periodically as per the “Checklist for Data Integrity
assessment” (Refer Format No-XXX.1) in accordance to the data integrity requirements.
6.4.3 Assessment shall be done not limited to the checklist identifying the improper practices, breach of
data integrity or potential source for probable breach of data integrity.
6.4.4 Identified breach of data integrity shall be assessed for potential impact on the product or process.
6.4.5 Any confirmed data integrity issue shall be documented and investigated as a deviation per SP-QA-
018.
 MASTER / CONTROLLED
Title: Data Security and Integrity (Draft) COPY STAMP HERE

6.4.6 Identified source for breach of data integrity shall be eliminated with appropriate procedure.
Immediate rectification of breach of data integrity shall be done immediately followed by
assessment of risk related to the identified issue.
6.4.7 The investigation of deviation for the inaccuracies in data records and reporting should include, but
not limited to,
a. Interviews of current and former employees to identify the nature, scope, and root cause of data
inaccuracies
b. Determination of the scope and extent and timeframe for the incident
c. A comprehensive retrospective evaluation of the nature of the testing and manufacturing data
integrity deficiencies, and the potential root cause(s).
d. A risk assessment of the potential effects of the observed failures on the quality of the batches
involved.

7.0 ADDITIONAL INFORMATION

SOP References to be added after finalization.

8.0 REFERENCES
Reference Guidelines to be added.

9.0 DOCUMENT HISTORY