DATA GOVERNANCE: ROLES AND RESPONSIBILITIES
Data governance is the overall umbrella for data integrity and this is defined by the MHRA as:
The sum total of arrangements to ensure that data, irrespective of the format in which it is generated, is recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle1.
Although there is the current regulatory drive for data governance, any approach to the issue should be driven by business imperatives to ensure reliable data. This article discusses the roles and responsibilities of all staff involved with data governance within an organisation.
Who is Responsible for Data Governance?
The data integrity guidance documents make clear that senior management is responsible for data governance including setting and maintaining the overall quality culture of an organisation. As stated in Section 2.1 of ICH Q10 on Pharmaceutical Quality Systems:
(a) Senior management has the ultimate responsibility to ensure an effective pharmaceutical quality system is in place to achieve the quality objectives, and that roles, responsibilities, and authorities are defined, communicated and implemented throughout the company.
One of the quality objectives is data integrity and Senior Management must ensure that any data used for batch release are complete, consistent and accurate. Therefore, it is pertinent to ask the following questions:
- Who are involved?
- What organisational structures are required?
- What are everybody's responsibilities?
Let us start at the top of a regulated company and work down through the organisation.
Data Governance Roles and Responsibilities - Corporate Level
The main organisational roles in data governance at a corporate level are:
- Senior Management
- Executive Sponsor
- Corporate Data Governance Steering Committee
- Site / Division Data Governance Committee (optional)
- Line Management
- Quality Assurance
- Information Technology
Tuesday, 23 March 2021 9 .00 - 18.00 h
Live Online Training - Computerised System Validation: Introduction to Risk Management
The responsibilities of each role are presented in Table 1 (see next page) and discussed following.
Management, Monitoring and Metrics
To help manage and monitor the various data integrity programme streams, there will be the need for metrics, such as:
- Percentage of staff trained in the corporate integrity policy against the target timescale
- Percentage of processes and systems assessed for data integrity
- Percentage of processes and systems remediation plans approved
- Number of remediation projects on schedule
However, don't forget that, as with all compliance projects, data integrity is a journey and not an event. As processes and systems are assessed and remediated, the data integrity programme moves into the operational phase and the metrics change from remediation to monitoring the effectiveness of the new processes and systems, e.g.:
- Percentage of out of specification results as a percentage of samples analysed
- Number of repeat analyses
- Number of reported mistakes
The aims of these metrics are to keep senior management aware of the residual risk associated with a process or computerised system.
Data Governance Roles and Responsibilities - Process and System Level
The main focus in this section is on data ownership as mentioned in the WHO data integrity guidance documents2:
4.10 To ensure that the organization, assimilation and analysis of data into a format or structure that facilitates evidence-based and reliable decision making, data governance should address data ownership and accountability for data process(es) and risk management of the data life cycle.
As we can see, a part of data governance is data ownership and accountability for data processes and associated risk management in any data life cycle. The process owner, already defined in Annex 11, should also be the data owner as they are currently responsible for the system.
In addition to the data owner, there are two other roles as follows:
- Data stewards: enabling the requirements of the data owner for the system. (These people would typically be the power users or system administrators in the laboratory)
- Technology stewards: enabling the IT requirements of the data owner and is a person or persons who, for a networked system is or reports to the system owner. This role is essential for segregation of duties and to avoid conflicts of interest when administering the system. Note that this role will not be found in a paper based process as it is only where a computerised system is involved.
It is important to realise that data integrity and data quality begin at the point of data acquisition by the process and not in the computer centre. If data acquisition is compromised by poor working practices or using an uncalibrated instrument, data integrity is compromised or lost from this point forward. Therefore, the data owner's responsibilities for a regulated computerised system from the business side include:
- Definition what is required of system in terms of data quality, data integrity and data security. This will result either in inputs to the configuration specification for the setting of application policies, writing of SOPs for using the system or the agreement with IT to support the system (e.g. backup, user account management, etc.). This begins from the start of the analytical procedure.
- Assessment of the system to determine if there are vulnerabilities of the records contained therein. Although a system may be validated, record vulnerabilities may exist which have to be managed3
- Development of a remediation plan with the data and technology stewards for any remediation to secure the records and reduce or eliminate data vulnerabilities following the assessment
- Approve access to the system for new users and changes in access privileges for existing ones for IT administrators to implement
- Approval or rejection of change control requests
- Approval for archiving data and removing them from the system
- Receive feedback from the data stewards of the system of issues involving quality, integrity and security of the CDS data and implement any modifications of procedures, etc. for the data stewards to implement.
That's the good news for data owners.
The data stewardship concept is defined in the literature as the enabling capability of data governance. Defining different types of stewardship addressing different aspects of the data governance process are also described in the literature4 but the focus in this column is only on data and technology stewards.
As the data owner probably will not have the time or the training to implement the requirements for data integrity and quality that they have mandated, this is the role of the data stewards for the system.
- The data stewards, in the form of power users or super users, are the first point of contact for user questions for help with the system
- The stewards will also be instrumental in ensuring the smooth running of the system such as developing custom reports or custom calculations.
- As expert users of the system, they will be responsible for ensuring that the requirements for data integrity and data quality set by the data owner have been implemented and are working.
- They are also responsible for data queries and monitoring data integrity from a system perspective e.g. regular review of system level audit trails for system related issues rather than data integrity problems or aiding QA data integrity audits.
24-26 March 2021
Live Online Training - Computerised System Validation: The GAMP 5 Approach
In monitoring the system from the business perspective they can raise issues for discussion with the data owner to resolve as noted earlier in this section.
In this article, we have looked at data governance throughout an organisation together with the responsibilities. All data governance for data integrity must be integrated into the pharmaceutical quality system for an organisation. The guiding principles here are:
- Data integrity is more than just numbers
- Quality does not own quality anymore
- Take responsibility for your own work: right fi rst time, every time
- Tell somebody if you make a mistake and don't cover it up.
Dr Bob McDowall
... from R D McDowall Limited is a consultant and member of the ECA IT Compliance Group Board - with more than 30 years of experience in the validation of computer-controlled systems.
1 MHRA GMP Data Integrity Defi nitions and Guidance for Industry 2nd Edition. 2015, Medicines and Healthcare products Regulatory Agency: London.
2 WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. 2016, World Health Organisation: Geneva.
3 R.D.McDowall, Welcome to the Brave New CSV World? LC-GC Europe, 2016. 30(1): p. 93-96.
4 Plotkin, D., Data Stewardship. An Actionable Guide to Eff ective Data Management and Data Governance. 2014, Waltham, MA: Morgan Kaufman.