Data Integrity and Data Governance - Part 1: What is Data Governance?
There has been a significant increase in data integrity and data governance observations during inspections since 2012. Dozens of FDA 483s and warning letters as well as EU non-compliance reports cover such issues. Hence, it does not come as a surprise that a whole series of guidance documents around these topics has been published in draft and/or final status by public authorities in the period of 2015-2019. These guidance documents are, unfortunately, not fully consistent, especially when it comes to terminology. This first part of a series of papers around data integrity and data governance deals with the term data governance.
When reading or using the term data governance in practice, it should be considered that it may have two different meanings9:
1. an interpretation referring to the actual use of data governance measures, i.e., referring to the activity of governing, and
2. a second interpretation rather referring to the established totality of measures without reference to a specific point in time, i.e., referring to the governance system. 1, 2, 8
Data governance is a topic and term which has been existing for several decades in the information sciences. Despite of this fact, the term was almost unknown in the life sciences industries, and regulatory guidance documents associated with that industry did not mention it until 2015. This paper is dealing with the term data governance, whereas data governance systems will be covered by a following paper of this series.
Recommendation
Berlin, Germany23 April 2024
Computerised System Validation: Introduction to Risk Management
The multitude and inconsistency of existing definitions of the term data governance is shown by the following selected definitions:
"The sum total of arrangements to ensure that data, irrespective of the format in which it is generated, recorded, processed, retained and used to ensure a complete, consistent and accurate record throughout the data lifecycle." 1; 2 almost identical
"Data governance is the sum total of arrangements which provide assurance of data quality." 1
"A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision making parameters related to the data produced or managed by the enterprise." 3
"Strong data governance ensures that the right information, of the right quality, is available to the right person, for the right purpose, at the right time." 4
"Information Governance: The purpose of this task is to implement structures, policies, procedures, processes, controls, roles, and metrics to manage corporate information in a way that supports the organization's legal, environmental, risk, regulatory, and operational requirements." 5
The definitions above have in common that data governance systems consist of a set of processes and controls serving a specific control objective. The control objective(s), however, differs from definition to definition. This is an essential inconsistency, and highly relevant when implementing such a system.
Following and maintaining several data governance systems in parallel can be considered impracticable. Thus, the control objective of the data governance system should be sufficiently comprehensive to cover all essential business needs associated with data resp. information. Data quality is a universal concept covering all control objectives addressed in the definitions above. Data integrity, for instance, can be seen as a data quality characteristic, and is, therefore, a subset of data quality.
Data governance concepts and definitions in public authority guidances published within the last four years are often limited to data integrity, being only one single data quality characteristic among many. This is due to the fact that these guidance documents generally have a limited scope on data integrity, and do not cover the broader concept of data quality. 21 CFR Part 116 as well as Annex 11 to the EU GMP Guideline7 also cover the data quality characteristic of data availability. 21 CFR Part 11 mentions data confidentiality as well, and shares this control objective with various data privacy / data protection laws and directives. All these and numerous further data quality characteristics can be most effectively controlled by a data governance system having the overarching data quality as control objective.
Basically, a data governance system is nothing other than a special type of management system. A requirement can be found in several guidance documents that this data governance system must be embedded into the pharmaceutical quality management system1, 2, 8.
The PIC/S mentions data management systems in their current third draft guidance besides data governance1. They write: "The responsibility for good practices regarding data management and integrity lies with the manufacturer or distributor undergoing inspection. They have full responsibility and a duty to assess their data management systems for potential vulnerabilities and take steps to design and implement good data governance practices to ensure data integrity is maintained."
The second sentence may be understood in a way that good data governance practices would be part of so-called data management systems, and that the data governance practices have to ensure data integrity (only) is maintained. The phrasing is ambiguous, and does not exclude there were other control objectives besides data integrity. It also is ambiguous in that it does not clearly say data governance practices were a subpart of the data management systems.
The data management systems could well be under the common umbrella of the data governance system. This is supported by the fact that governance is a theme typically associated with the strategic layer, whereas management typically is associated with the tactical and operational layer. The idea that data governance was a subset of data management would be rather unconventional and an inappropriate definition from that perspective.
The author proposes the following definition for a data governance system in the pharmaceutical environment9:
A data governance system is a fully documented and risk-based system being embedded into the pharmaceutical quality management system, and having the objective to provide any business need with the necessary data of required quality.
Recommendation
Berlin, Germany24-26 April 2024
Computerised System Validation: The GAMP 5 Approach
Data is of high quality if it is fit for its intended purpose in operations, decision making, and/or planning9.
When dealing in more detail with the regulatory requirements and expectations pertaining to data governance systems, and thinking of which controls else support the control objective of data quality, you will notice that most of these requirements, expectations and controls are already existing in up-to-date pharmaceutical quality management systems. The new buzz-word "data governance system" can be seen as a new envelope. Its content is not really new, and there is no need to fear it. A data governance system is more a kind of alternative perspective onto your business. Instead of looking at processes, at systems, or other aspects, you take the data perspective. Data is what is flowing through processes and systems, and through process and system interfaces.
The next part of this paper series will present an overview on what a data governance system may look like, and will provide some helpful and foundational concepts in that context.
Author:
Dr Thierry Dietrich
... has been working in executive and advisory positions in the pharmaceutical industry for over 20 years.
Source:
1 PIC/S (2018). Draft PIC/S Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. PI 041-1 (Draft 3)
2 WHO (2016). Guidance Good Data and Record Management Practices
3 NIST CSRC (Computer Security Resource Center). Online Glossary of Key Information Security Terms. Current online version
4 KPMG (2018). Data governance: Driving value in healthcare.
5 Unified Compliance Framework. (Online) Compliance Dictionary.
6 FDA (1997). U.S. 21 CFR Part 11 Electronic Records; Electronic Signatures.
7 EU (2011). Annex 11 to EC guidance on good manufacturing practices.
8 MHRA (2018). 'GXP' Data Integrity Guidance and Definitions
9 Dietrich, Thierry (2019). Data Governance: Terminologie & Basiskonzepte. In: Pharma Technologie Journal Datenintegrität in der pharmazeutischen Industrie. Aulendorf: Editio Cantor Verlag
