Data Integrity & Data Governance Part 2: What does a Data Governance System look like?
The first part of this series [1] addressed the definition of the term data governance and the reasons why its control objective should be data quality. It has already been discussed elsewhere [2] that some definitions and text passages of most guidance documents suggest limiting data governance to data integrity. However, these documents clarify elsewhere that data governance goes beyond data integrity. A data governance system has been defined as follows:
"A data governance system is a fully documented and risk-based system that is completely embedded into a pharmaceutical quality management system, and has the objective to provide any business purpose with the necessary data in the required quality." [1]
This data governance system and its structure are addressed in the present second part of the series on data integrity and data governance. First of all, it must be noted that some guidance documents require the data governance system to be an integral part of the pharmaceutical quality system [3,4,5]. This makes good sense, as the true purpose of a quality system is to be a system that generates quality. This should also encompass data quality.
Quality can be defined from the perspective of different objects. The main perspective of GMP quality systems in their initial phase was the aspect of product quality. The focus was put on the quality of input materials and on the quality of the products. The process perspective was introduced in the next development step. It was postulated that a high process quality almost automatically provides a high product quality. Data quality was required in both process quality and product quality, but it had not been the focus of consideration.
A process receives not only input materials but also input data, and it produces not only products but also output data. It can therefore be assumed that the following also applies to data: a high process quality (guaranteed by validated processes and systems) provides a high data quality. Because of this analogy too, integrating data governance systems into the pharmaceutical quality system makes sense.
What is the structure of a data governance system?
A data governance system and the overarching quality management system are both management systems. They share general management processes (e.g. internal auditing, key indicators and monitoring), other elements of a management system (e.g. management responsibility) and a number of fundamental quality management processes (such as CAPA, change management and deviation management). Hence, there is a great overlap, which creates huge synergies and saves a lot of effort when an integrated data governance system is introduced into an existing quality system, because much is already there. The following figure shows a simple model of a data governance system [2]. Data quality is the overarching control objective and is represented by a roof resting on three pillars:
- organisational structure
- operational structure
- utilities
External requirements, standards and the current state of the art serve as the basis.
The organisational structure consists of actors, roles and responsibilities, reporting lines and hierarchies, the company's culture and similar elements. The operational structure is mainly composed of business processes and procedures. Utilities refer to the relevant methods, tools, technologies, information systems, metrics and performance indicators, etc.
Another model suitable to describe a data governance system is the three-tiered model [6] of NIST (U.S. National Institute of Standards and Technology). A comparison of the three-tiered model with the model illustrated above shows that the three tiers actually reflect the pillars shown in the model above.
The three-tiered model has been designed for the management of information security risks [6], but it can also be applied to data governance. On closer inspection, it is not surprising that the management of information security risks is not so different from data governance. Strictly speaking, data governance should be named information governance. The guidance documents published in recent years treat the terms "data" and "information" as synonyms although they actually are not (a comparative discussion of both terms is found in footnote 7).
Information security, in turn, covers a large part of data quality (usually, the three control parameters information availability, information integrity and information confidentiality are used in information security systems).
The NIST model is also interesting since it constitutes a risk management system for information/data security. Data governance systems are also required to be risk based [1,3,5,8,9,10]. This is another reason why the NIST model can easily be transferred to this topic. It should, however, not be limited to information security only but be applied to information/data quality as a whole.
As far as the implementation of a data governance system is concerned, the following conclusion can be drawn from this article: it is less a question of writing a lot of new standard operating and working procedures, or even of turning an existing quality system upside down, than a question of taking an additional quality perspective, namely the data perspective.
EMA gave the following answer to the question about the necessity to implement a specific procedure for data integrity: "There is no requirement for a specific procedure, however it may be beneficial to provide a summary document which outlines the organisation's total approach to data governance." [4]
The author fully supports this answer. This "summary document" could take a model as its basis, for instance one of the two presented here, and then map the relevant processes, elements and controls of the existing quality system to the different components of the data governance model. Only those gaps which the existing quality system does not yet cover have to be closed or complemented. To a large degree this summary document would virtually only be an alternative "table of contents" of the existing quality system, arranged according to another (data) perspective. This can be done with manageable effort.
About the Author
Dr Thierry Dietrich
... has been working in executive and advisory positions in the pharmaceutical industry for over 20 years.
1 Dietrich, Thierry (2019). Data Integrity and Data Governance – Part 1: What is Data Governance? In: GMP-Journal, issue 26, Sep/Oct 2019, pp. 9-10.
2 Dietrich, Thierry (2019). Data Governance: Datenlenkungssysteme. In: Pharma Technologie Journal Datenintegrität in der pharmazeutischen Industrie. Aulendorf: Editio Cantor Verlag.
3 WHO (2016). Guidance Good Data and Record Management Practices.
4 EMA (2016). Guidance on good manufacturing practice and good distribution practice: Questions and answers. Data integrity.
5 PIC/S (2018). Draft PIC/S Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. PI 041-1 (Draft 3).
6 NIST (2011). Managing Information Security Risk. NIST Special Publication 800-39.
7 Dietrich, Thierry (2019). Data Governance: Terminologie & Basiskonzepte. In: Pharma Technologie Journal Datenintegrität in der pharmazeutischen Industrie. Aulendorf: Editio Cantor
8 ISO/IEC 38505-1:2017-04. Information technology - Governance of IT - Governance of data - Part 1: Application of ISO/IEC 38500 to the governance of data. Berlin: Beuth.
9 MHRA (2018). ’GXP’ Data Integrity Guidance and Definitions.
10 FDA (2018). Guidance for Industry: Data Integrity and Compliance with Drug CGMP – Questions and Answers.