With the increased adoption of cloud-based applications in the life science sector, Compliant Cloud CSV Engineer Eliane Veiga details the fundamentals of data integrity and data privacy.

Data integrity (DI) and data privacy (DP) challenges have received increased regulatory attention in recent years. When considering GxP applications, a robust approach to risk-based computerized system lifecycle management requires well-defined processes, use of a qualified infrastructure, validated design and deployment of software, qualified personnel, rigorous change management and version control.

With the increased adoption of cloud-based applications in the life science sector, cloud computing solutions such as Software as a Service (SaaS) offer many advantages including enhanced cost-effectiveness, ease of implementation, and flexible, highly scalable platforms. However, assuring data integrity and data privacy in the cloud requires a well-informed, proactive approach by the regulated organization in planning and maintaining control of their data once it is hosted on the cloud provider’s site.

In Europe, protection of data privacy is now regulated under the General Data Protection Regulation(GDPR), which came into force on the 25th May 2018 replacing the existing data protection framework under the EU Data Protection Directive.

Data Integrity – The Fundamentals

The UK Medicines & Healthcare products Regulatory Agency (MHRA) defines data integrity as “the degree to which data are complete, consistent, accurate, trustworthy, reliable and that these characteristics of the data are maintained throughout the data lifecycle” (MHRA, 2018).

Assuring data integrity requires effective quality and risk management systems which enable consistent adherence to sound scientific principles and good documentation practices. The international regulators have defined an acronym (ALCOA) as the five elements necessary to assure data integrity throughout the data life-cycle. Even though ALCOA has been widely discussed in many publications, evidence from the US FDA warning letters and EU Statements of Non-Compliance (SNCs) indicate that there still are many who do not understand the fundamentals of ALCOA.

More recent publications, including the WHO Guidance on Good Data and Record Management Practices, have expanded these principles to describe ALCOA+ expectations, which puts additional emphasis on ensuring that data and records are “complete, consistent, enduring and available” (WHO, 2016).

Data Privacy – The Fundamentals

The General Data Protection Regulation (GDPR) came into force in the EU on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. The GDPR emphasizes transparency, security and accountability by both data controllers and data processors, while at the same time standardizing and strengthening the right of European citizens to data privacy.

From a health care and cloud-based solutions prospective, the GDPR brings some significant changes from the current directive including:

definition of “sensitive personal data” imposes stricter obligation on both data controllers & processors appointment of a Data Protection Officer (DPO) conducting Data Protection Impact Assessments (DPIA) assuring security of data processing



As data controllers and processors have been allocated shared, stricter responsibilities under the GDPR, the obligations on both controllers and processors have been a surprise for the IT Sector.

Under GDPR, the data controller must implement organizational and technical measures to demonstrate compliance of the processing activities undertaken on their behalf. Furthermore, data controllers have the responsibility for selection and oversight of their service providers (data processors). The GDPR defines such a data processor as “a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller”.

The compliance burden is now shared between processors and controllers. One of the significant requirements that GDPR imposes for processors is that if they intend to hire another processor to assist with data management, e.g. a cloud computing supplier, the data controller must approve this appointment prior to commencement. This requirement is intended to protect personal data from transfer to a third party, even to another country, without the controller’s prior authorization.

Conclusion

As the adoption of digital technology – such as cloud-based – has increased in the life science sector, under the GDPR it will no longer be possible for cloud provider services (processors) to position themselves as mere processors and evade the reach of data protection rules. Recent publications have shown that to achieve assurance of DI in the cloud, service providers must still learn how to comply with the GxP regulatory bodies.