Sitting in StorageOne of the most important things to understand is that we need to take a lifecycle approach to data integrity. Remember that adverse events records will have to be stored for 10 years, and batch records for seven or eight years. The key is to focus on the record. Documents and e-data spend more than 80% of their lifespan in an archived (e.g., stored) state, according to ARMA [Authority on Managing Records and Information]. It’s important to recognize that the records we’ve created and used are going to spend most of their lifetimes sitting in storage, with nobody looking at them. This is absolutely critical to understand, because if you don’t build in controls to spot check those archived records, you may find that they’re gone.Carnegie Mellon studied data storage and found that, on average, two percent of data we store electronically literally vanishes—portions of hard drives are gone. Consider your CD’s. After years pass, you’ll see holes where data has evaporated . . . the key point to understand is that we have to build in controls.You don’t want to have to tell an FDA inspector that “you don’t know” where the two percent of data went.Following are some proactive and cross-functional best practices for ensuring data integrity. • Form a cross-functional e-data working group• Clearly define accountabilities vs. responsibilities• Rely upon your records retention schedules• Take advantage of and reuse IT controls• Plan for at least one data migration during record lifecycle• Incorporate e-data archive audits into internal quality audits• Verify progress (and identify gaps) with a Part 11/Annex 11 mock FDA auditDo not:• Overlook the record lifecycle and focus on systems• Rely on one-time validation of a system• Assume e-data is “safe” in storage• Turn it over to IT or to Validation or to Records Management• Avoid tracking regulatory expectations in your regulatory intelligence program• Forget that e-data is your proof of safety, efficacy, and compliance• Lose sight of the costs–minimum 12:1 ROIRemember that you need procedural controls. The following are the components of an effective data integrity SOP: Start with critical records sets, as defined by your RRS [record retention schedule]. Identify reasonable risks to each records set. Determine confidence level in integrity required. Set controls over the entire data lifecycle, then generate proof (checklists and audit summaries for instance).Remember that the final SOP needs to fulfill FDA’s ALCOA acronym.Here are other SOPs companies ask about. All of these might be things to consider, depending on how you manage data, who is involved, and how many people are involved. Obviously, the requirements for a 10-person virtual company will differ from those for a 5,000-person operation.Additional SOPs should cover:• Virtual Data Storage Verification (“cloud computing”)• Secure Archived e-Data and Media Handling• Data Maps–Creation and Maintenance• Data Integrity/Controls Matrices–Creation and Maintenance• Data Migration Protocols• Data Transfers and Verification• Maintaining Long-Term Confidentiality and/or Privacy• Data Sampling and Archive Auditing• Scanning of Paper Records for e-Data Archival• Transfer and Retrieval of Long-Term e-Data Archives• Secure Disposal of Clinical Patient & Adverse Event e-Data• Qualification of Record and Data Storage ProvidersFocus on FAQsBelow are questions that I am often asked. Each of these is very particular and the responses will be very specific to the company and context involved, but they are important to think about:• What if we don’t have a records retention schedule?• How much detail do we need in our data maps?• Should we do a data-integrity/controls-matrix for each product or each system?• Can we configure our network and computers for default data integrity?• When can inspectors ask for system access?• Do we have to keep all of our electronic raw data?• How do we translate “data integrity” into budgets and projects?• What are records that prove “safety and efficacy”?• How do we document controls associated with records and personnel system usage?• How best can we take advantage of IT, records and archival, quality management, and regulatory affairs?It can be useful to take a very concrete “kick start” approach to ensure an effective Part 11 compliance approach within your organization.1. Show sample enforcement actions that have cost and humiliated other firms. 2. Discuss how data integrity controls can limit risks and costs, with a focus on ROI.3. Suggest next steps such as a management workshop to build momentum, talk to management and get a sponsor.