Data Integrity in the Pharmaceutical Industry
Introduction
In the pharmaceutical industry, large-scale incidents of falsification of manufacturing records and quality test records continue to occur, forcing regulatory authorities to strengthen inspections to ensure patient safety.
Whether in paper or electronic format, ensuring the reliability of records (data) and documents is extremely important.
Recently, I was interviewed three times by a major newspaper reporter regarding fraudulent practices at a certain pharmaceutical company that has been making headlines. The reporter’s primary interests were the differences between inspection methods in Japan and the United States, and the penalties imposed when fraud is discovered in the United States.
As many readers may be aware, the United States imposes extremely high financial penalties. Pharmaceutical companies have faced substantial fines for organized data manipulation. For instance, in 2013, a major pharmaceutical manufacturer was fined $500 million for systematically falsifying quality control (QC) data, and numerous other companies have faced penalties ranging from hundreds of millions to billions of dollars for various violations including data integrity breaches, off-label marketing, and failure to comply with good manufacturing practices.
Understanding Data Integrity
When you look up “integrity” in a dictionary, you will find it means “honesty” or “uprightness.” So what does it mean for data to have integrity?
The answer is that the data is trustworthy to regulatory authorities.
To achieve this, data must maintain a clear history from its creation to the present day, including any changes. In other words, whether in paper or electronic format, an audit trail is essential. The need for an audit trail means that data must be complete, including not just raw data but also metadata.
Therefore, data integrity is often translated as “data completeness” or “data completeness and reliability.”
The ALCOA+ Principles
Modern data integrity requirements are often summarized using the ALCOA+ principles:
| Principle | Description |
| Attributable | Data must be attributable to the individual who generated it |
| Legible | Data must be readable and understandable throughout its lifecycle |
| Contemporaneous | Data must be recorded at the time the activity is performed |
| Original | Original data and records (or certified true copies) must be retained |
| Accurate | Data must be free from errors and reflect the true values |
| +Complete | All data must be retained, including repeat tests and failed results |
| +Consistent | Data must be internally consistent with related information |
| +Enduring | Data must remain accessible and readable throughout its retention period |
| +Available | Data must be readily available for review and inspection |
Why Data Integrity Matters
What exactly should we pay attention to in order to ensure data completeness? And what problems arise when data integrity is compromised?
The answer lies in the maintenance of audit trails. Electronic records without audit trails provide no evidence of whether alteration or fabrication has occurred. This makes it impossible for regulatory authorities to conduct proper inspections, because inspecting records of questionable reliability is meaningless. When inspections cannot be conducted, regulatory authorities cannot authorize product shipment, which ultimately causes inconvenience to patients and may compromise public health.
The Evolution from Paper to Electronic Records
In recent years, pharmaceutical companies have significantly reduced the creation of handwritten records. In most cases, records are created electronically. However, many companies still use a hybrid method for record storage: printing electronic records onto paper and applying handwritten signatures (signatures and seals). Unfortunately, hybrid systems facilitate fraud, as electronic records can be altered, reprinted, and then backdated with signatures.
FDA inspectors are trained to recognize electronic record fraud techniques and have developed skills to detect such violations. Proper management of both electronic records and paper media is essential.
Regulatory Framework and Evolution
21 CFR Part 11: The Foundation
In 1997, the FDA issued 21 CFR Part 11, which clarified requirements for the reliability of electronic records. The regulation was published as a final rule on March 20, 1997, and became effective on August 20, 1997. However, many of these requirements proved difficult to implement in practice. The primary concern was compliance costs. While regulatory authorities need to strengthen regulatory requirements to ensure patient safety, overly stringent requirements increase compliance costs. These compliance costs borne by pharmaceutical companies are transferred to drug prices, ultimately becoming a burden on patients. In other words, unnecessarily increasing compliance costs paradoxically places a burden on patients.
Risk-Based Approach
In response to these challenges, the FDA announced a new pharmaceutical oversight policy in 2003 called the “Risk-Based Approach.” On September 5, 2003, the FDA published guidance titled “Part 11, Electronic Records; Electronic Signatures — Scope and Application,” which significantly clarified the agency’s interpretation and provided enforcement discretion for certain Part 11 requirements. This guidance emphasized that:
- FDA would apply a narrower interpretation of Part 11’s scope
- The focus should be on predicate rules (underlying regulatory requirements)
- Organizations should implement controls proportionate to risk
- Legacy systems (those operational before August 20, 1997) would be subject to enforcement discretion
It is important to stay informed about the FDA’s current expectations and guidance regarding Part 11 compliance.
International Harmonization
In March 2015, the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) issued guidance titled “MHRA GMP Data Integrity Definitions and Guidance for Industry.” This guidance has proven to be highly valuable for the industry. The MHRA subsequently published an expanded version in March 2018 titled “GXP Data Integrity Guidance and Definitions,” which broadened the scope to cover all GxP areas (Good Laboratory Practice, Good Clinical Practice, Good Manufacturing Practice, Good Distribution Practice, and Good Pharmacovigilance Practice).
Going forward, regulatory authorities worldwide are expected to increasingly articulate their expectations regarding data integrity. Key international guidance documents include:
| Organization | Document | Year | Scope |
| FDA | Data Integrity and Compliance with Drug CGMP: Questions and Answers | 2016 (Final) | GMP |
| MHRA | GXP Data Integrity Guidance and Definitions | 2018 | All GxP |
| PIC/S | Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments | 2021 | GMP/GDP |
| WHO | Guidance on Good Data and Record Management Practices | 2016 (Updated 2021) | All GxP |
In April 2024, the FDA released a draft guidance titled “Data Integrity for In Vivo Bioavailability and Bioequivalence Studies,” demonstrating continued regulatory focus on data integrity across all aspects of pharmaceutical development and manufacturing.
Current Best Practices
Data Governance Framework
Organizations should implement a comprehensive data governance framework that includes:
- Senior Management Commitment: Data integrity starts with leadership commitment and a culture of quality throughout the organization.
- Risk Assessment: Application of ICH Q9 Quality Risk Management principles to identify critical data and systems requiring enhanced controls.
- Training and Awareness: Regular training programs to ensure all personnel understand data integrity principles and their role in maintaining them.
- Procedural Controls: Clear standard operating procedures (SOPs) that define data lifecycle management, including data generation, processing, reporting, retention, and destruction.
- Technical Controls: Implementation of appropriate technological safeguards such as:
- Access controls with unique user credentials
- Audit trails that capture all data changes
- Data backup and disaster recovery systems
- Secure archiving systems
- System validation
- Quality Oversight: Regular internal audits, data reviews, and periodic risk assessments to verify the effectiveness of data integrity controls.
Managing Hybrid Systems
While fully electronic systems are preferred, hybrid systems (combining electronic and paper records) remain common. For organizations using hybrid systems:
- Electronic records should be maintained with full audit trails
- Printed copies should be clearly identified as copies, not originals
- The relationship between electronic and paper versions must be documented
- Controls must prevent unauthorized alteration of electronic records after printing
- Any handwritten entries on printed records must follow strict procedural controls
Organizations should develop migration plans to transition from hybrid to fully electronic systems where feasible and appropriate.
Looking Forward
Data integrity remains a critical focus area for global regulatory authorities. The increasing sophistication of electronic systems, cloud computing, artificial intelligence, and data analytics presents both opportunities and challenges for maintaining data integrity.
Organizations must remain vigilant and proactive in:
- Monitoring regulatory developments across all jurisdictions where they operate
- Adapting their data governance systems to address emerging technologies
- Fostering a culture where data integrity is understood as fundamental to product quality and patient safety, not merely as a compliance requirement
- Investing in modern, validated systems that build data integrity controls into their design
- Ensuring that cost considerations do not compromise the integrity of data that ultimately protects patients
The fundamental principle remains unchanged: regulatory authorities, healthcare professionals, and patients must be able to trust the data that supports pharmaceutical product quality and safety. Data integrity is not just a regulatory requirement—it is an ethical imperative and a cornerstone of pharmaceutical quality assurance.
Conclusion
Data integrity has evolved from a relatively obscure technical requirement to a central pillar of pharmaceutical quality systems. The convergence of regulatory expectations globally, combined with advances in technology, provides both the motivation and the means to achieve robust data integrity.
Organizations that view data integrity as integral to their quality culture, rather than as a compliance burden, will be best positioned to meet regulatory expectations, maintain operational efficiency, and ultimately fulfill their responsibility to patients. The journey toward comprehensive data integrity requires commitment, investment, and continuous improvement, but the destination—trustworthy data that ensures patient safety—makes it an essential undertaking for all pharmaceutical organizations.
This article provides general guidance on data integrity in the pharmaceutical industry. Organizations should consult current regulatory guidance and seek expert advice when implementing data integrity programs tailored to their specific circumstances.
Comment