Common Misconceptions About Data Integrity

In recent years, interest in data integrity has grown significantly within the pharmaceutical industry. However, many companies, consultants who give lectures, and authors of books do not appear to have an appropriate understanding of data integrity.

Misconception 1: Focus on Fraud and Falsification

Data integrity is frequently perceived as primarily focusing on fraud and falsification. However, data integrity should not focus solely on fraud or falsification.

Consider this question: Which poses a greater risk to patient safety—data deliberately altered with malicious intent, or data inadvertently modified through accident or carelessness? The answer is that both present exactly the same level of risk to patient safety.

The question then becomes: Are fraud and falsification really so prevalent in the pharmaceutical industry that they occur on a daily basis? The answer is no. Intentional fraud represents a relatively small proportion of data integrity issues encountered in practice.

What is truly important in data integrity is protecting data from all unintended changes, regardless of whether they occur through intent or accident. The fundamental principle is ensuring data accuracy, completeness, and reliability throughout the data lifecycle, as emphasized by regulatory authorities worldwide, for example in the FDA’s 2018 guidance “Data Integrity and Compliance with Drug CGMP: Questions and Answers” and the MHRA’s 2018 “GXP Data Integrity Guidance and Definitions.”

Misconception 2: Exclusive Focus on Electronic Records

In most discussions of data integrity, the focus is placed almost exclusively on electronic records. However, consider this question again: Which is more important for patient safety—falsification of paper records or falsification of electronic records? The answer is, once more, that they are exactly the same.

The principles of data integrity must be applied equally to both paper records and electronic records. This is explicitly stated in regulatory guidance documents. The MHRA GXP Data Integrity Guidance (2018) clearly states: “Data integrity requirements apply equally to manual (paper) and electronic data. Manufacturers and analytical laboratories should be aware that reverting from automated/computerised to manual/paper-based systems will not in itself remove the need for data integrity controls.”

Similarly, hybrid systems—those that combine both paper and electronic elements—must maintain data integrity across both components. The WHO Technical Report Series No. 996 Annex 5 (2016) provides comprehensive guidance on good data and record management practices that explicitly addresses paper, electronic, and hybrid systems.

The ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) apply universally to all data formats. Some organizations have extended these to ALCOA++ by adding “Traceable,” providing an even more comprehensive framework for data integrity that transcends the medium of data capture.

Misconception 3: Definition of Falsification

When people hear the word “falsification,” they often imagine fraudulent activity. However, this understanding is incomplete.

Falsification refers to “unintended changes” to data. Whether the change occurs with or without malicious intent, if it was not an authorized, documented change, it constitutes falsification. This means that data altered through accidents, careless mistakes, or system errors all constitute falsification.

From a patient safety perspective, the origin of the data corruption—whether from deliberate fraud, procedural error, system malfunction, or simple carelessness—is less relevant than the fact that the data no longer accurately represents the original observation or measurement. All such changes compromise the integrity of the data and, consequently, the reliability of decisions based on that data.

Modern data integrity frameworks emphasize system design and controls that prevent both intentional and unintentional data corruption. This includes robust audit trails, access controls, and automated data capture systems that reduce opportunities for human error.

Misconception 4: Definition of Intentional Changes

The phrase “intentional changes” might also lead one to imagine malicious activity (fraud). However, this is not the correct understanding.

For example, creating or modifying data based on a misunderstanding of Standard Operating Procedures (SOPs) also constitutes an intentional change. These are routine errors that occur in daily operations. Workers believe they are performing their tasks correctly, but insufficient training, accumulated misconceptions over years of performing the same work, ingrained assumptions, or simple misunderstandings can lead to improper data handling.

This is precisely why dual verification (independent checks by a second qualified person) and regular retraining are critically important. Human factors engineering and error prevention strategies have become increasingly important components of modern pharmaceutical quality systems.

The concept of “data governance,” as emphasized by the MHRA since 2014 and subsequently adopted globally, addresses these issues through systematic management of data-related risks. A robust data governance system includes clearly defined roles and responsibilities, appropriate training programs, and regular review of data handling procedures to identify and correct systemic issues before they compromise data integrity.

Misconception 5: Risk-Based Approach

Many people believe that a risk-based approach focuses exclusively on high-risk products or processes. This understanding is incomplete and misses the fundamental purpose of the risk-based regulatory framework.

To understand the true meaning of risk-based approaches, we must examine the historical context. Regulatory authorities strengthen regulatory requirements to ensure patient safety. However, when regulatory requirements are strengthened, companies must incur compliance costs. These increased compliance costs are not absorbed by the companies themselves but are reflected in drug prices, ultimately increasing the burden on patients. In extreme terms, healthcare could become accessible only to high-income individuals.

This represents a significant dilemma for regulatory authorities: how to ensure patient safety without making medicines unaffordable.

In August 2002, the FDA announced a transformational initiative titled “Pharmaceutical CGMPs for the 21st Century: A Risk-Based Approach.” This initiative was formally detailed in the FDA’s 2004 final report and represented a fundamental shift in pharmaceutical quality regulation.

Prior to this initiative, GMP required the same manufacturing and quality control standards for all pharmaceutical products, regardless of their inherent risks. The risk-based approach introduced a more sophisticated framework. Under this approach, high-risk products such as anticancer drugs, psychotropic drugs, vaccines, and blood products continue to require stringent manufacturing and quality control measures, as they always have. However, for relatively low-risk pharmaceutical products, such as vitamins and nutritional supplements, the approach allows for appropriately scaled controls that maintain adequate safety assurance without unnecessary regulatory burden.

The fundamental concept of the risk-based approach is to reduce compliance costs in proportion to the actual risk, thereby ensuring patient safety while simultaneously reducing the financial burden on patients. This approach recognizes that regulatory resources—both industry resources and inspection resources—are finite and should be allocated where they provide the greatest benefit to public health.

The risk-based approach has been further refined and expanded through subsequent regulatory developments, including:

  • ICH Q9 Quality Risk Management (2005), which provides systematic processes for risk assessment, control, communication, and review
  • ICH Q10 Pharmaceutical Quality System (2008), which describes how quality risk management should be integrated throughout the product lifecycle
  • The FDA’s guidance on process validation (2011), which explicitly incorporates risk-based thinking into validation strategies
  • Various data integrity guidances that emphasize risk-based approaches to data governance and system controls

It is important to note that “risk-based” does not mean “less rigorous” for lower-risk products. Rather, it means that the nature and extent of controls should be appropriate to the actual risks presented by the product, process, or system. For example, a vitamin supplement may not require the same environmental monitoring frequency as a sterile injectable product, but it must still comply with fundamental GMP principles appropriate to its risk profile.

In the context of data integrity, a risk-based approach means that the rigor of data governance systems, the frequency of data reviews, and the sophistication of technical controls should be scaled according to factors such as:

  • The criticality of the data to patient safety and product quality decisions
  • The complexity of the manufacturing process
  • The likelihood of data integrity failures based on system design
  • The detectability of potential data integrity issues
  • The potential impact of undetected data integrity failures

This approach allows organizations to focus their resources where they will have the greatest impact on ensuring data reliability and, ultimately, patient safety.

Summary and Current Regulatory Landscape

Data integrity is fundamentally about ensuring the accuracy, completeness, consistency, and reliability of data throughout its lifecycle. Modern regulatory frameworks, including those from the FDA, EMA, MHRA, WHO, and PIC/S, emphasize several key principles:

Universal Application: Data integrity principles apply to all data types (paper, electronic, and hybrid), all pharmaceutical activities (development, manufacturing, testing, distribution), and throughout the entire product lifecycle.

Systematic Management: Organizations must implement robust data governance systems that address data integrity risks through appropriate organizational structure, procedures, training, and technical controls.

Culture of Quality: Data integrity begins with organizational culture and management commitment. As emphasized in recent regulatory guidance, creating “the right environment” where data integrity is valued and supported is essential.

ALCOA++ Principles: The evolution from ALCOA to ALCOA+ and now ALCOA++ reflects the maturing understanding of data integrity requirements, with increased emphasis on completeness, consistency, enduring records, availability, and traceability.

Technology as an Enabler: Modern computerized systems, when properly designed, validated, and controlled, can significantly enhance data integrity by reducing opportunities for human error and providing robust audit trails.

Recent regulatory developments, including the 2023 draft revision of EU GMP Chapter 4 (Documentation) and ongoing updates to Annex 11 (Computerised Systems), continue to strengthen and clarify data integrity expectations. The proposed revisions explicitly incorporate ALCOA++ principles and address emerging technologies including cloud services, artificial intelligence/machine learning systems, and enhanced cybersecurity requirements.

The pharmaceutical industry must recognize that data integrity is not merely a compliance issue to be checked off but rather a fundamental quality attribute that underpins patient safety. By correctly understanding these concepts and implementing appropriate controls scaled to actual risks, organizations can maintain the trust of patients, regulators, and other stakeholders while optimizing the use of resources to achieve genuine quality improvements.
