Do You Destroy Records Securely?

When it comes to destroying records at the end of their retention period, I’m guessing that most records managers and archivists will have a well-established program to ensure such records are destroyed securely. There are industry standards for secure destruction, including, for example, BS EN 15713:2009 Secure destruction of confidential material, and I know many of my colleagues destroy to this standard either in-house or via reputable vendors.

However, are you sure the same is true for electronic records? I don’t mean the deletion of expired records from network drives and backup tapes but the physical destruction of storage media. A recent report from the Information Commissioner’s Office highlighted a big problem in this area. They asked a security company to purchase used hard drives, memory sticks and mobile phones from a variety of sources and identify the contents, if any. 48% of the hard drives still contained data, including 11% containing personal data some of which could enable identity theft to occur. Given that many large companies outsource removal and destruction of hard drives and the like to third parties, can we be sure that our data is actually being securely destroyed?

Posted in Document Storage, Records management practice, Technology | 1 Comment

Use of Digital Signatures

I’ve just come across a White Paper from AIIM on the use of digital signature technology. As this makes for interesting reading, I thought I’d just share some highlights and provide a link to the full report:

  • In 63% of organizations without digital signature systems, more than half of the printed process documents are printed just to add a signature.
  • Speeding up approval processes and saving staff time are considered to be the biggest benefits by those who have implemented a digital signature solution.
  • For 40% of people not using digital signatures, half or more of their electronic document workflows are interrupted by the need for physical sign offs. For 23% of non-users, this results in a week or more of process delay on average.
  • 63% of digital signature users achieved a ROI in 12 months or less (i.e. the technology is cheap!!)
  • 43% of SharePoint users would like to apply digital signatures to SharePoint workflow processes.
  • 24% of research respondents are already using digital signatures. A further 21% plan to implement them in the next 12 months.

The report can be located HERE.

Posted in e-records, Records management practice, Technology | Leave a comment

Is Facebook a Validated System?

Well, of course the answer to the question posed in the title is a clear “No”…. at least as far as the pharmaceutical and biopharmaceutical industry understands and interprets validation. So why the question?

My eye was drawn to an article over the weekend that reported on a High Court ruling that legal documents could be served on an individual via Facebook. In the case in question, the claimant stated that doubts had been raised as to whether the defendant actually lived at the address that court documents were originally sent to. However, his Facebook account was active and it was judged to be an authentic site belonging to the defendant. Mr. Justice Tear therefore ruled that court papers could be served via Facebook.

Relevance? Well, it just got me thinking about how, as an industry, we make strenuous efforts (most of the time!) to ensure our IT systems are developed to the highest standards and comply with the finest details of validation requirements… and for good reason. But out in “the real world” the issue of validation often doesn’t really come into the discussion. Case law is often about “the balance of probability”. On the balance of probability, Facebook is probably a reliable electronic delivery mechanism and so its use was authorised. What impact would this philosophy have on the time, resources and effort we expend on development of our IT systems? Perhaps some of our regulations need a little more “real world thinking”? To use an old business saying, do we really need a Rolls Royce all of the time when perhaps a Ford Focus would suffice? Wishful thinking????

Posted in e-records, Regulations | Leave a comment

Ensure Your Informed Consent Forms Comply With New Requirements

For those sponsors conducting clinical trials that need to comply with FDA regulations, remember that from 7th March 2012 your informed consent documentation must comply with the new 21 CFR § 50.25(c) requirement. This requires the informed consent form to inform the clinical trial subject about the website. Specifically, it has to include the following statement word-for-word:

“A description of this clinical trial will be available on, as required by U.S. Law. This Web site will not include information that can identify you. At most, the Web site will include a summary of the results. You can search this Web site at any time.”

A guidance document on the new requirements is available from the FDA website by following this link.

Posted in Compliance, Regulations | Leave a comment

GMP Directive (2003/94/EC) to cover active substances?

The European Commission are proposing to extend the scope of Directive 2003/94/EC to cover active substances, including the manufacture of active substances. The intent is to bring cohesion of requirements for active substances and medicinal products. However, since all of the provisions for medicinal products would then also apply to active substances, there are significant implications, including requirements for document and records management.

A consultation process on the impact of this proposed change has now opened, with responses requested by 20 April 2012. Click HERE to download the concept paper.

Posted in Compliance, GMP, Regulations | Leave a comment

Is it OK to “manipulate” PDFs to improve records management?

This is a question that I hear posed fairly frequently, I guess as a result of organisations managing electronic records rather than – or in addition to – traditional paper records. A typical scenario is an electronic document received into the Records Centre as two individual components; is it legitimate for the Records Manager to combine the individual files into a single PDF? Another scenario I’m often asked about is a large report that is circulated as a hard-copy for signature. Is it OK for the Records Manager to scan just the signature page and integrate it into an existing PDF of the same report? Scanning the whole paper document would create a file that was too large to manage and would not necessarily be text searchable.

For the regulated pharmaceutical and biotechnology sectors, I have been unable to locate a regulation or law that deals specifically with these scenarios (if anyone can point me to one, please comment below!). So to answer the question we really need to look at the regulations and guidance to identify any predicate rules or principles for us to base an answer upon. The best guidance that I think is relevant here is a reflection paper from the European Medicines Agency on “Expectations for Electronic Source Documents Used in Clinical Trials“. This paper also refers to the CDISC Standard for Electronic Source Data Within Clinical Trials which discusses a group of 12 high-level principles which, if adhered to, provide a good basis for the acceptability of electronic source data. Compliance with these principles helps us to answer the question posed.

Regulated documents need to be trustworthy. Furthermore, their trustworthiness must be able to withstand scrutiny, either by an auditor, a regulatory inspector or legal counsel. The EMEA reflection paper requires that documents are: accurate; legible; contemporaneous; original; attributable; complete; consistent; enduring; and available. The CDISC standard also adds ‘not modified’.

Whilst the manipulation of PDF files is well meant and helps to reduce duplication and encourage good records management working practices, it has the potential to introduce a question as to the reliability and authenticity of the record. Take the example of the signed study report. The signatory did not read, review and sign the content of the PDF file. Although the Records Manager knows that the content of the PDF and the hard-copy are the same – or assumes that they are – the signature was not applied to the PDF and should therefore not be attached to or associated with it. This would be akin to taking the signature page from a hard-copy study report and stapling it to an alternative version. Or taking the signature from one contract and attaching it to a paper version of a different copy. An alternative approach for signatures is to create a standalone signature sheet where the signatory affirms his/her approval of the content of a separate document that he/she has reviewed.

The example of combining different PDF files has similar problems. Although the Records Manager knows that the files should be combined, this process has the potential to call into question the validity of the concatenated document. If we use the analogy of the study report again, this process is like having the individual components reviewed but the Records Manager assembling the final study report and archiving it with no final approval. Following report assembly, the sponsor and investigator review and approve the compiled document.

To conclude, I said at the outset that I could not locate specific regulations on this. There will always be exceptions and the final decision has to be taken following a risk-based approach. However, my recommendation would be to identify document management processes that avoid the need to manipulate signature pages and/or manipulate individual components of a document. Our goal is always to create and manage reliable, authentic, trustworthy records.

Posted in Compliance, e-records, Litigation, Records management practice, Regulations | 1 Comment

Certification by a qualified person and batch release – Consultation

A concept paper on revising Annex 16 of the guide to good manufacturing practice: certification by a QP and batch release is currently open for consultation until 31/01/2012 using the following link to the EMA website:

The concept paper succinctly describes some of the challenges in certifying batches of manufactured drug product for release in an environment where different parts of the manufacturing process are often conducted in different places around the globe and frequently by different companies. This also presents a challenge from a document management perspective; it is not always clear who has responsibility for maintenance of the constituent parts of the product specification file and which records, if any, the QP is expected to maintain, be responsible for or simply have access to. It could be argued that this clarification best sits in Chapter 4 of Volume 4 GMP Guidelines, but perhaps the scope of the revision to Annex 16 should also cover documentation?

Any comments on the concept paper should be submitted to the EMA by end-January.

Posted in Regulations | Leave a comment