ICH E6(R2) and Data Integrity: Four Key Principles

Clinical Researcher—April 2018 (Volume 32, Number 4)


Michael Rutherford, MS

[DOI: 10.14524/CR-18-4021]


A few months prior to the release of the updated International Council for Harmonization Guideline for Good Clinical Practice (ICH GCP E6(R2)),1 three draft guidance documents on the topic of “Data Integrity” and an explanatory Q&A document were published by the U.S. Food and Drug Administration,2 the Medicines and Healthcare products Regulatory Agency (MHRA) in the U.K.,3 the Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme,4 and the European Medicines Agency (EMA),5 respectively. Further, in March 2018, the MHRA published its GxP Data Integrity Guidance and Definitions, Revision 1.6 This is the first of the guidance documents to be finalized and the first with a GxP (for “Good Practices” in different realms) scope.

Data integrity is defined as the extent to which all data (whether electronic or paper-based) are complete, consistent, accurate, trustworthy, and reliable throughout the data lifecycle—from creation through archival status and their eventual destruction. Regulatory agencies, as well as the biopharmaceutical industry, rely on data to ensure subject/patient rights and safety and the scientific value of clinical studies. In this column, we will examine how these documents, with a particular focus on the MHRA final guidance, can facilitate successful implementation of the ICH E6(R2) data integrity requirements.

Data integrity principles are nothing new; however, the addenda in ICH E6(R2) reinforce these principles and the role that monitoring (as redefined by ICH E6(R2)) can and should play in verifying the integrity of data throughout a study. The four key principles of data integrity are highlighted in the following sections.


Data should be Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA). These have historically been considered the attributes of data quality and Good Documentation Practices (GDocP). However, in recent years, an additional four attributes—namely Complete, Consistent, Enduring, and Available (known as ALCOA+)5,6—have been added to emphasize that the data should also be whole (i.e., include relevant metadata), consistent (e.g., date and time of activities should be in the right sequence), lasting throughout the lifecycle, and readily available for review or inspection. These attributes apply to both paper and electronic records and represent the foundation of data integrity.

Computer System Validation

Computer systems should be validated based on a risk assessment. ICH E6(R2), Section 5.5.3 emphasizes that validation should take into consideration “the intended use of the system and the potential of the system to affect human subject protection and reliability of trial results.” In other words, not all systems are the same from a risk perspective, and not all functionality within a system is the same, so the level of effort and resource applied to the validation should be commensurate with the risk.

The same section of ICH E6(R2) also states that, “When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: (a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance.” Therefore, the user of the system (i.e., the sponsor or the contract research organization acting on behalf of the sponsor) is responsible for ensuring that the system is validated for the user’s intended use when the system is supplied by a vendor.

The MHRA guidance6 emphasizes that “risk to data may be increased by complex, inconsistent processes, with open ended and subjective outcomes compared to simple tasks that are undertaken consistently, are well defined and have a clear objective.” Other factors which should be considered include the degree of automation versus human intervention, and the ability to alter or delete data and the likelihood of its detection.

This guidance goes on to note, “Where there is human intervention, particularly influencing how or what data [are] recorded, reported or retained, an increased risk may exist from poor [organizational] controls or data verification due to an overreliance on the system’s validated state.”6 In other words, the system should not be considered in isolation of the relevant business process—the entire business process and data flow should be considered in the risk assessment. This is a critical concept that is sometimes overlooked.

Access Control

Limiting the ability to record, change, and delete data is a fundamental requirement for assuring data integrity. Roles and associated access types must be defined and assigned to clearly indicate who can do what within the system and business process.

Potential conflicts of interest between roles should also be considered to ensure individuals do not have the capability and functionality to execute steps that can impact data integrity. For example, does an individual have both an administrator and a business role that would allow him or her to circumvent the access controls in place by modifying the system configuration or the data directly?

Roles need to be defined and assigned carefully, to limit access to those who truly require it to execute the tasks that they are responsible for performing. Similarly, user access should be removed in a timely manner once it is no longer required. Routine review of user access should also occur to ensure roles are correctly assigned, conflicts of interest in roles do not exist, and access is limited to only those individuals who require it.

Metadata and Audit Trails

Data integrity principles cannot be discussed without also addressing the fourth principle of metadata and audit trails. Metadata are data that describe the attributes of other data and provide context and meaning. Typically, these are data that describe the structure, data elements, inter-relationships, and other characteristics of data. Metadata also permit data to be attributable to an individual (or if automatically generated, to the original data source).

Metadata form an integral part of the original record and, without metadata, the data have no meaning. As a result, metadata should be maintained and controlled in the same manner as the original data to which they belong.

Metadata are often maintained within the audit trail of the system, providing insight into the steps and thought process behind the original data and/or the generation of results. However, all too often, technical system logs are considered equivalent to data audit trails. Technical system logs typically record various system, configuration, and operational events while data audit trails normally record the creation, modification, or deletion of records or data.

For example, an electronic data capture audit trail should capture all changes, including deletions of data related to each subject—including the old value, the updated value, who made the change or deletion, the reason for the change or deletion (if necessary), and the time/date stamp of when the change occurred. Without this information, the principal investigator does not have the full data history before approving the subject’s data.

In-process audit trail reviews should be performed by users of the computerized system as part of the normal business process, and they should be based on a detailed understanding of the process supported by the computer system, the applicable GCP requirements, and the risk to human subject protection and the reliability of the trial results. Per ICH E6(R2), Section 5.18.1(b), part of the purpose of monitoring is verifying that “the reported trial data are accurate, complete, and verifiable from source documents.” In-process audit trail review provides a means of doing this, and should be defined and executed as part of the monitoring activities across the entire study and trial process.

Indeed, ICH E6(R2), Section 5.18.3 emphasizes the importance of centralized monitoring processes to “complement and reduce the extent and/or frequency of onsite monitoring and help distinguish between reliable data and potentially unreliable data.” Audit trail reviews conducted by data managers, statisticians, safety staff, and other roles can help identify missing data, inconsistent data, data outliers, unexpected lack of variability, and protocol deviations; plus systemic or significant errors in data collection and reporting at a site or across sites; and other data integrity issues.


The Addendum to the introduction section of ICH E6(R2) states “this guideline has been amended to encourage implementation of improved and more efficient approaches to clinical trial design, conduct, oversight, recording, and reporting while continuing to ensure human subject protection and reliability of trial results.” Sites should be examining their processes to ensure that they are meeting the data integrity expectations documented in ICH E6(R2). The draft guidance documents on Data Integrity, the EMA Q&A document, and the final MHRA Guidance document offer very useful insight into how regulators are interpreting their data integrity expectations.


  1. International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use. ICH Harmonized Guideline. Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2). Current Step 4 version dated November 9, 2016.
  2. U.S. Food and Drug Administration. 2016. Data Integrity and Compliance with CGMP Guidance for Industry (Draft Guidance). https://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM495891.pdf
  3. Medicines and Healthcare products Regulatory Agency. 2016. GxP Data Integrity Definitions and Guidance for Industry (draft version for consultation). gov.uk/government/uploads/system/uploads/attachment_data/file/538871/MHRA_GxP_data_integrity_consultation.pdf
  4. Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme. 2016. PIC/S Guidance: PI 041-1 (Draft 2) Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. https://www.picscheme.org/en/publications
  5. European Medicines Agency. 2016. Data Integrity Q&A. ema.europa.eu/ema/index.jsp?curl=pages/regulation/q_and_a/q_and_a_detail_000027.jsp&mid=WC0b01ac05800296ca#section16
  6. Medicines and Healthcare products Regulatory Agency. 2018. GxP Data Integrity Guidance and Definitions (revision 1). https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf

Michael Rutherford, MS, (michael.rutherford@syneoshealth.com) is Executive Director of Computer Systems Quality and Data Integrity for Syneos Health.