Data security
01 Feb 2019
In the current global scenario, the Clinical Research industry has adopted online data acquisition methods using EDC clinical data management systems (CDMS), IVRS/IWRS, ePRO, etc. Sponsor pharmaceutical companies or CROs are mainly involved in conducting trials, gathering the research data from sites and patients/subjects, and processing the data. Because these research data are highly confidential and subjects’ data privacy rights are also involved, appropriate data security measures must be taken to protect the data from loss and theft.
To protect the research data, multiple levels of access control should be in place, such as physical access control for data storage and logical access control.
Physical and logical access of data storage (Data servers)
All computerized systems used for data acquisition and processing should be installed on servers located at secured locations where physical access to the server(s) is controlled (by lock and key or by logical access controls like access cards or biometrics), and only authorized personnel should be able to access the server area. Logs of all admissions to such areas should be maintained because network security starts at the physical level. All such server rooms should also be equipped with controls for environmental factors (e.g., excessive heat, dust, fire, power), and environment sensors should also be in place to trigger an alarm if there is any significant change in the controlled environment.
Data servers should be equipped with anti-virus and firewall protection to nullify external threats. Any attempt by hackers to steal or access the data should trigger the firewall, and all such incidents must be analysed further.
Data back-up
Backing up important data is an essential element in disaster recovery, and data must be backed up at the defined frequency. It is recommended to keep a set of backups off-site at a secured location, and one must take care to ensure that the backup servers are secured at the off-site location. Periodic review of the backup data is also essential to ensure that the data can be recovered when required.
Validated computerized system
The computerized system used in data acquisition and processing must be validated and should have all measures to comply with 21 CFR Part 11 requirements. All transactions in the system must be recorded in an audit trail, and all data transactions should be reproducible at any point in time. Appropriate documentation of system validation must be ensured. If any significant changes (updates) are made to the computerized system, they must be released only after proper validation, which ensures the security of the data already in the system. The system should be able to provide role-based access to users, wherein users can perform only the activities they are intended to perform. Access rights for each role should be pre-defined and appropriately documented.
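The role-based access and audit-trail requirements above, shown as an added Python example (not taken from this article or from any EDC product). The role names, permissions, user IDs, and field keys are assumptions chosen for illustration, and the sample entries are constructed.

```python
from datetime import datetime, timezone

# Assumed role-to-permission matrix: pre-defined and documented, never edited ad hoc.
ROLE_PERMISSIONS = {
    "site_investigator": {"enter_data", "modify_data"},
    "data_manager": {"modify_data", "lock_record"},
    "monitor": {"view_data"},
}

class AccessDenied(Exception):
    """Raised when a role attempts an action outside its pre-defined rights."""

class AuditedStore:
    """Data store whose only write path appends to an audit trail."""
    def __init__(self):
        self.trail = []  # append-only, in chronological order

    def current(self, key):
        for e in reversed(self.trail):
            if e["key"] == key and e["allowed"]:
                return e["new"]
        return None

    def write(self, user, role, action, key, value, reason, when=None):
        when = when or datetime.now(timezone.utc)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are recorded as well, so they can be analysed later.
        self.trail.append({"when": when, "user": user, "role": role,
                           "action": action, "key": key, "reason": reason,
                           "old": self.current(key), "new": value,
                           "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{role} may not {action}")

    def as_of(self, when):
        """Reproduce the data as it stood at `when` by replaying the trail."""
        state = {}
        for e in self.trail:
            if e["allowed"] and e["when"] <= when:
                state[e["key"]] = e["new"]
        return state

def demo():
    """Constructed sample: an entry, a correction, and a denied attempt."""
    t = lambda h: datetime(2019, 2, 1, h, tzinfo=timezone.utc)
    s, k = AuditedStore(), "SUBJ-001/weight_kg"
    s.write("inv01", "site_investigator", "enter_data", k, 72, "initial entry", t(9))
    s.write("dm01", "data_manager", "modify_data", k, 75, "transcription error", t(11))
    try:
        s.write("mon01", "monitor", "modify_data", k, 80, "none given", t(12))
    except AccessDenied:
        pass
    return s
```

Calling `demo().as_of(...)` with a timestamp between the two accepted writes returns the originally entered value, while the trail still holds the monitor's rejected attempt for review.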
Data security at user level
In order to achieve data security at the user level, several procedural controls are also needed. Procedural controls include providing access to only trained individuals involved in the activity/process and maintaining confidentiality of the user credentials (user ID and password).
User access management (which includes creation of a user profile, modification of the profile, and revocation of the user) should be handled by an authorized individual or an authorized group of people. Creation, modification, and revocation of a user profile should be performed only upon receiving a request from the designated authority.
All users should understand that their electronic signatures (ID and password) are equivalent to their handwritten signatures and that they are responsible for the data. Users of the system must not share their user ID and password with anyone under any circumstances. If at any point they feel that their password is compromised, the system administrator should be immediately informed and the password changed. If any individual leaves the organization, his/her access to the system must be revoked immediately upon departure from the organization.
Overall, considering the importance of patient privacy and criticality of scientific research, data security is considered an essential element of clinical research.