In an earlier blog, Collaboration in the Modern Biotech Era, we explored the scope, dynamics, and complexity of collaboration in modern biotech and how “…these external partnerships have made the life sciences industry more distributed, networked, and collaborative than ever before.” But data security, integrity, structure, and storage present a number of concerns that need to be addressed to strengthen your GxP compliance envelope when working with external partners.

When considering potential collaborations with partners, institutions, or other entities, the potential for security and compliance risk is a primary concern for both parties. Because sharing data and files are such a critical aspect of biotech partnerships, organizations need to ensure they have the right tool to manage how content is shared and stored. Using a content services platform like Egnyte gives all parties a common, shared approach to data, but it also ensures consistency for issues of security and compliance.  

Key data concern: a common bad habit or the “Three S’s”
Even in fully 21CFR Part 11-validated environments – across R&D, manufacturing, clinical, regulatory, and other functional areas – data problems often arise due to the “Three S’s.”  No matter how advanced a life sciences company’s technology landscape, vast stores of regularly used data typically reside in these formats:

  • Spreadsheets: Life sciences companies have spent millions on broad and single-point technology tools across their enterprises to manage data, documents, and other information. But spreadsheets are still the norm and are used in almost every department to track key semi-structured data elements that may or may not be standard, current or an authoritative “source of truth.”
  • Shared drives: Starting in the early 2000s, shared drives became a way of internally collaborating on data and documents within a company’s 21 CFR Part 11-validated environment. But shared drives can become convoluted messes over time, with periodic attempts to apply structure and standards to come up with the latest version of a product’s core data. And pruning obsolete data – for fear of losing something important – is usually not done. This can lead to many duplicate and conflicting versions of the same data elements and documents in a single shared drive. 
  • Shared collaboration spaces (e.g., SharePoint): Most purpose-built team collaboration spaces start out well, but without continual curation and use many devolve into a maze of folders, subfolders, and documents that can have many of the same attributes of digital overgrowth as described above.

Problems caused by the “Three S’s”
Consequences from key data residing in the “Three S’s” can be serious. The risk of not having a single source of truth for files is the most salient issue, but there are others. Data residing in the “Three S’s” tend to:

  • Be hard to find: Impeded discovery tends to be the case when data is needed for critical filings, or worse when urgently needed during a compliance inspection. Life sciences companies of all sizes feel this crunch, and finding specific files often depends on whether a specific team member “knows where things are.” And if a key resource who has this tacit knowledge leaves, that knowledge leaves too. Hard-to-find data living in the “Three S’s” can easily fall through the cracks and become “Dark Data” that bring no constructive value to the company.
  • Have duplicate, and often conflicting values, formats, sources, owners and data fields: The type of information in the Three S’s tends to vary widely from unstructured (paper or plain PDF scans) to structured output from a system of record, which may or may not be current.
  • Lack standard terms, dictionaries, and controlled vocabularies: Different companies have different ways to describe a tablet, strength, presentation of a product in manufacturing, and many different ways to capture and categorize subject information on the clinical side. Most companies are quite aware of these inconsistencies and usually handle these disconnects with manual workarounds that can introduce serious risk.
  • Have poor security controls: Security controls may be inconsistent and not adhere to your organization’s – or potential collaboration partner’s – data governance standard operating procedures (SOPs). In some cases, data governance is done informally, without a governing SOP, especially in early-stage-growth companies. To establish or enhance the framework for a sturdy GxP compliance envelope, data governance and security controls are essential.

Long term considerations for data collaboration
Another dimension of data concerns inter-institutional collaboration as it relates to the length of time over which collaboration will occur with a partner. In Egnyte’s work with our customers we usually see these collaborations occurring across three general timeframes: 

  • Transactional (days) – (e.g., a third party is engaged to monitor a remote clinical site as a backup to the regular monitor). Short collaborations are not always on the risk radar but can introduce serious data errors that can become areas of compliance risk if unchecked or undetected.
  • Transient (months) – (e.g., stability testing of a product by a partner). Transient collaborations are where more systemic data management issues, including security, data element structure, and other concerns tend to surface. Mutual risk-based review of data governance SOPs and test audits are essential when entering into a transient inter-institutional collaboration.
  • Long-Term (years) – (e.g., a third party is engaged to manufacture and release your product in a specific global region). In long-term collaborations, you are placing great trust in the hands of your partner and complete and recurring audits are essential to ensure the integrity of your GxP compliance envelope.

Regardless of the timeframe, all considerations surrounding data security, integrity, and standardization in inter-institutional collaboration are being carefully watched by health authorities, especially as they relate to adherence to data-governance SOPs. 

Another area of health-authority inspection focus that has emerged in recent years is the expectation that data handling will follow ALCOA+ principles (mandating data be Attributable, Legible, Contemporaneous, Original, and Accurate, + Complete, Consistent, Enduring and Available). (Editor’s note: We will share Egnyte’s insight around adopting and integrating ALCOA+ principles in a future blog post.)

The Egnyte team has found that data and compliance issues in inter-institutional collaboration can be both serious – and hard to detect – due to the tendency of storing data in the “Three S’s” and in the early stages of transactional, transient, and long-term collaboration. Our experience in minimizing risk is extensive, and Egnyte can scan your digital content repositories in real-time and suggest immediate actions to lower threats to your GxP compliance envelope.

Photo by Maarten van den Heuvel on Unsplash

Comments are closed.