Today, in our continuing series on implementing E6 R3, we consider this statement from section III. 3.16 of the guideline: "The sponsor should not have exclusive control of data captured in data acquisition tools in order to prevent undetectable changes."
The statement has an interesting lineage. It appeared in the May 2023 draft of E6 R3 in a truncated form: "The sponsor should not have exclusive control of data captured in data acquisition tools." Before that, it was included in the EMA Guideline on Computerized Systems, drafted in MAY-2021 and finalized in MAR-2023. Before that, it appeared in a "Q&A" posted on EMA's website, which in turn references a "reflection paper" that dates back to 2010.
Despite the long tenure of this statement in the public discourse, many US sponsors are unfamiliar with it. The negative construction makes it difficult to parse. What does it mean for a sponsor NOT to have "exclusive control" of data?
The EMA Guideline on Computerized Systems includes additional information that helps us make sense of it:
"The sponsor should not have exclusive control of the data entered in a computerized system at any point in time. All data held by the sponsor that has been generated in a clinical trial should be verifiable to a copy of these data that is not held (or that has not been held) by the sponsor. The requirements above are not met if data are captured in a computerised system and the data are stored on a central server under the sole control of the sponsor or under the control of a service provider that is not considered to be independent from the sponsor or if the sponsor (instead of the service provider) is distributing the data to the investigator. This is because the investigator does not hold an independent copy of the data and therefore the sponsor has exclusive control of the data. In order to meet the requirements, the investigator should be able to download a contemporaneous certified copy of the data. This is in addition to the record maintained at a service provider."
The key to understanding this issue lies in the concept of the NCR CRF that we raised in the previous blog post. In the old days, investigators would transcribe source data onto paper CRFs that were printed on three-part NCR paper, then keep the white copy and send the pink and yellow copies to the sponsor. Thus, the investigator always had a "copy of the data" that was in the sponsor's database. If the sponsor's data entry personnel tried to falsify data - or, more commonly, if they made a data entry error or changed data as a result of a query - then the regulatory authorities could always compare the data in the database against the CRF page at the clinical site to see how the data had been altered. (Fun fact: the queries were on NCR paper too.)
Just as we used to leave a paper NCR copy of the CRF at the site, we now need to leave an electronic copy of the eCRF data at the site. Throughout the study, the investigator has continuous access to the eCRF data held in the sponsor database, so the site has their own "copy." The danger point, then, is the end of the study. If the sponsor removes the site's read access to the EDC system, then downloads the eCRF representations and audit trails and sends them to the sites, this creates an opportunity for the sponsor to alter the data without detection, because the site does not have its own "independent copy" of the data to compare to the sponsor's copy.
To guard against the sponsor's manipulation of the data, then, either the site should be able to download a contemporaneous certified copy of the data from the EDC system, or a service provider that is "independent from the sponsor" should be contracted to download and transmit the eCRFs to the site.
There are a few blind alleys and dark corners in this line of reasoning. First, if the sponsor wanted to manipulate data, they would probably start manipulating it in the EDC system, rather than after export. For example, if I wanted to falsify data, I would reset a site team member's password, log in as that site member, and change the data in the EDC system, then reset the password again. Then, even if the site were to download a copy of the eCRFs from the EDC system, they would be downloading the changed data, which the PI would likely never notice among the thousands of pages of data that they would be endorsing. (Which is why we're going to be talking about audit trails in a future post! Stay tuned.)
Second - what defines a service provider that is "independent of the sponsor"? It's an obvious attempt to distinguish between a CRO to whom regulatory responsibilities are transferred and another service provider that is providing a narrow service. But... since database management is ultimately the sponsor's responsibility, surely they are transferring regulatory obligations to the "independent" service provider who is downloading and transmitting eCRFs just as they are transferring regulatory obligations to the CRO providing other data management services?
Setting these points aside, the intention of this statement is clear, at least from the EMA guideline. Investigators should be able to download eCRFs directly from the EDC system. They should be able to download any other data that sponsors would typically provide (IRT, RTSM, ePRO, eCOA, etc.) directly from those systems as well. When a regulatory authority inspects a site, they should always be able to verify the data from the tables, figures, and listings in the submission against the "copy" of the data held by the site, as well as against the original source.
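
As an added illustration (not part of the original post or of either guideline), the sketch below shows how a site-held copy makes later changes to the sponsor's data detectable, and why a change made inside the EDC system before the site downloads its copy is not caught by this comparison. The record layout, the field names and the use of a SHA-256 manifest are assumptions, and the sample values are constructed.

```python
import hashlib
import json

def record_key(rec):
    # Assumed layout: one eCRF data point is identified by subject, visit and field.
    return f"{rec['subject']}|{rec['visit']}|{rec['field']}"

def digest(rec):
    # Canonical JSON so identical values always produce the same hash.
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def make_manifest(records):
    """Built by the site at the moment it downloads its copy from the EDC system."""
    return {record_key(r): digest(r) for r in records}

def compare(site_manifest, sponsor_records):
    """Check data held by the sponsor against the manifest held by the site."""
    sponsor = make_manifest(sponsor_records)
    shared = [k for k in sponsor if k in site_manifest]
    return {
        "changed": sorted(k for k in shared if sponsor[k] != site_manifest[k]),
        "missing": sorted(k for k in site_manifest if k not in sponsor),
        "added": sorted(k for k in sponsor if k not in site_manifest),
    }

# Constructed sample data, not taken from any real trial.
EDC_AT_DOWNLOAD = [
    {"subject": "1001", "visit": "V1", "field": "SBP", "value": "142"},
    {"subject": "1001", "visit": "V2", "field": "SBP", "value": "138"},
    {"subject": "1002", "visit": "V1", "field": "SBP", "value": "151"},
]
SITE_MANIFEST = make_manifest(EDC_AT_DOWNLOAD)

# Sponsor dataset after site access was removed: one value altered, one record dropped.
SPONSOR_LATER = [
    {"subject": "1001", "visit": "V1", "field": "SBP", "value": "128"},
    {"subject": "1001", "visit": "V2", "field": "SBP", "value": "138"},
]

def edited_before_download():
    # The caveat from the text: a change made in the EDC system before the site
    # downloads becomes part of the site's own copy, so the comparison is clean.
    edc = [dict(r) for r in EDC_AT_DOWNLOAD]
    edc[0]["value"] = "128"
    return compare(make_manifest(edc), edc)

if __name__ == "__main__":
    print(compare(SITE_MANIFEST, SPONSOR_LATER))
    print(edited_before_download())
```

The second result is empty in every category, which is the gap that an audit trail review, rather than a copy comparison, has to cover.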