What's New in E6 R3?  Sponsor Responsibilities Part 9 - Data and Records

What's New in E6 R3? Sponsor Responsibilities Part 9 - Data and Records

Denise Lacey
6 minute read

Listen to article
Audio generated by DropInBlog's Blog Voice AI™ may have slight pronunciation nuances. Learn more

As we discussed in our earlier blog post on changes to Good Clinical Practice E6 R3, sponsor responsibilities for data and record-keeping are now divided between the sponsor Data and Records section, which has been significantly augmented with new requirements, and a completely new Data Governance section that applies to both sponsors and clinical sites.  Today, we look at what's new in the sponsor Data and Records section.  Buckle up - there's a LOT to cover in three of this section's four subsections.

Data handling.  The following requirements are new:

  • The sponsor should pre-specify data to be collected and methods of collection in the protocol.  This section also recommends a data flow diagram in the study's Data Management Plan, the first time we've seen a specific recommendation about the contents of a plan.
  • The sponsor should ensure the investigator's access to data throughout the trial, with particular attention to data collected outside the clinical database, such as laboratory data, ePRO data, and other data required to make participant care decisions, taking care to safeguard the study blind. In a related step, sponsors should not have "exclusive control" of data in any data capture tools. The provision is intended to protect participant safety, but both requirements speak to data integrity concerns.  If investigators do not have continuous access to their data, the fear among regulators is that sponsors will be able to manipulate it without detection. EMA's guideline on computerized systems states this a bit more explicitly in section 6.6:  "All data held by the sponsor that has been generated in a clinical trial should be verifiable to a copy of these data that is not held (or that has not been held) by the sponsor."  The guideline goes on to say that the requirement would NOT be met if data are on a central server under control of the sponsor "or under control of a service provider that is not considered to be independent from the sponsor." How do we arrange for an "independent" service provider? EMA suggests that if this is not possible, the sponsor may take other "adequate technical measures that preclude sole control," such as ensuring verifiability of transactions by an "independent (distributed) tamper-proof ledger."  Ladies and gentleman, blockchain has entered the chat!
  • Sponsors should ask investigators to "endorse" (sign) data at pre-determined milestones.
  • Sponsors should document planned data management activities for each type of analysis.  During preparations for interim analysis, changes to data should be restricted.
  • Deviations from the planned statistical analysis AND post-lock changes should be clearly documented, justified, reported in the Clinical Study Report. It is odd that this statement on changes to the SAP is shoehorned into the Data Handling subsection, instead of the new Statistical Programming and Data Analysis subsection.  This step goes on to say that any post-lock data changes must be authorized by an investigator and reflected in an audit trail, which precludes "hard-coding" of changes.
  • Sponsors should protect privacy and confidentiality of personal information, a nod to the General Data Protection Regulation.
  • Sponsors should document "what happens to data" when a participant withdraws or discontinues from the study.  This statement is a bit difficult to parse.  Its proximity to other statements about privacy and confidentiality suggest that it  means that sponsors should document what will happen to data when a participant withdraws from the study.  In other words, will the participant's data remain in the dataset, or will it be withdrawn for privacy reasons?
  • Sponsors should have processes for reporting "incidents and security breaches that have a significant impact on the trial data to relevant parties."  The phrase "to relevant parties" is awkwardly placed; we assume this means that sponsor procedures should have processes for reporting privacy and confidentiality breaches to parties whose data may have been compromised (e.g., reporting a data breach in an EDC system to site staff whose emails and passwords may have been stolen).
  • Sponsors should maintain records of all computerized systems used in a clinical trial, including use, functionality, interfaces, validation status, access controls, and security measures.  That's a tall order; most sponsors maintain a computer systems inventory, but it does not typically include study-specific systems contracted through a CRO.  Most study teams do not keep a single systems inventory, but rather identify systems across multiple plans. We typically create storyboards with this information during inspection readiness activities.
  • Sponsors should maintain a record of system users, roles, and privileges.  Such a record can be exported out of most data capture systems, but we have encountered many sponsors who do not require their vendors to send these reports.
  • Sponsors should ensure that permissions for clinical site staff are "in accordance with delegations" and "visible to the investigator."  Sponsors may need to implement a check of delegations against permissions in their monitoring plans.  Typically, roles and permissions are not "visible to the investigator" unless the investigator is looking over the shoulder of a staff member; sponsors may need to figure out a way for investigators to view and approve site staff roles and permissions in data capture systems.
  • During start-up, sponsors should assess and document whether systems used by investigators and institutions are "fit for purpose." Most sponsors do include such a step in their site selection process.
  • Sponsors should have processes for reporting system errors or incidents that could compromise protocol compliance.

Statistical Programming and Data Analysis.  This entire section is new except for a step carried forward from R2, which specified that sponsors should always be able to compare transformed data to pre-transformed data. Even this statement has been amended to reference "traceability of data transformations and derivations." Other new points:

  • Sponsors should ensure adequate quality control of statistical programming and data analysis activities.  Such steps are routine for most sponsors.
  • Sponsors should pre-define the "allocation to or exclusion or each trial participant from any analysis set," with the rationale.  Again, new to R3, but not new to industry.
  • Sponsors should specify unblinding procedures, including who was unblinded, when they were unblinded, and "who should remain blinded" (presumably for mid-study unblinding). Most sponsors have these procedures.
  • Sponsors should retain programming records that generated outputs, including quality control and validation documentation.  Smaller sponsors may not request statistical programs and quality control records from their statistical vendors. Most CROs have record retention periods that may not align with sponsor needs; these records should always be transferred to the sponsor and considered part of the Trial Master File, even if they are stored in a repository separate from other Trial Master File documents.

Record Keeping and Retention.  There is one new requirement here:  Sponsors should report transfer of ownership of essential records to authorities if required by regulation.

Stay tuned for coverage of the new Data Governance section, which also addresses data integrity topics.

« Back to Blog