(a) The sponsor should ensure the integrity and confidentiality of data generated and managed.
(b) The sponsor should apply quality control to the relevant stages of data handling to ensure that the data are of sufficient quality to generate reliable results. The sponsor should focus their quality assurance and quality control activities, including data review, on data of higher criticality and relevant metadata.
(c) The sponsor should pre-specify data to be collected and the method of its collection in the protocol (see Appendix B). Where necessary, additional details, including a data flow diagram, should be contained in a protocol-related document (e.g., a data management plan).
(d) The sponsor should ensure that data acquisition tools are fit for purpose and designed to capture the information required by the protocol. They should be validated and ready for use prior to their required use in the trial.
(e) The sponsor should ensure that documented processes are implemented to ensure the data integrity for the full data life cycle (see section 4.2).
(f) The sponsor should implement measures to ensure the safeguarding of the blinding, if any (e.g., maintain the blinding during data entry and processing).
(g) The sponsor should put procedures in place to describe unblinding, where applicable; these descriptions should include:
(i) Who were unblinded, at what timepoint and for what purpose they were unblinded;
(ii) Who should remain blinded;
(iii) The safeguards in place to preserve the blinding.
(h) The sponsor should provide guidance to investigators/institutions, service providers and trial participants, where relevant, on the expectations for data capture, data changes, data retention and data disposal.
(i) The sponsor should not make changes to data entered by the investigator or trial participants unless justified, agreed upon in advance by the investigator and documented.
(j) The sponsor should allow correction of errors to data, including data entered by participants, where requested by the investigators/participants. Such data corrections should be justified and supported by source records around the time of original entry.
(k) The sponsor should ensure that the investigator has timely access to data collected in accordance with the protocol during the course of the trial, including relevant data from external sources (e.g., central laboratory data, centrally read imaging data and, if appropriate, ePRO data). This enables the investigators to make decisions (e.g., on eligibility, treatment, continuing participation in the trial and care for the safety of the individual trial participants) (see section 2.12.3). The sponsor should not share data that may unblind the investigator and should include the appropriate provisions in the protocol.
(l) The sponsor should not have exclusive control of data captured in data acquisition tools in order to prevent undetectable changes.
(m) The sponsor should ensure that the investigator has access to the required data for retention purposes.
(n) The sponsor should ensure that the investigator receives instructions on how to navigate systems, data and relevant metadata for the trial participants under their responsibility.
(o) The sponsor should seek investigator endorsement of their reported data at predetermined important milestones.
(p) The sponsor should determine the data management steps to be undertaken prior to analysis to ensure the data are of sufficient quality. These steps may vary depending on the purpose of the analysis to be conducted (e.g., data for IDMC, for interim analysis or the final analysis) (see section 4.2.6). Completion of these steps should be documented.
(q) For planned interim analysis, the ability to access and change data should be managed depending on the steps to achieve data of sufficient quality for analysis.
(r) Prior to provision of the data for final analysis and, where applicable, before unblinding the trial, edit access to the data acquisition tools should be restricted.
(s) The sponsor should use an unambiguous trial participant identification code that allows identification of all the data reported for each participant.
(t) The sponsor should implement appropriate measures to protect the privacy and confidentiality of personal information of trial participants, in accordance with applicable regulatory requirements on personal data protection.
(u) In accordance with applicable regulatory requirements and in alignment with the protocol, the sponsor should describe the process by which the participant’s data will be handled when a participant withdraws or discontinues from the trial.
(v) The sponsor should ensure that trial data are protected from unauthorised access, disclosure, dissemination or alteration and from inappropriate destruction or accidental loss.
(w) The sponsor should have processes and procedures in place for reporting to relevant parties, including regulatory authorities, incidents (including security breaches) that have a significant impact on the trial data.
(x) When using computerised systems in a clinical trial, the sponsor should:
(i) Have a record of the important computerised systems used in a clinical trial. This should include the use, functionality, interfaces and validation status of each computerised system, and who is responsible for its management should be described. The record should also include a description of implemented access controls and internal and external security measures;
(ii) Ensure that the requirements for computerised systems (e.g., requirements for validation, audit trails, user management, backup, disaster recovery and IT security) are addressed and implemented and that documented procedures and adequate training are in place to ensure the correct development, maintenance and use of computerised systems in clinical trials (see section 4). These requirements should be proportionate to the importance of the computerised system and the data or activities they are expected to process;
(iii) Maintain a record of the individual users who are authorised to access the system, their roles and their access permissions;
(iv) Ensure that access permissions granted to investigator site staff are in accordance with delegations by the investigator and visible to the investigator;
(v) Ensure that there is a process in place for service providers and investigators to inform the sponsor of system defects identified;
(vi) Assess whether such systems, if identified as containing source records in the trial, (e.g., electronic health records, other record keeping systems for source data collection and investigator site files) are fit for purpose or whether the risks from a known issue(s) can be appropriately mitigated. This assessment should occur during the process of selecting clinical trial sites and should be documented;
(vii) In situations where clinical practice computerised systems are being considered for use in clinical trials (e.g., electronic health records or imaging systems used or deployed by the investigator/institution), these systems should be assessed for their fitness for purpose in the context of the trial;
(viii) The assessment should be performed before being used in the trial and should be proportionate to the importance of the data managed in the system. Factors such as data security (including measures for backup), user management and audit trails, which help ensure the protection of confidentiality and integrity of the trial data, should be considered as appropriate;
(ix) Ensure that there is a process in place for service providers and investigator(s)/institution(s) to inform the sponsor of incidents that could potentially constitute a serious noncompliance with the clinical trial protocol, trial procedures, applicable regulatory requirements or GCP in accordance with section 3.12.