The approach used by the responsible party for implementing, evaluating, accessing, managing and reviewing relevant metadata associated with data of higher criticality should entail:
(a) Evaluating the system for the types and content of metadata available to ensure that:
(i) Computerised systems maintain logs of user account creation, changes to user roles and permissions and user access;
(ii) Systems are designed to permit data changes in such a way that the initial data entry and any subsequent changes or deletions are documented, including, where appropriate, the reason for the change;
(iii) Systems record and maintain workflow actions in addition to direct data entry/changes into the system.
(b) Ensuring that audit trails, reports and logs are not disabled. Audit trails should not be modified except in rare circumstances (e.g., when a participant’s personal information is
inadvertently included in the data) and only if a log of such action and justification is maintained;
(c) Ensuring that audit trails and logs are interpretable and can support review;
(d) Ensuring that the automatic capture of date and time of data entries or transfer are unambiguous (e.g., coordinated universal time (UTC));
(e) Determining which of the identified metadata require review and retention.