Can you safely copy GxP data?

After watching our webinar "GxP data integrity: What you don't know may make you non-compliant", we received an interesting question about copying information and records in GxP applications. 

Dear Paul, 

In one of your webinars you stated that copying an SOP document for the purpose of studying it at home is  obvious violation. 

As far as I know, copying any GXP document or SOP that is not controlled means it is not updated. Therefore, it has no real risk. Copying the data would therefore impose no hazard to the company’s regulatory compliance. 

For instance, suppose that GXP data are archived in a drive of a computer and only some personnel can access the drive. This would be in order to control  access to the data, maintain it in a validated state and ensure data integrity. 

If one of the persons who has access to the data were to copy a part of it and store it in another place, to allow other employees to use the data, is it a violation? 

In my opinion data are archived in a specified place to be controlled so that they can be presented to an auditor.  Copying data to share will other employees does not pose a threat to company. If the copied  data changes, there will be a differences  with the source data. Those differences are evident. Since the source data is the only data considered reliable, what harm can come of copying some of it?

 Please let me know if I am wrong in this line of reasoning...

Sincerely, S

Dear S,

You are quite right when you say that GxP information, in electronic or paper form, should be controlled to protect it from changes.  You are also right -  copies should be labeled as such.

Let’s take a case of the employee taking a picture with his phone. The problem, which you rightly allude to, is that if he or anyone else uses the photo for reference, they may not be using up to date information.  

The correct procedure would be to go the QA Documentation department to get an official copy, which would be marked as a copy (if this was even allowed by the company policies).  It is likely that the employee had already violated company policy by taking pictures at work anyway.  

My example in the webinar was a teaching example to show how someone unfamiliar with GxP documentation management procedures using new technology can inadvertently make GxP errors.  The employee should not be taking pictures of documents, nor should he be taking copies of documents offsite. One’s home hopefully feels safe to oneself; it is not safe for a controlled GxP document. 

As far as archives, I agree with you that the purpose of an archive is to store data in a controlled manner, so that it can’t be changed, deleted, modified, etc.  I would also assume that because archived data has GxP value (that is why it is archived to begin with) that it might need protection. The data could represent intellectual property in some cases.  Probably not for temperature monitoring data, but an archived batch record, or archived lab test results, could contain enough information that it could represent intellectual property.  

So, there are business reasons to protect archived data from copying.  The only one who should have access to the archived data is the archivist or archive manager, and they should be able to make decisions on a case-by-case basis on whether the archived data is safe to copy and distribute, and if there are any limits on the distribution.  

So, we look for solutions, not workarounds. 

•    Whenever data is copied, the copies must be labeled as copies to not confuse them with the originals. 
•    Copies must (still) be protected or managed following company policy.  
•    Personnel responsible for protecting and controlling information (QA Documentation, Archivist) will have policies to follow.
•    The policies may, or may not allow the activities you are proposing (e.g. taking the data home or elsewhere for analysis.)
•    Those policies will likely be based on the risks associated with the data you want to copy.

In a functional GxP application, the quality culture mindset can feel like overkill, or at best, inefficient gatekeeping.  Safeguarding source data must become the default. Looking for loopholes or shortcuts gives you firm footing on a slippery slope. 😊