Glossary Term

Data Governance

The management framework — the policies, roles, and oversight — that turns data integrity from a goal into something a firm can actually sustain.

Data integrity is the outcome regulators want. Data governance is how a firm organises people, policies, and accountability to deliver it. Strong governance is what separates programs that pass inspections from programs that scramble during them.

[Figure: Data governance framework showing roles, lifecycle stages, oversight committees, and integration with QMS processes]

What data governance is

Data governance is the management framework — the policies, the named roles, the oversight, the metrics that get reviewed — that operationalises data integrity across a regulated quality system. It defines who's accountable for what data, how data is controlled across its lifecycle, what oversight catches problems, and how the program adapts when something breaks.

Data integrity is the outcome regulators want. ALCOA+ is the diagnostic framework they apply to test the outcome. Data governance is what produces and sustains the outcome over time. Without governance, data integrity becomes a series of one-off projects that work for a year and then drift.

PIC/S PI 041-1 (July 2021), Section 5, is the most detailed regulator-aligned treatment we have. MHRA's GxP DI guidance (March 2018, updated September 2021), the FDA December 2018 Data Integrity Q&A, and WHO TRS 1033 Annex 4 (2021) all address governance roles and accountability in detail.

Governance is what makes integrity durable

A firm can pass one inspection on technical controls alone — audit trails enabled, signatures captured, access restricted. Passing the next inspection, and the one after, requires governance: someone whose job is to keep all of it working when systems change, when people leave, when regulators revise expectations.

Why data governance has moved to the centre of DI inspections

A decade ago, an inspector looking at data integrity asked about audit trails and access controls. Now they ask who owns the program. The shift happened in stages: MHRA's 2018 guidance widened the lens to roles and oversight, and PIC/S PI 041-1 made the governance expectation explicit in 2021. A firm with clean technical controls but weak governance now loses inspections it would have passed in 2013.

Most firms that lose data integrity inspections don't lose because the audit trail wasn't capturing or access wasn't restricted. They lose because no one can answer who owns the program when the inspector asks. The firms that hold up aren't always the ones with the most sophisticated controls — they're the ones who can name an owner, show a review cadence, and produce metrics that had already surfaced the problem before the inspector did.

Inspector perspective: three questions consistently surface data governance gaps in inspections. Who is accountable for this data — a name, not a role. When did that person last actually review it — show records, not assurances. What was done about anything they found — show the follow-up. A program that answers all three with documented evidence is usually a program that holds up.

Where data governance appears in regulator guidance

Data governance is addressed explicitly in modern data integrity guidance and implicitly in older predicate rules:

  • PIC/S PI 041-1 (July 2021), Section 5: the most detailed regulator-aligned treatment. Covers governance structure, accountability, ownership at the data-category level, oversight expectations, integration with the broader QMS.
  • MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): addresses governance roles, management responsibility, accountability for data integrity outcomes.
  • FDA Data Integrity and Compliance With Drug CGMP — Q&A (December 2018): governance principles referenced throughout; the management responsibility section addresses accountability.
  • WHO TRS 1033, Annex 4 (2021): governance treated as part of good data and record management.
  • 21 CFR §211.180(e): quality unit responsibility for evaluation — the predicate for governance oversight on drug records.
  • 21 CFR §211.22: quality unit responsibilities — the accountability predicate behind drug GMP data governance.
  • 21 CFR §820.20: management responsibility for medical device QMS — the governance accountability predicate.
  • 21 CFR Part 11: the §11.10 controls collectively require governance to operate sustainably, not just at the moment of validation.
  • EU GMP Chapter 1 §1.4(xv): pharmaceutical quality system review; senior management is ultimately accountable.
  • EU GMP Annex 11 §1: senior management responsibility for computerised system risk and validation state.
  • ISO 13485:2016 §5.5: responsibility, authority, and communication — the role-definition predicate for device QMS governance.
  • ICH Q10, Section 2: management responsibility within the pharmaceutical quality system.

What a working data governance program contains

The programs that hold up at inspection share a common shape:

  • Data ownership defined at the category level. Laboratory raw data has an owner. Batch records have an owner. Training records have an owner. Audit trail evidence has an owner. The owner is a named role with documented authority, not a vague "QA" attribution.
  • Governance policies live as controlled documents. The data integrity policy, the ALCOA+ implementation SOP, the access control SOP, the audit trail review SOP, the retention policy, the destruction SOP — all under document control, periodically reviewed, with training assigned when they change.
  • Lifecycle controls at every stage. Generation (who can create, validated instruments, contemporaneous capture). Processing (validated calculations, change logging). Review (independent reviewer, defined criteria). Reporting (signed approval, meaning captured). Retention (immutable storage, backup verification, format stability). Retrieval (indexed access, exportable). Destruction (documented disposal with authorisation).
  • Cross-functional integration. Governance touches CAPA (when data issues become CAPAs), change control (when system or process changes affect data), validation (CSV/CSA evidence quality), training (data integrity awareness), supplier qualification (data coming in from contractors), and management review (governance metrics).
  • An oversight body that actually meets. Many firms run a Data Integrity Council or similar — senior representation from QA, IT, manufacturing, lab — that meets periodically to review program metrics, escalations, and emerging risks. Meeting cadence is documented; meeting evidence is retained.
  • Defined leading indicators. The metrics aren't "everything we can count." They're the leading signals that say governance is weakening — audit trail exception rates, access-violation events, data-related deviations, periodic-review completion.
  • Periodic self-assessment of the program itself. Once a year or so, the governance program is reviewed against PIC/S PI 041-1 and MHRA expectations. Findings drive updates. Without this, the program tends to drift from the standards it was originally built against.

What strong data governance programs do

The 'fragmented governance' finding

An inspector sees an audit trail SOP, an access control SOP, a CAPA process that touches data integrity. Each looks reasonable on its own. But when the inspector asks who's accountable for data integrity end-to-end, three people point at each other. That's fragmented governance. The fix isn't more SOPs — it's a charter that names one accountable role and a body that meets and produces evidence.

The programs that survive sustained inspection scrutiny share these patterns:

  • QA owns the program. Not IT. Not a project team. A named senior QA role accountable to the firm's leadership.
  • Named data owners per category. Documented in a governance charter. Updated when roles change.
  • Governance policies under document control. Periodically reviewed, training-on-change enforced, retained for the predicate-rule period.
  • Lifecycle controls documented end-to-end. Not just "audit trail enabled" — the full path from creation to destruction, with controls evidenced at each stage.
  • An operational audit trail review program. Risk-based cadence, independent reviewers, signed evidence, exception follow-up.
  • Periodic access reviews. User access review on cadence (typically quarterly), with documented disposition for each user.
  • A cross-functional governance body that meets. Documented cadence; agenda includes program metrics, emerging risks, and escalations.
  • Metrics trended, not just collected. Audit trail exceptions, access violations, data-related deviations, periodic review completion, time-to-closure on data CAPAs — all tracked over time.
  • Management Review includes governance as a standing input. Per ISO 13485 §5.6.2 and ICH Q10 §3.2.4.
  • Annual self-assessment against PIC/S and MHRA expectations. Findings drive program updates.
  • Training on data integrity expectations. Operators, analysts, reviewers, approvers, IT — all trained on the predicate rules, ALCOA+, and firm-specific SOPs.
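The leading indicators named in the two lists above (audit trail exception rates by system, access-violation events, periodic-review completion) only tell you something when they are trended against the previous period rather than merely collected. The following is an added example, not code from the original page or from Complere, of computing those indicators from audit trail events and flagging the systems where governance is weakening. The event kinds treated as exceptions or violations, the 50% relative-increase threshold, the 90-day (quarterly) review cadence, and every sample event and review date are constructed assumptions for the illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date

Event = namedtuple("Event", "system when kind user")

# Constructed classification: which audit-trail event kinds count as exceptions
# (changes after original capture) and which count as access violations.
# These kinds and the thresholds below are assumptions, not regulator text.
EXCEPTION_KINDS = {"RESULT_MODIFIED", "RECORD_DELETED", "REPROCESSING"}
VIOLATION_KINDS = {"ACCESS_DENIED"}
REVIEW_CADENCE_DAYS = 90  # quarterly review cadence, assumed for the example

# Constructed sample audit-trail events covering Q4 2023 and Q1 2024.
EVENTS = [
    Event("LIMS", date(2023, 10, 5), "RESULT_ENTERED", "analyst1"),
    Event("LIMS", date(2023, 11, 2), "RESULT_ENTERED", "analyst2"),
    Event("LIMS", date(2023, 11, 9), "RESULT_MODIFIED", "analyst2"),
    Event("LIMS", date(2023, 12, 14), "RESULT_ENTERED", "analyst1"),
    Event("CDS", date(2023, 10, 20), "INJECTION_RUN", "analyst3"),
    Event("CDS", date(2023, 12, 1), "INJECTION_RUN", "analyst3"),
    Event("LIMS", date(2024, 1, 8), "RESULT_ENTERED", "analyst1"),
    Event("LIMS", date(2024, 1, 8), "RESULT_MODIFIED", "analyst1"),
    Event("LIMS", date(2024, 2, 19), "RESULT_MODIFIED", "analyst2"),
    Event("LIMS", date(2024, 3, 4), "RESULT_ENTERED", "analyst2"),
    Event("CDS", date(2024, 1, 15), "INJECTION_RUN", "analyst3"),
    Event("CDS", date(2024, 2, 2), "REPROCESSING", "analyst3"),
    Event("CDS", date(2024, 3, 11), "INJECTION_RUN", "analyst4"),
    Event("EQMS", date(2024, 2, 27), "DOC_APPROVED", "qa_lead"),
    Event("EQMS", date(2024, 3, 20), "ACCESS_DENIED", "contractor7"),
]

# Constructed dates of the last completed periodic review per system.
LAST_REVIEWS = {"LIMS": date(2024, 1, 31), "CDS": date(2023, 9, 30), "EQMS": date(2024, 3, 15)}


def in_period(event, start, end):
    return start <= event.when <= end


def exception_rate_by_system(events, start, end):
    """Share of audit-trail entries per system that are exceptions within the period."""
    totals, exceptions = defaultdict(int), defaultdict(int)
    for e in events:
        if in_period(e, start, end):
            totals[e.system] += 1
            if e.kind in EXCEPTION_KINDS:
                exceptions[e.system] += 1
    return {s: exceptions[s] / totals[s] for s in totals}


def access_violations(events, start, end):
    """Access-violation events in the period, each one an item for follow-up."""
    return [e for e in events if in_period(e, start, end) and e.kind in VIOLATION_KINDS]


def worsening_systems(current, previous, relative_increase=0.5):
    """Trend check: systems whose exception rate rose by more than the threshold
    versus the prior period (a rate appearing where there was none counts too)."""
    flagged = []
    for system, rate in current.items():
        prev = previous.get(system, 0.0)
        if prev == 0.0:
            if rate > 0.0:
                flagged.append(system)
        elif (rate - prev) / prev > relative_increase:
            flagged.append(system)
    return sorted(flagged)


def overdue_reviews(last_reviews, today, cadence_days=REVIEW_CADENCE_DAYS):
    """Systems whose last periodic review is older than the required cadence."""
    return sorted(s for s, d in last_reviews.items() if (today - d).days > cadence_days)


def review_completion_rate(last_reviews, today, cadence_days=REVIEW_CADENCE_DAYS):
    on_time = len(last_reviews) - len(overdue_reviews(last_reviews, today, cadence_days))
    return on_time / len(last_reviews)


def governance_dashboard(events=EVENTS, last_reviews=LAST_REVIEWS, today=date(2024, 4, 1)):
    """Leading indicators for the current quarter, trended against the previous one."""
    q4 = (date(2023, 10, 1), date(2023, 12, 31))
    q1 = (date(2024, 1, 1), date(2024, 3, 31))
    prev_rates = exception_rate_by_system(events, *q4)
    cur_rates = exception_rate_by_system(events, *q1)
    return {
        "exception_rate": cur_rates,
        "worsening": worsening_systems(cur_rates, prev_rates),
        "access_violations": [(e.system, e.when.isoformat(), e.user)
                              for e in access_violations(events, *q1)],
        "overdue_reviews": overdue_reviews(last_reviews, today),
        "review_completion": review_completion_rate(last_reviews, today),
    }


if __name__ == "__main__":
    for name, value in governance_dashboard().items():
        print(f"{name}: {value}")
```

Run on the constructed data, the dashboard flags LIMS (exception rate doubled quarter on quarter) and CDS (reprocessing appeared where there had been none), lists the one access-violation event for disposition, and reports CDS as overdue for periodic review; each of those is the kind of signal a governance body would expect to see before an inspector finds it.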

How Complere supports data governance

Data governance is a discipline your quality team owns. No software product can deliver it for you. What Complere gives you is the infrastructure your program runs on — concrete controls your policies can point at and inspectors can see in action.

Every important record across the system carries its own history of who did what, when, and why. You can read it, you can export it, and no one can quietly change or delete it. Your records stay in your own space — your data never mixes with another customer's.

When someone in your team signs something — approving a document, closing a CAPA, authorising a change, signing off an audit finding — the signature shows who signed, the moment they signed, and why they signed (review, approval, responsibility, or authorship). Roles decide who can sign what; the system checks the person actually has the authority before letting them sign. Logins are individual, never shared.
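The two properties described in the preceding paragraphs, a per-record history that no one can quietly change or delete, and a signature that records who signed, when, and with what meaning only after the system has checked the signer's authority, are shown below as an added illustration. This is not Complere's code and makes no claim about how the product stores its records; the hash-chained history, the role-to-meaning table, the record id and the sample entries are all constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

# Constructed policy: which signature meanings each role may apply.
# Hypothetical role table for the example, not a product configuration.
SIGNATURE_MEANINGS = {"review", "approval", "responsibility", "authorship"}
ROLE_PERMISSIONS = {
    "analyst": {"authorship"},
    "reviewer": {"review"},
    "qa_approver": {"approval", "responsibility"},
}
GENESIS = "0" * 64  # chain anchor for the first entry of every record


@dataclass(frozen=True)
class Entry:
    seq: int                  # position in the record's history
    actor: str                # individual user id, never a shared login
    role: str
    timestamp: str            # ISO 8601, UTC
    action: str               # what was done
    meaning: Optional[str]    # signature meaning, or None for a non-signing action
    prev_hash: str            # hash of the previous entry (the chain link)
    entry_hash: str           # SHA-256 over this entry's fields and prev_hash


def _digest(record_id, seq, actor, role, timestamp, action, meaning, prev_hash):
    payload = json.dumps([record_id, seq, actor, role, timestamp, action, meaning, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RecordHistory:
    """Append-only history for one record; each entry is hash-chained to its predecessor."""

    def __init__(self, record_id: str):
        self.record_id = record_id
        self.entries: List[Entry] = []

    def append(self, actor, role, timestamp, action, meaning=None) -> Entry:
        if meaning is not None:
            if meaning not in SIGNATURE_MEANINGS:
                raise ValueError(f"unknown signature meaning: {meaning}")
            # Authority is checked before anything is written to the history.
            if meaning not in ROLE_PERMISSIONS.get(role, set()):
                raise PermissionError(f"{actor} ({role}) may not sign with meaning '{meaning}'")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        h = _digest(self.record_id, seq, actor, role, timestamp, action, meaning, prev)
        entry = Entry(seq, actor, role, timestamp, action, meaning, prev, h)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; any edit, deletion or reorder breaks it at the first bad index."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(self.record_id, e.seq, e.actor, e.role,
                               e.timestamp, e.action, e.meaning, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False, i
            prev = e.entry_hash
        return True, None

    def export(self):
        """Readable, exportable form of the history (who, when, what, why, chain hashes)."""
        return [asdict(e) for e in self.entries]


def tamper_detection_demo():
    """Build a small history, then show the authority check and the tamper evidence."""
    h = RecordHistory("CAPA-0042")  # constructed record id
    h.append("analyst1", "analyst", "2024-03-04T09:12:00Z", "drafted investigation", "authorship")
    h.append("reviewer2", "reviewer", "2024-03-05T14:30:00Z", "reviewed investigation", "review")
    h.append("qa_lead", "qa_approver", "2024-03-06T10:05:00Z", "closed CAPA", "approval")
    results = {"clean": h.verify()}

    blocked = False
    try:  # an analyst has no authority to approve; nothing is recorded
        h.append("analyst1", "analyst", "2024-03-07T08:00:00Z", "closed CAPA", "approval")
    except PermissionError:
        blocked = True
    results["unauthorised_blocked"] = blocked
    results["after_blocked_attempt"] = h.verify()

    # A quiet edit of a stored entry (rewriting what was done) breaks the chain there.
    edited = RecordHistory(h.record_id)
    edited.entries = list(h.entries)
    edited.entries[1] = replace(edited.entries[1], action="approved investigation")
    results["after_edit"] = edited.verify()

    # A quiet deletion of the review step breaks the chain at the gap.
    deleted = RecordHistory(h.record_id)
    deleted.entries = [h.entries[0], h.entries[2]]
    results["after_delete"] = deleted.verify()
    return results


if __name__ == "__main__":
    for check, outcome in tamper_detection_demo().items():
        print(f"{check}: {outcome}")
```

The chain makes modification and deletion detectable, not impossible; in a real system the verification runs as part of the audit trail review and the stored hashes are protected from the same accounts that can write entries, otherwise an attacker with write access could simply rebuild the chain.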

Your governance policies — the data integrity policy, your access control SOP, your retention rules, your audit trail review SOP — live in the same controlled-document workflow as every other regulated document. They get approved, version-controlled, and trigger training when they change. Every other system you build around them inherits the same discipline.

What stays with your team: deciding who owns what, how often things get reviewed, what gets escalated, when to refresh the program against new regulator guidance. Complere makes that discipline easy to operate and easy to evidence — not easy to skip.

Frequently asked questions

Common questions about Data Governance sourced from regulatory references and inspection patterns.

What's the difference between data governance and data integrity?

Data integrity is the outcome — data that's complete, consistent, accurate, attributable across its lifecycle. Data governance is the management framework that produces and sustains that outcome: who's accountable, what policies apply, how oversight works, what metrics get reviewed. Without governance, data integrity becomes a series of one-off projects that work for a while and then drift.

Where do regulators discuss data governance specifically?

PIC/S PI 041-1 (July 2021), Section 5, has the most detailed treatment — it lays out governance structure, accountability, and oversight expectations explicitly. MHRA's GxP DI guidance (March 2018, updated September 2021) addresses governance roles. The FDA December 2018 Data Integrity Q&A references governance principles. WHO TRS 1033 Annex 4 (2021) treats governance as part of good data and record management.

Who owns data governance — QA, IT, or someone else?

QA owns the program; IT enables it. The questions data governance answers — who's accountable for this data, what's our review cadence, are anomalies being investigated — are quality questions, not IT questions. Programs that sit primarily in IT consistently fail inspection because the questions inspectors ask aren't IT questions.

What does 'data ownership' actually mean?

A named role accountable for a defined data set — who can create it, who approves it, who maintains it, who decides when it can be archived or destroyed. PIC/S PI 041-1 §5.2 expects ownership to be defined at the data category level (laboratory raw data, batch records, training records, audit trail evidence). Undefined ownership is one of the most common data governance findings.

How does data governance connect to the data lifecycle?

Governance applies across the whole lifecycle: who can create the data, what transformations are permitted, who validates, who releases it into regulated decisions, how it's stored, who can retrieve it, and when it's destroyed. A control gap at any stage produces a governance gap that surfaces in inspections.

What metrics does a data governance program track?

Audit trail exception rates by system, access-violation events, data-related deviations, periodic-review completion rates, training compliance on data integrity SOPs, time-to-closure on data-related CAPAs. The point isn't to track everything; it's to track the leading indicators that signal where governance is weakening.

What's the most common data governance finding in inspections?

Fragmented governance. Pieces of the framework exist — an audit trail SOP, an access control SOP, a CAPA process touching data integrity — but they're not connected into one coherent program with named accountability. Inspectors find programs that look fine on paper but where, when asked who owns this end-to-end, three people point at each other.

Is data governance the same as data privacy or GDPR?

No. GDPR and similar privacy regulations govern personal data protection. Data governance in a GxP context is about quality and regulatory data integrity. They overlap on access control, retention, and lifecycle, but the questions and standards differ. Most regulated firms run them as parallel programs with some shared infrastructure.


See data governance controls in action during a Complere demo

Walk through how Complere supports a data governance program — per-record audit trail, tenant separation, role-based access, signed actions with meaning, and the controlled-document layer that policies live in.