Data Integrity

What data integrity means in regulated quality

Data integrity is the assurance that regulated data stays complete, consistent, accurate, and attributable throughout its lifecycle. It applies to every record used to make GxP decisions: manufacturing batch records, laboratory results, training history, deviations, CAPAs, change requests, audits, validation evidence. It applies across all media (paper, hybrid, fully electronic).

Data integrity is an outcome. The ALCOA+ framework is the diagnostic test regulators apply to assess whether the outcome has been achieved. The Part 11 §11.10 controls, EU GMP Annex 11 controls, and the related governance practices are the mechanisms by which data integrity is produced and maintained.

Modern data integrity expectations are codified in regulator guidance from FDA, MHRA, WHO, PIC/S, and ICH. The term predates these documents, but the focused regulator emphasis followed a decade of high-profile inspection findings in laboratory data, beginning with the 2014 MHRA inspection wave and reinforced by FDA enforcement actions across the years that followed.

Why data integrity sits at the top of every regulator priority list

The 2014 MHRA inspection wave exposed systematic data integrity failures at multiple manufacturers. The FDA enforcement actions that followed, concentrated on chromatography systems, produced hundreds of warning letters across the next decade citing deleted injections, shared analyst accounts, audit trails not enabled or not reviewed, and results manually altered without justification. Several firms faced import alerts and consent decrees.

The pattern across these findings was the same. Data integrity controls hadn't kept pace with the operational shift from paper to electronic systems. Predicate rules continued to require complete, accurate, attributable records, but firms hadn't always implemented electronic controls (audit trail, unique accounts, immutable storage, reason-for-change) to the same depth as their paper-era controls.

Regulators responded with explicit data integrity guidance: MHRA in March 2018 (updated September 2021), PIC/S in July 2021, WHO in 2019, FDA's December 2018 Q&A. The sustained inspection focus continues today. Data integrity findings are now a leading driver of warning letters in regulated industries.

Inspector note: In a current inspection, I expect to see data integrity treated as a first-class quality concern, not a side-topic owned by IT. The firms that handle data integrity inspections well are the ones whose QA function owns the data integrity program, sets the controls, runs the audit trail review SOPs, and treats data integrity findings with the same seriousness as a product quality finding.

The data integrity guidance landscape

Modern data integrity guidance from each major regulator references ALCOA+ explicitly and sits on top of predicate-rule record-keeping obligations:

• MHRA 'GxP' Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021) — most-cited single document on data integrity
• PIC/S PI 041-1 (July 2021) — most detailed regulator-aligned interpretation
• WHO TRS 1033, Annex 4 (2019) — for WHO-regulated systems
• WHO TRS 996, Annex 5 (2016) — earlier WHO framework
• FDA Guidance: Data Integrity and Compliance With Drug CGMP — Q&A (December 2018) — FDA's explicit DI guidance
• 21 CFR §211.68(b) — computerized systems
• 21 CFR §211.180 + §211.194 — record retention + lab records
• 21 CFR Part 11 — §11.10(e) audit trail underpins electronic DI
• EU GMP Chapter 4 — documentation principles for GMP records
• EU GMP Annex 11 — EU electronic-record framework
• ISO 13485 §4.2.5 — control of records for device QMS
• ICH Q9(R1) (Step 4, January 2023; EU GMP adoption effective July 2023) — quality risk management; data integrity criticality drives risk-based control depth

Data integrity across the data lifecycle

Data integrity isn't a moment-in-time check. Controls apply at every stage of the data lifecycle. Inspection findings cluster around stages where controls were weakest.

• Generation. Initial capture from instrument, person, or system. Controls: validated instrument; authenticated user; server-side timestamp; original raw data preserved; contemporaneous recording. Common finding: manual transcription from instrument output to spreadsheet, original discarded.
• Processing. Transformation, calculation, aggregation, integration. Controls: validated calculations; processing parameters captured as metadata; reprocessing rules controlled; audit trail on processing changes. Common finding: chromatography reprocessing without audit trail capture of parameter changes.
• Review. Verification by a qualified reviewer. Controls: independent reviewer; documented review evidence; audit trail review on cadence; review of metadata, not just final results. Common finding: results approved without review of audit trail or raw data.
• Reporting. Release into a regulated decision. Controls: signed approval with meaning per §11.50; signature-to-record binding per §11.70; reason-for-change at post-approval edits. Common finding: signatures without meaning, or separable from the underlying record.
• Retention. Storage for predicate-rule period. Controls: immutable storage; backup with verified restore; migration validated; format-stability; tenant isolation; access controls. Common finding: records in proprietary formats unreadable after software retirement.
• Retrieval. Production for review or inspection. Controls: indexed; exportable in human-readable durable format (PDF/A, CSV, XML); retrievable in minutes. Common finding: archived records taking weeks to retrieve.
• Destruction. Secure end-of-life disposal. Controls: documented destruction (what / when / who / under whose authority). Common finding: undocumented destruction or premature destruction.

What strong data integrity programs share

The most reliable controls aren't the most technical. They're the ones that operationalize ownership and routine:

• QA owns data integrity — program sits in QA, not IT
• Data governance documented — policy, roles, responsibilities, review cadences, escalation per PIC/S PI 041-1 §5
• Periodic DI self-assessment — risk-based internal review against ALCOA+; findings tracked through CAPA
• Audit trail review SOP — independent reviewer, defined cadence, signed evidence
• Unique accounts and authentication — provisioning, deprovisioning, §11.300 password controls
• System validation includes DI — CSV/CSA explicitly addresses §11.10 + ALCOA+
• Instrument-to-system transfer automated or controlled — manual transcription has documented secondary review where unavoidable
• Backup and restore verified — periodic restore tests documented
• Migration discipline — system/media changes validated end-to-end
• Training on DI — operators, analysts, reviewers, approvers all trained

How Complere supports data integrity

Data integrity isn't something you bolt onto a system after the fact — by the time an inspector looks at your records, the controls either held or they didn't. Complere is built so the ALCOA+ controls inspectors look for are already in place for every regulated record your team creates, with the same behaviour across documents, complaints, CAPAs, audits, changes, and risk records. Your quality lead doesn't have to validate that the rules are applied the same way in five different module silos.

Every action your team takes on a regulated record — create, edit, sign, approve, view, export — is captured with who did it, when, and the reason. The history can't be quietly edited or deleted from anywhere in the application; once it's recorded, it stays. Timestamps come from a single server-side clock, so an analyst's laptop time or a roaming user's timezone can't drift your record. Across customers, your data stays in your own space; it never mixes with another firm's.

Logins are individual, never shared, so attribution holds when an auditor asks who signed the result. When someone signs something, the signature shows who signed, the moment they signed, and what they were signing for (review, approval, responsibility, or authorship), with the signer picking the meaning before applying the signature. Your team can require a reason on material edits to regulated records, so post-approval changes are explained at the moment they happen, not back-filled later.

When you need to produce evidence to an inspector — the audit trail for a batch release, the signing history for a CAPA closure, the change history on a controlled SOP — Complere produces a human-readable export your team can hand to the agency directly, filterable by record, user, action, and date. Controlled templates carry the required fields, signature settings, and validation rules so individual records inherit them; new records don't drift from the rules because someone forgot to tick a box. A Vendor Validation Package ships with the platform — VMP, URS, IQ/OQ/PQ evidence, and a traceability matrix linking each requirement to the automated CI test run that proves it — so your team starts from a CSA-aligned evidence baseline rather than building validation documentation from scratch.

What stays with your team: the data governance program, the audit trail review cadence, the periodic self-assessment against ALCOA+, the training that turns the controls into habits. Complere provides the technical controls and the evidence; the data integrity program around them stays your team's discipline.

Terms related to data integrity

Data integrity sits within a wider data governance and validation cluster. Related terms:

• ALCOA+ — diagnostic framework
• Audit Trail — principal §11.10(e) + Annex 11 §9 control
• 21 CFR Part 11 — the predicate
• Document Control
• Out of Specification
• Validation
• Deviation
• Data Integrity & Audit Trails (compliance hub)