How to Write and Implement Data Integrity Policy?


Implementation of Data Integrity Policy (DIP) is a compulsory need in today's regulatory environment. This policy helps the pharmaceutical companies to come out from the terrifying consequences of a breach of data integrity. The data integrity policy gives control to the company's management over the manufacturing activities and sets a compliance standard in the company. The regulatory agencies definitely appreciate the company that implements the data integrity policy because it's the first step in preventing the manufacture of adulterated drugs.

Today, every business is in a data-driven environment. So the pharmaceutical industry is not an exception to this.

In this era of modern technology, reliability and accuracy of the data are the growth factors for any kind of business.

The data management and the level of controls to protect the data integrity determines the future of a pharmaceutical company.

Therefore, there should be a well-defined policy on data integrity, which must reflect the core value and commitment of the company.

The data integrity policy is an important one among all other policies and every company should possess it.

It has to be written very carefully because it reflects the commitment of the company for data protection and its maintenance.

Before writing the policy, you should be aware of what data your company produces. Even before that, you should have a thorough understanding of the importance of data.

Data management plays a vital role in the pharmaceutical business.

The Importance Of Data In Pharmaceutical Industry

Importance of Data in Pharma

Pharmaceutical industry, mainly deals with the health of the public. It manufactures medicinal drugs. Pharmaceutical drugs are chemicals which are identified and used for the treatment of diseases.

Our human body also produces certain chemicals. It regulates them very intelligently to preserve and sustain its existence in nature. We all know the chemical imbalance in our human body leads to many diseases. So we take the medicines to balance these chemicals. It means the shortage of chemicals in the human body is fulfilled by sending pharmaceutical drugs into it through various ways.

So it's clear that the only chemical that can cure your disease should be in the medicine. The additional chemicals in it naturally harm the body and create new diseases. These additional chemicals are called impurities.

Impurities will come along with the main ingredient due to the limitations of the manufacturing process or inefficient manufacturing process or carelessness during the manufacturing process.

Hence, it is essential to record each and every detail of drug manufacturing. Evidence should be in place to prove the compliance of pharmaceutical drug manufacturing with cGMP. Documentary evidence must be established to show a medicinal drug contains no impurities or the impurities are within the acceptable criteria.

The accumulation of all these details, at all steps of manufacturing, is called data. Data may exist either in paper or electronic form or in a hybrid (paper + electronic) state. This data is the main source for the evaluation of the drug manufacturing process. Regulatory agencies verify this data and judges whether the drugs are manufactured as per the regulations set forth in the law or not.

Hence, the sanctity and integrity of the data have absolute importance in the drug approval process. The completeness, consistency, and accuracy of the data will decide the fate of the pharmaceutical company.

The Role Of Data Management In Pharmaceutical industry

Role of Data Management

The data provides information about the work being executed.

Based on this information, the decision will be taken to move the things further.

So data management is a crucial part of the business environment.

Management of data includes multiple tasks.

The following things are the part of data management.

  1.   Sources for the generation of data.
  2.   Type of the data. Example: videos, photographs, text/numeric, microfilms, paper records, electronic records etc.
  3.   Data structure. Example: structured data (database) and unstructured data (email, MS Office docs)
  4.   Data storage media.
  5.   Handling of Data.
  6.   Ease of searching data.
  7.   Data security measures.
  8.   The lifecycle of data.

Perfect data management ensures the accuracy of the information. The more accurate the information, the sharper the decision.

Guiding Principles To Write And Implement The Data Integrity Policy

Guiding Principles

Writing a policy for the data integrity is not an easy task as you think. It requires a complete understanding of your business, current practices, existing policies and regulatory requirements.

You must take into account the capability of the organization to implement the policy. It demands a significant technical, human and monetary resources for its successful implementation.

First of all, management has to identify and declare a responsible person (Policy Owner) to prepare and implement the data integrity policy.

You must select only the expert as a policy owner.

Then follow the steps given below to write the policy.

  1.   Define the scope of the data integrity policy.
  2.   Collect all the necessary information.
  3.   Form a team to discuss the policy include employees from all departments & work levels.
  4.   Prepare a draft of data integrity policy.
  5.   Take the legal opinion on the policy.
  6.   Publish the data integrity policy.
  7.   Prepare procedures to implement the things written in the policy.
  8.   Train the employees on the policy and its relevant procedures.
  9.   Review the data integrity policy periodically.

Let us go through some details of each step, for better understanding and effective writing of the policy.

Setting A Background To Write The Data Integrity Policy

Background to Data Integrity Policy

1. Define the scope of the data integrity policy

At first, set the goal and objective of the data integrity policy. This helps to understand to what extent the policy needs to be enhanced. The goal gives you a clear picture of the boundary of the policy.

Then prepare a blueprint of data sources in your company. It should include each and every department, which is linked to your commercial product.

Now list out the areas that fall under the policy's scope.

2. Collect all necessary information.

This is a very important step to focus on and much attention is needed. Information on data source, includes everything about the data.

Collect the information from all departments. The given below table is an example.

Data Collection

Collect all the incidents related to data integrity. List out all the root causes and verify the effectiveness of the CAPAs. Document the Limitations and failures of CAPA if any.

List out all kinds of software and firmware which are in use in the company. In the same way, collect the details of paper documentation in all departments.

List out all the possible sources that can lead to the breach of data integrity. This list should include both technical and human elements.

3. Form a team to discuss the policy

Once the goal is set and the necessary information is collected, the Policy Owner shall form a team. Invite persons from all departments and from all work levels and make them as team members.

Discuss the following things based on the above-collected information:

  1.   The necessity of the policy
  2.   The scope of the policy
  3.   Existing issues of data integrity
  4.   Solutions for the data integrity issues
  5.   Guidelines to include in the data integrity policy
  6.   Handling of policy violations
  7.   Consequences for the violation of policy
Document the discussion along with all comments of team members. The cream of the discussion should be the basis for the writing of the policy.

Preparation Of A Draft For The Data Integrity Policy


Write the policy using a clear and active language. Statements should contain few words which do not lead to any confusion and complexity.

The clarification that provided to understand a statement should never alter the core meaning of the policy.

Prepare the policy in the following format. The aim of the examples stated here is only to provide an idea to you.

You have to write the policy considering your company's size, resources, existing policies and business.

An example format of the Data Integrity Policy (DIP):

1. Title

Write a precise title with utmost care because it reflects the objective of your policy.


Title: Global Data Integrity Policy.

2. Purpose

State the purpose of this policy. Clearly write the objective and expected results of the policy in a plain language.


Quality of the pharmaceutical products is built on the accuracy and completeness the data generated during the manufacturing process. Data integrity is a core part of the pharmaceutical quality system. Compliance requirements are equally applicable to both electronic data and paper records.

The purpose of Data Integrity Policy is:
  1. To set a global standard for the maintenance of both electronic data and paper records in the organization.
  2. To bring transparency in all manufacturing activities.
  3. To meet all government regulations and ensure compliance with cGMP.

3. Scope

Define the areas and divisions that cover by this policy.


All the departments and divisions at the corporate level and all the departments in the manufacturing plants should comply with this policy.

4. Responsibility

Clearly define the responsibilities of the employee/department regarding the policy.

  1.   Compliance officer is responsible to publish and implement the policy.
  2.   Individual departments are responsible to prepare procedures in support of the policy.
  3.   The Corporate Quality Assurance department is responsible for the monitoring of performance indicators.
  4.   It is the responsibility of every employee to comply with the policy.

5. Policy

This is the section which dictates guidelines to follow for the protection of data integrity. Write the guidelines considering the key factors that endangering data integrity in your company. Put the topics in a logical order and choose a right heading/subheading. You can include instructions, forms, flowcharts, etc., which make the policy meaningful and goal oriented.


A. Software
  1. All software which is used in the business and manufacturing activities should contain an audit trail function to track the activity of the user. If this function is not available, establish the alternate tracking system.
  2. User must access the software through an individual login account.
  3. The expiry date of a password is 90 days.
  4. All software must be validated after the installation.
  5. The administrator for all software shall be from Information Technology (IT) department.

B. Electronic Data Backup
  1. Electronic data backup shall be done by Information Technology (IT) department.
  2. Use only validated data backup methods for the backup of all kinds of electronic data.

C. Employee Behaviour
  1. All employees in the organization must follow this policy and must comply at all times.
  2. Employees must report the violations immediately through the defined reporting system.
  3. Employees should not breach the data integrity, in any form, intentionally with wrong motives.
  4. An intentional approach for the breach of data integrity is subject to the disciplinary actions mentioned in the Section: Consequences for breach of the Data Integrity Policy.

6. Reporting of Data Integrity Policy Violations

Provide detailed information on how to report the violations. There should be no ambiguity in the process of reporting.

  1. It is the responsibility of every individual, department and division to bring all violations of this policy, to the notice of senior management through the below-defined reporting system.
  2. Report the issues through email. Use the below e-mail ID for the reporting of issues.
    Email ID:
  3. The chief compliance officer immediately initiates the investigation on policy violations and informs the senior management.

7. Consequences for breach of Data Integrity Policy

Describe the disciplinary actions and punishments that are applicable in case of violation of the policy.


A. Disciplinary Actions - Violation of policy due to insufficient training.
  1. Do not allow the employee to perform the tasks.
  2. Provide the employee effective training.
  3. Evaluate the employee's knowledge of the policy after the retraining.
  4. Allow the employee to perform the tasks after satisfactory completion of retraining.

B. Disciplinary Actions - Violation of policy due to negligence
  1. Give an informal warning in the form of advice for the first violation.
  2. Issue a formal warning letter for the second violation
  3. Suspend the employee for a month for the third violation.
  4. If the violation repeats more than three times consider it as an intentional violation and disciplinary action shall be initiated as per the section " Intentional violation of policy"

C. Disciplinary Actions - Intentional violation of data integrity policy
  1. Immediately suspend the employee for 6 months.
  2. File the complaint and investigate the root cause and estimate the impact of the violation on the product or patient.
  3. After the completion of the investigation, terminate the employee.

8. Definitions

Give definition to all critical terms in the policy to remove the ambiguity and confusion in understanding it. The definition provides clarity to the given statement in the policy.


Chief Compliance Officer: He is the person who is responsible to implement the policy across the organization and investigates all violations of the policy as per the laid rules in the company. He is responsible to report all violations to the senior management.

9. Related Documents

Provide a list of documents that are directly related to your policy. They may belong to other internal policies, government acts or compliance requirements of drugs. It depends on the location (country) of your company. It is also important to consider the drug laws of the countries where you are marketing your products. This list brings awareness of the statutory requirements.

After the completion of draft preparation, send the copy to all team members and all department heads and their second line of management for the review of policy. Consolidate all the opinions and suggestions; evaluate them. Consider only those points which are not affecting the goal of the policy. Make a final draft and proceed for the legal opinion.

Take Legal Opinion On The Policy


You can protect yourself from many legal disputes by seeking a legal opinion before the enforcement of the policy.

Since the pharmaceutical companies are dealing with the people (staff and patients) and regulatory agencies, the policies will fall within the jurisdiction of the courts.

Hence, you should write the policy carefully by selecting appropriate words. You must give the definition of all critical words that used in the policy, to remove the doubts and eliminate uncertainty.

Finding the right reviewer to review the policy is a great challenging task. The reviewer must be an expert and should have adequate knowledge on both statutory requirements of the company and drug regulations.

Legal opinion is required because you have to take a particular course of actions against the persons who break the policy. In such cases, you should not crush the fundamental rights provided by the constitution.

Sometimes the lapses in your policy may harm the patients significantly. So, these matters are very delicate and to be handled carefully and legally.

The policy should not go beyond the law since the existence of the company itself is based on the law. The guidelines composed in the policy should be meaningful and practical.

The company must ensure the prepared policy is legal and fair. After the expert's review, tweak the document as per his suggestions and make ready the final copy.

Publishment Of Data Integrity Policy


The final draft of the policy, which was reviewed by the attorney, should go for the approval of senior management who is ultimately responsible for the business.

Senior management has to review the document thoroughly and once again look into the requirement of resources to implement the policy effectively. Why, because the implementation of some guidelines may need resources immediately. Hence, it's better to ensure the availability of all required resources before the approval of the policy.

Otherwise, it will lead to so many other issues which may drag the company into legal disputes. It is not fair to expect the employees to comply with the policy, without proper arrangements of the needed things.

After finishing the approval process, publish the signed document and release the copies of it to all the relevant people.

Preparation Of The Procedures For The Implementation Of The Policy


Once the official copy of the data integrity policy is published, get ready to prepare the procedures to implement the policy. There is a difference between policy and procedure.

A policy gives you overall guidelines to follow. It reflects the organization's culture and values. It explains the expected behaviour of the employees and the required standards of legal, regulatory or internal standards.

On the other hand, a procedure provides the mechanism to implement the policy guidelines. It directs the ways of implementation along with the instructions and methods.

Prepare the procedures department wise. This is because the type of data, software and firmware differs based on the nature of the work and scope of the software/firmware application. Procedures must include a detailed method, instructions, and logical steps. The procedure is all about what to do, when to do, how to do and who has to do.

Example :

Policy Statement
Backup of electronic data shall be done in all departments and data shall be retained up to the necessary the period.

Electronic Data Backup Procedure for QC Department :

The electronic data is generated in the QC lab during the testing of all kinds of materials. Different types of software and firmware are used in the analytical testing process. The electronic data that generated from all the instruments of QC shall be backed up periodically. The activity shall be performed as directed below.

  1. Data backup shall be taken by the IT personnel as per the SOP: IT-SOP-QC 001 / Version:00
  2. Data backup shall be taken for every instrument as per the defined period in the SOP: IT-SOP-QC 001 / Version:00
  3. Data shall be backed up onto the media that defined in the SOP: IT-SOP-QC 001 / Version:00
  4. Electronic data shall be retained based on the product's requirements which are described in the SOP: QC-SOP 001 / Version:00 Title: Record Retention and Destruction.
  5. Backed up electronic data shall be destructed safely, after the completion of its retention period, as described in the SOP: QC-SOP 001 / Version:00 Title: Record Retention and Destruction.

The above example is just an outline of the procedure, for the understanding purpose and to give you an idea. You have to write the procedures as per your company's standard format.

It's necessary to develop procedures department wise for the implementation of the policy. Otherwise, the policy will remain only on the paper. Having a policy without the right mechanism of implementation is a quite dangerous situation and leads to severe non-compliance issues.

Train The Employees On The Policy And Its Relevant Procedures

Training on Policy

Another crucial step in the policy implementation process is training to the employee on the policy.

Circulate the policy copies to each and every employee and ask them to read and understand. Then take a signature on the copy as a token of his agreement to the policy and file it.

Conduct the training programs on the policy and procedures by showing practical examples. Evaluate the effectiveness of training and document it.

Collect the queries raised during the training program and prepare a document called "Frequently Asked Questions and Answers".

Ensure the availability of copies of 'Data Integrity Policy' and 'Frequently Asked Questions and Answers' at the workplace of the employee.

Periodical Review Of The Data Integrity Policy

Review Policy

No policy is eternal. It is subject to change based on the current needs and the latest regulatory requirements. Similarly, data Integrity policy also may need a change. So it has to be reviewed from time to time to meet the latest requirements.

You have to monitor the policy continually for its performance. The length of the success to be measured periodically, to understand what is needed for the improvement of the policy. Define the performance indicators to measure the strength of the policy to reach the specified goal.

You can consider the number of incidents, technical errors, and manual mistakes (intentional and unintentional) as the performance indicators. Measure the performance periodically and record the data.

Figure out the critical problems which are affecting the aim of the policy. Evaluate the existing procedures, based on the listed out critical problems. Identify the gaps and strengthen the procedures by including some new steps or removing the unnecessary steps.

If the performance of the policy is not satisfactory, even after the implementation of effective procedures in support of it, it means that the time has come to reassess that policy.

Revise the policy as per the needs and regulatory requirements to reach the final goal.


The data integrity policy is an essential requirement for any pharmaceutical company. This policy holds the company's staff to the defined standard and enables the company to get over all control on the business.

Prepare the policy after a rigorous brainstorming based on the existing data of data integrity issues. Take a legal opinion on the policy before its implementation.

Explain the meaning of the key terms in the policy for a better understanding of employee. Develop procedures in each department for the successful implementation of the policy.

In the whole process, training of the employee on data integrity policy is the major task to execute cautiously. Clearly define and communicate the consequences for the breach of data integrity policy.

Monitor the performance of the policy using some performance indicators and do the needful changes based on the feedback. Review the policy periodically and revise it based on the current needs and requirements.

Data integrity policy increases the confidence of the regulatory agencies in the company's manufacturing activities.

SHARE this article with your friends, if you feel this is helpful. It may help them if they are in need. Each one help one.

Author Profile


Ram Kumar Reddy

Ram Kumar Reddy is the founder of Pharma Times Now. Helping Pharmacy and Chemistry students, along with the pharma employees, in learning pharmaceutical science. He has 24 years of rich experience in the Pharmaceutical industry and well versed in quality systems. He worked with Dr.Reddys and Sai Life Sciences. He lives in Hyderabad, India.

1 comment: