Review this exciting guide to some of the recent content additions to Practical Guidance, designed to help you find the tools and insights you need to work more efficiently and effectively. Practical Guidance...
By: Romaine Marshall and Jennifer Bauer , Polsinelli PC This article addresses the broad scope of artificial intelligence (AI) laws in the United States that focus on mitigating risk, and discusses the...
By: Bijan Ghom , Saxton & Stump This article addresses existing deepfake technology and covers topics such as the available platforms to both create and detect deepfakes and the best practices for...
By: Ellen M. Taylor , SLOAN SAKAI YEUNG & WONG LLP THIS ARTICLE ADDRESSES THE BROAD SCOPE OF artificial intelligence (AI) laws in the United States that focus on mitigating risk. AI-driven employment...
By: Jessica Bishop and Sarah Stothart , GOODMANS LLP This checklist provides an overview of key legal considerations attorneys should review when advising clients on negotiating and drafting contracts...
Copyright © 2025 LexisNexis and/or its Licensors.
By: Scott Bass and Deeona Gaskin, Sidley Austin LLP
This article addresses key topics related to the management of data by drug, biologic, and medical device companies whose products are regulated by the U.S. Food and Drug Administration (FDA). This includes strategies for identifying potential data integrity compliance gaps and questions to ask drug, biologic, medical device, and other life sciences clients.
ALTHOUGH THIS ARTICLE FOCUSES PRIMARILY ON THE FDA’s approach to data integrity, you and your client should be aware that other agencies in Europe, China, Japan, and Australia have adopted similar approaches in trying to ferret out sneaky or sloppy record-keeping practices by drug and medical device companies. To the extent that your client’s business operations extend to countries other than the United States, you and your client must understand the applicable laws, regulations, and agency guidance in those other jurisdictions. Where necessary, consult with an attorney with expertise in advising clients in those jurisdictions.
In the 1970s, the FDA finalized the current good manufacturing practice (GMP) requirements for drugs. The FDA included specific data integrity requirements in the GMPs and the related good laboratory practices (GLP) regulations.
In the late 1980s, Congress investigated allegations of widespread fraud in the newly emergent generic drug industry. Wholesale document forgeries and manufacturing lapses were discovered. Senior executives went to jail, and companies closed down.
The FDA then finalized a policy entitled “Fraud, Untrue Statements of Material Facts, Bribery, and Illegal Gratuities; Final Policy” (1991), which became known as the Application Integrity Policy (AIP). When the FDA decided that wrongful acts merited the withdrawal of an application or deferral of substantive review of an application, this was known as “Invoking AIP.” The FDA has publicly listed companies for which it had invoked AIP because of data reliability concerns, and this AIP policy continues today.
In 1997, the FDA finalized 21 C.F.R. pt. 11, which addresses, in part, controls needed to ensure the data integrity of electronic records.
The FDA is not the only regulatory agency focused on data integrity. Following the United States’ lead, many other regulators have developed guidance. For example, in 2018, the United Kingdom’s Medicines and Healthcare Products Regulatory Agency (MHRA) published “‘GXP’ Data Integrity Guidance and Definitions,” which emphasizes the importance of complete, consistent, and accurate data and Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA) principles. Similarly, Health Canada has a “Good Manufacturing Practices Guide for Drug Products.”
A bad inspection with a regulator in one country can have negative ramifications with regulators in other countries. For example, the FDA has mutual recognition agreements with many European Union (EU) countries, including the United Kingdom’s MHRA, France’s Agence Nationale de Sécurité du Medicament et des Produits de Santé, and Ireland’s Health Products Regulatory Authority.
Data integrity requirements are found in the FDA’s GMP regulations located at, for example, 21 C.F.R. pt. 211, with greater detail in FDA guidance documents.
The FDA views data integrity compliance as essential to ensuring that drug and medical device products are safe, effective, and high quality. Noncompliance with data integrity rules affects the FDA’s ability to rely on and make sound decisions based on data provided by your client to the agency as part of an application or report.
Once the FDA raises a data integrity issue related to information provided by your client, the FDA no longer trusts your client. In practice, that means it will be significantly more challenging for you and your client to obtain necessary approvals from the agency, and your client may be subject to regulatory or enforcement actions (described further below).
Under GMPs, GLPs, and related guidance, a drug or medical device company’s quality assurance department is responsible for ensuring that its safety and manufacturing records accurately document the company’s actual operating procedures and reported results.
The FDA expects that your client’s data will be “attributable, legible, contemporaneously recorded, original or a true copy, and accurate.” This concept is referred to within the sciences industry as the ALCOA principle. Essentially, ALCOA means that data must be accurate and legible and contemporaneously recorded. For example, your client’s quality assurance team should be able to know from reviewing data included in internal batch records which operators completed specific tasks and the test results. Moreover, FDA investigators should be able to review batch records during inspections because the information is legible.
Additionally, data must be contemporaneously recorded, which means that manufacturing results are recorded as they occur and not hours or days later or before based on expected results.
ALCOA principles are not limited to internal GMP documents. Information submitted to the agency, like adverse event reports, new drug application supplements, or premarket approval supplements must also have accurate, legible information and must include originals or true copies of underlying, relevant data.
Under 21 C.F.R. § 211.100(b), your company’s production and process control procedures must (1) be followed in the execution of your company’s various production and process control functions and (2) be documented at the time of performance.
In addition, under 21 C.F.R. § 211.188(a), your client must keep “[a]n accurate reproduction of the appropriate master production or control record, checked for accuracy, dated, and signed.” To comply with this requirement, your client must make sure that copies are complete and match the originals. If the original record includes metadata, the copy must include this metadata as well.
Under 21 C.F.R. § 211.194, your client’s records must “include complete data derived from all tests necessary to assure compliance with established specifications and standards.” For example, in the laboratory, if there is a required test based on the specifications in the approved application and a failing test result occurs, the failing test result still needs to be recorded in the batch record, even if the test is later invalidated due to laboratory error.
Data integrity violations can lead to serious consequences, including:
The following are basic steps a company can take to comply with the FDA’s data integrity regulations and guidance:
Take the following steps to adequately address and mitigate data integrity incidents and to ensure preservation of the attorney-client privilege and work product protection for certain company materials:
Scott Bass heads Sidley Austin’s Global Life Sciences team, coordinating pharmaceutical, medical device, food, and dietary supplement matters in the United States, Europe, and Asia. He is ranked internationally among the top authorities on FDA-related enforcement and regulatory issues and has led GMP audits and investigations in the United States, EU, and China. Deeona Gaskin served as Associate Chief Counsel for Enforcement at the U.S. FDA and is now a senior associate in Sidley’s Food, Drug and Medical Device Compliance and Enforcement group. She handles current Good Manufacturing Practice, Quality System Regulation, data integrity, product recalls, and adverse event reporting matters on several continents, and also represents companies in False Claims Act enforcement actions and investigations.
To find this article in Lexis Practice Advisor, follow this research path:
RESEARCH PATH: Life Sciences > Manufacturing and Recalls > Practice Notes
For a checklist to assist with data integrity compliance risk management, see
> DATA INTEGRITY RISK MANAGEMENT FOR LIFE SCIENCES CHECKLIST
RESEARCH PATH: Life Sciences > Manufacturing and Recalls > Checklists
For information about data integrity-related U.S. Food and Drug Administration (FDA) enforcement activity and FDA regulatory activity related to data collection and maintenance standards, see
> FDA WARNING LETTERS TRACKER, FDA DRUG REGULATORY ACTIVITY TRACKER, and FDA MEDICAL DEVICE REGULATORY ACTIVITY TRACKER
RESEARCH PATH: Life Sciences > FDA Approval Process > Practice Notes
For information about FDA inspections, see
> FDA FORM 483 INSPECTION OBSERVATIONS AND RESPONSES
RESEARCH PATH: Life Sciences > Regulatory Enforcement > Practice Notes
For an overview of FDA drug and medical device regulation generally, see
> FDA REGULATION OF PHARMACEUTICALS and > FDA REGULATION OF MEDICAL DEVICES
For an overview of life sciences industry regulation in international jurisdictions, see
> HEALTHCARE ENFORCEMENT AND LITIGATION IN INTERNATIONAL JURISDICTIONS
RESEARCH PATH: Life Sciences > International Considerations > Practice Notes
1. United States v. Park, 421 U.S. 658 (1975)