
Joint Arrangements for Research

_________________________________________________________________________

STANDARD OPERATING PROCEDURE


SOP 840
Clinical Data Management System: DATA MANAGEMENT AND SECURITY

Version 2.1
Version date 19/06/2017
Effective date 10/08/2017
Number of pages 6
Review date June 2019

Author Joint Research Office

Approved by Ben Everitt


Role Head of NNUH IT
Signature Ben Everitt
Date 09/05/2017

Authorised by Professor Alastair Forbes


Role Chief of Research and Innovation

Signature

Date 10/08/2017

COPIES PRINTED FROM THE WEBSITE ARE VALID ONLY ON THE DAY OF PRINTING

SOP 840 v2.1 Effective Date: 10/08/2017 Page 1 of 6


It is the responsibility of all users of this SOP to ensure that the correct version is being
used.

All staff should regularly check the NNUH R&D website for information relating to the
implementation of new or revised versions of SOPs. Staff must ensure that they are
adequately trained in the new procedure and must make sure that all copies of
superseded versions are promptly withdrawn from use.

The definitive versions of all Joint NNUH/UEA health care research SOPs appear online.
If you are reading this in printed form, please check that the version number and effective
date are the most recent ones shown on the NNUH R&D website.

TABLE OF CONTENTS

1 ABBREVIATIONS
2 INTRODUCTION
3 SCOPE
4 GENERAL SECURITY ISSUES
5 ACCESS TO DATA
6 ENCRYPTION
7 AUDIT TRAIL
8 BACKUP AND RESTORE
9 RELATED DOCUMENTS
10 REFERENCES
11 LIST OF APPENDICES
Appendix 1: Change Control, Revision and Review Sheet

1 ABBREVIATIONS

CDMS Clinical Data Management System
CTU Clinical Trials Unit
GCP Good Clinical Practice
ICH International Conference for Harmonisation
NNUH Norfolk and Norwich University Hospital
SOP Standard Operating Procedure
SU Service User
UEA University of East Anglia

2 INTRODUCTION

This SOP describes the steps that are taken to ensure that trial data is:

• available to those that are entitled to use it;
• protected from unauthorised or accidental access and modification; and that
• previous copies of the data are available and restorable.

3 SCOPE

This SOP applies to all healthcare research which falls within the scope of the
Research Governance Framework (April 2005) sponsored by the NNUH and/or UEA.
External sponsors of research may have their own systems for data management
and security; however, the general principles of this SOP and Good Clinical Practice
in data management apply to all research conducted within the UEA and NNUH.
This SOP should be applied with reference to relevant organisations’ policies and
procedures.

4 GENERAL SECURITY ISSUES

Clinical data management systems reside either on the UEA or NNUH network and
are subject to the following institution-wide policies:

• UEA High Level Information Security Policy
• UEA General Information Security Policy
• UEA Desktop Computer Procurement and Deployment Policy
• NNUH IT Security Policy

5 ACCESS TO DATA

Most data management systems designed for clinical trials are in two parts:

• the user interface
• the database


The user interface provides SUs with access to the database. Under normal
circumstances SUs will not have direct access to the database (but see section 5.2,
Direct access to the database, below).

5.1 Access via the user interface

The user interface is programmed such that users must always log in with a
username and password to gain access to trial data.

In some trials, there is a requirement to restrict each user’s access to data to a
subset of the whole dataset – multi-centre trials are a good example of this
where users at each centre may only add, view and edit ‘their own’ data.
Access restrictions such as these must be listed in the Functional Specification
and they will be included in any system tests.

As a matter of principle, users should always be granted the lowest level of
access to data that enables them to perform their job satisfactorily.

5.2 Direct access to the database

Direct access to underlying databases is controlled by username and password;
however, this is separate from the study team user logins and is managed by the
Data Management team.

Where users of underlying databases require access to the raw data in order to
write their own queries etc. (e.g. from MS Access or SAS), read-only access can
be provided. This allows read-only access to the data and does not give direct
access to update the underlying database.

Read-only access to the live database should only be made available to users
on the UEA network or with access via a secure remote link such as VPN.

Any direct access to the database should be restricted to the data that the
requester needs to see. Particular attention should be paid to prevent the
unblinding of a user who should remain blinded.

5.3 Access to the servers

Login access to the server where the underlying database resides is restricted
to:
• the Database Management Team
• IT Services staff at UEA

5.4 Managing exported data

Data may also be provided to users by exporting data sets from the database.
Any datasets containing randomization data or patient identifying data, and any
datasets that are being dispatched outside the UEA network must be encrypted
before transmission to the requester.

6 ENCRYPTION

Websites on the CTU server are set up so that web traffic between users and the
database is encrypted using SSL.

MS Access-based databases are encrypted using Microsoft’s standard encryption
facility, so that the ‘raw’ database file is not readable except via MS Access or the
Clinical Data Management System user interface.

7 AUDIT TRAIL
CDMS are built with a special facility that keeps an audit trail of:
• all data changes made
• when the change was made
• who made the change

8 BACKUP AND RESTORE

MS Access databases are automatically backed up daily by the IT departments at
the UEA and NNUH. Restoration is by request to the appropriate IT team. SQL
Server and MySQL databases are each backed up daily (Full Backup). In addition to
being taken ‘off-line’, these backups are left ‘on-line’ for 3 days in a designated folder
on the server.

Copies of the backup folder are taken offline daily using a procedure provided by
UEA’s ITCS department. The files are stored offsite at a location approved by UEA
external auditors.

8.1 Backup/restore Checks

On a regular basis, the Data Manager should request a random backup from the
last 3 months, restore it to a new location and check that the contents are
readable.

9 RELATED DOCUMENTS

SOP 825 Clinical Data Management System - VALIDATION
UEA High Level Information Security Policy
UEA General Information Security Policy
UEA Desktop Computer Procurement and Deployment Policy
NNUH IT Security Policy


10 REFERENCES
Research Governance Framework (April 2005) and its successors (inc. Annex
updated September 2008)

11 APPENDICES

Appendix 1: Change Control, Revision and Review Sheet

Appendix 1: Change Control, Revision and Review Sheet

Revision Form: SOP 840

Version No: 1.1
Change Date: 01/09/2010
Reason for Change: Re-written following MHRA inspection.
Reviewer:
Signature and Date: 01/09/2010

Version No: 2.0
Change Date: 01/01/2014
Reason for Change: Rewritten following system wide review by CTU Head of Data Management and combining SOP control and revision sheets.
Reviewer: Tony Dyer, Head of Data Management, NCTU
Signature and Date: 01/01/2014

Version No: 2.1
Change Date: 19/06/2017
Reason for Change: Updated with CDMS (instead of TDMS), removal of references to NCTU Templates
Reviewer: Martyn Pond, Head of Data Management, NCTU; Leodie Alibert, QA Lead, NCTU
Signature and Date: 19/06/2017
