Business Owners, Users or Stakeholders…

Who is Accountable for Data Quality, Integrity and

C fid ti lit ?Confidentiality?

Presented by:Eric J. Staib

Director, IT Quality

Abstract

• The debate(s) surrounding accountability for computerized systems and their associated data is a common theme in industry today.

• There are many departments, staff, and personnel involved in a computerized systems life cycle and th d t it lti t lthe data it ultimately manages.

Abstract• Where does the "buck" stop?

Wh i lti t l ibl ?• Who is ultimately responsible? • Is there an easy answer?

Objectivej• This session shall examine the who, when, and

where with regards to the roles andwhere with regards to the roles and responsibilities for data and their associated computerized system(s).

– Understand who is accountable d f h t d t d/and for what data and/or

information– Ask the appropriate questionspp p q– Hold the necessary personnel

responsible

Background

• What has made this so difficult?– The acquisition and meaningful use of information is

of immense importance to achieving corporate objectives in all areas of businessobjectives in all areas of business

– Internet, intranet, e-mail, and instant messaging play an essential part in accessing and exchanging p y p g g ginformation

– Contemporary communication channels allow companies to prepare and implement decisions faster and more effectively than in the past

Background

• What are the risks?– Progress in information technology also entails

greater risks for data quality, integrity and fid ti litconfidentiality

– Companies need to protect the personal rights of any/all individuals whose personal data it processesy p p

• Including employees, customers, contractual partners, subjects and patients in clinical trials

What is a Computerized System?

• A functional unit, consisting of one or more computers and i d i h l i d d i d i dassociated peripheral input and output devices, and associated

software, that uses common storage for all or part of a program and also for all or part of the data necessary for the execution of the program (ANSI).

Documentation`

Valid

atio

n

program (ANSI).

– Includes hardware, software, peripheral devices

Software System (Application)

DATA

Processperipheral devices, personnel, and documentation.

Users`

Middl A li ti /T l

Qua

lific

atio

n

Infrastructure (Hardware and Peripherals) Controlled Process

Operating Environment

Operating System and Database

Middleware Applications/Tools

Who are the usual responsible suspects?

• Service Providers (SP)• Senior Leadership / Management• Stakeholders

– Business Unit (BU) Owners– System Owner– Quality Assurance (QA)– Information Technology (IT)

I am a SaaS provider, what’s my Role?I am a SaaS provider, what s my Role?

• Service Provider• Software suppliers and/or providers

perform the qualification of the platform and the infrastructure that supports the application (IaaS / PaaS)

• Operational limits of the application are tested by the module and integration level testing is performed by the software supplier.pp

• Testing is performed before the release of the application to a customer (ex. UAT).

• Regulatory authorities also hold the Sponsor responsible for the quality of work and testing performed by Service Providers.

• Usually the QA unit and user team conducts an audit or walkthrough of the provider’s processes and establishes a formal audit reportthe provider s processes and establishes a formal audit report.

I am a SaaS provider, what’s my Role?

• Hosting service providers are responsible for the `da

tion

are responsible for the validation of the baseline / “vanilla” SaaS and the

lifi ti f th P S &

Software System (Application)

DATA

Documentation

Process

Valid

qualification of the PaaS & IaaS.

Users`

Middleware Applications/Tools

Qua

lific

atio

n

Infrastructure (Hardware and Peripherals) Controlled Process

Operating Environment

Operating System and Database

I am a Senior Leader, what’s my role?

• Senior Leadership– Leadership has the

overall operational responsibility for theresponsibility for the system during its usable lifetime.

– Ultimate responsibility for the regulated work, processes and dataprocesses, and data generated.

I am a Business Owner, what’s my role?

• Business Unit (BU) Owner– The BU is responsible for the

work process itself.

– This includes SOPs, training, and system specific responsibility for approvingresponsibility for approving the system validation effort (ex. UAT).

I am a Business Owner, what’s my role?

• Business and System Owners are responsible for validation of the system for business use alongvalidation of the system for business use, along with documented processes, and the BCP.

Documentation`

Valid

atio

n

Software System (Application)

DATA

Process

Users`

Middleware Applications/Tools

Qua

lific

atio

n

Infrastructure (Hardware and Peripherals) Controlled Process

Operating Environment

Operating System and Database

I am a System Owner, what’s my role?I am a System Owner, what s my role?

• System Owner– The System Owner is also usually

the key user; could be a super user.

– Responsible for system access and availability to the user community.Drives the documentation– Drives the documentation process.

– Manages testing activities (ex. UAT)UAT).

– Leads the core team in developing and maintaining the CSV package.

I am Quality Assurance, what’s my role?

• Quality Assurance– QA is responsible for auditing

the validation process, documentation package, and p g ,associated data.

– QA should remain separate from the developmentfrom the development process in order to be able to audit as an independent entityentity.

I am an IT SME, what’s my role?

• IT Subject Matter ExpertIT (i t l d/ t l id ) i• IT (internal and/or external provider) is responsible for the qualification of the platform (HW & SW), middleware, tools, etc.

Documentation`

alid

atio

n

• IT is responsible for processes, and data that supports or

Software System (Application)

DATA

Documentation

Process

Vathat supports or maintains the daily operation of the system

Users`Q

ualif

icat

ion

system.

Infrastructure (Hardware and Peripherals) Controlled Process

Operating Environment

Operating System and Database

Middleware Applications/Tools

I am an IT SME, what’s my role?I am an IT SME, what s my role?

• Qualification of the Platform• Qualification of the Platform• System Maintenance• Backup and Recovery• DR Planning• Change Control• Configuration ManagementConfiguration Management• IT SOPs

Summary of Responsibilities

Senior LeadershipDocumentation

Process

`

Valid

atio

n

BU Service Provider IT

Software System (Application)

DATA

n

System

ValidBU

Work BU Data

PaaS&

IaaS

SaaSBasel

ine SOP’s

Infrastructure

Qualific

Development

& Maintenance

IT Process

Users`

Operating System and Database

Middleware Applications/Tools

Qua

lific

atio

n

Validation SOP Data Qualifi

cationValidation

s Qualification nance

SOP’s

ess DataInfrastructure (Hardware and Peripherals) Controlled Process

Operating Environment

Question & Answer

Special thanks to: Oleg Trigub, Associate Director - IT Quality / CSV, Covance Inc.