The recent bankruptcy announcement of 23andMe is a classic case study in data ownership – not necessarily what should happen, but what actually does happen! Open and transparent discussion about data ownership is sometimes easier if the situation is not strictly a GxP issue, but the learnings and analogies in a QMS or PQS should resonate loudly for companies regulated by GxP regulations.
Simply using the PIC/S guidance “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments” as a common source, the concept of data ownership is prominent. Section 5.2.1 states:
“Data governance systems should be integral to the Pharmaceutical Quality System described in PIC/S GMP/GDP. It should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes and systems in order to comply with the principles of data integrity, including control over intentional and unintentional changes to, and deletion of information.”
How this happens is subject to a company’s individual QMS; however, it is useful to view this example as a service purchased from a third party. With this in mind, if the data is GxP, many companies will address responsibilities with both legal controls (contract) and quality controls (quality agreement). The situation with 23andMe is amplified since the company has filed for bankruptcy; it gains certain protection as defined by bankruptcy laws. This data is now a valued asset. This is exemplified by a well-known case study when Caesars Entertainment (the company that runs Caesars Palace Las Vegas) filed for bankruptcy and estimated the value of its rewards program at USD 1 billion. Data can become a tempting asset to sell as part of a bankruptcy proceeding. It gets even more complex when a cloud provider goes bankrupt as highlighted in an article from Thompson Coburn LLP (Data in the cloud: What if the cloud provider goes bankrupt?). This should prompt a quality risk discussion on the solvency of a GxP cloud provider, and the rate of change from GxP data management occurring “on premises” to “cloud” data management should prompt a renewed interest in testing the concept of data ownership.
Your contract and quality agreement must work together as a singular control. Lachman Consultants’ industry thought leaders and recognized practitioners have helped companies globally identify these types of risks. Identifying these risks and integrating them into a robust QMS should be part of any Quality Risk Management (QRM) program. Contact Lachman at LCS@lachmanconsultants.com to see how this case study may apply to data ownership for your company.
