Business Owners, Users or Stakeholders…
Who is Accountable for Data Quality, Integrity and
C fid ti lit ?Confidentiality?
Presented by:Eric J. Staib
Director, IT Quality
Abstract
• The debate(s) surrounding accountability for computerized systems and their associated data is a common theme in industry today.
• There are many departments, staff, and personnel involved in a computerized systems life cycle and th d t it lti t lthe data it ultimately manages.
Abstract• Where does the "buck" stop?
Wh i lti t l ibl ?• Who is ultimately responsible? • Is there an easy answer?
Objectivej• This session shall examine the who, when, and
where with regards to the roles andwhere with regards to the roles and responsibilities for data and their associated computerized system(s).
– Understand who is accountable d f h t d t d/and for what data and/or
information– Ask the appropriate questionspp p q– Hold the necessary personnel
responsible
Background
• What has made this so difficult?– The acquisition and meaningful use of information is
of immense importance to achieving corporate objectives in all areas of businessobjectives in all areas of business
– Internet, intranet, e-mail, and instant messaging play an essential part in accessing and exchanging p y p g g ginformation
– Contemporary communication channels allow companies to prepare and implement decisions faster and more effectively than in the past
Background
• What are the risks?– Progress in information technology also entails
greater risks for data quality, integrity and fid ti litconfidentiality
– Companies need to protect the personal rights of any/all individuals whose personal data it processesy p p
• Including employees, customers, contractual partners, subjects and patients in clinical trials
What is a Computerized System?
• A functional unit, consisting of one or more computers and i d i h l i d d i d i dassociated peripheral input and output devices, and associated
software, that uses common storage for all or part of a program and also for all or part of the data necessary for the execution of the program (ANSI).
Documentation`
Valid
atio
n
program (ANSI).
– Includes hardware, software, peripheral devices
Software System (Application)
DATA
Processperipheral devices, personnel, and documentation.
Users`
Middl A li ti /T l
Qua
lific
atio
n
Infrastructure (Hardware and Peripherals) Controlled Process
Operating Environment
Operating System and Database
Middleware Applications/Tools
Who are the usual responsible suspects?
• Service Providers (SP)• Senior Leadership / Management• Stakeholders
– Business Unit (BU) Owners– System Owner– Quality Assurance (QA)– Information Technology (IT)
I am a SaaS provider, what’s my Role?I am a SaaS provider, what s my Role?
• Service Provider• Software suppliers and/or providers
perform the qualification of the platform and the infrastructure that supports the application (IaaS / PaaS)
• Operational limits of the application are tested by the module and integration level testing is performed by the software supplier.pp
• Testing is performed before the release of the application to a customer (ex. UAT).
• Regulatory authorities also hold the Sponsor responsible for the quality of work and testing performed by Service Providers.
• Usually the QA unit and user team conducts an audit or walkthrough of the provider’s processes and establishes a formal audit reportthe provider s processes and establishes a formal audit report.
I am a SaaS provider, what’s my Role?
• Hosting service providers are responsible for the `da
tion
are responsible for the validation of the baseline / “vanilla” SaaS and the
lifi ti f th P S &
Software System (Application)
DATA
Documentation
Process
Valid
qualification of the PaaS & IaaS.
Users`
Middleware Applications/Tools
Qua
lific
atio
n
Infrastructure (Hardware and Peripherals) Controlled Process
Operating Environment
Operating System and Database
I am a Senior Leader, what’s my role?
• Senior Leadership– Leadership has the
overall operational responsibility for theresponsibility for the system during its usable lifetime.
– Ultimate responsibility for the regulated work, processes and dataprocesses, and data generated.
I am a Business Owner, what’s my role?
• Business Unit (BU) Owner– The BU is responsible for the
work process itself.
– This includes SOPs, training, and system specific responsibility for approvingresponsibility for approving the system validation effort (ex. UAT).
I am a Business Owner, what’s my role?
• Business and System Owners are responsible for validation of the system for business use alongvalidation of the system for business use, along with documented processes, and the BCP.
Documentation`
Valid
atio
n
Software System (Application)
DATA
Process
Users`
Middleware Applications/Tools
Qua
lific
atio
n
Infrastructure (Hardware and Peripherals) Controlled Process
Operating Environment
Operating System and Database
I am a System Owner, what’s my role?I am a System Owner, what s my role?
• System Owner– The System Owner is also usually
the key user; could be a super user.
– Responsible for system access and availability to the user community.Drives the documentation– Drives the documentation process.
– Manages testing activities (ex. UAT)UAT).
– Leads the core team in developing and maintaining the CSV package.
I am Quality Assurance, what’s my role?
• Quality Assurance– QA is responsible for auditing
the validation process, documentation package, and p g ,associated data.
– QA should remain separate from the developmentfrom the development process in order to be able to audit as an independent entityentity.
I am an IT SME, what’s my role?
• IT Subject Matter ExpertIT (i t l d/ t l id ) i• IT (internal and/or external provider) is responsible for the qualification of the platform (HW & SW), middleware, tools, etc.
Documentation`
alid
atio
n
• IT is responsible for processes, and data that supports or
Software System (Application)
DATA
Documentation
Process
Vathat supports or maintains the daily operation of the system
Users`Q
ualif
icat
ion
system.
Infrastructure (Hardware and Peripherals) Controlled Process
Operating Environment
Operating System and Database
Middleware Applications/Tools
I am an IT SME, what’s my role?I am an IT SME, what s my role?
• Qualification of the Platform• Qualification of the Platform• System Maintenance• Backup and Recovery• DR Planning• Change Control• Configuration ManagementConfiguration Management• IT SOPs
Summary of Responsibilities
Senior LeadershipDocumentation
Process
`
Valid
atio
n
BU Service Provider IT
Software System (Application)
DATA
n
System
ValidBU
Work BU Data
PaaS&
IaaS
SaaSBasel
ine SOP’s
Infrastructure
Qualific
Development
& Maintenance
IT Process
Users`
Operating System and Database
Middleware Applications/Tools
Qua
lific
atio
n
Validation SOP Data Qualifi
cationValidation
s Qualification nance
SOP’s
ess DataInfrastructure (Hardware and Peripherals) Controlled Process
Operating Environment
Question & Answer
Special thanks to: Oleg Trigub, Associate Director - IT Quality / CSV, Covance Inc.