Security Requirements

This chapter will cover:

  • Security
  • Exit Strategy/End of Life

When dealing with valuable digital content that needs to remain in its original form throughout its retention period, there must be security considerations to protect the integrity of that data.

Security

What security measures do you have in place to protect data from unauthorised access?

Each assigned user should have their own account login details to access the system, which means no login details need to be shared. There should also be control over which users can access certain datasets or studies.

How are authorised changes made in the system processed and documented?

For authorised users, there must be tracking available (audit trails) that records all access and changes made within the system. These should be compiled into a downloadable report that could be given to authorities.

How is it assured that data is completely destroyed after the end of retention life?

To comply with data protection requirements outlined in multiple regulatory standards and guidelines, data must be completely destroyed after the specified retention period.

How often is the system tested for vulnerabilities? (Sometimes known as penetration testing)

This should be a regular test that the vendor undertakes at least once every two years or after a major update to the system. It is usually carried out by an approved third party, and there should be processes in place for actioning any issues arising from this test.

Does your system comply with GDPR?

This is particularly important regarding the processing of data (see Articles 28 to 34 of GDPR), though all articles should be complied with.

Are staff trained on processing data in a secure and confidential manner?

This question is to ensure that the vendor’s staff are aware of all security procedures and confidentiality to appropriately handle your data in accordance with data protection regulations.

Exit Strategy/End of Life

It is difficult to guarantee that data will remain in one system for the entire length of the retention period. Situations such as a drug patent being bought by another pharma sponsor require the associated documentation to be transferred to the new owner. Transferring this data can be worrisome, so ensuring that there are secure procedures in place is critical.

Does stored digital content remain in an understandable structure that can be interpreted without the system?

In the possible case where data needs to be extracted from the archive (for whatever reason), the data must be exported in an understandable format so that it is still readable.

Can all data be exported out of the system in an organised and manageable structure?

If data needs to be transferred into a new system, it is best that the exported data is in a readable and organised structure. Without this, you may find yourselves ‘locked-in’ to using this particular vendor.

How is data removed from the system at the end of the specified period?

Here you can identify the actual process for removing data from the system and ensure it meets your requirements.
