System access, security, and audit trails: establishing governance the RC must own
Teaches the RC to design and enforce the three pillars of electronic system governance -- user access management per Section 4.3.8, security controls per Section 4.3.3, and audit trail review procedures per Section 4.2.2 -- as site-level procedures that persist across studies and staff changes.
The account that should not have existed
A sponsor-initiated audit at an investigator site managing 14 active studies reveals something unremarkable at first glance: a user account in the electronic document management system belonging to a clinical trial assistant who left the site three weeks earlier. The auditor notes the account, checks the audit trail, and confirms that no one has logged into the account since the staff member's departure. No unauthorized access occurred. No data was viewed, modified, or exported. The account simply existed -- active, with full permissions to the three studies the former staff member had been assigned to, accessible to anyone who possessed or could guess the credentials.
The auditor writes a finding. Not a critical finding, but a finding nonetheless. And the regulatory coordinator, reviewing the audit report, feels a particular frustration that is familiar to anyone who has encountered this scenario: nothing went wrong, and yet something was wrong. The system was exposed. The window was open. That no one climbed through it is a matter of fortune, not governance.
This is the distinction this lesson addresses. Governance is not the absence of bad outcomes. Governance is the presence of procedures that prevent bad outcomes from being possible. And for electronic systems used in clinical trials, governance rests on three pillars: who has access and under what conditions, how the system and its data are protected, and how the trail of activity is reviewed to verify that the first two pillars are holding.
What you will learn
By the end of this lesson, you will be able to: