Is the use of cloud storage services compliant with the principles of GLP?
Reply to Thread
Over the last 7 years or so, I've been working extensively with research facilities in Africa, providing support and guidance to them as they develop GLP compliant quality management systems and move towards applying for GLP certification. One of the perennial issues that these facilities face relates to the security of electronic data. Many have poorly developed computing infrastructure and poor internet connectivity. The impact of this is greatest where electronic files are created at remote field sites which need then to be transferred onto the computer systems at the main facility.
My question to this forum is:
Would the use of a cloud storage solution for the backing up and transfer of electronic data files be compatible with the principles of GLP?
Cloud storage service providers such as Amazon Web Services suggest that GxP certified customers make use of their services. Is this correct?
If cloud storage solutions by GLP certified facilities is not permitted, can the forum suggest workable alternate solutions?
RQA GLP Committee
You need to do your due diligence and establish where the data is held, who has access to it and who owns it. You need to do a vendor assessment. There are different levels of security with a cloud, will you have a dedicated server, or a shared server? What control measures are in place? Do you know where the data is? Can you be sure you have not handed over ownership of your data?
Find out what you are being offered and have a strong contract in place. Understand how the data is controlled, and have a service level agreement drawn up.
The OECD Guidance document 17 also gives helpful information.