I will forward to GCP Com. The GCP Com does not offer consultancy on individual issues but provides some guidance on the general principles involved.>>
Others on this forum may be able to reply with examples of what their organisations do.>>
This whole process of sending DVDs of CRF data to sites for archiving in their TMF, is the subject of inspection attention. Inspectors are concerned that investigators have control of their eCRF data at all times. They have often issued inspection findings when the sponsor (or the sponsors agent , CRO), has control of the investigator copy of the eCRF and the investigator is only given their copy after the trial is finished. The EMA has published information about this on their website. E6(R2) Addendum 8.1 "The sponsor should ensure that the investigator has control of and continuous access to the CRF data reported to the sponsor...The sponsor should not have exclusive control of those data". EMA GCP IWG Q & A “It is the expectation of the EU GCP IWG that the copy held by the investigator is a contemporaneous and independent copy of the CRF, i.e. that it is not held or has been held by the sponsor….the requirement of a contemporaneous and independent copy of the CRF is valid irrespective of whether the CRF contains source data or only transcribed data. The EU GCP inspectors do not consider the requirement above to be met if data are captured in an electronic system and the data are stored on a central server under the sole control of the sponsor.”
GCP Inspectors are also concerned as to whether investigators have checked their copy of the eCRF (for instance supplied on a DVD), to see that it is accurate and complete; and whether investigators will continue to have ready access to the data over the full retention period. >>
Ideas off the top of my head about your question on security of your process:- how secure is your process? You state “encoded” which sounds like it might be encrypted(?) You might look to your Risk Assessment of how secure your data transfer is. A risk proportionate approach might be to make sure that the discs are securely delivered to a named person and receive the signed receipt by that individual. If the discs are then password protected (not necessarily data encrypted) and the password sent by a different secure means, then in fact your process would be more secure than sending paper records that can be read by anyone opening the package. Or you could use a password controlled electronic data store where your investigators can download their data. You should archive the audit trail of this system so that you can show who downloaded what and when. Inspectors would inspect such a system.
Your Data Protection Officer may be able to help with suggestions on security.