
IT and Cybersecurity Expectations in GCP Compliance in Canada

January 24, 2026 by Deepa


Clinical trials today are heavily dependent on computerized systems. Data is captured, modified, transferred, stored, analyzed, and archived electronically across multiple platforms such as EDC systems, eCRFs, safety databases, cloud infrastructure, and vendor-hosted applications. As a result, IT controls and cybersecurity are now directly tied to Good Clinical Practice (GCP) compliance rather than being treated as supporting operational functions.

What is ROEB?

ROEB, Health Canada's Regulatory Operations and Enforcement Branch, is responsible for inspections and investigations of clinical trials in Canada under the Food and Drugs Act and Food and Drug Regulations (Part C, Division 5).

These inspections are risk-based and focus on two outcomes: protection of trial participants and reliability of clinical trial data. As part of this framework, Canada has adopted the ICH Good Clinical Practice (GCP) standard, which requires that clinical trial records be maintained in a manner that supports complete, accurate, and traceable regulatory review.

The finalized ICH E6(R3), the newest international GCP standard, effective in 2025, strengthens these expectations by explicitly integrating data governance, computerized systems, and risk-based quality management into GCP. Under E6(R3), IT systems are no longer treated as supporting infrastructure; the computerized systems used to generate and manage clinical trial data, along with the controls applied to them, are now considered a direct component of GCP compliance.

Core IT and Cybersecurity Requirements in GCP

Data Governance Is Now a Core GCP Requirement

ICH E6(R3) introduces data governance as a defined GCP requirement. Sponsors, investigators, CROs, and service providers are now expected to ensure that clinical trial data is accurate, complete, attributable, and traceable throughout its entire lifecycle. This includes data creation, modification, review, transfer, storage, archiving, retention, and destruction.

| Requirement | Description | Regulatory Linkage |
|---|---|---|
| Data Integrity & Traceability | Ensure data is accurate, complete, and attributable; audit trails must capture all changes and metadata. | E6(R3) 4.2.2: metadata, audit trails |
| Data Lifecycle Management | Controls for data capture, transfer, storage, archiving, retention, and destruction must be defined and enforced. | E6(R3) 4.2.1–4.2.8 |
| Governance Documentation | Formal procedures for data standards, ownership, responsibilities, and validation must be documented and enforced. | E6(R3) 4.1 and 4.3.1 |


From an inspection perspective, data governance is evaluated on whether data can be reconstructed and verified. Inspectors assess whether systems maintain audit trails that capture what changed, who made the change, when it occurred, and why it occurred. The metadata must therefore be preserved in a way that supports regulatory verification, and the governance documentation, including SOPs, defined responsibilities, and validation records, must exist and be followed in practice.

The consequent practical implication is that systems must not only store data but must also demonstrate how that data has been controlled over time.
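As an added illustration (not code from this post, from ROEB, or from any particular EDC product), the following Python sketch shows what "who changed what, when, and why" looks like when enforced by the system itself: a hash-chained, append-only audit trail that refuses changes without a reason, can rebuild a record's value as of any point in time, and detects after-the-fact edits to history. The subject, field, user and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Hash-chained audit trail: who changed what, when and why, tamper-evident."""

    def __init__(self):
        self.entries = []

    def record(self, record_id, field, old, new, user, reason, ts=None):
        # The 'why' is mandatory: an unexplained change is an inspection finding.
        if not reason:
            raise ValueError("a reason for the change is required")
        ts = ts or datetime.now(timezone.utc).isoformat()
        body = {"record_id": record_id, "field": field, "old": old, "new": new,
                "user": user, "reason": reason, "timestamp": ts,
                "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain; False means an entry was altered, reordered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, record_id, as_of=None):
        """Replay the trail to rebuild a record's field values as of a timestamp."""
        state = {}
        for e in self.entries:
            if e["record_id"] == record_id and (as_of is None or e["timestamp"] <= as_of):
                state[e["field"]] = e["new"]
        return state


# Constructed sample: a systolic BP value on an eCRF, corrected after query resolution
trail = AuditTrail()
trail.record("SUBJ-001/VISIT-2", "sbp", None, 138, "crc_jdoe", "initial entry", "2025-03-01T10:00:00+00:00")
trail.record("SUBJ-001/VISIT-2", "sbp", 138, 128, "crc_jdoe", "transcription error vs source document", "2025-03-04T09:30:00+00:00")
```

The ISO-8601 timestamps with a fixed UTC offset sort as plain strings, which is what makes the as-of reconstruction a simple comparison.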

Computerized Systems Expectations Under ICH E6(R3)

ICH E6(R3) sets explicit expectations for computerized systems used in clinical trials, regardless of whether they are sponsor-managed or vendor-hosted.

| Control Area | Expectation | Example Requirement |
|---|---|---|
| Security | Systems must protect data from unauthorized access, alteration, and loss. | E6(R3) 4.3.3: security controls |
| Validation | Systems must be validated to ensure they function as intended throughout the data lifecycle. | E6(R3) 4.3.4 |
| User Management | Robust identity and access controls must restrict system access based on role. | E6(R3) 4.3.8 |
| System Documentation | SOPs, change control logs, and release notes must be maintained. | E6(R3) 4.3.1 |
| Failure & Contingency Handling | Plans for system failure, backup, and recovery must be established. | E6(R3) 4.3.6–4.3.7 |

Cybersecurity Controls in the GCP Context

Although ROEB's Canadian inspection strategy does not currently list detailed cybersecurity criteria, the following general IT expectations follow from ICH E6(R3):

Security & Confidentiality

  • Access Controls: Restrict access via strong authentication, role-based permissions, and session auditing. 
  • Encryption: Protect data in transit and at rest using robust cryptographic protocols. (Implied by security provisions in E6(R3) 4.3.3) 
  • Data Loss Prevention: Backup and restore mechanisms must be tested to ensure recoverability. 

Data Integrity

  • Audit Trails: Systems must record who did what and when, preserving attributable trails for regulatory inspection. 
  • Validation Evidence: Documentation demonstrating that systems perform as intended and errors are prevented/detected. 

Risk-Based Oversight

  • Sponsors must assess cybersecurity risks proportionate to the technology’s impact on data critical to safety and decision-making. 

| Control Area | ICH E6(R3) Expectation | Actionable Cybersecurity Measures | Typical Evidence for ROEB / Inspectors |
|---|---|---|---|
| Security | Systems must protect data from unauthorized access, alteration, and loss (4.3.3) | MFA for admins and remote access; role-based access control (least privilege); encryption at rest (AES-256) and in transit (TLS 1.2+); firewalls and network segmentation; centralized security logging and alerts | Access control matrix; encryption configuration screenshots; firewall rules; security logs / SIEM reports |
| Validation | Systems must function as intended throughout the data lifecycle (4.3.4) | Computer System Validation (CSV) plan; IQ/OQ/PQ or risk-based validation; validation of audit trails and access controls; change impact analysis and re-validation | Validation plan and report; test scripts and results; change control records |
| User Management | Access restricted based on role and responsibility (4.3.8) | Unique user IDs (no shared accounts); formal onboarding/offboarding process; quarterly access reviews with sign-off; session timeout and account lockout | User access list; access review sign-off records; de-provisioning logs |
| System Documentation | SOPs and system documentation must be maintained (4.3.1) | Security SOPs (access, incident, backup); change management SOP; configuration documentation; vendor security responsibility definition | Approved SOPs; change tickets; system architecture diagrams |
| Failure & Contingency Handling | Backup, recovery, and continuity plans required (4.3.6–4.3.7) | Encrypted daily backups; off-site backup storage; defined RTO / RPO; periodic restore testing; incident response and DR plan | Backup logs; restore test reports; incident response plan; DR documentation |


Why HIPAA Compliance Is Not Sufficient for GCP IT Compliance

HIPAA and GCP address different regulatory objectives. While HIPAA focuses on protecting the confidentiality, integrity, and availability of patient health information, GCP focuses on the integrity, traceability, auditability, and regulatory reliability of clinical trial data.

HIPAA compliance typically covers access controls, encryption, security policies, incident response, and disaster recovery. However, HIPAA does not require computer system validation, end-to-end data lifecycle traceability, or inspection-ready audit trails capable of reconstructing clinical decisions.

| Framework | Primary Purpose |
|---|---|
| HIPAA | Protect patient health information (PHI) confidentiality, integrity, and availability |
| ICH E6(R3) / ROEB | Ensure clinical trial data integrity, traceability, auditability, and regulatory trust |

As a result, an organization can be HIPAA-compliant and still fail a GCP inspection if it cannot demonstrate validated systems, complete audit trails, and controlled data lifecycle management.

A regulator-accurate way to explain this to stakeholders is:

“HIPAA compliance provides a strong security baseline, but clinical trials require additional controls under ICH E6(R3), particularly around data traceability, system validation, and inspection readiness.”

Where HIPAA Helps

If a client is HIPAA-compliant, they likely already have:

  • Access controls and authentication
  • Encryption at rest and in transit
  • Security policies
  • Incident response process
  • Backup and disaster recovery

These map to ~50–60% of GCP cybersecurity expectations.

HIPAA vs GCP (ICH E6(R3)) Cybersecurity Gap Table

| Control Area | HIPAA Compliance Covers | GCP (ICH E6(R3)) Still Requires |
|---|---|---|
| Access Control | Role-based access to protected health information (PHI) | Role-based access per trial role (investigator, monitor, sponsor, admin) plus traceability to each data point |
| Audit Logs | General system activity logs | Immutable audit trails capturing who changed what, when, and why for clinical data |
| Validation | Not required under HIPAA | Computer System Validation (CSV) demonstrating systems function as intended across the data lifecycle |
| Change Control | Not mandatory | Documented change control process with risk and impact assessment |
| Data Lifecycle Management | Secure storage and retention of PHI | End-to-end data lifecycle controls: creation → modification → review → archival → destruction |
| Inspection Readiness | OCR privacy and security audits | Health Canada / ROEB inspections, including raw data reconstruction and traceability |
| Traceability | Not explicitly required | Metadata linking user → action → timestamp → record, supporting regulatory verification |
| Vendor Oversight | Business Associate Agreements (BAAs) | Vendor qualification, system validation evidence, and ongoing oversight |
| System Failure Handling | General disaster recovery (DR) plans | Demonstrated data integrity during outages, backup restoration testing, and continuity procedures |


Inspection Focus and Operational Implications

Health Canada inspects a small percentage of clinical trials each year, but inspections are targeted and risk-based. For drug trials, records are typically required to be retained for long periods, often up to 15 years, and must remain accessible and verifiable for the duration of that period.

Common inspection findings globally include incomplete documentation, missing or insufficient audit trails, inadequate access control governance, and a lack of validation evidence. These findings are often related to system governance rather than clinical conduct.

To meet these expectations, sponsors and CROs need to integrate IT risk assessments into their quality management systems, validate computerized systems in proportion to their risk, and maintain inspection-ready documentation. IT vendors supporting clinical trials must be able to provide validation documentation, demonstrate security controls, and support audit trail extraction when required.

Summary

The key IT expectations from ROEB and ICH E6(R3) GCP are data governance, system validation, access control, auditability, and contingency planning. These have now become core regulatory expectations. This means that ROEB inspections assess not only whether trials were conducted ethically, but also whether the supporting systems can demonstrate data integrity and reliability.
