Castor complies with all applicable laws and regulations, including ICH E6 Good Clinical Practice (GCP), 21 CFR Part 11, EU Annex 11, General Data Protection Regulation (GDPR), HIPAA (US), ISO 9001 and ISO 27001. By using Castor, researchers are enabled to comply with these laws and regulations. Castor is a validated system, and approved by external auditors.
On this page you can read about how we ensure GCP compliance from our side, what is required from the investigator and/or sponsor in order to be GCP compliant, and at the end, we will answer some Frequently Asked Questions about GCP.
Good Clinical Practice in Castor EDC
Trevalco audited Castor EDC in November 2017 for GCP compliance to ensure compliance. In order to help researchers figure out how GCP regulations operate, we provide an outline of the regulations, and which organizations are involved. Further, explaining the requirements the implications of data management for the researcher. Interested in the background of GCP? Read about it on the International Conference on Harmonisation (ICH) website.
When does your study have to meet GCP criteria?
Strictly speaking, only intervention studies in which medicine is administered have to meet GCP criteria. Regardless, it is advisable to follow GCP guidelines for all intervention studies. The GCP guidelines apply to the sponsor and the executing researcher.
In terms of data management, what should you pay attention to?
The sponsor is in charge for the GCP data management requirements. The researcher is required to abide by the rules set by the sponsor. When electronic systems are being used for entering research data, the sponsor must make sure that:
1. A “validated” system is being used. This is a system that meets the demands of the sponsor in terms of completeness, accuracy, reliability, and consistent intended performance;
We execute the validation process for our users through manual and automated tests in order to guarantee the validity of the application. Our quality checks have been deemed qualified by Trevalco auditors.
2. Standard Operating Procedures (SOPs) for the use of the systems are maintained;
The sponsor or researcher is expected to draft these documents in order to demonstrate how the use of Castor EDC is intended. Material made available by us can be used for this purpose (e.g. the workshop, manual, etc).
3. All initially entered data and all the changes are saved (audit trail, data trail and edit trail);
All actions that can be carried out in Castor are saved in the audit trail. This means all edits and changes in the study structure, data collection, and study management. Data can only be archived, not deleted.
4. There is a security system in place that prevents unauthorised access to the data;
The study admin invites everyone involved in the study, and gives them proper rights. Every user has their own account and sharing of accounts is not permitted. Strong passwords are enforced, SSL is used to log in, and account information is encrypted. The study admin is in charge of authorising access to data, which always happens on an individual basis, per institute. This ensures that study data cannot be accessed by unauthorised people. Our security statement offers more information about the safety of the application and system.
5. A list is maintained of all individuals who are authorised to make data changes;
An up-to-date user rights overview is available in the system, and all alterations of user rights are logged in the audit trail. You can always reconstruct which person possessed which rights when.
6. Data are adequately backed up and can be retrieved from the archive;
All changes and data are kept track of in the audit trail. This means we can always retrieve what the status of a particular record was at a particular moment in time.
7. The randomisation blinding is safeguarded;
Only users with randomization rights can randomise a patient, and only users with randomization view rights can see which group the patient ended up in.
8. An unambiguous identification code is used for subjects;
Castor creates unambiguous identification codes for patients, which can be defined by the user. IDs are anonymous and unalterable. They can also be automatically generated when a new patient is included.
9. A reason is always indicated when changes are made in a patient’s CRF;
Castor uses the reason for change feature, which makes sure that an explicit reason is provided for each data change.
10. The data is stored for at least 2 years (or more depending on local laws).
GCP prescribes that all medical data are stored for at least two years unless a longer period is required because of local regulations. Castor stores all data for 15 years after your study finishes and allows you to easily export it at any time. If your local laws require longer storage let us know and we will make sure your study complies with your local laws.
TRUE Datacenter where Castor’s data is stored in the Netherlands
Frequently Asked Questions (FAQs)
Many research institutions have other rules besides the GCP guidelines. Moreover, it is not always entirely clear what GCP means and what its consequences are for data management. To make the various rules and regulations as transparent as possible, we will answer some Frequently Asked Questions (FAQs).
FAQ 1: can personal details be stored ‘with’ medical data?
Officially, these data do not have to be separated, as long as they are properly secured. In principal, Castor EDC does not save personal details. It is the researcher’s responsibility to keep a record of the study IDs linked to personal data. In Castor you can send out surveys through patients’ email addresses, however, these are encrypted before storage, so they are properly protected and inaccessible to unauthorised persons.
FAQ 2: do the data have to be saved ‘within the walls’ of the institution?
GCP does not prescribe where data should be stored. Most importantly is that the data are properly protected. The Castor EDC servers are managed by ISO 27001 and ISO 9001 certified data centres. If your institution requires storage within the research institute, we can discuss how to set this up.
FAQ 3: can a data collection system, which is renewed as often as Castor EDC, continuously meet the GCP validation requirements?
The sponsor does not need to validate every updated version of an electronic system. However, the sponsor must be satisfied with the supplier’s quality processes. Trevalco has audited Castor for GCP, and proved that all these processes are in order. Through both manual and automated tests we execute the validation for our users.
FAQ 4: can an eCRF be used as a source document?
If the research findings were initially recorded in an eCRF, the eCRF can be used as source document. A certified copy of the eCRF can be electronically signed and locked by the researcher, including the date, saving researchers from typing the eCRF data in the patient status later.
What if I want more information?
For more information, read the complete GCP guidelines here. We will keep you up to date with the latest changes for researchers on our website.