Good Clinical Practice
Castor EDC complies with all applicable laws and regulations: Good Clinical Practice (GCP), 21 CFR Part 11, EU Annex 11, and the European Data Protection Directive. By using Castor EDC, researchers can comply with all GCP guidelines applicable to them in their role as sponsor and/or researcher. Our systems and processes have been audited to ensure compliance with GCP by Profess Medical Consultancy.
We have done our part to ensure GCP compliance but sometimes it can prove difficult for researchers to figure out how those rules and regulations operate. As a result, we will provide you with a detailed outline of GCP and which organisations are involved. Further, information will be provided on when you are required to work in accordance with GCP and what the implications are for the researcher with regards to data management. Finally, we will answer some Frequently Asked Questions that have been received in the past.
What is GCP?
GCP is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects. 
Who makes the GCP rules?
The International Conference on Harmonisation for Technical Requirements for the Registration of Pharmaceuticals for Human Use (ICH) set up the worldwide GCP rules. These rules have remained the same since 1996 . Subsequently, the rules are turned into guidelines by local registration authorities.
When does your study have to meet GCP criteria?
Strictly speaking, only intervention studies in which medicine is administered have to meet GCP criteria. Regardless, it is advisable to follow GCP guidelines for all intervention studies.
Who has to meet GCP criteria?
The GCP guidelines apply to the sponsor (the person authorising or initiating the study) and the researcher who is executing the study. In investigator initiated studies the sponsor and researcher are one and the same person, which means that this person has to follow the guidelines for both roles.
In terms of data management, what should you pay attention to?
GCP only has data management requirements for the sponsor, not for the researcher. The researcher is, however, required to abide by the rules set by the sponsor. When electronic systems are being used for entering research data, the sponsor must make sure that:
- A “validated” system is being used. This is a system that meets the demands of the sponsor in terms of completeness, accuracy, reliability, and consistent intended performance;
We execute the validation process for our users through manual and automated tests in order to guarantee the validity of the application. Our quality checks have been audited on GCP/GAMP by Profess Medical Consultancy and have been deemed qualified. You can request the relevant documentation with us at all times, and institutions have the right to perform an audit.
- Standard Operating Procedures (SOPs) for the use of the systems are maintained;
The sponsor or researcher is expected to draft these documents him-/herself in order to demonstrate how the use of Castor EDC is supposed to develop. Material made available by us can be used for this purpose (e.g. the workshop, user guide, etc).
- All initially entered data and all the changes are saved (audit trail, data trail and edit trail);
All actions that can be carried out in Castor are saved in the audit trail. This holds for both the building of your study (creating phases, steps and fields), the collection of data (initial inserted data, altered data) and for the managing of your study (providing and revoking rights). Data can only be archived, not deleted.
- There is a security system in place that prevents unauthorised access to the data;
The study admin (the person who starts the study) invites everyone involved in the study and gives them the proper rights. Each user has their own account and the sharing of accounts is not permitted. We enforce strong passwords, and SSL is used to log in, and account information is encrypted additionally. The study admin is always in charge of authorising access to data, which always happens on an individual basis, per institute. This ensures that data from other studies and institutions can never be accessed by unauthorised people. Our security statement offers more information about the safety of the application and system.
- A list is maintained of all individuals who are authorised to make data changes;
All alterations of user rights are logged in the audit trail. You can always reconstruct which person possessed which rights when.
- Data are adequately backed up and can be retrieved from the archive;
All changes and data are kept track of in the audit trail. This means we can always retrieve what the status of a particular record was at a particular moment in time.
- The randomisation blinding is safeguarded;
Only users with randomisation rights can randomise a patient and discover which group the patient ended up in.
- An unambiguous identification code is used for subjects;
Castor creates unambiguous identification codes for patients by using a user created construction. These are completely anonymous and unalterable. Moreover, they can be automatically generated when a new patient is included.
- A reason is always indicated when changes are made in a patient’s CRF;
Castor uses the reason for change feature, which makes sure that an explicit reason is provided for each data change.
- The data is stored for at least 2 years (or more depending on local laws).
GCP prescribes that all medical data are stored for at least two years unless a longer period is required because of local regulations. Castor stores all data for 15 years after your study finishes and allows you to easily export it at any time. If your local laws require longer storage let us know and we will guarantee it.
Frequently Asked Questions (FAQs)
Many research institutions have other rules besides the GCP guidelines. Moreover, it is not always entirely clear what GCP means and what its consequences are for data management. To make the various rules and regulations as transparent as possible, we will answer some Frequently Asked Questions (FAQs).
FAQ 1: can personal details be stored ‘with’ medical data?
Officially, these data do not have to be separated, as long as they are properly secured. In principal, Castor EDC does not save personal details. It is the researcher’s responsibility to keep a record of these in a local linkage file, which refers to the anonymous record IDs in Castor EDC. Patients’ email addresses that can be used when sending out surveys form an exception to this rule. These email addresses are encrypted before storage, so they are properly protected and inaccessible to unauthorised persons.
FAQ 2: do the data have to be saved ‘within the walls’ of the institution?
GCP does not prescribe where data should be stored. The most important thing is that the data are properly protected. The Castor EDC servers are managed by TRUE, which is a data centre that is ISO27001 and ISO9001 certified by Lloyd’s Register Quality Assurance. If storage within the research institute is required anyway, we are open to discussing how we can set this up.
FAQ 3: can a data collection system, which is renewed as often as Castor EDC, continuously meet the GCP validation requirements?
It isn’t necessary for the sponsor to validate an electronic system every time it is updated to a newer version. However, the sponsor must be satisfied with the supplier’s quality processes. Profess Medical Consultancy audited Castor for GCP, and proved that all these processes are in order. Through both manual and automated tests we execute the validation for our users, with sophisticated (automated) processes that are technically very difficult for a sponsor to replicate.
FAQ 4: can an eCRF be used as a source document?
If the research findings were initially recorded in an eCRF, the eCRF can be used as source document. A certified copy of the eCRF (signed with the date and signature of the researcher) can be recorded in the status, saving researchers from having to type up the eCRF data in the patient status later. Castor EDC covers this through the Electronic Signing and Lock Record features.
What if I want more information?
For more information, read the complete GCP guidelines here. We will keep you up to date with the latest changes for researchers on our website.