Essential Records and Data Governance: Navigating E6(R3)’s New Documentation Framework

Introduction: Clinical trials generate mountains of data and documents – from case report forms and lab results to consent forms and monitoring reports. Managing these records is crucial to confirm that a trial was conducted properly and that its findings are credible. ICH E6(R3) introduces significant updates to how we think about essential documents (now often termed essential records) and emphasizes robust data governance throughout the trial lifecycle. These changes move away from a fixed checklist mentality toward a more principle-driven approach that can adapt to modern, digital trials. In this post, we explain what’s changed and outline how sponsors and investigators can navigate the new framework to ensure compliance and data integrity.

From Essential Documents to Essential Records: What’s Changed?

Under the previous ICH E6(R2), GCP provided a list of “Essential Documents” (in Section 8) that were considered the minimum required paperwork for a trial – things like the study protocol, signed consent forms, IRB approvals, investigator brochure, case report forms, etc. While useful as a reference, this list sometimes led teams to treat documentation as a box-ticking exercise, possibly missing trial-specific needs or the reality of electronic records. ICH E6(R3) shifts this perspective:

• Principle-Based Definition: E6(R3) describes essential records broadly as those that “enable verification of the trial conduct and the quality of the data.” It’s intentionally not a static list, acknowledging that what is essential may vary with the trial’s design and context. For example, in a traditional drug trial, signed consent forms are essential; in a registry study relying on electronic health records, data use agreements and EHR extracts might be the “essential” evidence of consent and source data. The new guideline encourages investigators and sponsors to identify which records are essential for their specific trial. Essentially, if a document or dataset would be needed to reconstruct what happened in the trial or to confirm key outcomes, it should be treated as essential and preserved. Conversely, if something is truly non-critical, GCP doesn’t force you to file it just because it’s on a generic list.
• Appendices as Guidance, Not Hard Rules: E6(R3) still provides Appendices (similar to the old Section 8) that list typical essential records (like Appendix 3 for essential records before, during, after the trial). However, these are presented as examples and guidance rather than an exhaustive mandatory list. Regulators expect due diligence in maintaining records, but they also allow adaptability. For instance, if a trial uses an eRegulatory binder (electronic trial master file), E6(R3) is fine with that – it doesn’t insist on a physical paper file as long as the electronic system meets the required standards (more on that below).
• Focus on Purpose of Records: The guideline asks, in essence, “Can an independent party (like an inspector or auditor) review your records and verify that: 1) the rights and safety of participants were protected, and 2) the data are accurate and credible?” If yes, you likely have what you need. If not, identify the gaps. For example, suppose a trial uses a mobile app to collect patient symptom data. An inspector might ask: How do we know the app was working correctly and capturing data accurately? Under E6(R3), an essential record might be the validation summary of that app or an audit trail from the app’s database. Historically, that kind of item wasn’t on the “essential documents” list – now it would be considered essential because it’s directly tied to data integrity.

Data Governance: A Dedicated Emphasis

Perhaps one of the most notable additions in ICH E6(R3) is a whole section on Data Governance (Annex 1, Section 4). This is a comprehensive set of expectations around collection, handling, and retention of trial data, particularly recognizing the predominance of electronic data systems.

Key components of data governance under E6(R3):

• Validating Computerized Systems: If you didn’t hear it enough in past GCP or Part 11 regulations, E6(R3) reiterates it – any electronic system used to capture or manage trial data must be validated to ensure it does what it’s supposed to. This doesn’t mean you need expensive consultants for every spreadsheet, but it does mean there should be evidence that critical systems (like EDC, electronic patient-reported outcome tools, IVRS/IWRS randomization systems, eConsent platforms, etc.) have been tested and shown to work correctly and consistently. Sponsors should maintain or obtain validation documentation from vendors or internal teams. This includes things like test scripts and results, system certificates, or compliance statements. During an inspection, regulators may ask, “How did you assure yourself that this electronic diary was reliably capturing timestamps and responses?” A validation summary or vendor qualification audit report would answer that. In sum, do not overlook system validation as an “IT thing” – it is now firmly a GCP requirement to have systems that are fit for purpose.
• Audit Trails and Traceability: Data governance means being able to trace data from their origin to the final dataset. E6(R3) specifically highlights maintaining audit trails for electronic data – these are automatic logs that record who entered or changed data, when, and what was changed. For example, if a lab result was corrected from 5.0 to 5.1, the system should record that edit. Investigators and sponsors should ensure that key electronic systems have audit trail functionality enabled and that it’s not being turned off. On the investigator side, if the source data is electronic (like hospital electronic health records, EHRs), there should be a mechanism to get audit trail info if needed (for instance, printing the EHR audit log for a particular patient’s entries if required by an inspector to verify no tampering). The idea is that data should be attributable (you know who did what), legible, contemporaneous, original, and accurate – the ALCOA principles of data integrity – and E6(R3) doubles down on applying these to digital records.
• Data Security and Access Control: Another aspect of governance is ensuring only authorized individuals can access modify trial data. E6(R3) expects sponsors and sites to implement appropriate user access controls for electronic systems – unique user IDs, passwords, role-based permissions, etc. Generic logins like “StudyCoordinator” used by multiple people are discouraged since they muddy accountability. Additionally, data should be stored securely, with backups and protection against loss. For example, if trial data is stored on a cloud server, there should be measures like regular backups in a separate location and encryption. While GCP doesn’t delve into IT protocols, an inspector could ask how you are protecting the only copy of your electronic investigator site file or participant recordings, etc. Having an SOP and record of data backup for crucial systems is wise.
• Defining Data Flow and Responsibilities: Trials now often involve multiple data sources and repositories. E6(R3) expects sponsors to map out and document where all trial-related data reside and who is responsible for each. For instance, clinical data in an EDC, images in a central imaging database, lab results at a central lab database, safety reports in a pharmacovigilance system, etc. There should be a clear structure so that nothing falls through the cracks. When inspectors come, they often ask for a “data flow diagram” or similar – a visual or tabular depiction of all data sources, how they move, and where they end up (and likewise, all essential documents and where they are filed). While not explicitly mandated, creating such a diagram as part of your Trial Master File documentation can be extremely helpful. It shows you’ve thought through data governance in a holistic way.
• Essential Records Retention: E6(R3) continues to mandate that essential records be retained for a sufficient period (at least per regulatory requirements – often a minimum of 15 years or more depending on the region and type of trial). Many regions, including the EU and UK, have specific timeframes (e.g., 25 years in certain cases). The guideline doesn’t set one global number, but it does say to follow local law and to ensure records are not destroyed prematurely. With electronic records, this raises the need for continued accessibility – having data saved in formats that can still be opened later, migrating data if needed, and maintaining decryption keys or credentials to access archives. Sponsors should have an archiving plan that covers how they will preserve both paper and electronic records after study completion and who will hold them (e.g., will sites keep their records and for how long? Will the sponsor archive all eCRF data centrally? etc.).

Sponsor vs. Investigator Responsibilities in Documentation

E6(R3) also clarifies expectations for sponsors and investigators regarding documentation and data:

• Investigator Site Files: Investigators are responsible for maintaining essential records at their site (often called the Investigator Site File or Regulatory Binder). E6(R3) doesn’t absolve them of this, but it acknowledges that some documents can be maintained electronically or by the sponsor, as long as the investigator can get to them when needed. A common practice now is having an electronic Trial Master File (eTMF) that both sponsor and site have access to, rather than duplicate paper files. This is acceptable if the site is given access to all investigator-required documents in the eTMF or provided copies for their own file. What’s important is investigators know where to find things like approvals, signed contracts, subject logs, etc., and that they keep records of their site’s activities (like delegation logs, training logs, signed consents, drug accountability logs) in an organized way. E6(R3) mentions that sponsors should ensure investigators are aware of their recordkeeping obligations and have the means to fulfill them.
• Sponsor Trial Master File: The sponsor is responsible for the master collection of all essential records for the entire trial (the TMF). Under E6(R3), the sponsor should ensure the TMF is complete, legible, and readily available for audit/inspection. This includes records provided by CROs or vendors – sponsors must oversee that those partners maintain required records and transfer them to the sponsor’s TMF in a timely manner. A new emphasis is on TMF timeliness: the TMF should be up to date at all times (so-called “clinical trial contemporaneous TMF”), not compiled months after study completion. Many regulatory inspectors now request TMF access even before arriving on-site, reflecting that expectation. Sponsors should thus treat TMF management as an active process during the trial, with periodic QC checks to ensure all expected docs from sites and vendors are filed properly.
• Data Management and Quality Control by Sponsor: E6(R3)’s data governance section includes that sponsors should have processes for data management and data quality control (like data cleaning, query management, validation of datasets). While this was always a practice, the guideline’s explicitness means inspectors may ask for your Data Management Plan or similar documentation. That plan usually covers how data will be handled from collection to database lock, including any computerized system validations, how discrepancies are managed, how coding of terms is done, etc. Ensuring these plans exist and are followed is part of good data governance. For example, if using electronic health records as source, the plan might detail how source data will be verified and transferred to the CRF, and how any data transformation is documented.

Handling Modern Data Types and Sources

The new GCP revision is clearly written with modern trial data in mind. Some scenarios to consider:

• Electronic Source Data: More trials have source data that are electronic (such as eDiaries, ePRO tablets, electronic health records, wearables). E6(R3) does not forbid these – on the contrary, it provides a framework to use them responsibly. The key is to preserve a “copy” of the source that is at least as reliable as the original. For instance, if patients input symptoms on a mobile app (that’s the source), the investigator should have a way to access that data and perhaps certify it into a PDF for archiving in the site file if needed. The term “certified copy” appears in E6(R3) – meaning a copy of original data (electronic or paper) that has been verified to have the same information, thus can stand in place of the original for inspection. Sponsors and sites will often generate certified copies when migrating records (say, scanning all paper records and certifying the scan process so they can go paperless). GCP accepts this as long as the certification process is robust and documented (e.g., a SOP that scanned copies are reviewed for accuracy and then digitally signed by a responsible person).
• Real-World Data and External Data Sets: Some trials incorporate data from outside sources like claims databases, national registries, or central data warehouses (see Blog #10 for more on this). From a documentation point of view, if such data is used for trial analysis, there must be records of what was obtained, when, from where, and under what permission. For example, if linking a cancer trial to a national death registry for survival follow-up, the sponsor should have an agreement or data transfer record, a list of patients sent/matched, and the raw data returned. These become essential records because they support the trial endpoints. Additionally, any data transformation or linkage should be documented (so an auditor could replicate the merge and confirm it was done correctly).
• Data Privacy Documentation: With GDPR and other data protection laws in effect, a “document” that has become essential is proof of compliance with privacy requirements – e.g., subject consent for data use, or in some countries, approval from data protection authorities. Under GCP, protecting participant confidentiality is critical, so retaining documents like signed confidentiality agreements (in case of vendor access to patient data), or a privacy impact assessment conducted for the trial, can be considered part of essential documentation demonstrating that aspect of compliance.

Practical Tips for Managing Essential Records and Data Governance

To align with E6(R3):

• Create a Trial Documentation Checklist Adapted to Your Study: Don’t just use a generic list – add items unique to your trial (e.g., device calibration certificates, central reading charters, interactive response system records). Also assess if any items on a generic list don’t apply and note why. This helps during inspection to show you systematically identified what’s essential.
• Invest in an Organized Filing System (Physical and/or Electronic): Organization is half the battle. Use tabs, indexes, and naming conventions that mirror the trial processes. Many sponsors structure the TMF by sections (e.g., 1.0 Protocol and Amendments, 2.0 Regulatory Approvals, 3.0 Consent Documents, 4.0 Drug accountability, etc.) which is fine. The key is consistency and completeness. Electronic TMF systems can assist with searchability and remote access for stakeholders, but even they require careful indexing. Ensure site files mirror relevant parts of the TMF so sites aren’t missing documents they should have.
• Version Control: Maintain logs of document versions for protocols, IBs, consent forms, etc. E6(R3) expects that the current approved versions are evident and that superseded versions are archived, not mixed up. Clearly label documents with version numbers and dates. This avoids confusion, for example, if an old consent form mistakenly stays in a site file – with proper version control, it will be clear it was replaced and is not the active one.
• Document Data Decisions: If you make decisions about data handling (like excluding a certain data set from analysis due to quality issues, or setting certain edit check thresholds), document these in memos or meeting minutes. Under data governance, one should be able to follow why certain data appear or don’t appear in the final dataset. This is especially important if during cleaning you decide to “lock” data or override something – keep an audit trail or explanation. Regulators want to trust that the data as presented are reconstructable from source with a documented chain of actions.
• Regular QC and Audits: Don’t wait until just before an inspection to see if your documentation is in order. Project teams should schedule periodic quality control reviews of the TMF and site files. Many sponsors do an in-house audit of the TMF at milestones (like after enrollment complete or before database lock) to catch missing documents while there’s still time to retrieve them. For data, conducting mock “data traceability” exercises can be useful – pick a few patients and try to follow their data from consent form to CRF to the analysis listing, seeing if every link is supported by documentation. If, say, you find a lab value in the analysis that you can’t find in the site’s source, that’s an issue to fix early.

Conclusion: Strong Documentation as the Backbone of Compliance

If “if it’s not documented, it didn’t happen” was true before, ICH E6(R3) reinforces it tenfold. However, the approach is now more thoughtful: rather than blindly archiving reams of paper, the focus is on having the right documents and data in place and organized to tell the story of the trial. This shift is critical in an age of EDC systems, eTMFs, and plentiful digital data.

By understanding and implementing the data governance principles of E6(R3), sponsors and sites will not only be inspection-ready, but also operationally more efficient. Good data management practices reduce errors and ensure that when it’s time to compile results or respond to queries, the answers are readily available. It also future-proofs trials: years after a study is over, if questions arise or if submissions are made to health authorities, the essential evidence is intact and accessible.

In summary, E6(R3) encourages moving from a compliance mentality to a quality mentality in record-keeping. It’s not about having a binder to satisfy auditors; it’s about making sure the trial’s conduct and outcomes are transparently documented such that anyone reviewing can reach the same conclusions. For stakeholders, this means placing greater emphasis on system validation, data integrity, and thoughtful archiving. By doing so, you safeguard the very foundation on which trial conclusions stand: reliable data and verifiable conduct. Effective data governance and documentation are thus not just regulatory checkboxes – they are enablers of trust in the trial results and ultimately trust in the new therapies developed through those trials.

References

• ICH Guideline for Good Clinical Practice E6(R3), Final Step-4 Guideline, Jan 6, 2025. [1]
• “The revamped Good Clinical Practice E6(R3) guideline: Profound changes in principles and practice,” Arun Bhatt, Perspectives in Clinical Research, 2023. [3]
• TransCelerate/ACRO’s E6(R3) Asset Library: tools on trial design, risk management, data governance. [5]

For those interested in gaining our Transcelerate Biopharma-certified courses, please enroll in our ICH GCP E6 R3 courses at https://www.whitehalltraining.com/

#GCPE6R3 #ClinicalTrials #ICHGuidelines #ClinicalResearch #ICH #E6R3 #GCP #WhitehallTraining #CRO #GoodCllinicalPractice #ClinicalTrials

Guidance To Explore

For those wanting to dive deeper into the details:

• ICH E6 (R3) Final Guideline (Step 4, January 6, 2025) – The official reference text.
• FDA Overview of ICH E6 (R3) – A clear outline of the changes and their implications.
• EMA Step 5 Guideline – European regulatory perspective on implementation.
• TransCelerate ICH E6 Asset Library – Practical tools and frameworks to support adoption (TransCelerate).