For the purposes of recordkeeping, audit trail, and inspection, each electronic data
element should be associated with an authorized data originator. The data originator may
be a person, a computer system, a device, or an instrument that is authorized to enter,
change, or transmit data elements via a secure protocol into the sponsor’s EDC system or
into the electronic system of a trusted proxy agent such as a contract research
organization.
If a study participant who is using the mobile technology actively participates in the
performance measure by entering and submitting data to the sponsor’s EDC system (e.g.,
when using an ePRO app or when performing visual acuity testing), the study participant
should be identified as the data originator.
If the mobile technology, such as an activity tracker or a glucose sensor, transmits data
automatically to the sponsor’s EDC system without any human intervention, the mobile
technology should be identified as the data originator. In these cases, a data element
identifier should be created that automatically identifies the particular mobile technology
(e.g., name and type) as the originator of the data element. Information associated with a
data element includes the origin of the data element, the date and time of entry, and the
ID number of the study participant to whom the data element applies. Once set by the
electronic system, this value should not be alterable in any way.28
In some cases, data from the mobile technology may be obtained in the course of medical
care and may be entered manually or automatically into an EHR. The EHR data may, in
turn, be used in a clinical investigation and entered into the sponsor’s EDC system. In
this situation, identifying the EHR as the data originator is sufficient because sponsors are
not expected to know the details about all of the users and mobile health technologies that
contribute information to the patient’s EHR (see section IV.C).
The sponsor should develop, maintain, and make available a list of authorized data
originators. When identification of data originators relies on usernames and unique
passwords, controls must be employed to ensure the security and the integrity of the
authorized usernames and passwords (see 21 CFR 11.10(d)). When electronic
thumbprints or other biometrics are used in place of username and password
combinations, controls must be designed to ensure that the biometric identifier cannot be
used by anyone other than the identifier’s owner (see § 11.200(b) and section V.Q27).29
