Hosted services (e.g. platform, software, data storage, archiving, backup or processes as a service, cloud computing, etc.) should be treated like any other supplied services (OECD Document No 17, paragraph 39). Written agreements are required which describe the roles and responsibilities of each party and proper documentation to ensure adequate risk control and risk mitigation. Uncontrolled use of hosted services may carry risks to integrity, availability, ownership, and confidentiality of data and may not be acceptable.
The need for, and extent of, vendor assessment should be based upon a risk assessment taking into account the complexity of the computerised system and the criticality of the business process supported by the computerised system. The need for an audit should also be based on a documented risk assessment. It is test facility management’s responsibility to justify the requirement for and type of audits based on risk.