Electronic data and paper reports of suspected adverse reactions should be stored and treated in the same way as other medical records with appropriate respect for confidentiality regarding patients’ and reporters’ identifiability and in accordance with applicable data protection laws. Confidentiality of patients’ records including personal identifiers, if provided, should always be maintained. Identifiable personal details of reporting healthcare professionals should be kept in confidence, protected from unauthorised access. With regard to patient’s and reporter’s identifiability, case report information should be transmitted between stakeholders (marketing authorisation holders or competent authorities) in accordance with local data protection laws (see VI.C.6.2.2.10. for guidance on the processing of personal data in the EU).

To ensure pharmacovigilance data security and confidentiality, strict control measures should be in place to provide access to documents and to databases only to authorised personnel. This security measure should be extended to the complete data path. With regard to this, procedures should be implemented to ensure security and non-corruption of data during data transfer.

When transfer of pharmacovigilance data occurs within an organisation or between organisations having set up contractual agreements, the mechanism should be such that there is confidence that all notifications are received; in that, a confirmation and/or reconciliation process should be undertaken.

Data received from the primary source should be treated in an unbiased and unfiltered way and inferences as well as imputations should be avoided during data entry or electronic submission. The reports should include the verbatim text as used by the primary source or an accurate translation of it (see VI.C.6.2.2.11. for EU guidance on languages management in ICSRs). The original verbatim text should be coded using the appropriate terminology as described in VI.B.8.. To ensure consistency in the coding practices, it is recommended to use, where applicable, the translation of the terminology in the local language to code the verbatim text.

Electronic data storage should allow traceability (audit trail) of all data entered or modified, including dates and sources of received data, as well as dates and destinations of transmitted data.

A procedure should be in place to account for identification and management of duplicate cases at data entry and during the generation of aggregated reports (see VI.C.6.2.4. for EU guidance on duplicate management).