ISO/IEC 17025 TNI 2016 & DoD/DoE QSM

Control of Data and Information in Laboratories – Beyond Compliance

May 11, 2026

Introduction

Control of data and information is a fundamental requirement of ISO/IEC 17025, TNI 2016, and DoD/DoE QSM.

Laboratories rely heavily on data — from raw analytical results to final reports. The reliability of this data directly impacts regulatory compliance, client trust, and decision-making.

Despite its importance, data control is often treated as a technical or IT-related function, rather than a core quality system element.

What “Control of Data” Really Means

Effective data control goes far beyond storing information.

It includes:

  • Data integrity (accuracy, completeness, consistency)
  • Traceability (who generated, reviewed, and modified data)
  • Security (controlled access and protection)
  • Availability (data accessible when needed)
  • Retention and disposal (defined lifecycle management)

A well-controlled system ensures that data is complete, consistent, and trustworthy from generation to reporting.

Common Gaps Identified During Audits

In my experience, the following issues are frequently observed:

  • Use of uncontrolled tools (e.g., spreadsheets)
    Spreadsheets are widely used but often lack version control, audit trails, and access restrictions.
  • Inadequate access control
    Multiple users sharing logins or excessive permissions without clear justification.
  • Lack of audit trails
    Changes to data cannot be tracked or reconstructed.
  • Weak backup and recovery processes
    Backups may exist but are not tested or verified.
  • Inconsistent data entry practices
    Different formats, abbreviations, or manual corrections without documentation.

Why These Issues Occur

  • Legacy systems that were never fully validated
  • Perception that data control is “IT responsibility”
  • Lack of clear procedures for data handling
  • High workload leading to shortcuts
  • Insufficient training on data integrity principles

What Effective Data Control Looks Like

  • Controlled access
    Each user has a unique login with defined permissions.
  • Audit trails
    All changes are recorded, including who made them and when.
  • Standardized data entry
    Defined formats and rules reduce variability and errors.
  • Validated systems
    Software is tested to ensure it performs as intended.
  • Reliable backups
    Data is backed up regularly and recovery is verified.

Practical Steps to Improve Data Control

  • Limiting use of uncontrolled spreadsheets or adding controls
  • Implementing systems with built-in audit trails
  • Assigning clear data ownership responsibilities
  • Defining and enforcing data entry standards
  • Testing backup and recovery processes periodically
  • Training staff on data integrity (ALCOA principles):
    • Attributable
    • Legible
    • Contemporaneous
    • Original
    • Accurate

Additional Considerations

  • Data integrity expectations are increasing in regulatory environments
  • Electronic systems must be validated and maintained
  • Paper-based systems also require strict controls

Conclusion

Control of data and information is not just a compliance requirement — it is essential for maintaining confidence in laboratory results.

Organizations that treat data as a core asset, rather than just a byproduct, build stronger and more reliable systems.