Data Management & Governance

Establish structured data management and governance procedures for medical devices and AI systems to support regulatory compliance, traceability, and data integrity.

Services

Data management operating procedures

Data governance policies (e.g. data acquisition, data supplier management)

Data supplier management

Data protection frameworks

Data protection impact assessments

Data standard compliance (e.g. IEC PAS 63621, ISO/IEC 5259)

AI/ML dataset governance support

Data classification and access management

Data retention and documentation controls

GDPR and health data protection (e.g. NEN 7510-1, ISO/IEC 27001)

Data management process implementation

Our Specialty

What Do We Offer?

Medical devices and AI systems rely heavily on structured, reliable, and traceable data. Regulatory frameworks increasingly expect manufacturers to demonstrate how data is collected, managed, protected, and maintained throughout the product lifecycle.

We support organisations in implementing data management and governance processes aligned with MDR, IVDR, EHDS, FDA requirements, GDPR, AI Act and applicable data management standards. This includes governance structures, traceability, data integrity controls, data risks (e.g. bias, drift), and dataset management for AI/ML systems.

Our approach focuses on practical implementation throughout the full product lifecycle. Effective governance supports compliance while improving consistency, transparency, and long-term maintainability of medical device and software systems.

Frequently Asked Questions

Find answers to common questions about our services, compliance processes, and how we can assist your business.

Medical devices and AI systems increasingly depend on large volumes of data across development, validation, cybersecurity, post-market activities, and regulatory documentation. Poor data management can create challenges around traceability, consistency, audit readiness, and regulatory compliance.

Data governance refers to the processes and controls used to manage how data is acquired, stored, accessed, updated, shared, and maintained throughout the product lifecycle. In regulated environments, governance is important for ensuring data integrity, security, accountability, and compliance with applicable regulations.

Regulations increasingly expect manufacturers to demonstrate control over the quality, traceability, security, and reliability of data used within medical devices and AI systems. This includes considerations around validation data, cybersecurity, interoperability, clinical evidence, post-market monitoring, and transparency obligations.

Yes. MedQAIR supports organisations in establishing governance processes for AI/ML-enabled and software-based medical devices, including documentation structures, data traceability, lifecycle management, cybersecurity alignment, and regulatory readiness across MDR, IVDR, FDA, and AI-related frameworks.

The number of standards in the field of data management is expanding at a fast pace. International standards that support data management include the (SC42) ISO/IEC 5259 standards series (parts 1 through 6), the medical device specific (TC62) IEC PAS 63626, and standards currently under development within JTC 21 (e.g. EN 18284). Note that these standards are not yet recognised by the FDA or harmonised in the European Union, but may be considered ‘State of the Art’.

In addition, Quality and Information Security Management System standards (Management System standards) further support the management of data from a quality (ISO 13485) and information security (NEN 7510-1, ISO 13485) perspective.

Typical risks associated with data include data that is not representative of the intended purpose for which it is used, data that is incomplete, data that is homogeneous or skewed and therefore carries inherent bias, data that is outdated and does not represent the current state of the art, and so on.

Over time, data may also become outdated. For example, if data is used to train or test AI algorithms, it is important to ensure that the data continues to represent what it is used for. Continuing to retest an AI algorithm against outdated data when introducing changes to the algorithm carries a risk of overfitting on the test data. It also carries a risk that the data is no longer representative of the current clinical field, where population (e.g. age), disease (e.g. epidemics) or contextual (e.g. medical terminology) characteristics may have changed, or where technology has advanced. Data may drift over time, which can have adverse consequences for products that were trained on such data and are actively being used in the field.

Data traceability is the ability to understand where data originates, how it is processed, how it changes over time, and how it is used throughout a product lifecycle. For medical devices and AI systems, traceability supports regulatory compliance, audit readiness, validation activities, incident investigations, and confidence in the reliability of outputs generated from the data.

Organisations should establish processes to assess, monitor, and document the quality, suitability, and contractual controls associated with external data providers. This includes understanding how data was collected, whether it is representative of its intended use, any licensing restrictions, and how changes to the data source may affect product performance, validation activities, or regulatory compliance.

A Data Protection Impact Assessment (DPIA) is a structured process used to identify and mitigate privacy risks associated with the processing of personal data. Under the GDPR, a DPIA may be required when data processing activities are likely to result in a high risk to the rights and freedoms of individuals, particularly when handling health data, large-scale monitoring, or AI-supported decision-making systems.

AI and machine learning systems depend heavily on the quality, representativeness, and management of data. Effective governance helps organisations manage issues such as bias, drift, traceability, data quality, version control, and change management. Strong governance also supports transparency and regulatory expectations under emerging AI-related frameworks.

Data integrity refers to the accuracy, completeness, consistency, and reliability of data throughout its lifecycle. Organisations can demonstrate data integrity through documented procedures, access controls, audit trails, validation activities, change management processes, and controls that ensure data remains trustworthy from collection through long-term retention.

The European Health Data Space (EHDS) introduces additional expectations around the availability, interoperability, sharing, and secondary use of electronic health data within the European Union. Organisations may need to review their governance structures, documentation practices, and technical controls to ensure health data can be managed and exchanged in accordance with applicable EHDS requirements.

MedQAIR supports organisations in developing practical data management and governance frameworks aligned with MDR, IVDR, EHDS, FDA expectations, GDPR, and AI-related requirements. This includes governance structures, data classification, supplier management, traceability controls, AI/ML dataset governance, privacy assessments, and implementation of processes that support long-term compliance and operational efficiency.
