The personalization of autologous advanced therapy medicinal products (ATMPs) makes patients an intrinsic part of the supply chain. It begins with collection and registration of starting materials, which necessitates tracking and recording chain-of-identity (CoI) and chain-of-custody (CoC) information for every dose. This situation could expand the challenges of patient data management throughout the whole supply chain, increasing data privacy risks to both patients and suppliers. ATMP manufacturers must therefore protect data privacy not only as clinical trials start, but also as therapies extend into additional territories where data and documentation requirements often differ.
The CoI challenge that ATMP developers have become familiar with grows significantly more complex when they scale therapies commercially. Working with increasing numbers of suppliers from different geographic areas complicates both supply chain orchestration processes and communication and enforcement of regulatory criteria.
Global data and privacy legislation is complex. Despite commonalities among global data-privacy regulations, their differences influence data policies for each territory. Generally, however, a logical starting place for compliance efforts is to restrict the processing and transfer of controlled data and thus minimize risk to all parties.
To prevent unnecessary processing of sensitive data within ATMP supply chains, access should be limited to small user groups with clearly outlined responsibilities for data protection and management. Specifically, a regulated company (data owner) needs a legal framework in place that details the roles and responsibilities for all data processers in its supply chain. Those restrictions must allow for the ATMP supply chain process to move quickly — accommodating short product shelf-lives — and for CoI checks throughout the therapy journey. Those requirements necessitate an efficient CoI management or orchestration system to support CoI checks in multiple locations without breaching privacy or data processing regulations.
With the high complexity, large data volumes, and short timeframes for ATMP CoI management, a digital cell orchestration system (COS) can help therapy sponsors manage CoI within the confines of data regulations. A COS provides necessary access to information for all supply chain stakeholders within required timeframes, minimizes supply chain losses and errors, and enables fine control over the policies and rules that govern data flow.
While implementing a digital COS, an ATMP developer needs to consider specific information required at each stage of the supply chain, and how that links with unique patient identifiers. Once the data requirements for each step of the process have been identified (e.g., patient registration, logistics, and manufacturing), the COS can be configured to regulate how data are accessed. Specificity of access can be achieved through restricted views for user profiles or integration with third-party systems that send out pseudoanonymized data — or pull in other data to form part of a total CoI record. This facilitates fast and safe progression of a therapeutic journey and creates a single source of truth for the CoI that sponsors (as data owners) can control. This functionality prevents supply chain partners from inadvertently becoming processors of sensitive information.
When developers of personalized ATMPs begin to focus on commercial scale-up and access to treatment, barriers to data management often become apparent. Territory-specific best practices and regulations are not restricted to data protection and have proven to be significant obstacles. That is the case despite a growing number of voices calling for international standardization. Such standardization is unlikely to cover data protection and privacy specifically, but it might address connected activities (e.g., starting-material labeling) for which variations arise by region, therapy type, and development stage.
For example, a US Food and Drug Administration (FDA) March 2022 draft guidance document recommends that chimeric antigen receptor T (CAR-T) cell-based product labels include at least two unique identifiers (1), but the de facto standard is three. If such recommendations progress to becoming part of the regulatory framework without global alignment, then CoI management would have to become more sophisticated to manage multiple processes and rule sets.
As the industry strives toward its goal of widespread patient cures, robust CoI management will be ever more critical to ensuring compliance across the many different geographies in which sizeable patient populations need commercial ATMPs.
1 CBER. Considerations for the Development of Chimeric Antigen Receptor (CAR) T Cell Products. US Food and Drug Administration: Rockville, MD, March 2022; https://www.fda.gov/media/156896/download.
Matthew Lakelin is cofounder and vice president of scientific affairs and product development at TrakCel Ltd., Waterfront 2000, 11 Raleigh Walk, Cardiff CF10 4LN, United Kingdom; 44-29-2048-3729; https://trakcel.com.