
Introduction
External data in clinical trials rarely stays within a single system. Lab results, ePRO data, IRT randomisation records, ECG waveforms, and imaging data all require governance - built through two essential documents: the Data Transfer Agreement (DTA) and the Data Transfer Specification (DTS).
The requirement for documented oversight of external data handling is grounded in ICH GCP E6(R2) Section 5.5, which places responsibility for data integrity on the sponsor regardless of which system or vendor generates the data. Many organisations use a Master DTA (covering the governance framework for the vendor relationship) with study-specific addenda for each individual study transfer.
Even if data is not uploaded into the EDC, it is still part of the study evidence trail and must be controlled.
Why External Data Governance Matters
Without structured governance over external data transfers, several risks emerge: data integrity failures from inconsistent formats or missing records, role ambiguity when discrepancies arise, inconsistent handling across transfers, inspection risk from inadequate documentation, and patient safety impact from delayed or incorrectly handled safety data.
Strong data transfer governance ensures data integrity and reliability, clear roles and accountability, consistent handling and quality across transfers, inspection readiness, and better decision-making based on complete verified data.
What Is a DTA?
A Data Transfer Agreement (DTA) is a governance document that defines the responsibilities, expectations, and accountabilities for the exchange of data between parties.
DTA = Agreement on HOW data will be transferred and WHO is responsible for WHAT.
A DTA governs the process between parties, addressing: Roles and Responsibilities · Transfer Method and Frequency · Issue Management and Escalation · Security and Privacy · Approvals and Reconciliation · Quality and Acceptance Criteria.
Minimum Requirements - DTA
Study Information - protocol title, sponsor, CRO, vendor, system
Purpose and Scope - why data is transferred and how it will be used
Roles and Responsibilities - sender, receiver, data owner, contacts
Data Description - types of data included in the transfer
Transfer Method and Frequency - SFTP, portal, API, manual
Security and Privacy - de-identification, PHI handling, access controls
Quality Control - test transfer, QC checks, acceptance criteria
Issue Management - missing, late, incorrect, or duplicate file handling
Correction and Change Control - how corrected data and changes are managed
Reconciliation - with EDC or other source system as applicable
Retention and Archival - storage location and retention period
Approvals and Signatures - all relevant parties
A DTA is about accountability, governance, and expectations.
What Is a DTS?
A Data Transfer Specification (DTS) is a technical document that defines the structure, format, content, and rules for the data being transferred.
DTS = Specification of WHAT data will be transferred and HOW it must be structured.
Minimum Requirements - DTS
File Information - file name convention, format, versioning
Data Structure - record level, file layout, dataset list
Key Identifiers - study, site, subject, visit, sample, session
Variable Specifications - name, label, type, length, format for every variable
Units and Code Lists - controlled terminology, reference lists
Date/Time Rules - format, time zone, 24-hour convention, DST, partial dates
Missing Data Rules - allowed codes, blanks, not-done conventions
Validation Rules - range checks, mandatory fields, logic checks
Reconciliation Rules - match keys, EDC alignment, acceptable windows
Duplicate Handling - identify, flag, or remove duplicate records
Correction/Supersede Rules - how updated data replaces prior data
QC Responsibilities - who checks, who approves, how it is logged
Archival and Retention - final file location, retention period, version control
A DTS is about data structure, standards, and quality rules.
DTA vs DTS - At a Glance
AspectDTADTSPurposeGovern the process and responsibilitiesDefine the data and technical detailsScopeWho does what, when, how, and with what commitmentsWhat data, in what format, structure, and with what rulesNatureGovernance / Operational / Sometimes contractualTechnical / Data / ProcessFocusParties, roles, frequency, security, issue managementFile layout, variables, validation rules, naming, reconciliationKey QuestionWho will send, receive, manage, and own the data?What exactly is in the file and how must it be used?When UsedHigh-risk or critical transfers, recurring exchangesWhenever data are transferred, loaded, transformed, or reconciled
High-risk transfers often require BOTH DTA and DTS.
When Are They Required?
DTA required or strongly recommended when: Vendor sends data on a recurring or ad hoc basis · Data are safety-critical, analysis-critical, or regulated · Data will be imported into EDC or submitted · Reconciliation is expected · Third-party service providers are involved.
DTS required when: Data are transferred, downloaded, or received · Files are loaded, transformed, reconciled, or reviewed · Data are used for analysis, reporting, or listings · Technical understanding and QC rules are needed · Even when data are not uploaded into the EDC.
Both documents are recommended for high-risk, high-frequency, or regulated transfers.
Decision Framework: DTA vs DTS vs Both
Risk LevelCharacteristicsDocument RequiredHigh Risk or Critical DataSafety data, submission data, high frequencyDTA + DTSMedium Risk or Recurring DataRegular transfers, analysis-relevantDTA + DTS (consider both)Low Risk or One-Time DownloadAd hoc, archive-only, manualDTS (lightweight) or DMP-only with documented rationale
Risk-based approach = right level of control. Document all decisions with rationale and approval.
How to Implement - Step by Step
Identify External Data Sources - list all sources, systems, vendors, and data types at study setup
Define Data Use and Requirements - how will data be used and what are the critical elements?
Decide DTA / DTS / Both / DMP-only - apply the decision framework; document the rationale
Define Roles, Process, and Technical Details - document responsibilities, timelines, QC, reconciliation, issue handling
Execute Transfer and Perform QC - receive/download data, run validation, reconcile, log issues, obtain acceptance
Maintain Records and Close Out - archive final files, logs, approvals, and formally close the transfer
Principle: Plan well. Agree clearly. Transfer securely. Check thoroughly. Archive reliably.
Minimum evidence package: Transfer/Download Log · QC and Validation Log · Reconciliation Log · Issue and Resolution Log · Approved DTA and DTS · Final Accepted Files · Superseded/Corrected Files · Archive Confirmation.
Summary
The DTA and DTS serve complementary and non-overlapping roles:
The DTA governs the relationship and process between data-transferring parties
The DTS governs the structure and quality of the data itself
Both are required for high-risk, high-frequency, safety-critical, or submission-relevant transfers. A risk-based decision framework determines what is needed for lower-risk transfers.
Govern the process. Define the data. Ensure quality. Protect integrity.
About the Author
Neel Gajjar
CCDM®Clinical Data Manager II
Clinical Data Manager specialising in EDC systems, CDISC standards, and GCP-compliant data governance. Creator of the Clinical Research Learning Hub — a platform built to make rigorous clinical research education accessible to every professional in the field.
Connect on LinkedInAll content is expert-written and SME-reviewed. Regulatory references are verified against current ICH GCP E6(R2), FDA, and EMA guidance.



Comments
Leave a comment