Q: I’m reviewing our policy on shared passwords and accounts. We’ve issued a limited number of general passwords to supervisors or operators on the production floor so they can retrieve production documents electronically. Under 21 CFR Part 11.300(a), is it OK for more than one person to have the same password if their log-in IDs are different?
A: General passwords can be used in rare circumstances. Most commonly, they are limited — logically and procedurally — to the ability of the user to “view only”. That is, nothing can be copied, modified, or deleted with these accounts. Even then, the use of shared passwords is a significant security issue if an employee leaves, transfers, or gets involved with regulated decision-making such as approving the release of in-process materials, etc.
So overall, it’s best never to issue such general passwords, and it’s likely FDA would cite such an action with an FDA-483.
You ask if it’s OK for more than one person to have the same password if their log-in IDs are different. No one should ever know that more than one person has the same password. If the system issues a warning that a password is already taken, sometimes it can be easy to determine the identify of that person and get access to his or her account, which of course is another security breach.
If two or more people collude to have the same password, they are likely violating the FDA regulations.
If two or more people collude to have the same password, they are likely violating the FDA regulations and, by planning to circumvent the regulations, are engaging in a felony under Title 18 of U.S. Criminal Law.
My advice: never allow shared passwords. Most companies consider it a firing offense. And make sure your employees understand system security and the reasons for it. FDA expects uniqueness for user IDs and passwords.
Answered by Martin Browning, President and Co-Founder of EduQuest (22 years as an FDA investigator, co-author of FDA’s Part 11, and contributor to the Quality System Regulation). Martin also is the chairman of EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 training course.