The important phrase is: “onus is on the Trust to demonstrate that the monitor has only accessed those records permitted”.
Checking every audit trail for every access by monitors/auditors/inspectors to all visits, by all subjects, would be resource intensive and not proportionate to the risk.
In keeping with ICH E6 (R2) and the EMA risk proportionate guidance, a risk-based approach could be taken. For instance, the audit trail could be checked for, say, 80% (or more) of the first accesses by the monitors/auditors/inspectors to subjects' records. Then, if all is fine, a “spot check” (pseudo-randomized) of, say, 10% of the audit trails of future accesses could be carried out. Obviously there needs to be a procedure (SOP) for this, a process for documenting this QC, and an escalation process for reporting discrepancies/problems. This procedure would also document the system capabilities and how they work in conjunction with organisational security measures to maintain data integrity and confidentiality.
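The sampling scheme described above can be made reproducible for the QC record. The sketch below is an added example, not part of any system or SOP the text refers to. It assumes an exported audit trail with the hypothetical fields `id`, `time`, `user` and `subject`, reads "first access" as a user's first access to a given subject's record, and uses a keyed hash with a recorded QC key (an assumption) so the same selection can be regenerated later.

```python
import hashlib
import hmac

# Constructed sample audit-trail entries and permitted list (not real data).
EVENTS = [
    {"id": "e1", "time": "2024-01-08T09:00", "user": "monitor_a", "subject": "S001"},
    {"id": "e2", "time": "2024-01-08T09:20", "user": "monitor_a", "subject": "S002"},
    {"id": "e3", "time": "2024-02-12T10:05", "user": "monitor_a", "subject": "S001"},
    {"id": "e4", "time": "2024-02-12T10:30", "user": "monitor_a", "subject": "S417"},
    {"id": "e5", "time": "2024-02-12T11:00", "user": "monitor_a", "subject": "S002"},
]
PERMITTED = {"monitor_a": {"S001", "S002"}}


def is_sampled(key, event_id, rate):
    """Pseudo-random but reproducible: the same key and event id always agree."""
    digest = hmac.new(key, event_id.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") < rate * 2**64


def select_for_review(events, key, first_rate=0.80, spot_rate=0.10):
    """Return ids to review: first accesses at first_rate, later ones at spot_rate."""
    seen, selected = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        pair = (ev["user"], ev["subject"])
        rate = spot_rate if pair in seen else first_rate
        seen.add(pair)
        if is_sampled(key, ev["id"], rate):
            selected.append(ev["id"])
    return selected


def find_discrepancies(events, permitted):
    """Return events where a user opened a subject record outside their permitted set."""
    return [ev for ev in events
            if ev["subject"] not in permitted.get(ev["user"], set())]


if __name__ == "__main__":
    qc_key = b"constructed-qc-key"  # recorded with the QC documentation
    chosen = set(select_for_review(EVENTS, qc_key))
    reviewed = [ev for ev in EVENTS if ev["id"] in chosen]
    for ev in find_discrepancies(reviewed, PERMITTED):
        print("escalate:", ev["id"], ev["user"], ev["subject"])
```

Raising `first_rate` to 1.0 reviews every first access, which matches the "(or more)" in the text.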