/Docs/G/GA4GH/Accountability-Policy/Form/0.md
Best Practices: Monitoring and Responding to Non-Compliance
  1. Stakeholders involved in oversight of data sharing and data users (e.g., employers or guarantors) should establish clear policies and processes to address cases of non-compliance. In the context of this Policy, non-compliance should be understood in relation to locally adopted data sharing standards. Categories of non-compliance may include:
    • Data misuse (non-compliance with applicable laws, regulations, guidelines, policies, approved protocol, or access agreements);
    • Data breach (the wrongful release of data, whether as a result of accident, negligence or malice);
    • Data hoarding (unreasonable or unjustified withholding of data);
    • Non-compliance with security procedures;
    • Provision of inaccurate or incomplete data or information (e.g., in data submission, access application, or progress report);
    • Failure to obtain prior ethics approval before starting a research project, if required;
    • Failure to appropriately acknowledge the efforts of contributors;
    • Failure to respect benefit sharing requirements; or
    • Inadequate supervision of research by an employer or guarantor.
  2. Such policies and processes should aim to mitigate harm, deter future non-compliance, and educate stakeholders to prevent future non-compliance, in order to maintain trust in the research enterprise. The system established to monitor, adjudicate, and respond to non-compliance should be proportionate to the risk and harms of non-compliance. Responses to non-compliance may be either facilitative or punitive. It may be premature to apply punitive sanctions where data sharing standards are still evolving, and they cannot be applied at all in the absence of formal oversight. To enhance accountability throughout the research ecosystem, stakeholders must collaborate to establish common data sharing standards; shared definitions of non-compliance; common monitoring, reporting, and investigation processes; as well as consistent responses to non-compliance.
  1. Monitoring
    Stakeholders involved in the oversight of data sharing and data users should respond in a timely and consistent manner to reports of non-compliance. Where feasible, an officer should be designated to handle and investigate such complaints. The name, role, and contact information of this officer should be made publicly available. Fair and transparent processes for investigating complaints of non-compliance should be established. It should be made clear in advance 1) that the parties are to be constructively involved in investigations, and 2) what consequences will apply if a party fails to provide assistance. All communications during an investigation should be logged, and kept confidential throughout to protect those under investigation from reputational harm.
  2. Responding to Non-Compliance
    1. A range of appropriate responses or sanctions (minimum to maximum) should be defined and made available for each category of non-compliance. Depending on the seriousness of the non-compliance and the type of stakeholder(s) involved, responses may include:
      • Call for an explanation;
      • Additional training;
      • Financial or technical aid;
      • Warning;
      • Compliance audits;
      • Suspension/termination of employment;
      • Suspension/termination of access;
      • Suspension/termination of related services;
      • Suspension/termination of funding;
      • Suspension/retraction of publication; or
      • Report of non-compliance to:
        • Data steward(s) who provided the data;
        • Data donor(s) who provided the data;
        • The employer of the data user;
        • The ethics body responsible for the project;
        • Funders, data stewards, or journals implicated in the research;
        • Regulatory authorities or law enforcement officials; and/or
        • The general public.
    2. Criteria should be defined for assessing the severity of a sanction, for example, first or repeat non-compliance; non-compliance not self-reported in a timely manner; sensitivity of data; or impact on data donors, data stewards, or vulnerable populations. Where repeated incidents occur at the same institution, it may be appropriate to apply sanctions both to individual researchers and to the institution. In assessing non-compliance, elements of procedural fairness should be respected, including transparent, fair, and independent adjudication, a reasonable opportunity for affected parties to be heard, and specification of circumstances where an appeal is possible (e.g., when substantial sanctions are applied).
    3. To improve collective knowledge of non-compliance events, the compliance officer (or other person) should prepare a summary log of the nature of each non-compliance event and how it was resolved. This information should only be released once the non-compliance has been resolved, and should not identify the parties involved. Such a log would provide important data on the frequency, nature, and source of non-compliance events for future policy development.