Plan and...

Non-conformances and adverse events in health research

Health Research topic page | Norsk versjon: Avvik og uønskede hendelser i helseforskning

In this context, non-conformances and adverse events refer to incidents in relation to the research participants or deviations from the approvals that were granted.

Adverse events must be reported immediately to the person or body responsible for the research (“forskningsansvarlig”), either through the project manager or directly by the person who discovered the event. The non-conformance must also be reported in writing in the non-conformance system.

A procedure for dealing with non-conformances (PDF) has been created, which must be followed by the person who receives reports from the system for non-conformances. The person or body responsible for research is responsible for ensuring that non-conformances are dealt with and resolved in line with the procedure.

If doubt arises about whether the research project is justifiable and the risk is acceptable, the project must be suspended until the issues have been clarified with the person or body responsible for research and the regional committee for medical and health research ethics (REC).

The project manager or the person or body responsible for research must report serious incidents as well as adverse and unexpected medical events to the Norwegian Board of Health Supervision (Statens helsetilsyn). In the event of death from unnatural causes, the police must be notified immediately.

If research participants have sustained injuries or if complications have arisen because of the research project, the project manager must inform the research participants immediately. At the same time, the research participants must be informed about the possibility of seeking compensation from the Norwegian System of Compensation to Patients (NPE).

Dealing with non-conformances

If research participants, human biological materials or personal data are handled in violation of established procedures, or if there is suspicion of improper conduct or documented breaches of data security, steps for dealing with non-conformances must be taken. For medical and health research projects, the person or body responsible for research must follow up the non-conformance.

The aim is to resolve the non-conformance as quickly as possible and prevent any recurrence. If the procedures do not correspond to the way that personal data are handled or the way in which the information system is used, changes in the procedures must be considered.

Incident management must be documented in a report containing information about the non-conformance, corrective actions, and results, based on evaluating the effect of the actions over time. Information about the people who have been involved in dealing with the non-conformance must also be provided.

If there is a risk of harm or offence to research participants, the research must be stopped immediately until a new assessment of risk and justifiability has taken place. If the non-conformance is major, a new risk assessment must always be performed to determine whether the established measures are adequate.

The project manager must immediately notify the supervisory authorities in writing of serious adverse and unexpected medical events and situations that might involve risks for the research participants. The police must be notified immediately in the event of death from unnatural causes. The research participant must be notified about harm and complications, as well as the right to seek compensation from the Norwegian System for Compensation to Patients (Norsk Pasientskadeerstatning, NPE).

If the non-conformance has resulted in unauthorized disclosure of personal data where confidentiality is necessary, the Data Inspectorate must be notified.

Procedure for resolving non-conformances

  • identification of the cause of the non-conformance
  • planning and implementation of measures to prevent recurrence
  • collection and securing of incident registers and any other evidence
  • communication with users who are affected by or involved in remediation

Dealing with non-conformances consists of

  • Detection of the non-conformance. Non-conformances may be discovered by employees who find out that information has gone astray, ICT operations personnel who detect security breaches, or the person or body responsible for research who discovers a non-conformance in connection with control procedures. Notifications of non-conformances may also come from a data processor or through automatic notification features.
  • Reporting. All employees have a duty to report any non-conformances. The notification usually goes to the project manager. If serious violations of the guidelines occur, the project manager forwards the notification to the person or body responsible for research.
  • Immediate measures. As soon as possible, steps must be taken to eliminate the non-conformance, limit the level of harm or damage, and limit any consequential loss. The immediate measures are determined by the person responsible for handling the non-conformance (the project manager) or the employee who discovers the non-conformance.
  • Corrective measures. Corrective measures are the longer-term changes made because of the non-conformance. The corrective measures are intended to eliminate or reduce the cause of the non-conformances. These may involve extensive changes in ICT systems, the organization and procedures. The responsibility for this is assigned to the person or body responsible for research, in cooperation with the local or central person responsible for IT security if the non-conformance is related to IT security.
  • Assessment of the measures. After some time, the person or body responsible for research considers whether the measures have been appropriate and have prevented further security breaches.If the non-conformance is related to IT security, the assessment is performed together with local or central staff responsible for IT security.

Examples of non-conformances that must be followed up

  • Personal injuries, unexpected medical incidents and complications/adverse effects and similar.
  • Unintentional disclosure of personal data or human biological material, or any suspicion of such disclosure.
  • Storage of human biological material or personal data without consent or other basis for processing them.
  • Employees who use the information system without authorization.
  • Defects in equipment or software errors that may affect patient safety, information security or the operation of the information system.
  • A request for access to information that has been denied due to the employee’s lack of familiarity with procedures.

Other examples include a printout sent to the wrong printer, theft of portable equipment, medical records on paper left openly available, users who leave a workstation unsecured, users who let other people borrow their username and password, access rights that are not removed when users leave or the project ends, health and personal data sent using unsecured email, access not available to authorized users, misappropriation of confidential information (snooping) and use of emergency access based on the “principle of necessity”