Protocol deviation: is any breach, divergence or departure from the requirements of Good Clinical Practice or the clinical trial protocol
Serious breach: a breach of Good Clinical Practice or the protocol that is likely to affect to a significant degree: a) The safety or rights of a trial participant, or b) The reliability and robustness of the data generated in the clinical trial.
Note: this guidance's definition of serious breach differs from the definition in the Australian Code for the Responsible Conduct of Research and is about deviations from the requirements of Good Clinical Practice or the clinical trials protocol.
Suspected breach: a report that is judged by the reporter as a possible serious breach but has yet to be formally confirmed as a serious breach by the sponsor.
Data Breach: any actual or suspected unauthorised access or use, misuse, damage or destruction of data by any person. It can be any incident in which data is compromised, disclosed, copied, communicated, accessed, removed, destroyed, stolen, lost or used by unauthorised individuals, whether by accident or intentional.
Requirements for reporting of protocol deviation and breaches
Protocol Deviations do not need to be notified to the HREC, unless they meet the definition of a serious breach. Therefore researchers need to make HRECs aware of the small sub-set of deviations that have a significant impact on:
- the continued safety or rights of participants, or
- the reliability and robustness of the data generated in the clinical trial.
These are what we call 'serious breaches'. The investigator should also report a serious breach at their site to their institution (via the Research Governance office). This is because the breach could impact on medico-legal risk, the responsible conduct of research, or adherence to contractual obligations.
For more information on deviations and breaches, see the NHMRC document Reporting of Serious Breaches of Good Clinical Practice (GCP) or the Protocol for Trials Involving Therapeutic Goods. This guidance applies to both commercial and non-commercial clinical trials involving therapeutic goods. For local requirements please refer to the CRDO Launching Pad for the management and reporting of protocol deviations and serious breaches.
Reporting - how to
Serious and suspected breaches must be notified to the HREC in a timely manner.
Serious Breach Report Form (Sponsor) and
Suspected Breach Report Form (Third Party) which must provide a detailed description of what occurred and the steps taken to resolve/address the issue or prevent future occurrences . The report should be completed via
as soon as practicable.
All Data Breaches involving MCRI projects must be reported to MCRI's
Data Breach Response Team (DBRT) to be assessed for severity and impact on affected participants in line with the Privacy Act. Please see the
Data Breach policy
for more information and guidance on handling data breaches, including the
Data Breach Response Plan. The Director of Research Operations has a role on the DBRT, therefore breaches do not need to be reported to the HREC in addition to the Data Breach team. Please complete a
Data Breach Reporting Form and email to
firstname.lastname@example.org as soon as practicable. The DBRT (in conjunction with REG) will review the breach an provide feedback on the corrective and preventative actions needed. If the breach is deemed serious the DBRT will advise the PI to report to the HREC via the above serious breaches process.