The Compliance Office

National University of Sudan

Purpose

The Compliance Office (the Office) is established to promote and safeguard the ethical, legal, and policy-compliant research and operations of the National University of Sudan. Its mandate is to ensure adherence to applicable national laws, Sudanese institutional policies, WHO guidelines, international standards, and funder requirements; to mitigate risk; and to foster a culture of integrity, transparency, and accountability across all activities.


Scope

  • Research ethics and regulatory compliance: human subjects, animal welfare, biosafety and biosafety containment, data privacy, and consent processes.
  • Data governance and information security: data handling, retention, sharing, privacy, and breach response.
  • Intellectual property and licensing: disclosures, ownership, licensing, and publication considerations.
  • Transfer of materials and data: MTAs/DTAs, provenance, usage limitations, and post-transfer obligations.
  • Anti-corruption, conflicts of interest, and ethics in procurement.
  • Training, monitoring, auditing, and reporting mechanisms.
  • Relationship with external partners, sponsors, and regulatory authorities.

Governance and Organisational Structure

  • Reporting line: The Compliance Office reports to the MRC Director and maintains direct access to the IRB Committee and the Audit and Finance Committees.
  • Director of Compliance: Responsible for overall leadership, policy development, and oversight.
  • Compliance Officers: Manage key domains (Ethics & Human Subjects, Data Privacy & Security, IP & Licensing, Material & Data Transfer, and Risk & Audits) and serve as the primary points of contact.
  • Liaison roles: Coordinators for biosafety, IP management, and external regulatory affairs.

Roles and Responsibilities

  • Policy development: Create, update, and maintain compliance policies and SOPs aligned with national laws and international standards.
  • Training and awareness: Develop and deliver mandatory training on ethics, biosafety, data protection, IP basics, and compliance expectations; maintain training records.
  • Monitoring and auditing: Conduct periodic internal audits, spot checks, and risk assessments; track corrective and preventive actions (CAPAs) and verify their closure.
  • Incident management: Establish, report, investigate, and remediate compliance incidents; document findings and communicate with relevant authorities as required.
  • Risk management: Identify compliance risks, maintain risk registers, implement mitigation strategies, and report risk status to leadership.
  • Documentation and record-keeping: Ensure all compliance-related records are complete, current, and securely stored; implement version control and access controls.
  • Third-party oversight: Assess and monitor external partners for compliance with MTAs/DTAs, contractual obligations, and regulatory requirements.
  • Communication: Provide clear guidance to researchers and staff; maintain a central point of contact for compliance inquiries.

Key Policies

The Office has policies on the following:

  • Code of Conduct and Integrity
  • Ethics Approval, Informed Consent, and Participant Privacy
  • Data Protection, Privacy Impact Assessments, and Data Security
  • Data and Material Transfer (MTAs/DTAs) and Provenance Controls
  • Intellectual Property Disclosure, Ownership, Licensing, and Publication
  • Conflict of Interest and Merit-Based Decision Making
  • Procurement, Gifts, and Anti-Corruption
  • Incident Reporting, Investigation, and Corrective Actions
  • Training, Competency, and Records Management
  • Whistleblower Protection and Grievance Mechanisms
  • Access and Security of Research Data and Biospecimens

Processes and Procedures

  • Onboarding and training: Every new staff member and affiliate completes the required compliance training within a defined onboarding period, with refresher training provided at defined intervals.
  • Compliance reviews: Routine reviews of study protocols, MTAs/DTAs, data sharing agreements, and IP disclosures prior to activation or publication.
  • Audits and CAPA: Annual or risk-based audits; document findings; develop and track corrective and preventive actions with deadlines.
  • Reporting: Regular reports to the Director and relevant committees; escalation procedures for urgent compliance matters.
  • Documentation management: Centralised repository for policies, approvals, consent forms, MTAs/DTAs, IP filings, training records, and audit reports.
  • External engagement: Due diligence and transparency in collaborations; ensure alignment with funding requirements and local regulations.

Resources and Staffing

  • Staffing: Compliance Director and multiple Compliance Officers with domain expertise (ethics, data protection, IP, transfers, risk).
  • Training and development: Resources for ongoing professional development, external certifications, and attendance at relevant workshops or conferences.
  • Budget: Annual budget for personnel, training, audits, software tools for data governance, and required licenses or consultations.
  • Tools: Access control systems, data loss prevention tools, secure storage solutions, incident reporting platforms, and document management systems.

Performance Metrics and Reporting

  • Key Performance Indicators (KPIs): Number of policies updated, training completion rates, number of audits and CAPAs closed on time, number of compliance incidents and resolution times, and stakeholder satisfaction.
  • Reporting cadence: Quarterly internal reports to MRC leadership; annual compliance report to the Director; ad hoc reports for significant events or regulatory changes.
  • Continuous improvement: Regular reviews of the Office’s effectiveness; seek feedback from researchers and partners; adapt processes accordingly.

Compliance Culture and Stakeholder Engagement

  • Culture: Promote integrity, transparency, and accountability through leadership example, clear expectations, and open channels for concerns.
  • Stakeholder engagement: Engage researchers, clinicians, data managers, administrators, and partners in the development and refinement of compliance policies; establish regular forums for updates and feedback.
  • Confidentiality and protection: Safeguard whistleblowers and participants; ensure sensitive information is handled securely and with appropriate protections.