Loading ...

From lab to market: how data integrity failures translate into legal liability

Australia’s health and life sciences sector is growing rapidly, and with that growth comes a more complex web of legal exposure for the organisations that operate within it. The recent Bartier Perry panel event, Health and Life Sciences: Research Integrity Under the Microscope, explored how failures in data and research integrity translate into real-world risk. What emerged from that discussion was a clear message: the legal consequences of data integrity failures are not confined to those who falsify data. They extend, often significantly, to those who rely on it.

This article examines the practical legal mechanics of how that exposure arises: from the regulatory classification of products, to the liability that attaches to sponsors and importers, to the personal risk facing directors when misconduct occurs on their watch.

Key takeaway

The legal consequences of data integrity failures are not confined to those who falsify data. They extend to those who relied on it, those responsible for checking it, and those with the power to stop it.


Regulation by risk: what classification actually means

Not all therapeutic goods in Australia are regulated the same way. The Therapeutic Goods Administration (TGA) operates a risk-based framework that distinguishes between “registered” products (which include prescription medicines and higher-risk goods subject to rigorous pre-market evaluation) and “listed” products (which are considered lower risk and reach the market through a self-certification process).

Sunscreens are a listed product. To bring a sunscreen to market in Australia, a sponsor must use approved ingredients, make approved claims, provide a certified SPF result, and list the product with the TGA. The TGA does not independently test listed products before they enter the market. It relies on the accuracy of the information provided.

The consequences of that reliance became apparent in 2025, when Choice Magazine reported major discrepancies between the SPF ratings advertised on a number of sunscreens sold in Australia and the results of independent testing. Some products claiming SPF 50+ returned test results as low as SPF 4. The TGA announced a consultation on proposed reforms to sunscreen regulation in early 2026: a prospective, educational response to what was, for many consumers, a serious safety failure.

Critical insight

The listed classification transfers the burden of quality assurance to the sponsor, and with it, the legal consequences if that assurance proves unfounded.

 

You can outsource manufacturing. You cannot outsource liability

The sunscreen example illustrates a broader principle that applies across the life sciences sector: the entity that brings a product to market in Australia bears primary legal responsibility for that product, regardless of where it was made or who tested it.

Under Australian consumer law, the importer or sponsor of a product is primarily responsible for its safety and conformity with advertised claims. A consumer harmed by an SPF 4 sunscreen sold as SPF 50+ has a claim against the entity that sold it in Australia, not the overseas manufacturer, and not the testing house that certified the SPF result. Those parties may be brought into the picture through contractual indemnities or contribution claims, but that process is neither quick nor certain, and it does not reduce the primary exposure of the sponsor.

The panel discussion made clear that due diligence in this sector must go well beyond reviewing a certificate or a testing report. Organisations should be auditing supplier facilities, testing independently where the stakes are high, and building appropriate contractual protections into supply arrangements before they execute them. Not every counterparty will accept liability for product failure, and not everyone will be solvent or within Australian jurisdiction when you need them to be.

When data integrity failure is deliberate: from misconduct to fraud

The sunscreen scenario raises questions of negligence, inadequate due diligence, and supply chain accountability. It is a world away from deliberate falsification. But the panel discussion drew a direct line between the two, because the legal and commercial consequences of deliberate data manipulation are instructive for any organisation thinking about what its own controls are designed to catch.

The Ranbaxy case remains one of the starkest examples of pharmaceutical fraud. The India-based generics manufacturer systematically falsified manufacturing and testing data submitted to regulators. To pass bioequivalence and stability testing, the company fabricated data or tested pristine “golden batches” under ideal conditions, while the commercial products were manufactured at facilities that routinely failed to meet specifications. The fraud was brought to light by a whistleblower and confirmed through FDA audits. Ranbaxy ultimately paid USD $500 million in criminal fines and civil penalties. Australian patients were affected; Ranbaxy generics had been registered and distributed here as well. 

Case spotlight: Ranbaxy

  • USD $500 million in criminal fines and civil penalties.

  • Systematic falsification of manufacturing data across multiple facilities.

  • Internal audit processes were absent, ineffective, or complicit.

  • When a regulator gets involved, it is almost always because internal audit has failed.


In Australia, a more recent illustration of data concealment and market misconduct can be found in the Sirtex case. Sirtex Medical developed SIR-Spheres, a selective internal radiation therapy technology, and built it into a commercially listed company. Its CEO, Gilman Wong, was subsequently convicted of insider trading after selling over $2 million in shares while in possession of non-public, downward-trending internal sales growth data. Just weeks later, a major market downgrade sent the stock tumbling.

The case illustrates a feature of data integrity and disclosure failures that is easy to overlook: once compromised or withheld operational data enters the corporate sphere, there are many downstream ways in which it can trigger systemic failure. Regulatory exposure, personal criminal liability, shareholder class actions, and severe securities law violations can all flow from the same underlying corporate integrity problem.

Director liability: when does personal exposure arise?

A recurring question in any discussion of corporate fraud is whether liability stays with the company, or whether it can reach directors and officers personally. The answer turns on what they knew, and when they knew it.

The default position under Australian law is that the corporate entity bears the bulk of liability. But there are circumstances in which directors or officers face personal exposure. Direct involvement in the conduct is the clearest case. Less obvious, but equally important, is the situation where a director had sufficient knowledge of misconduct and failed to act. A director who knew that data was being falsified, or who had enough information that they should have investigated and did not, may be found to have been recklessly indifferent to conduct they could have stopped. Robust governance is not only a compliance exercise. It is a form of personal protection.  

The oversight gap and the tension at its heart

Australia does not have a dedicated, independent body with the statutory power to investigate research misconduct. The current framework is largely self-regulatory: institutions investigate allegations against their own staff internally, guided by the Australian Code for the Responsible Conduct of Research. While compliance with the Code is a mandatory prerequisite for receiving federal grant funding, the Code itself is a principles-based framework rather than a piece of legislation. The only existing federal oversight body, the Australian Research Integrity Committee (ARIC), is strictly limited to reviewing the procedural fairness of an institution’s internal investigation, rather than re-evaluating the evidence or merit of a misconduct claim. Concurrently, a proposal by the Australian Academy of Science for a standalone, independent national watchdog has been heavily debated without being established.

The panel discussion reflected a genuine tension in that debate. On one side, the case for stronger independent oversight is clear. Self-regulation creates conflicts of interest. Institutions have reputational incentives to contain, rather than transparently resolve, integrity problems. The absence of independent oversight means that misconduct can persist longer than it should, and that when it is eventually exposed, the damage is greater.

On the other, Australia conducts an enormous volume of clinical research, the overwhelming majority of which is conducted honestly by researchers whose professional reputation depends on it. Imposing another layer of regulation on all of that activity carries real costs: increased compliance burden, longer research timelines, and the risk that worthwhile work is slowed or deterred. 

What organisations should be doing

The cases examined in this piece point to a number of practical priorities that apply regardless of where an organisation sits in the sector. 

For sponsors and importers:

A listed product is not an unsupervised one. Sponsors assume full responsibility for quality assurance in the absence of pre-market TGA scrutiny and should understand precisely what that requires of them. 

  • Due diligence cannot be discharged by reviewing a certificate. Where the product carries meaningful health risk, audit supplier facilities directly and conduct independent testing. 

  • Contractual protections should be in place before they are needed.

  • Carry appropriate product liability insurance. 

For boards and directors:

  • Internal audit must be genuinely independent, with escalation pathways to the board that do not run through management. 

  • Personal liability is not limited to directors who were directly involved in misconduct. Constructive knowledge of a problem is sufficient to ground liability, and a director cannot rely on ignorance as a defence where the structures to know were absent or inadequate.

  • Research and data integrity is a governance issue. Board oversight should reflect that. 

  • Whistleblower channels that are rarely used are not necessarily working. Boards should treat low utilisation as a question, not a reassurance.

 For investors:

  • Data integrity is a due diligence issue at every stage, but carries particular weight pre-commercial, where the gap between what is claimed and what can be independently verified is at its widest. 

  • Governance and audit structures warrant the same scrutiny as the underlying science. 

  • Compromised data rarely stays contained. What begins as a research misconduct issue has a well-documented tendency to become a securities law problem, a regulatory enforcement matter, or shareholder litigation once it enters the market. 

Conclusion

Data integrity sits at the foundation of everything in health and life sciences. Research findings, regulatory approvals, investment decisions, and consumer safety all rest on the assumption that the underlying data is honest. When that assumption proves wrong, whether through negligence, systemic failure, or deliberate fraud, the consequences do not stay with those who created the problem. They extend to those who relied on the data, those responsible for checking it, and those with the power to stop it.

As the sector continues to grow and attract greater public and private investment, legal and regulatory scrutiny will only intensify. Organisations that treat governance, due diligence, and internal controls as genuine priorities rather than compliance formalities are not only better protected. They are better positioned.

For further information, please contact our Fraud & Corruption team.

Authors: Gavin Stuart & Garrett Williams

 

This publication is intended as a source of information only. No reader should act on any matter without first obtaining professional advice.