Warnings, Suspension and Exclusion

This part of the iSHARE Trust Framework is considered normative and is therefore compliant with RFC 2119.

The warnings, suspension and exclusion process describes the steps that the Satellite/ Scheme Owner MUST take to temporarily suspend or permanently exclude participating parties from the data space/iSHARE Network in case of non-compliance with scheme rules and guidelines, or actions with significant negative impact on the normal operation of the data space/iSHARE Network.

Three classifications of non-compliance are recognised within the iSHARE Trust Framework. Note that the impact or risk described is non-exhaustive.

Classification	Impact or risk
Minor non-compliance	Non-compliance with the iSHARE admission criteria, and/or; Non-compliance with the iSHARE service levels, and/or; Expired information security certification (e.g. ISO27001, ISAE 3402), and/or; Minor data* security breach, for example through the loss of a USB stick, laptop, hard disk, or because of hacking attempts or found malware, and/or; Fraud or presumption of fraud by, for example an employee or a hacker.
Major non-compliance	Recurring minor non-compliance, and/or; Combinations of minor non-compliance, and/or Serious impediment(s) to other Adhering/Certified Party(ies)/Satellites, and/or; Major data security breach and/or breach that needs to be reported in line with Data leaks reporting(meldplicht datalekken), and/or; (Other) impact on confidentiality and integrity of (data* within) the iSHARE Trust Framework.
Critical non-compliance	Recurring major non-compliance, and/or; Network-wide impediment(s) to other parties, and/or; (Other) impact on confidentiality and integrity of the iSHARE Trust Framework.

*Data includes the data used for identification, authentication and authorisation purposes in the context of data exchange, but NOT the contents of the actual data exchange.

Warnings are cautionary advices about non-compliance, about what is needed to rectify non-compliance, and by when;
Suspension involves temporary deactivation of adhering/certified credentials within the iSHARE network;
Exclusion involves permanent deactivation of adhering/certified credentials within the iSHARE network of the excluded party, and involves an iSHARE network wide notification of exclusion for information purposes.

Before the Satellite/ Scheme Owner issues warnings, suspends or even excludes parties, it MUST take into consideration and/or weigh the interests of the iSHARE Trust Framework and the data space/ iSHARE network (i.e. all Adhering/Certified Parties).

Goal

The goal of the warnings, suspension and exclusion process is to warrant trust in the iSHARE Trust Framework, as well as protecting the confidentiality and/or integrity of (data within) the data space/iSHARE network.

Responsibilities

Several parties have responsibilities and tasks in the warnings, suspension and exclusion process:

The Steering/Facilitating party is responsible for facilitation of the process, to protect the confidentiality and/or integrity of (data within) the data space or iSHARE Network.
The Reporting party can be any party that reports non-compliance.
The Non-compliant Party is responsible for acting, at all times but especially after receiving a warning or suspension, in line with the Trust Framework's rules and guidelines.

Non-compliant party	Reporting party	Steering (facilitating) party
Adhering party	Any	Satellite
Certified party	Any	Satellite
Satellite	Any	Scheme Owner

Sequence

The reporting party reports non-compliance to the Steering party, including an estimation of the non-compliance classification;
The Steering party assesses the non-compliance and the estimated non-compliance classification by the reporting party, and:
1. Accepts the non-compliance classification and moves to step 3;
  or
2. Changes the non-compliance classification and moves to step 3;
  or
3. Rejects the reported behaviour as non-compliance, and communicates why to the reporting party.
If non-compliance leads to a minor incident, calamity or crisis, the incident management process is initiated.
The Steering party registers the non-compliance and:
1. If classified as minor non-compliance, notifies the non-complying party of its non-compliance, the reason(s), and the rectifications/adjustments needed within what timespan;
2. If classified as major non-compliance, issues the non-complying party an official warning, and communicates its reason(s) and the rectifications/adjustments needed within what timespan;
3. If classified as critical non-compliance, suspends the non-complying party, by updating the party's status in the satellite registry to 'revoked', until necessary rectifications/adjustments are in place. The Satellite communicates this suspension to the data space and the Scheme Owner to the iSHARE network.
The non-complying party either:
1. Rectifies or adjusts within the indicated time span, and informs the Steering party of the rectifications/adjustment;
  or
2. Communicates its disagreement with the notification/warning to the Steering party within 5 working days, to which the Steering party MUST reply within 5 working days. The non-complying party is given another 5 working days to respond to the Steering party's latest reply (which can include adjustments to its earlier notification/warning);
  or
3. Does not take any action.
If sufficient rectifications/adjustments follow in time, step 8 follows. Otherwise, the Steering party:
1. If classified as minor non-compliance:
  1. Issues the non-complying party a warning, and communicates its reason(s) and the rectifications/adjustments needed within what timespan.
2. If classified as major non-compliance:
  1. Issues the non-complying party a last warning before suspension, and communicates its reason(s) and the rectifications/adjustments needed before within what timespan in order not to be suspended.
3. If classified as critical non-compliance:
  1. Issues the non-complying party a last warning before exclusion, and communicates its reason(s) and the rectifications/adjustments needed before within what timespan in order not to be excluded.
If the non-complying party continues to dishonour the (final) warning after a reasonable time, the Steering party:
1. If classified as minor non-compliance:
  1. Upscales the non-compliance level to major and goes back to step 6b.
2. If classified as major non-compliance:
  1. Upscales the non-compliance level to critical and goes back to step 4c.
3. If classified as critical non-compliance:
  1. The Steering party terminates the participation of the non-compliant party by cancellation of the Accession Agreement;
  2. Excludes the non-complying party from the data space/ iSHARE Network, by updating the party's status in the satellite registry to 'ended', and initiates its withdrawal in line (as much as is reasonable) with the withdrawal process;
  3. The Steering party communicates this exclusion to the data space/iSHARE network. The excluded party will not be allowed to take part in the admission process for the next 12 months. Step 7c is followed by step 9.
The Steering party considers (new) actions taken by the party adequate, considers the notification or warning honoured and closes the process;
The Steering party evaluates the incident with the reporting and/or (an)other party(ies), and registers the evaluation for future learning.