I’m not sure this is really within the intended scope of DataMethods, but I’ll bite anyway. FYI, I have no training in statistical ethics that I recall, other than “you can’t claim to have a scientific mindset, and then lie with statistics”, and only a modest exposure to research ethics.
The scenario description is unclear on how John “simulates Janet’s data.” I’m going to assume that he ran (a copy of) the actual data through some process that “fuzzed it.” (As opposed to creating totally manufactured data, based on his memory of the key aspects of the data, which is still problematic.) And then he used the fuzzed-up version.
The PI has control of the data, and was unwilling to authorize this use. That makes this, IMO, a clear case of misappropriation.
That’s a violation of at least the expectations of a collaborative research team/effort. If there’s a formal non-disclosure agreement, then John has violated that contractual agreement, and that agreement likely specifies remedies and/or penalties.
But wait, it gets worse.
If this is patient data originally generated in the normal course of patient care and business, then John’s actions would also likely be a HIPAA violation, and should be reported as a probable criminal violation to internal institutional compliance officers. (I’m not sure offhand if a person with knowledge of such a situation is also personally required to directly refer the matter externally to federal officials … but if you or I had such knowledge, it would be wise to check the regulations.)
And if this is patient data, and the usage is unauthorized research, then John’s actions should also be referred to the Institutional Review Board, which would follow its standard procedures for deciding how to censure John. His actions will have (arguably) risked the institution’s reputation, created questions of lack of institutional control, and possibly impacted the ability for its entire affiliated research community to get grants.
The IRB has strong motivations to swing a Big Stick on violators, as a lesson & deterrent to others.
But you asked, in part, what John could have done differently.
He could have:
made a more persuasive case to the PI about the implications and value of what he wanted to do;
offered to have her co-author his paper;
tried to get the PI’s peers or dept’l chair to support his cause;
initiated his own project dedicated to his research question … possibly funded, possibly not … and acquire new data to support the research;
been more patient;
recognized that his lack of patience/control/ethics was a serious problem, and changed careers before treading down the slippery slope to cause such embarrassment and heart-ache to his parents. Perhaps to a gig-economy driving job, or as a cook in an all-night waffle emporium.
Wanting to be first to publish some novel research … even important research … is pretty slim justification for such a violation of trust.
(Edit: I’m in the USA. Federal HIPAA regulations here protect patient data privacy, and define allowed usages. Other locations may or may not have equivalent legal protections.)