The University needs to be aware about any significant breach (or likely breach) of our legislative obligations.
Early detection and rectification of a breach may minimise the potential impacts of the breach on the University. It also may place the University in a better position to deal with Regulators and the University Community regarding the breach, if necessary.
Managers have a duty to uphold and monitor compliance within their area of responsibility, and ensure that their staff receive adequate training and instruction to keep them up to date with relevant legislative requirements.
All staff, students and associates have a responsibility to ensure that their activities on behalf of the University comply with applicable law and related University policies and procedures.
Upon receipt of a breach notification, we seek to ensure that:
- you have made a genuine attempt to comply with the law and your breach reporting obligations;
- the causes of the breach have been identified and addressed so that it is unlikely to recur;
- otherwise, a plan for rectifying the compliance failure has been developed and submitted to us;
- the consequences are able to be dealt with comprehensively;
- there has been no undue delay in notifying the breach; and where necessary
- if there are some more significant compliance issues within your business, that they are identified.
Failure to report a significant breach (or likely breach) is possibly, in itself, to be a breach of your obligation to comply with laws. This is because it indicates that your arrangements to ensure compliance with your obligations may be inadequate.
Suspected breaches of Work Health and Safety legislation are covered by separate procedures.
Q1 What breaches (or likely breaches) must you report?
You must give us a written report as soon as possible if:
- you breach any of the specified obligations associated with legislation; and
- you are likely to breach any of the specified obligations;
Q2 How do you report a breach?
A breach must be reported to us in writing:
- You can use the Breach Reporting Form for lodging written (paper or online) breach reports, or
- You may lodge your report in another form if that is more appropriate for you and forward to firstname.lastname@example.org.
All written report should include the following information:
- Date of the breach (or likely breach) (Include both: the date that the breach occurred; and the date you became aware of the breach).
- Description of the breach
- Describe the obligation that has been breached (or is likely to be breached)
- Rate the severity of the breach (Using the University Risk Matrix)
- How the breach was identified For example, the breach may have been identified through your compliance arrangements or as a result of a complaint.
- How long the breach lasted Include details as relevant.
- How the breach has been rectified Describe the process and responsibilities for handling the breach (or likely breach), including any steps that have been taken to remedy it. If ongoing steps are being taken to rectify the breach (or likely breach), indicate when you expect to send us a report on your progress in rectifying it.
- Future compliance Describe any steps that have been, or will be, taken to ensure future compliance with the obligation.
Q3 What happens to a breach report?
Acknowledgement On receipt of the breach report, we acknowledge it.
Request for more information (if needed) If we have insufficient information to form a view, we will ask you for more information.
Addressing compliance issues (if appropriate) We may contact you to discuss how you have improved your compliance procedures. This may involve working with you to address continuing compliance issues and determining how to reverse or minimise any damage resulting from the breach.
Q4 What does 'likely to breach' mean?
You are likely to breach an obligation if, and only if, you are no longer able to comply with the obligations under legislation.
Q5 What if I don't think a breach is reportable?
We recognise that compliance arrangements are unlikely to ensure full compliance with every aspect of the law at all times.
However, ALL breaches are reportable. We particularly consider that any breach (or likely breach) that causes actual or potential negative impact on students, teaching and research is likely to be reportable.
If we fail to properly consider whether every breach (or likely breach) that comes to our attention is reportable, you run the risk of failing to identify a breach (or likely breach) that is significant and must be reported to a regulator. We also consider that the repeat of a breach may indicate a continuing underlying systemic problem.
Q6 Once reported, what do I do?
Ensure all breaches are rectified breaches as appropriate, even minor breaches.
Q7 What happens to the information in a breach report?
We will consider the information in a breach report to ensure that action has been taken to address the breach.
Breach notifications play a role in the University of Newcastle Council’s oversight of the University. Apart from alerting us to potentially significant breaches of the law, it also give us valuable information to help us identify emerging trends of non-compliance. A report will be provided to the University Audit and Risk Management Committee periodically to provide assurance of compliance related activities within the University.
The University maintains a breach register to ensure that we have adequate arrangements in place to comply with our obligation to identify and report all significant breaches (or likely breaches).
All Breach related information is stored securely, and handled sensitively and sensibly.
Q8 What about Breach related penalties?
There may be penalties levied against the University associated with breaches of legislation, and particularly for not reporting a significant breach on becoming aware of the breach (or likely breach).
Q9 Are there any external reporting requirements
Each manager is responsible for completing and lodging the reporting requirements for the compliance requirements or obligations which fall under their area of responsibility, by the required date, to required party with the appropriate level of internal approval.