Compliance Management Framework: Breach Reporting - Procedures

Approval authority: Vice-Chancellor and President
Responsible officer: Chief Operating Officer
Designated officer: Chief Operating Officer
First approved: 23 February 2016
Last amended: 24 May 2018
Effective start date: 24 May 2018
Review date: 24 May 2023
Status: Active

Related documents:
- Acceptable Use of Information Technology Resources - Governing Policy
- Audit and Assurance Framework - Governing Policy
- Compliance Management Framework - Governing Policy
- Critical Incident Management - Governing Policy
- Enterprise Risk Management and Resilience - Governing Policy
- Equity and Diversity - Governing Policy
- Financial Management Practices - Managerial Policy
- Fraud and Corruption Control - Governing Policy
- Governance Framework - Governing Policy
- Health, Safety and Wellbeing - Governing Policy
- Information Management Framework - Governing Policy
- Public Interest Disclosures - Governing Policy
- Research Misconduct - Governing Policy
- Staff Code of Conduct - Governing Policy
- Student Academic Integrity - Governing Policy
- Student Grievance Resolution - Governing Policy

Related legislation / standards:
- University of the Sunshine Coast Act 1998
- Copyright Act 1968 (Cth)
- Privacy Act 1988 (Cth)
- Financial and Performance Management Standard 2009 (Qld)
- Financial Accountability Act 2009 (Qld)
- Work Health and Safety Act 2011 (Qld)
- Work Health and Safety Regulations 2011 (Qld)
- Information Privacy Act 2009 (Qld)
- AS ISO 19600:2015 Compliance management systems
- USC Enterprise Agreement

1. Definitions

Please refer to the University’s Glossary of Terms for policies and procedures.

2. Purpose of procedures

The procedures that follow outline the processes for managing actual or potential breaches of the University’s compliance obligations. These procedures must be read in conjunction with the Compliance Management Framework – Governing Policy and other related procedures.

The intent of these procedures is to:

a) provide a systematic process for the reporting and investigation of compliance breaches or potential breaches so they can be appropriately addressed;

b) reinforce the importance of compliance, so that all staff members are encouraged to proactively raise compliance issues as soon as possible and address any weaknesses in the control environment(1);

c) enable the gathering of information to facilitate monitoring and reporting of compliance performance within the University; and

d) ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach and that repercussions of breaches themselves are determined on a case-by-case basis.

3. Exclusions

3.1 A number of processes are established across the University to manage complaints relating to compliance or breaches of laws and regulations. These are dealt with at the operational management level and are covered in various University policies, such as:

a. Staff Code of Conduct – Governing Policy

b. USC Enterprise Agreement

c. Health, Safety and Wellbeing – Governing Policy

d. Incident Management – Governing Policy

e. Anti-Discrimination and Freedom from Harassment – Governing Policy

f. Equity and Diversity – Governing Policy

g. Fraud and Corruption Control – Governing Policy

h. Financial Management Practices – Managerial Policy

i. Information Management Framework – Governing Policy

j. Public Interest Disclosures – Governing Policy

k. Acceptable Use of Information Technology Resources – Governing Policy

l. Research Misconduct – Governing Policy

m. Student Academic Integrity – Governing Policy

n. Copyright – Managerial Policy.

3.2 Any University policy or legislation that includes dedicated processes for handling compliance failures will take precedence over the following procedures. Please refer to the specific subject area policy or legislative provisions in the first instance.

4. Procedure steps and actions

4.1 It is essential that all parties involved in breach reporting, investigation and rectification act in good faith to obtain a satisfactory outcome. Good faith includes acting sincerely, without malice and being truthful.

4.2 No blame should be attached to the reporting of accidental breaches or those identifying process errors.

4.3 It should be noted that staff committing deliberate or negligent breaches may be subject to the University’s disciplinary processes or regulatory/criminal actions (where applicable and/or appropriate).

4.4 The required steps and actions to be followed for reporting and investigating compliance breaches, or potential breaches, are detailed in Table 1 below:

Table 1: Breach Reporting Procedures

Each step below lists the procedure (including key points), the responsibility for it, and the timeline.

1. Initial identification and notification
   a. Staff should notify their supervisor or appropriate line manager of the breach or potential breach. Higher Degree Research Students should report the breach to their supervisor.
   b. If a staff member feels they are unable to discuss the breach with their supervisor, the staff member should contact the Cost Centre Manager, or alternatively the relevant Human Resources contact person or Director of Human Resources for further advice.
   c. Breaches or potential breaches can be reported anonymously.
   d. Upon receiving notification of a breach or potential breach, the supervisor should notify the Cost Centre Manager by telephone or email.
   Responsibility: Staff member who notices the breach or potential breach / failure; Supervisor/Cost Centre Manager
   Timeline: Immediately or as soon as practicable

2. Breach containment
   a. The supervisor should take immediate, common-sense steps to limit or contain the breach. Depending on the nature of the breach, different actions may be required, e.g. stopping the unauthorised practices, recovering any records, or suspension of employment in consultation with Human Resources.
   b. Do not compromise the ability to investigate the breach. Do not destroy evidence that may be valuable in determining the cause or in allowing corrective action to be taken.
   Responsibility: Supervisor/Cost Centre Manager
   Timeline: Immediately or as soon as is practicable

3. Breach assessment and escalation
   a. Assess the concerns raised to establish whether there is a prima facie case that a breach has occurred.
   b. Evaluate the risk level in accordance with USC’s Risk Management Procedures.
   c. Breaches that are considered significant(2) require activation of an Incident Response Team (IRT).
   d. For significant breaches, the Vice-Chancellor and President is to be informed via the relevant USC Executive Member (or delegate).
   e. The IRT will oversee the management of the incident until resolution. Relevant members of the University will be involved in the IRT as appropriate. Media communications are to be managed by the Director, Marketing and External Engagement. The reporting and communication of breaches must be discussed with the Senior Legal Officer and University Risk Manager.
   Responsibility: Cost Centre Manager
   Timeline: Immediately or as soon as is practicable

4. Investigation and reporting
   a. If necessary, an investigation should be undertaken. The level of investigative effort should reflect the seriousness of the breach.
   b. Investigations should:
      i) determine the root causes;
      ii) identify whether it was a systemic breach, an isolated incident or a deliberate act;
      iii) identify appropriate actions to strengthen the control environment and prevent similar breaches from occurring; and
      iv) be completed in a timely manner.
   c. The investigation outcome should be reported to the relevant Executive and to the Vice-Chancellor and President.
   d. All significant breaches should be reported to the Audit and Risk Management Committee.
   e. Where breaches involve alleged criminal activity, this should be referred to the appropriate law enforcement agencies or authorities for investigation.
   f. Mandatory reporting requirements to Regulators and relevant external bodies should be complied with. Reporting of significant breaches will be discussed and managed by the IRT that is established for any significant compliance breach.
   Responsibility: Cost Centre Manager where the breach occurred; Chief Operating Officer; Vice-Chancellor and President
   Timeline: Commence investigation immediately after the breach has been assessed and contained

5. Implementation of corrective action
   a. Corrective and/or preventative actions will be implemented within agreed timeframes.
   b. Where systemic issues are identified, an improvement plan should be developed to address policy and/or process improvement.
   c. Monitoring by the appropriate manager should be undertaken to ensure corrective actions are completed.
   Responsibility: Cost Centre Manager where the breach occurred
   Timeline: As recommended or agreed

6. Breach recording/register
   a. A central register of compliance breaches or potential breaches will be maintained in an approved and secure recordkeeping system, in accordance with the Information Privacy Act 2009 (Qld), the Privacy Act 1988 (Cth) and the University’s Information Management Framework – Governing Policy and associated procedures.
   b. The register will include a full record of all reported breaches/potential breaches, investigations and corrective actions undertaken, and will include breaches referred for external resolution.
   Responsibility: Chief Operating Officer
   Timeline: Continuously

Footnotes:

(1) Compliance issues refer to those instances where there are concerns about the University’s compliance with legislative obligations.

(2) Significant breaches are those where a significant incident has occurred regarding the University’s compliance obligations.

END