Please refer to the University’s Glossary of Terms for policies and procedures.
2. Purpose of procedures
The procedures that follow outline the processes for managing actual or potential breaches of the University’s compliance obligations. These procedures must be read in conjunction with the Compliance Management Framework – Governing Policy and other related procedures.
The intent of these procedures is to:
a) provide a systematic process for the reporting and investigation of compliance breaches or potential breaches so they can be appropriately addressed;
b) reinforce the importance of compliance, so that all staff members are encouraged to proactively raise compliance issues as soon as possible and address any weaknesses in the control environment(1);
c) enable the gathering of information to facilitate monitoring and reporting of compliance performance within the University; and
d) ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach and that repercussions of breaches themselves are determined on a case-by-case basis.
3.1 A number of processes are established across the University to manage complaints relating to compliance or breaches of laws and regulations, and these are dealt with at the operational management level, and covered in various University policies, such as:
a. Staff Code of Conduct – Governing Policy
b. USC Enterprise Agreement
c. Health, Safety and Wellbeing – Governing Policy
d. Incident Management – Governing Policy
e. Anti-Discrimination and Freedom from Harassment – Governing Policy
f. Equity and Diversity – Governing Policy
g. Fraud and Corruption Control – Governing Policy
h. Financial Management Practices – Managerial Policy
i. Information Management Framework – Governing Policy
j. Public Interest Disclosures – Governing Policy
k. Acceptable Use of Information Technology Resources – Governing Policy
l. Research Misconduct – Governing Policy
m. Student Academic Integrity – Governing Policy
n. Copyright – Managerial Policy.
3.2 Any University policy or legislation that includes dedicated processes for handling compliance failures will take precedence over the following procedures. Please refer to the specific subject area policy or legislative provisions in the first instance.
4. Procedure steps and actions
4.1 It is essential that all parties involved in breach reporting, investigation and rectification act in good faith to obtain a satisfactory outcome. Good faith includes acting sincerely, without malice and being truthful.
4.2 No blame should be attached to the reporting of accidental breaches or those identifying process errors.
4.3 It should be noted that staff committing deliberate or negligent breaches may be subject to the University’s disciplinary processes or regulatory/criminal actions (where applicable and/or appropriate).
4.4 The required steps and actions to be followed for reporting and investigating compliance breaches, or potential breaches, are detailed in Table 1 below:
Table 1: Breach Reporting Procedures
|Procedure (including Key Points)|Responsibility|Timeline|
|---|---|---|
|1. Initial identification and notification: a. Staff should notify their supervisor or appropriate line manager of the breach or potential breach. Higher Degree Research Students should report the breach to their supervisor. b. If a staff member feels they are unable to discuss the breach with their supervisor, the staff member should contact the Cost Centre Manager, or alternatively the relevant Human Resources contact person or Director of Human Resources for further advice. c. Breaches or potential breaches can be reported anonymously. d. Upon receiving notification of a breach or potential breach, the supervisor should notify the Cost Centre Manager by telephone or email.|Staff member who notices the breach or potential breach / failure; Supervisor/Cost Centre Manager|Immediately or as soon as practicable|
|2. Breach containment: a. The supervisor should take immediate, common sense steps to limit or contain the breach. Depending on the nature of the breach, different actions may be required e.g. stop the unauthorised practices; recover any records; suspension of employment in consultation with Human Resources; etc. b. Do not compromise the ability to investigate the breach. Do not destroy evidence that may be valuable in determining the cause or allow corrective action to be taken.|Supervisor/Cost Centre Manager|Immediately or as soon as is practicable|
|3. Breach assessment and escalation: a. Assess the concerns raised to substantiate if there is a prima facie case that a breach has occurred. b. Evaluate the risk level in accordance with USC’s Risk Management Procedures. c. For breaches that are considered significant(2), this will require activation of an Incident Response Team (IRT). d. For significant breaches, the Vice-Chancellor and President is to be informed via the relevant USC Executive Member (or delegate). e. The IRT will oversee the management of the incident until resolution. Relevant members of the University will be involved in the IRT as appropriate. Media communications are to be managed by the Director, Marketing and External Engagement. The reporting and communication of breaches must be discussed with the Senior Legal Officer and University Risk Manager.|Cost Centre Manager|Immediately or as soon as is practicable|
|4. Investigation and reporting: a. If necessary, an investigation should be undertaken. The level of investigative effort should reflect the seriousness of the breach. b. Investigations should: i) determine the root causes; ii) identify whether it was a systemic breach, an isolated incident or a deliberate act; iii) identify appropriate actions to strengthen the control environment and prevent similar breaches from occurring; and iv) be completed in a timely manner. c. The investigation outcome should be reported to the relevant Executive and to the Vice-Chancellor and President. d. All significant breaches should be reported to the Audit and Risk Management Committee. e. Where breaches involve alleged criminal activity, this should be referred to the appropriate law enforcement agencies or authorities for investigation. f. Mandatory reporting requirements to Regulators and relevant external bodies should be complied with. Reporting of significant breaches will be discussed and managed by the IRT that is established for any significant compliance breaches.|Cost Centre Manager where breach occurred; Chief Operating Officer; Vice-Chancellor and President|Commence investigation immediately after the breach has been assessed and contained|
|5. Implementation of corrective action: a. Corrective and/or preventative actions will be implemented within agreed timeframes. b. Where systemic issues are identified, an improvement plan should be developed to address policy and/or process improvement. c. Monitoring by the appropriate manager should be undertaken to ensure corrective actions are completed.|Cost Centre Manager where the breach occurred|As recommended or agreed|
|6. Breach recording/register: a. A central register of compliance breaches or potential breaches will be maintained in an approved and secure recordkeeping system, in accordance with the Information Privacy Act 2009 (Qld) and Privacy Act 1988 (Cth) and the University’s Information Management Framework – Governing Policy and associated procedures. b. The register will include a full record of all reported breaches/potential breaches, investigations, corrective actions undertaken, and include breaches referred for external resolution.|Chief Operating Officer|Continuously|
(1) Compliance issues refer to those instances where there are concerns about the University’s compliance with legislative obligations.