1. General guidelines
The procedures that follow outline the University’s process for managing potential compliance failures and must be read in association with the Compliance Management Framework – Governing Policy and other related procedures.
2. Intent and objectives
The intent of this procedure is to:
a) provide a systematic process for the reporting and investigation of compliance breaches or potential breaches to enable proactive prevention in the future;
b) encourage all staff members to be proactive and raise compliance issues that are of concern as soon as possible to prevent escalation;
c) enable the gathering of information to facilitate monitoring and reporting of compliance performance within the University; and
d) ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach and that repercussions of breaches themselves are determined on a case-by-case basis, in accordance with the University’s Public Interest Disclosures – Governing Policy.
3.1 A number of processes are established across the University to manage complaints relating to compliance or breaches of laws and regulations, and these are dealt with at the operational management level, and covered in various University Policies, such as:
a. Staff Code of Conduct – Governing Policy
b. USC Enterprise Agreement
c. Health, Safety and Wellbeing – Governing Policy
d. Critical Incident Management – Managerial Policy
e. Anti-Discrimination and Freedom from Harassment – Governing Policy
f. Equity and Diversity – Governing Policy
g. Fraud and Corruption Control – Governing Policy
h. Financial Management Practices – Managerial Policy
i. Information Management Framework – Governing Policy
j. Public Interest Disclosures – Governing Policy
k. Acceptable Use of Information Technology Resources – Governing Policy
l. Research Misconduct – Governing Policy
m. Student Academic Integrity – Governing Policy
n. Copyright – Managerial Policy
3.2 Any University policy or legislation which includes dedicated processes for handling compliance failures will take precedence over the following procedures. Please refer to the specific subject area policy or legislative provisions in the first instance.
4. Procedure steps and actions
4.1 It is essential that all parties involved in breach reporting, investigation and rectification act in good faith to obtain a satisfactory outcome. Good faith includes acting sincerely without malice and being truthful.
4.2 No blame should be attached to the reporting of accidental breaches or those identifying process errors.
4.3 It should be noted that staff committing deliberate or negligent breaches may be subject to the University’s disciplinary processes or regulatory/criminal actions (where applicable and/or appropriate).
4.4 The required steps and actions to be followed for reporting and investigating compliance breaches, or potential breaches, are detailed in Table 1 below:
Table 1: Breach Reporting Procedures
|Procedure (including Key Points)||Responsibility||Timeline|
1. Initial identification and notificationa. Staff should notify their supervisor or appropriate line manager of the breach or potential breach. b. If a staff member feels they are unable to discuss the breach with their supervisor, contact the Cost Centre Manager, or alternatively the relevant Human Resources Client Contact officer or Director of Human Resources for further advice. c. Breaches or potential breaches can be reported anonymously. d. Upon receiving notification of a breach or potential breach, the supervisor should notify the Cost Centre Manager by telephone or email.
|Staff member who notices the breach or potential breach / failure Supervisor/Manager||Within 24 hours|
2. Breach containmenta. The supervisor should take immediate, common sense steps to limit or contain the breach. Depending on the nature of the breach, different actions may be required e.g. stop the unauthorised practices; recover any records; suspension of employment in consultation with Human Resources; etc. b. Do not compromise the ability to investigate the breach. Do not destroy evidence that may be valuable in determining the cause or allow corrective action to be taken.
|Supervisor/Manager or Cost Centre Manager||Immediately or as soon as is practicable|
3. Breach assessment and escalationa. Assess the complaint to substantiate if there is a prima facie case that a breach has occurred. b. Evaluate the risk level in accordance with the USC’s Risk Management Procedures. c. High risk breaches: i) A high risk breach is one with the potential to have a serious impact on the University, including: an investigation by a regulator or statutory body; the potential for a sanction, enforceable undertaking, fine, penalty, compensation payment or criminal prosecution; or a potential impact to business processes or continuity. ii) High risk breaches must be elevated to the appropriate Pro Vice-Chancellor (PVC), Deputy Vice-Chancellor (DVC), Chief Operating Officer (COO) or equivalent for action. iii) If the breach is likely to receive adverse media attention, it should also be reported to the Vice-Chancellor and President (VCP). d. Breaches involving personal or identifying student information should be reported to USC’s Privacy Officer – Director, Information Services. d. Breaches involving personal or identifying staff information should be reported to USC’s Privacy Officer – Director, Information Services, as well as the Director, Human Resources. e. If a breach constitutes a critical or significant incident, the USC Critical Incident Management Procedure should be followed. f. Determine the necessity for an investigation and the appropriate avenue for investigation, i.e. either by the manager, COO/DVC/PVC (or equivalent), Director of Human Resources or Internal Audit.
|Manager or Cost Centre Manager||Immediately or as soon as is practicable|
4. Investigationa. If necessary, an investigation should be undertaken. The level of investigative effort should reflect the seriousness of the breach. b. Investigations should: i) Determine the root causes; ii) Identify whether it was a systemic breach, an isolated incident or a deliberate act; iii) Identify and gain agreement of appropriate actions to prevent the breach recurring or escalating to a more serious level; iv) Apply the principles of natural justice; and v) Be completed in a timely manner. c. The investigation outcome should be reported to the appropriate manager or DVC/PVC (or equivalent), and to the Chief Operating Officer. d. Where breaches involve criminal activity, this should be referred to appropriate law enforcement agencies or authorities for investigation.
|Designated investigator Vice-Chancellor and President||Commence investigation immediately the breach has been assessed and contained|
5. Implementation of corrective actiona. Recommended corrective and/or preventative actions will identify appropriate persons responsible for implementation and target completion timelines. b. Where systemic issues are identified, an improvement plan should be developed to address policy and/or process improvement. c. Monitoring by the appropriate manager should be undertaken to ensure corrective actions are completed. d. Monitoring of corrective action effectiveness will be undertaken by the Chief Operating Officer as part of annual compliance reporting process.
|Investigator / Staff identified as responsible for corrective action implementation Chief Operating Officer||As recommended or agreed Annual|
6. Breach recording/registera. A central register of compliance breaches or potential breaches will be maintained in an approved and secure recordkeeping system, in accordance with the Information Privacy Act 2009 (Qld) and Privacy Act 1988 (Cth) and the University’s Information Management Framework – Governing Policy and associated procedures. b. The register will include a full record of all reported breaches/potential breaches, investigations, corrective actions undertaken, and include breaches referred for external resolution.
|Chief Operating officer||Continuously|
7. Complaint and appeal processa. If a person, who was a party to the complaint, is not satisfied with the investigation outcome or recommended actions, they may lodge an appeal with the Director of Human Resources, the Vice-Chancellor and President or an external agency as appropriate.