Moores has released Navigating Charity and Not-for-Profit Mergers, a new practical guide designed to support charities and not-for-profits considering merger opportunities.

The guide brings clarity to merger pathways, risk assessment and governance considerations, supporting informed decisions that protect purpose while strengthening sustainability.

Developed by Moores’ Charity and Not for Profit Law team, the guide draws on extensive experience advising charities and not for profits on governance, restructures and mergers. The team was recognised in the Chambers Asia-Pacific Guide 2026 for Charity and Not-for-Profit Law, reflecting its depth of sector knowledge and practical, considered approach to complex matters.

Learn more or request to download the guide here.

For more information or to speak with one of our experienced lawyers, please contact us.

We are firmly living in the age of artificial intelligence (AI). Generative AI technologies are evolving at extraordinary speed, and their use is becoming increasingly embedded in everyday life. Children and young people, in particular, are at the forefront of this shift, using AI companions that simulate personal relationships and tools that can manipulate video, audio, or images to make it appear as though someone is saying or doing something they never did.

While these technologies can be creative, engaging, and exciting, they also present an entirely new category of risk for children and young people. Schools are increasingly encountering one of the most concerning manifestations of this risk: the creation and circulation of malicious and abusive deepfakes.

Across our work with school clients, we have seen leaders and Boards grappling with how to prevent these incidents and how to respond decisively when they occur. This is not a localised issue.

In December 2025, the Hong Kong Privacy Commissioner released a practical toolkit to support schools in preventing and responding to abusive deepfake incidents, highlighting the global scale and urgency of the problem.¹

Drawing on that guidance alongside our direct experience advising schools, this article sets out:

• Actionable steps for Boards and school leaders;
• Practical steps schools can take to prevent the creation of abusive deepfakes; and
• Strategies for responding effectively when incidents occur.

Actionable steps for boards and school leaders in responding and preventing deepfakes

Boards and school leaders have a responsibility to take reasonable, proactive steps to protect students from reasonably foreseeable online harms, including the creation of abusive and malicious deepfakes. By adopting a proactive approach, schools can minimise risks and ensure that their schools are prepared to respond quickly when an incident occurs.

1. Education and Awareness Campaigns

Education is the first and most critical line of defence. School leaders should invest in educating employees, volunteers, students, and parents about the risks associated with deepfakes and the importance of online privacy. Awareness programs can help students recognise the dangers of manipulated media and create space for them to engage in open conversations about their online activities. Student learning about online behaviour should explicitly address AI‑generated content, noting that many children and young people are unable to reliably identify manipulated or synthetic media, which significantly increases their vulnerability.

Schools should also communicate clearly with students about:

• Their responsibilities when using digital tools;
• The legal and disciplinary consequences of creating or sharing harmful content; and
• The importance of reporting abusive or malicious deepfakes early.

Equally important is empowering students to protect themselves online, including the use of privacy settings, blocking and reporting concerning behaviour, and seeking support from trusted adults.

2. Collaborate with Experts and Legal Advisors

Given the legal and technical complexity of deepfake incidents, schools should not attempt to navigate this landscape alone.

It is important for schools to understand when the creation and distribution of abusive deepfakes may amount to criminal behaviour. For example, under sections 53S and 53T of the Crimes Act 1958 (Vic) (Victorian Crimes Act), it is a criminal offence to intentionally distribute an intimate image of another person or threaten to do so, if the distribution is contrary to community standards of acceptable conduct.² Consent is irrelevant if the victim is under 18 years old. The Victorian Crimes Act defines “image” to include images digitally created by generating the image or altering or manipulating another image³, which could include malicious and abusive deepfakes. The penalty is up 3 years imprisonment.

There are also relevant federal offences. For example, under s 75 of the Online Safety Act 2021 (Cth), a person must not post or threaten to post an intimate image online of another person without their consent. Under that Act, “intimate image” includes material that has been digitally altered, such as deepfakes. Under section 474.17 of the Criminal Code 1995 (Cth), it is an offence to use a carriage service in a way that reasonable persons would regard as being menacing, harassing or offensive. Under section 474.17A, there is also an offence which applies to those who use technologies to artificially generate or alter sexually explicit material (such as deepfakes) for the purposes of non-consensual sharing online. These offences are subject to serious criminal penalties of up to six years imprisonment.

Beyond legal advice, schools should also establish relationships with cybersecurity and technology experts who can assist with detection, evidence preservation, and risk mitigation.

3. De-risk Staff and Students’ Use of AI by Establishing Clear Policies and Student Codes of Conduct

Schools should develop (or update) and implement comprehensive policies that set clear boundaries regarding acceptable use of technology (including AI and deepfakes), expectations for online conduct, and the consequences of misuse.

School should also review their student code of conduct and acceptable use policy to ensure that specific AI image abuse matters are explicitly referenced, including consequences for distributing and sharing material created by others or of unknown origin.

These policies and codes of conduct should address the importance of safeguarding children’s privacy and set clear boundaries for the use and sharing of images, videos, and personal data as well as the creation of deepfakes using AI tools.

Tips to Prevent the Creation of Abusive Deepfakes

While schools cannot entirely prevent the creation of deepfakes, they can take steps to limit the risk of their students being targeted. The key lies in proactive privacy protection and data management strategies.

• Limit the Use of Personal Data and Digital Footprints
  Encourage employees, volunteers, students, and parents to limit the amount of personal information shared online. This includes photos, videos, and other identifying data that could be misused in creating deepfakes. Schools should work with parents to support their children to adjust privacy settings on social media platforms and ensure that images and videos of students are only shared by the school with explicit consent.
  
  
• Adopt Strong Data Protection Practices
  Schools should implement robust data protection measures to ensure that sensitive student information is secure. This includes encrypting data, using secure file-sharing platforms, and conducting regular audits to ensure compliance with data protection regulations. Using secure methods for online teaching, such as password-protected video conferencing, will help protect students from being filmed or recorded without consent.
  
  
• Encourage Use of Watermarking and Digital Signatures on Images and Videos Shared by the School
  Watermarking photos and videos with identifying information, such as the school’s name or logos, can make it more difficult for individuals to use these images in deepfakes. Similarly, digital signatures can help verify the authenticity of images or videos, reducing the likelihood of misuse.
  
  
• Limit the Use of AI-Generated Content
  Schools should be cautious when using AI-generated content for teaching purposes or school events. If students or staff create digital content, it should be made clear that they must not manipulate, edit, or alter others’ images or likenesses or use AI tools to create deepfakes, whether they are intended to be abusive or harmless.

How Schools Should Handle Abusive Deepfake Incidents

Despite proactive measures, it is possible for malicious and abusive deepfakes to be created and shared online. Schools must be prepared to respond quickly and decisively to protect their students and ensure accountability.

• Respond Immediately
  Schools must act quickly upon discovering a deepfake involving a student. This includes identifying the source of the abusive content, removing the content from all platforms to the extent this can be done and notifying or encouraging the subject of the deepfake to contact appropriate authorities such as the eSafety Commissioner.
  
  Care should be taken when gathering information and evidence of probative value when evidence may be deleted or may be illegal to possess. Whilst it may be necessary and appropriate in some circumstances to take a screenshot of the abusive deepfake image, schools must very carefully consider how any images could be securely stored to minimise the risk of inadvertently breaching child abuse image laws and ensure images cannot be accessed by somebody who should not have access to it. Consider whether and when the eSafety Commissioner, with its greater powers, may be needed to intervene.
  
  
• Engage with Legal and Regulators, As Required
  Schools should consider whether there is a requirement to notify relevant authorities when an abusive deepfake is identified, including police. School must understand that the creation and distribution of abusive deepfakes could be unlawful or even criminal behaviour, depending on the circumstances. Schools should consult legal experts to navigate and reduce the risk of potential legal claims.
  
  
• Provide Emotional and Psychological Support for Victims
  The psychological impact of being the victim of a deepfake can be significant. Schools should provide access to appropriate services and supports and ensure the child feels supported and protected from further harm. Open communication with the student’s family is important, and schools should work with families to ensure that the student’s privacy is respected, to the greatest extent possible.
  
  
• Public Communication and Rebuilding Trust
  If the deepfake becomes publicly known, schools may need to communicate with a broader audience, such as the school community. Great care should be taken when doing this. Transparency and clear messaging may help rebuild trust among students, employees, volunteers, and parents. A public statement should reassure the community that the school is taking all necessary steps to address the situation, including implementing further safeguards.
  
  
• Long-Term Prevention and Follow-Up
  After an incident, schools should review and revise their policies to ensure they are equipped to prevent future occurrences and learn from any gaps identified. This may include updating data protection policies, enhancing awareness campaigns, and providing additional training for employees and volunteers on identifying deepfake content. Long-term prevention also involves working with parents to educate them about online safety and deepfake risks, ensuring that both school and home environments are aligned in protecting children from digital harm.
  
  To ensure proper discharge of duty of care, train those conducting investigations into student conduct about how they can obtain evidence of probative value when evidence may be deleted or may be illegal to possess – and to know when the eSafety Commissioner, with its greater powers, may be needed to intervene.
  

Schools have a duty of care which requires them to take proactive steps to protect their students’ privacy and personal data, prevent the creation of abusive deepfakes, and respond quickly and appropriately to any deepfake incidents that may occur.

By educating the school community, collaborating with legal and cybersecurity professionals, and adopting strong data protection policies, schools can significantly reduce the risks associated with malicious and abusive deepfakes. If an incident occurs, a clear and speedy response, combined with the provision of useful supports, will ensure that the wellbeing of affected children and young people are protected.

How we can help

Our Child Safety, Safeguarding and Discrimination team are skilled in supporting schools to keep children safe. Our team can provide peace of mind in developing and implementing prevention strategies and navigating incidents if they occur.

Contact us

If you would like to discuss how we can support your organisation, our team is here to help. Please contact Skye Rose or Tal Shmerling if you would like further support.

Subscribe to our email updates and receive our articles directly in your inbox.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

1. Office of the Privacy Commissioner for Personal Data, Hong Kong, ” Abuse of AI Deepfakes: Toolkit for Schools and Parents”, December 2025. Can be accessed here: https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf. ↩︎
2. In summary, under section 53S of the Crimes Act 1958 (Vic), if a person (A):
   – intentionally distributes an intimate image of another person (B) to another person (C); and
   – the distribution is contrary to community standards of acceptable conduct; and
   – person (B) did not consent the distribution of the image or the manner in which the image was distributed;
   that person (A) is guilty of an offence.
   In summary, under section 53T of the Crimes Act 1958 (Vic), if a person (A):
   – threatens another person (B) to distribute an intimate image of (B) or another person (C); and
   – the distribution is contrary to community standards of acceptable conduct; and
   – (A) intends that (B) will believe they will carry out that threat;
   that person (A) is guilty of an offence. ↩︎
3. Section 53O of the Crimes Act 1958 (Vic). ↩︎

On 9 January 2026, the Albanese Government announced the establishment of a Royal Commission into Antisemitism and Social Cohesion following the 14 December 2025 terrorist attack at Bondi Beach. Former High Court Justice the Hon Virginia Bell AC has been appointed to serve as Commissioner.

This Royal Commission will replace the previously announced review of federal intelligence and law enforcement agencies (to be undertaken by Dennis Richardson AO AC)¹ and will also supersede the anticipated NSW Royal Commission. Instead, the Commonwealth Commission will operate with full cooperation from the NSW Government and all states and territories, ensuring it is truly national in scope.

To supplement the Royal Commission, on 20 January 2026, Parliament also passed legislation which enacted changes to key areas to target and prevent hate speech, radicalisation and extremism activity.

Proposed Scope of the Royal Commission into Antisemitism and Social Cohesion

In summary, based on the Letters Patent dated 9 January 2026,² the Royal Commission into Antisemitism and Social Cohesion (Royal Commission) will examine:

• The nature, prevalence, and drivers of antisemitism, opportunities to de-radicalise and strengthen social cohesion, and impacts on Jewish Australians.
• Recommendations for government agencies, including improvements to guidance and training, protective security for Jewish places and leaders, and whether agencies have sufficient powers and resources to respond effectively.
• The circumstances and emergency response to the Bondi terrorist attack, including security arrangements, agency communication and effectiveness, and any legislative gaps or restrictions that affected the response.

The Royal Commission also has a broad mandate to make any other recommendations that strengthen social cohesion, counter ideologically or religiously motivated extremism, and address related matters.

An interim report on the Bondi attack and urgent actions is expected by 30 April 2026, with the final report due by 14 December 2026.

Broader Government Response to Antisemitism

The Royal Commission is the latest in a series of measures since 2023, including the appointment of Ms Jillian Segal AO as Special Envoy to Combat Antisemitism in July 2024. Her plan, delivered in July 2025, contained 13 recommendations and 49 key actions,³ to which the Government responded formally on 18 December 2025.⁴

Further legislative reforms were flagged in December 2025 and announced on 12 January 2026⁵ — a landmark proposal aimed at strengthening Australia’s response to hate-fuelled conduct and violent extremism by way of:

• Aggravated hate speech offences for preachers and leaders promoting violence;
• Increased penalties for hate speech inciting violence;
• Making hate an aggravating factor in sentencing for online threats and harassment;
• A regime for listing organisations whose leaders engage in hate speech promoting violence or racial hatred; and
• A federal offence for serious vilification based on race or advocating racial supremacy.

On 20 January 2026, Commonwealth Parliament convened an emergency sitting and passed two bills⁶ reflecting the announced changes. These bills collectively amend legislation to address the following key areas to address and prevent hate speech, violence and extremism:

1. Criminal Law Reforms: Tougher laws on hate speech, racial hatred, radicalisation, and stricter controls on firearms and explosives;
2. Migration Amendments: Enhanced powers for visa refusals and cancellations linked to extremist activity;
3. Customs Controls: Stronger restrictions on importing and exporting extremist material, weapons, and firearms;
4. Firearms Legislation: Introduction of a national gun buy-back scheme and tighter background checks; and
5. Transitional Provisions: Ensuring smooth implementation of these sweeping changes.

These new laws will commence after the day they receive Royal Assent.

How we can help

Moores will provide updates to the sector as the legislation progresses. Subscribe to our email updates and receive our articles directly in your inbox.

Contact us

Please contact us for more detailed and tailored help.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

1. Previously referred to as the ‘Richardson Review’. ↩︎
2. Royal Commission on Antisemitism and Social Cohesion | Attorney-General’s Department ↩︎
3. Special Envoy’s Plan to Combat Antisemitism | aseca ↩︎
4. Australian Government response to the Special Envoy’s Plan to Combat Antisemitism   ↩︎
5. Special envoy’s plan to combat antisemitism | Prime Minister of Australia ↩︎
6. Combatting Antisemitism, Hate and Extremism (Firearms and Customs Laws) Bill 2026 (Cth); Combatting Antisemitism, Hate and Extremism (Criminal and Migration Laws) Bill 2026 (Cth). ↩︎

On Wednesday 14 January 2026, the Department of Education (DOE) announced that a major cyberattack has compromised the personal information of students from all Victorian government schools.

This news is a timely reminder that all schools are required by law to keep personal information secure. Schools are required to report eligible data breaches to the Office of the Australian Information Commissioner, whether or not these are caused by the school or by a malicious actor.

What we know so far about the DOE cyberattack

According to the DOE, an unauthorised external third-party accessed a database containing information about current and past school student accounts, including:

• Student names
• School-issued email addresses
• School names and year levels
• Encrypted passwords for school accounts

What trends correlate with data breaches in non-government schools?

Whilst there is no evidence that any non-government schools were impacted, privacy breaches (including from cyberattacks) do occur at non-government schools – both Catholic and independent. We often support schools in these matters.

In our experience, certain factors tend to correlate with breaches. These include:

• Adoption of new CRMs and platforms (including leaving administrator access open, and having incorrect privacy settings, which make online forms publicly searchable);
• Keeping old information which is no longer required, instead of archiving or destroying it;
• A spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
• Incorrect settings (for example, in Teams or on consent platforms); and
• Circulating spreadsheets via email (instead of SharePoint for example).

How we can help

Moores supports non-government schools with privacy compliance, data breach response and cyber incident management. In late January 2026, Moores will release its 2026 Privacy Toolkit, designed to assist organisations of all types to meet their obligations under Australian privacy laws.

Our team regularly advises not-for-profits, schools and education providers on privacy compliance, data breach response plans and proactive redesign of processes to implement privacy-by-design.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

The Victorian Government’s final Occupational Health and Safety (Psychological Health) Regulations 2025 (Vic) (Regulations) came into force on 1 December 2025 – a milestone moment for workplace wellbeing.

While earlier drafts of the Regulations proposed obligations on employers to maintain written prevention plans and report certain hazards to WorkSafe, those provisions were dropped in the final version. However, this doesn’t mean complacency is an option. WorkSafe Victoria still strongly recommends using the prevention-plan template developed during the drafting process to provide structure, transparency and minimise the risk of psychosocial hazards.

Importantly, these Regulations are now a standalone instrument – a new legal requirement that exists alongside the traditional Occupational Health and Safety Regulations 2017 (Vic). Awareness of both is essential to avoid compliance gaps.

What Employers Must Do Now

Eliminate or Minimise Psychosocial Risks

Employers are now explicitly required to identify and eliminate psychosocial hazards wherever possible. If elimination isn’t “reasonably practicable,” the employer must reduce the risk by modifying work design, systems and management structures. Then and only then, as a last resort, through training or information.

Know the Hazards

A ’psychosocial hazard’ is defined as any factor in:

• the work design;
• the system of work;
• the management of work;
• the carrying out of work; or
• personal or work-related interactions,

that may arise in the working environment and may cause an employee to experience one or more negative psychological responses that create a risk to their health and safety.

Psychosocial hazards include but are not limited to:

• bullying, violence, or harassment;
• exposure to traumatic incidents;
• poor job design: excessive demands, insufficient control, low reward, or unclear roles;
• inadequate environmental conditions or poor management of change; and
• lack of support, dysfunctional relationships, or staff working remotely or in isolation.

These hazards can trigger cognitive, emotional, behavioural, and even physiological responses that threaten health and safety.

Continuous Risk Management

There is a hierarchy of measures which employers must comply with. In the first instance, an employer must eliminate the risk. However, if it is not reasonably practicable to eliminate the risk, the employer must reduce the risk as far as reasonably practicable by altering the management of work, systems of work, work design or workplace environment. If the risk cannot be reduced by altering these systems, then the employer must use information, instruction or training to reduce the risk as far as reasonably practicable.

Employers must regularly review and revise controls under multiple scenarios:

• before implementing changes to work processes;
• when new hazards or injury reports arise;
• following any incident involving a psychosocial trigger;
• if existing measures prove ineffective.

WorkSafe can require Employers to review or update control strategies if safeguards aren’t kept up to date or robust. WorkSafe has released a Compliance Guide on managing risks to psychosocial hazards to assist employers in complying with the Regulation.

Why Employers Should Seek Advice

• Navigate complexity: New standalone rules mean your existing OHS systems and processes may no longer be enough.
• Stay ahead of WorkSafe: The recommended template provides employers with a defensible baseline for compliance. However, employers should ensure that risk management frameworks are tailored to unique hazards in their workplace having regard to their operations, environmental conditions, leadership capability, culture, sector and known issues.
• Protect your people and your reputation: Early detection and mitigation of psychosocial risks can reduce legal and operational exposure, as well as employee distress and turnover.

Next Steps for Employers

• Review your systems: Identify potential psychosocial hazards in your workplace.
• Use prevention tools: The template remains a best-practice resource.
• Embed change: Align your work systems with the Regulations’ hierarchy: eliminate, reduce, then inform.
• Plan reviews: Schedule reviews both routinely and in response to incidents or changes.
• Consult your adviser: Get tailored guidance from an OHS professional or legal advisor to ensure full compliance and best practice.

WorkSafe Victoria’s guidance on managing risks to psychosocial hazards is a useful starting point but with so much at stake, expert advice isn’t just prudent, it’s essential. Employers who take a strategic, informed approach to psychological safety now will build stronger, healthier, more resilient workplaces, and shield themselves from future legal or regulatory risk.

How we can help

Moores can assist employers to amend their risk management frameworks to ensure that they effectively identify and mitigate psychosocial hazards, including occupational health and safety policies and procedures, training for senior leaders on identifying and managing psychosocial hazards, and implementing plans to minimise risks as far as possible.

For more information on the reforms, watch our webinar Psychosocial Hazards in the Workplace.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

Owners of residential property in Victoria may be required to lodge a Vacant Residential Land Tax (VRLT) notification if their property was vacant for six months or more during the 2025 calendar year.

If you own a residential property in Victoria which was vacant for six months or more during the period from 1 January 2025 to 31 December 2025, a VRLT notification for that property must be lodged with the State Revenue Office by no later than 15 February 2026.

Notifications must be made via the SRO’s online VRLT portal.

Importantly, a notification must be submitted even if you believe that the property is exempt from VRLT (for example, it was used as a family holiday home and it qualifies for the exemption). In that case, the exemption is claimed when the notification is made.

VRLT Exemptions

The only exception to the notification requirement is if a VRLT notification was lodged for 2025 claiming an exemption, that exemption application was approved, and the use of the property has not changed (ie. it still qualifies for that same exemption).

How we can help

To find out more about whether VRLT applies to your property – and whether an exemption could possibly apply – use our self-assessment tool.

Contact us

To discuss your specific situation or for assistance with lodging a notification or claiming an exemption, please contact us.

Subscribe to our email updates and receive our articles directly in your inbox.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisati}

On 9 December 2025, the Office of the Australian Information Commissioner (OAIC) announced it will be launching into the new year with significant momentum with plans to undertake its first ever privacy compliance reviews.

Who is the OAIC targeting?

Starting in the first week of January 2026, the OAIC’s targeted review will assess 60 entities across six sectors engaging in ‘in person’ collections of personal information privacy practices against the requirements under the Australian Privacy Principle (APP) 1.

The six sectors include:

1. Rental and property – collection of individuals’ personal information during property inspections;
2. Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication;
3. Licensed venues – collection of identity information to enable individuals to access a venue;
4. Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
5. Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive; and
6. Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

Requirements of APP 1 – Pulse checking your Privacy Policy

The OAIC’s announcement is a timely reminder to ensure that your Privacy Policy is clear, accessible up to date and captures any changes to personal information handling practices as we head into 2026.

A key element of the review is the OAIC’s assessment of how these selected APP entities are complying with APP 1.4 which sets out items which must be included in your Privacy Policy to be compliant. The information required includes:

• the kinds of personal information that the entity collects and holds;
• the purposes for which the entity collects, holds, uses and discloses personal information;
• how an individual may access personal information about themselves that is held by the entity and seek the correction of such information;
• how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
• whether the entity is likely to disclose personal information to overseas recipients; and
• if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Key takeaways

The Commissioner has power to conduct an assessment relating to the Australian Privacy Principles (under S 33C of the Privacy Act 1988 (Cth)). The January 2026 sweep is indicative of a move toward exercise stronger enforcement powers and a shift in the OAIC’s regulatory approach.

How we can help

The Privacy and Data Security team at Moores can help you to proactively review your privacy practices including by ensuring your organisation has an up-to date privacy policy and   undertake  privacy audits.  .

Stay tuned for our New Privacy Toolkit, to be released in early 2026.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

^{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

Moores is pleased to share that our Practice Leader and Head of Education, Cecelia Irvine-So, has been recognised in the Herald Sun’s Victorian Education Power Rankings.

Described as a “major legal player behind the scenes”, Cecelia is acknowledged for her work supporting schools to navigate complex challenges, strengthen governance and create safe, thriving environments for students.

Moores is privileged to work alongside non-government schools across Victoria and Australia, supporting their ongoing impact on young people and their communities.

Under Cecelia’s leadership, our education practice continues to be sector-leading and trusted by schools seeking clear, practical and values-driven guidance.

Contact us

Please contact us if you would like further information on how we can assist.

Subscribe to our email updates and receive our articles directly in your inbox.

This month, the Australian Competition and Consumer Commission issued three recall notices following the detection of asbestos in imported coloured and decorated sand products used by children for play and craft activities. These products have been sold by major retailers including Kmart and Officeworks throughout Australia between 2020 and 2025.¹

The presence of asbestos in any product used by children will understandably cause concern, noting that the current government guidance is that risk is low.² While school and early learning centres (ELCs) are focused on the operational response, it is equally important that they take steps now to ensure comprehensive, well-maintained records. Asbestos-related claims typically arise many years — even decades — after initial exposure. Without adequate documentation, it may be difficult in the future to ascertain the level and nature of potential exposure as well as whether reasonable steps were implemented to address risk at the time the risk was identified.

A dual focus is therefore essential:

1. Immediate safety and remediation, and
2. Long-term, reliable record-keeping to protect the organisation, staff, and students into the future.

What we know so far about the potential asbestos contamination

The response has varied across states as regulators and agencies respond to the recall. Schools in the ACT, Tasmania and Brisbane have closed for disposal and deep cleaning. In Victoria, the Department of Education has responded but has not indicated any plans for school closures.  The Australian Department of Health, Disability and Ageing has issued interim advice in response to the recall immediately advising consumers to:

“Stop using affected products, follow recall instructions, and await further advice. Current risk is low; no clinical checks needed.”³

For the workplace and school environment, Asbestos in Victoria and WorkSafe Victoria have also provided information here.

What is the legal risk?

This recall identifies occupational, health and safety, and duty of care risks.

Taking a conservative approach, schools and ELCs should treat the recall notice as an alert to the potential for a reasonably foreseeable risk of harm requiring a risk response in line with the school’s own risk management framework and risk assessment process.

This means that schools and ELCs must act to eliminate or reduce the risk as far as possible in the workplace and learning environment.

Managing the risk response

In managing any response, schools and ELCs have a primary duty to ensure the safety of students, educators, and families by removing affected products from use and following health authority advice.

Once these immediate risks have been addressed, it is crucial not to overlook the long-term implications. While health authorities assess the risk as low, it is appropriate to collate and preserve any documentation that could assist to respond to possible future questions, reviews, or claims.

The following are some of the steps can support documenting any risk management response (in addition to immediate safety and remedial action):

• document the recall on the school/ELC risk register
• assess and record the level of use in the workplace and school or ELC environment (see: What should you document now?)
• report on the school/ELC’s response to relevant management and governance committees within the school
• communicate with the school community –parent notifications about the school’s response will ameliorate any reputational risk or perceived shortcomings in your response. Transparency, clear communication with parents, and proactive safety measures will be crucial in maintaining community trust.

What should you document now?

Moores recommends that schools and ELCs collate and keep the following (if and to the extent that this information is available) for any coloured or kinetic sand products currently or recently in use:

Product documentation

1. Photographs of the product and packaging where it is safe to do so, including packaging, labels, safety instructions, batch numbers, barcodes and product names.
2. Purchase Information including date of purchase and supplier – this may be on invoices, receipts or purchase orders.
3. Any correspondence with suppliers regarding product safety or recall notifications.

Action documentation

1. A clear timeline of risk management actions taken by the school or ELC.
2. Teacher and staff training on how to handle or identify products that could potentially be contaminated, even after the initial recall.
3. Remediation and disposal records.

People and situational documentation

1. Teacher statements to capture first hand recollections of when and how the product was used in the educational environment.
2. Records of where the produce was used in the educational environment, including a sketch map if appropriate.
3. Lists of who may have may been present in rooms during the period in which the product was used, including students, staff, volunteers and visitors.

What about retention of records?

Schools and ELCs should retain related records in line with:

• retention periods under the Occupational Health and Safety Act 2004 (Vic) for near misses and notifiable incidents (i.e. at least 5 years after the serious near miss or incident occurs);
• retention periods having regard to the limitation periods for personal injury claims, noting that students can bring a claim once they are of mature age; and
• the organisation’s own records management and retention policy and schedules.

Stay informed

Given the recall, ELCs and schools must act quickly to protect the health and safety of students and staff, and to keep their communities informed.  At the same time, it is critical to establish a comprehensive documentation process that ensures you are well prepared should any claims arise in future.

Moores will continue to keep the sector informed. You can stay updated by subscribing to receive updates on this issue.

Contact us

Please contact us for more detailed and tailored help.

---

_{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

1. Customers warned of recalled children’s sand due to asbestos risks | ACCC. ↩︎
2. enHealth Interim Advice – Asbestos contamination identified in imported coloured sand products | Australian Government Department of Health, Disability and Ageing ↩︎
3. enHealth Interim Advice – Asbestos contamination identified in imported coloured sand products | Australian Government Department of Health, Disability and Ageing ↩︎

From 1 January 2026, a new mandatory and suspensory merger control regime (the Regime) under the Competition and Consumer Act 2010 (Cth) (the CC Act) will apply to significant asset transfers, acquisitions and mergers. Not-for-profits (NFP) and charities acquiring assets or taking over another entity may need to seek ACCC approval for the transaction if certain threshold requirements are met.

What is the Regime and why does it matter to NFPs and charities?

The Regime¹ establishes a mandatory notification obligation from 1 January 2026 for certain ‘acquisitions’ that meet prescribed thresholds. These ‘acquisitions’ cannot be effected until the Australian Competition & Consumer Commission (ACCC) has granted approval. This requirement will also apply to merger agreements entered into before 1 January 2026 that are completed on or after that date.

Under s 50 of the CC Act, an ‘acquisition’ of shares² or assets³ that would or is likely to substantially lessen competition in a market may be prohibited. The ACCC looks at factors such as market concentration, barriers to entry and whether the acquisition removes an effective competitor to determine whether the acquisition would substantially lessen competition.

When would an ‘acquisition’ by an NFP or charity need to be notified to the ACCC?

An acquisition that is connected with Australia (e.g. the target carries on business in Australia or holds assets used in an Australian business) must be notified if it meets certain financial thresholds set by Ministerial Determination⁴. These are based mainly on revenue and asset value. In summary, an ‘acquisition’ by an NFP or charity⁵ would need to be notified to the ACCC in the following circumstances:

• Large Entity or Group: Notification is required if the combined Australian revenue of the merging parties is $200 million or more, and one of the entities involved has Australian revenue of $50 million or more (or assets valued at $250 million or more).
• Very Large Group: Notification is required if the acquiring group’s Australian revenue is $500 million or more, and the target’s Australian revenue is $10 million or more.
• Serial Acquisitions: Smaller acquisitions made over a three-year period may also trigger notification if, considered together, they reach the above thresholds. A revenue threshold still applies to each acquisition of $2m. This three-year period could include acquisitions prior to 1 January 2026.

Even if the thresholds are met, notification may not be required in relation to:

• internal restructures within the same group of entities;
• acquisitions in the ordinary course of business (not involving land or patents); or
• acquisitions that do not result in a change in control.

Further, parties may apply to the ACCC for a notification waiver (available from 1 January 2026) which removes the obligation to notify. The ACCC has indicated it will provide further information about waivers later in 2025.

What are the options for an NFP or charity who is required to notify the ACCC?

Organisations that are planning to merge and are required to notify have three options:

• Before 31 December 2026: early voluntary notification under the new regime
  Organisations can notify now as if the Regime is in force (the ACCC will assess the notification as if the Regime already applies);

• Before 31 December 2026: informal merger review under the old pre-2026 regime (may no longer be available)
  If an organisation applies and the ACCC approves the merger before 31 December 2025, then the acquisition can proceed but must be completed within 12 months of approval. If the ACCC review is not completed by 31 December 2025, the informal merger review will be discontinued and the acquisition must be notified under the Regime. As the ACCC has advised that requests for informal review received after October 2025 may not be completed before 31 December 2025⁶, there is a significant prospect that this option is already or will soon be unavailable.

• After 31 December 2025: notify under the Regime.

What is the notification and review process under the Regime?

Broadly, the Regime includes provision for:

• Pre-notification discussions with the ACCC. These early, confidential discussions are intended to help identify any competition concerns early. Early notification can be completed through the ACCC portal.
• Notification waiver. As noted above, parties may apply to the ACCC for a notification waiver (available from 1 January 2026) which removes the obligation to notify. The ACCC has indicated it will provide further information about waivers later in 2025.
• Formal ACCC notification. This will be either short form notification⁷ (for straightforward acquisitions that are less likely to raise competition concerns) or long form notification⁸ (for acquisitions raising greater competition risks or complexity). For all submissions, parties must provide information including: details on the business activities and financial information (e.g. revenue) of all parties; information defining the relevant market(s), key competitors, and customers; documentation regarding prior deals put into effect over the preceding three years (to enable assessment of serial acquisitions as discussed above); and if using the long form, any Board documents (including papers, presentations, and reports) that analyse the acquisition’s rationale, valuation, and competitive dynamics of the market.
• ACCC assessment. This is a staged process involving:
  • initial assessment (Phase 1 – $56,800);
  • where competition concerns are identified, potential further assessment (Phase 2 – $855,000 to $1,595,000); and
  • where there is substantial lessening of competition and the application would otherwise be refused or approved with conditions, a consideration of net public benefit (Public Benefits Application – $401,000).    

What are the consequences of non-compliance?

If a notifiable acquisition is completed without ACCC approval, the ACCC can void or stay the transaction. It would also be a contravention of the CC Act to:

• proceed with a stayed merger,
• fail to comply with conditions imposed by the ACCC on an acquisition approval; or
• provide the Commission with information that is false or misleading.

Penalties for non-compliance are significant, being the greatest of: $50 million; three times the value of the benefit gained (if the benefit is determinable); or 30% of the entity’s adjusted turnover during the breach period (if the benefit is not determinable).

What are practical action steps for NFP and charity boards contemplating a merger?

• Consider whether notification is required in relation to proposed acquisitions
• Seek early advice and consider engaging with the ACCC confidentially to ascertain if notification is likely to be required
• Budget for compliance including ACCC fees if the transaction will be notifiable
• Prepare supporting documentation early including beneficiary/participant impact assessments, competitor analysis, and transaction rationale
• Stay informed and monitor emerging ACNC guidance as the Regime is further developed

Conclusion

The Regime represents a significant regulatory shift for NFPs and large charities that are involved in large or regular merger transactions. Proactive engagement with the ACCC, early advice and strategic planning will position your NFP or charity to avoid surprises and ensure compliance with the Regime.

How we can help

Moores Charity and Not-for-Profit team can work alongside you to prepare your board, assess merger readiness and liaise with the ACCC to ensure your organisation is well positioned for Regime compliance.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

_{Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.}

1. The Regime was implemented via the Treasury Laws Amendment (Mergers and Acquisitions Reform) Act 2024 (Cth), which amended the CC Act. The amendments to the CC Act are also supported by Ministerial Determination and the Merger Process Guidelines. ↩︎
2. The definition of ‘assets’ is expansive, including legal or equitable interests in tangible or intangible assets, property, land, goodwill, and intellectual property rights. A transfer of assets from one merger partner to another (typically followed by the deregistration of the transferring partner) will be an ‘acquisition’ of assets. Similarly, a transfer of control involving the acquisition of member rights (such as where the acquiring entity becomes sole member of the target entity) will also be an ‘acquisition’ of assets. ↩︎
3. The CC Act refers to ‘shares’ in the capital of a body corporate or corporation. This will include shares in a proprietary limited company or company limited by shares, but does not include member rights in a company limited by guarantee. ↩︎
4. Competition and Consumer (Notification of Acquisitions) Determination 2025 ↩︎
5. A share acquisition is less likely for an NFP or charity. ↩︎
6. https://www.accc.gov.au/business/mergers-and-acquisitions/informal-merger-review-process ↩︎
7. https://www.accc.gov.au/system/files/notification-proposed-acquisition-short-form-july-2025.pdf ↩︎
8. https://www.accc.gov.au/system/files/notification-proposed-acquisition-long-form-july-2025.pdf ↩︎