The September school holidays are around the corner, and summer holidays will be here before we know it. With holidays can come students going to parties, drinking, taking “compromising” photos and spending many more hours than usual on social media. As part of our work for National Child Protection Week (3 to 9 September 2023), we’ve reflected on the key risks to young people heading into school holidays and the extent of the school’s duty of care in that holiday period.

What is the duty of care?

It is the duty of schools and teachers to take reasonable steps to reduce the risk of reasonably foreseeable harm occurring.

The extent of the duty of care has steadily been increasing in recent years, both through legislative tools (Ministerial Order 1359) and case law. We’ve previously explained the expanding “school environment” and decision of PCB v Geelong College [2021] VSC 633. The key takeaway from this case was that schools can be responsible for the acts of third parties, who are volunteers, or members of community groups, when the school facilitates the introduction or connection with students, and risks are reasonably foreseeable but not addressed.

What are the risks students face over school holidays?

Discharging the duty of care means understanding what reasonably foreseeable risks students are facing. Over school holidays, we have seen risks of:

• cyberbullying, with additional time spent on social media as a way to connect with friends, and isolation exacerbating the effects of the cyberbullying. Of the teenagers who have negative online experiences, 30% said this was related to bullying which occurred at school.¹
• deteriorating mental health. We learnt from remote learning that time at home and isolation can significantly impact some children’s mental health; and that home may not always be a safe place;
• non-consensual sexual activity, noting Victoria has introduced an affirmative consent model;
• alcohol and drug taking at parties, and photos and videos of subsequent behaviour being posted either with or without consent on social media. In the 2020 eSafety survey, 8% of teens reported that “Someone misused my personal information/photos online in a mean way”.
• developing online relationships with people they don’t know, which can lead to grooming. In 2020, 30% of teens surveyed by eSafety were contacted online by a stranger.²

Statistics from the 2021 eSafety survey, Digital Lives of Aussie Teens

What are reasonable steps to reduce the risk of these harms?

Schools cannot, and are not expected, to prevent any harm occurring. Instead, the duty is to take reasonable steps to mitigate the risk of these harms occurring. Schools may well have a duty of care to students even on term break, particularly where behaviour involves another student from the school. Once the school is informed of any issues, it needs to act and take reasonable steps to investigate. Whilst general reminders are insufficient to discharge the duty of care with respect to known incidents, a reasonable step towards discharging the duty of care will often be education. With the reduced level of supervision and oversight over school holidays, providing students with information about their rights, responsibilities and how to seek help and support can prevent harm occurring, and/or escalating. It is a requirement under the Ministerial Order 1359 that schools:

• inform children and students about their rights, including to safety;
• offer sexual abuse prevention programs and related information in an age-appropriate way; and
• ensure online environments promote safety while minimising the opportunity for students to be harmed.

Schools should use end of term assemblies and communications to reiterate:

• school policies may well apply to students for behaviour during term break;
• bullying is unacceptable and is not less serious if taking place out of school hours and/or away from campus;
• where students can go for help if usual supports, such as head of house or the counselling service, are closed.

How we can help

We offer training for school staff about the duty of care, online safety and how to respond to identified risks of harm to students. We also offer information sessions and seminars for students to informed students about their rights and responsibilities, both in terms of the affirmative consent model and being a digital citizen to students as part of our Safeguarding and Child Safety work.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

¹eSafety, Digital Lives of Aussie teens (2021) page 5. You can download the full report here: https://www.esafety.gov.au/research/digital-lives-aussie-teens

2 eSafety, Digital Lives of Aussie teens (2021) page 11. You can download the full report here: https://www.esafety.gov.au/research/digital-lives-aussie-teens

If you are a charity or for-purpose organisation, you may have been following news reports in the last month (August 2023) about a privacy breach affecting “thousands of donors to Australian charities”. This article looks into an emerging trend of third-party data breaches – data breaches by contractors or service providers – where the charity or victim organisation obtaining the services has the public-facing brand name which makes it into news reports. Then we give some recommendations for what you can do about it.

Third-party data breaches

A third-party data breach occurs when a malicious or criminal actor compromises a supplier, service provider or contractor to gain access to sensitive information or systems at the victim organisation’s customers, clients or business partners. For example: 

• A school gives health information to a camp provider;
• The camp provider is subject to the data breach;
• It is the school whose students are affected, and so it the school which is reported in the media as having a data breach and must respond to the fall out with stakeholders.

Third-party data breaches are increasing because of the increased uptake of contracted automation and efficiencies, the imperative for not-for-profits to optimise their support and contact databases and increased criminal activity via hacking. Many not-for-profit organisations may not know, or take responsibility, for where their data goes when working with other organisations. Often, they simply trust that the third party has adequate systems in place. Further, charities, schools and other for-purpose organisations may have many different service providers and contractors with whom different information is being shared. This means it is difficult to know where your data is.

How to mitigate the risks of a third-party data breach

Knowing where your data is was the principal recommendation of Victorian Privacy and Data Protection Commissioner, Rachel Dixon, during Privacy Awareness Week in May 2023.

“Know what data you hold, and where it is.”

In more technical terms, this is referred to as data mapping, or visualising your organisation’s data assets. Data mapping sets you up to take action to protect that data. It will also prepare your organisation to respond to pending amendments to the Privacy Act 1988 (Cth).

Another recommendation to mitigate the risks of third-party data breaches is to include privacy requirements in your contracts with these service providers. Your contracts should:

• ensure the organisation is required to comply with the Privacy Act 1988 (Cth), because there are some exemptions in the law;
• require both organisations to tell each other about potential data breaches;
• set out minimum data security requirements expected of the service provider; and
• provide clear rules around data retention and destruction once is it no longer needed.

The importance of privacy-by-design

Incorporating privacy-by-design into your information systems can help reduce the risk of data breaches, by implementing systemic protections to avoid the circumstances that lead to a breach even arising. Privacy-by-design is the idea of building privacy protections into processes to make good privacy practices a part of normal, everyday practice – making them the “default setting”.

In this context, this would be systemic protocols or restrictions of the sharing of information with third parties, such as a restriction on the downloading and exporting of client, donor or student data so only certain staff can do this, or the data must be shared in a specific way that has been considered and approved by the Privacy Officer.

How we can help

We can help you with data mapping, contracting with service providers and redesigning your information systems with privacy-by-design in mind. If you have unfortunately been affected by the data breach currently in the media, we can support you in your response and risk mitigation.  Contact us to hear more about these services and our perennially popular privacy and data breach training.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.

Planning for a loved one with a disability is challenging. From 1 July 2023, further stamp duty and land tax exemptions regarding the primary residence of a person with a disability have been introduced by The State Taxation Acts Amendment Act 2023 (Vic).

Increased Special Disability Trust (SDT) Duty Exemptions  

SDTs can hold assets on behalf of an eligible person with a disability while exempting those assets (up to a cap) from any pension means testing – these have been a useful planning option for some time. You can find further information regarding SDTs in our previous article series.

Previously, there has been a stamp duty exemption available for a transfer of property to a SDT up to the value of $500,000 – with duty payable to the extent the property exceeds that value. New Section 38A of the Duties Act 2000 (Vic) now provides that:

• A stamp duty exemption is available for a property that will be the primary residence of the person with a disability up to the value of $1,500,000; and
• The stamp duty exemption up to the value of $500,000 remains for any property that is not a primary residence.

The additional requirements are that:

• The transfer must be from an immediate family member (defined to include parents, step-parents, guardians, grandparents or siblings);
• There must be no consideration paid (ie/ a gift, not a purchase); and
• For the primary residence exemption, there must already be a residence constructed on the property that is intended to be used as the beneficiary’s primary residence.

Additionally, the Capital Gains Tax (CGT) exemption in Section 118.85 of the Income Tax Assessment Act 1997 (Cth) remains applicable and is uncapped as to value.

Duty exemption for the transfer of a home to a person with a disability

The transfer of a home directly to an eligible person with a disability may also be exempt from stamp duty up to the value of $1,500,000. This exemption is similar to the SDT exemption outlined above, except that it allows the disabled person to own the home directly, rather than it being held on their behalf via a SDT.

In addition to the requirements outlined above, the transferee must have, prior to the transfer, an assessment from Services Australia or the Department of Veterans’ Affairs that confirms that they would be eligible to be the beneficiary of a SDT.

This exemption is not available if there will be joint owners who are not both eligible persons with a disability.

The potential benefit of this option is it allows people to take advantage of the duty concession without the trouble of creating a SDT, which can have associated administrative burden and cost. However, it means that the property is then under the direct control of the person with a disability – and consequently available for them to sell, transfer or otherwise dispose of as they wish (and form part of their estate upon their death). So, if they are not a person who should reasonably be managing their own assets, then this option would not be appropriate. 

The CGT implications of a transfer would need to be considered and the specific exemption available for a transfer to a SDT does not appear to have been updated to be consistent with this duty exemption.

A primary residence is exempt from means testing regardless of whether it is held in a SDT or personally, so direct ownership will not in itself impact pension eligibility – although the value of other assets exempted from means testing will change subject to whether the disabled person is a home owner.   

Land tax exemption for a home occupied by a family member with a disability

A home owned by an immediate family member that is used as the primary residence of an eligible person with a disability is now exempt from land tax under Section 54(1)(c) of the Land Tax Act 2005 (Vic).

The requirements are that:

• The occupant of the property must have received an assessment from Services Australia or the Department of Veterans’ Affairs that confirms that they would be eligible to be the beneficiary of a SDT;
• The property must be owned by an immediate family member; and
• There must be no rent paid by or on behalf of the disabled person.

This provision should provide relief where a residence is held for the use of a disabled family member. With appropriate estate planning, such residence could potentially be passed to a SDT (or other form of protective trust) via Will on the death of the property owner – a scenario which likewise has applicable stamp duty and CGT exemptions and could therefore be cost effective.

Key takeaways

Providing an appropriate residence for a person with a disability is often a key aspect of estate planning. There are now further cost effective options as to the ownership of their primary residence, but care needs to be taken in assessing the appropriate structure.

How We Can Help

For expert advice or guidance regarding Estate Planning and Special Disability Trusts, please do not hesitate to contact us.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

Conducting investigations in relation to employee conduct always requires careful consideration and compliance with requirements of procedural fairness. However, when the conduct being investigated involves children, this raises several additional complexities which must be considered by employers.

The case of Gulliver v Corporation of the Trustees of the Roman Catholic Archdiocese of Brisbane [2023] FCA 823 (Gulliver) highlights the need for a sensitive approach to these types of allegations, balanced with compliance with any processes set out in an enterprise agreement. This case resulted in an employer being required to pay over $50,000 in penalties as a result of failure to comply with a direction from the Fair Work Commission (FWC), in accordance with its obligations under the applicable enterprise agreement. While this case drives home the need for employers to properly consider requests for further information in accordance with relevant industrial instruments, it also highlights the complex child safety and privacy obligations that must be carefully considered, which vary between jurisdictions.

The Facts: Background of the employee investigation

The applicant was a teacher employed at a school managed by the respondent, who traded as Brisbane Catholic Education, for over 15 years. The employment relationship between the teacher and Brisbane Catholic Education was governed by the Catholic Employing Authorities Single Enterprise Collective Agreement — Diocesan Schools of Queensland 2019–2023 Agreement (Enterprise Agreement). The Enterprise Agreement was a workplace instrument and an Enterprise Agreement for the purposes of the Fair Work Act 2009 (Cth) (FWA).

By letter dated 7 February 2023, the teacher was advised by Brisbane Catholic Education that an investigation had been commenced in relation to the teacher’s conduct in the course of her employment. The alleged conduct involved the teacher tugging the earlobes of two students when demonstrating the appropriate sleeper earrings to be worn in accordance with the school’s policy. In further correspondence from Brisbane Catholic Education, the teacher was informed that the allegations had been substantiated.

The teacher subsequently sought details of the evidence being relied upon in the investigation, however, was only provided with select, paraphrased information in relation to the allegations being investigated. The teacher then applied to the FWC seeking a range of remedies, including an injunction preventing Brisbane Catholic Education from terminating her employment until completion of the dispute resolution procedures set out in the Enterprise Agreement. Notably, the Enterprise Agreement contained status quo provisions which stated:

2.4.8 Whilst all of the above procedure is being followed, normal work shall continue except in the case of a genuine safety issue.

2.4.9 The status quo existing before the emergence of the grievance or dispute is to continue whilst the above procedure is being followed.

The FWC, in its reasons found that the Enterprise Agreement’s guidelines surrounding complaints against employees did not “compel” Brisbane Catholic Education to provide the teacher with the material sought. However, the FWC recommended in the particular circumstances of this case, that “the sensible course is for [Brisbane Catholic Education] to provide to the [teacher] to the full extent that is permissible, any material that will be put before the decision maker before a final decision is made”.

Brisbane Catholic Education failed to provide any further details in relation to the conduct, and subsequently terminated the teacher on the basis of the alleged conduct on 31 May 2023.

The teacher therefore claimed that Brisbane Catholic Education contravened s 50 of the FWA by contravening the status quo maintenance provisions contained in her Enterprise Agreement.

Findings by the Federal Court

The Court held that there was a contravention of s 50 of the FWA on the basis of the contravention of the Enterprise Agreement requiring the status quo to be upheld during the dispute resolution process set out in the Enterprise Agreement.

The Court found that the teacher was “left in a position of not knowing, prior to her dismissal, whether or not [Brisbane Catholic Education] would act on the recommendation” made by the FWC.

“Had [Brisbane Catholic Education] chosen to act on the recommendation by communication to her, even if only to the extent of stating, “You already have, by correspondence of particular dates, the following material and this is the only material which will be placed before the decision-maker”, she would then have had the choice of whether or not to accept that this was in fulfilment of the recommendation or, had she chosen to want more, to press for an arbitrated outcome.”

Instead, the Court found that by failing to do so, Brisbane Catholic Education, by the termination the teacher’s employment without providing any indication of its position in relation to the recommendation, was to interrupt the status quo.

Consequently, the Court was satisfied that the contravention had been made out, being a violation of a status quo required by clause 2.4.9 of the Enterprise Agreement.

As a result of this contravention and having found liability, the Court awarded $28,832.76 compensation for economic loss and a further $25,000 penalty for the breach of s 50 of the FWA.

Key takeaways and considerations for employers

• Employers need to carefully consider and balance their child safety and privacy obligations against their obligations to comply with the processes contained in their industrial instruments, and may face penalties for non-compliance.
• Employers may at times be prevented from disclosing details relevant to an investigation having regard to confidentiality, privacy and other obligations not to disclose reports made about abuse by children. For example, legislation in Victoria prohibits publishing information that would enable the identity of the student or the person who notified the regulator of a reportable allegation.
• Employers may be able to provide information about an investigation subject to undertakings of confidentiality and no further use.
• While Queensland does not yet have a reportable conduct scheme, it is important to note that the alleged conduct may fall within the parameters of reportable conduct under reportable conduct schemes in other jurisdictions.
• Laws relating to publishing and disclosure of reportable allegations also vary between jurisdictions, so it is therefore important for employers to consider how any reporting obligations they may have, interact with processes in enterprise agreements and under laws regulating the publishing and disclosure of information regarding reportable allegations.

How we can help

We advise clients on employment and safeguarding investigations across Australia and can provide assistance on the best way to navigate these complex issues, consistent with relevant laws and industrial instruments. With our expertise in both workplace relations and child safety, Moores are well-placed to assist with managing misconduct investigations that overlap with reportable conduct in relation to children. Please contact Skye Rose for further advice or information.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

No one likes a zombie and changes to the Fair Work Act 2009 (Cth) aim to rid them once and for all.

If your organisation or company has an older enterprise agreement that it has not replaced or formally terminated (through the Fair Work Commission), then you may need to think about your ‘zombie’ which may cease to exist come 7 December 2023. 

What is a Zombie Agreement?

The term ‘zombie agreement’ was more colloquially used prior to the first set of significant workplace reforms introduced by the Federal Government to describe older enterprise agreements. Specifically, those made before the Fair Work Act 2009 (Cth) began operating in 2009.

Enterprise agreements are usually renegotiated and replaced every 3 to 5 years given that the maximum ‘life’ of the agreement under the legislation is 4 years. However, if an agreement, even a very old one made 15 or 20 years ago, is not replaced by another Fair Work Commission approved enterprise agreement, or terminated by the Fair Work Commission, it still operates. That can create some complexity and in some cases, a disadvantage for employees where legislative and other standards have changed but the workforce are not entitled to the benefit of the changes because of the preservation of these older agreements.

Approaching Sunset: What happens once zombie agreements cease to operate

The Fair Work Legislation Amendment (Secure Jobs, Better Pay) Act 2022 (Cth) addresses this curious feature of older agreements. From 7 December 2023, ‘zombie’ agreements, that is, agreements made prior to 1 July 2009, will cease to operate through the legislative mechanism, even if another agreement is not in place or employees have not agreed to terminate the agreement.

The Fair Work Commission has the power to extend the life of the ‘zombie’ on application from a party to the agreement. That process involves making submissions and providing evidence to the Commission about why the agreement should be extended.

Importantly, after this date, assuming no extension has been granted, the relevant modern award which would otherwise cover the workforce will automatically replace the zombie agreement. Compliance with an award is a statutory obligation and a breach of that obligation can expose an employer to a Court prosecution, regulator investigation and/or penalties of up to $93,900 for a single breach.

If your organisation has a ‘zombie’ lurking, then the steps to consider in preparation of the change in December 2023 include:

• Checking if you issued the compulsory notice to employees about the end of the zombie agreement on or before 6 June 2023;
• Identifying what industrial instrument may apply after the agreement ceases;
• Internal planning about whether the organisation will move towards making another agreement or not;
• Updating payroll systems to reflect new payment rules and conditions that drive payment;
• Updating employment contracts as required;
• Providing notification to employees about what next after the zombie; and
• Assessing whether an application for an extension to the default period is appropriate and would have reasonable prospects.

Extending the life of the zombie agreement

The legislative changes do enable a party to seek to extend the life of the zombie agreement. The extension can be for no more than four years.

The legislation provides that the FWC must extend the default period if it is satisfied that:

• the relevant circumstances as described in the legislation exist and it is otherwise appropriate in the circumstances to do so; or
• that it is reasonable in the circumstances to do so.

In Suncoast Scaffold Pty Ltd 2009 [2023] FWCFC 105 (Suncoast), the Full Bench considered whether to extend the default period of the collective agreement-based transitional instrument (zombie agreement) to 31 March 2027. This required assessment of the particular criteria which states an extension must be granted if:

• the employee would be covered by a modern award; and
• it is likely that the employees, viewed as a group, would be better off overall if the instrument applied to the employees than if the relevant modern award applied.

The Full Bench provided detailed guidance on how the requirement in that section differs from the well-known ‘BOOT’ test. The Full Bench stated (emphasis added):

“… The requirement for the better off overall criterion in subitem 9(b) to be assessed by reference to the award covered employees ‘viewed as a group’ appears to allow for the possibility that the criterion may be satisfied, notwithstanding that some individual employees are not better off overall than under the relevant award, as long as there is a discernible advantage for the employees considered as a collective. Further, there only needs to be satisfaction as to the ‘likelihood’ of such a discernible collective advantage; that is, it only needs to be probable rather than certain. Taking these matters together, it is apparent that the better off overall criterion is less stringent that the BOOT in s 193 of the FW Act.”

The Full Bench concluded it would not be reasonable in the circumstances to extend the default period for the agreement given that:

• the agreement is beyond its 14th year of operation and no longer reflects award entitlements now applicable under the FW Act;
• There was ‘no independent evidence,’ to suggest the employees were satisfied with the current arrangement;
• The agreement only continued to apply to one third of the workforce and was therefore of limited relevance; and
• There was nothing to suggest that the continued operation of the agreement was critical or even important for the viability or efficiency of the Suncoast Business.

How we can help

Our Workplace Relations team can assist you to review your existing industrial instrument(s) and develop a pathway forward before the December deadline, including considering whether to make an extension application.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

---

The COVID-19 pandemic forced many employers to think about traditional and new ways of working, including how hours of work are performed and the flexibility that more and more employees are coming to expect from their employer. The post-pandemic working world has seen an increase in many employers being willing to facilitate flexible working arrangements.

However, flexible work arrangements aren’t new. The right to request a ‘flexible work arrangement’ has been part of the National Employment Standards in the Fair Work Act 2009 (Cth) (FW Act). Under that standard, some employees (such as parents, workers with a disability and pregnant workers) are eligible to request flexible work arrangements. Those arrangements can include changes to start and finish times, part time work, job sharing and working from home. Section 65 of the FW Act sets out the requirements that must be complied with when making and responding to flexible work arrangements (see our article: Constraints for employers when balancing flexible work). Recent changes have seen further enhancement of this important standard as part of the FW Act.

While flexible work arrangements offer considerable benefits to both employers and employees, the arrangements can sometimes blur the boundaries between employees’ personal and working lives, leading to ‘hidden overtime’.[1]

There is often a tricky balance for employers and employees to strike where the job demands of a position require some reasonable additional hours to be worked but where a flexible work arrangement is in place which defines work hours more clearly. When is a reasonable expectation not so reasonable or even more significantly, unlawful?

Recapping the essentials – Reasonable additional hours

Under the National Employment Standards, employees are entitled to refuse to work additional hours if they are unreasonable.[2] Whether additional hours are reasonable requires a consideration of the following factors:

• any risk to employee health and safety from working the additional hours;
• the employee’s personal circumstances, included family responsibilities;
• the needs of the workplace;
• whether the employee will receive overtime payments, penalty rates, compensation or a level of remuneration which reflects the expectation to work additional hours;
• any notice given by the employer to require the additional hours, or by the employee of their intention to refuse the additional hours;
• usual patterns of work in the relevant industry;
• the nature of the employee’s role and level of responsibility;
• whether additional hours are in accordance with averaging terms in an industrial instrument or other agreement between the employer and employee; and
• any other relevant matters.[3]

Many employment contracts include a term stating that the employee may need to work additional hours as required to fulfil the requirements of the role. For ‘salaried’ workers (those paid on an annualised basis), the clause may even state that the employee ‘agrees’ that their salary adequately compensates them for any additional reasonable hours worked.

However, depending on the circumstances, relying on a contractual term may not be sufficient. The expectation of reasonable additional hours is not always lawful. For example, in 2022, the Federal Court of Australia held that it was unreasonable for a knife hand at a meat wholesaler to work an additional 12 hours per week.[4] While a contractual term is one positive step that employers can take to indicate an employee agrees to working overtime, employers are also required to assess what is ‘reasonable’ by engaging with each of the elements in section 62(3).

Additionally, employees who are covered by an award or enterprise agreement may be entitled to receive overtime pay for additional hours worked. Employers are advised to therefore monitor overtime worked by award covered employees, even where they are paid on an annualised basis, to ensure they are remunerated at or above their minimum award entitlements for the hours worked.

Occupational health and safety considerations

Working additional hours can also increase occupational health and safety risks. In most Australian jurisdictions, ‘persons conducting a business or undertaking’ (PCBU) have an obligation to ensure, as far as is reasonably practicable, that employees (and other persons) are not exposed to risks to psychological health and safety arising from work being performed for the PCBU.

In the context of flexible working arrangements, employers may need to be vigilant of the practical effect of flexible work arrangements and to continually monitor hours of work to ensure that ‘flexibility’ isn’t leading to safety risks because of the way the hours of work are performed or how many hours are worked. A failure to adequately address safety risks may expose an employer to investigation or prosecution by the safety regulator, increased absence due to ill health caused by unreasonable work hours and demands and/or claims for compensation due to a workplace ‘injury’.

So what steps can employers take to reduce these risks?

Employers can take positive steps to manage requests for flexible work arrangements, including:

• Implementing policies and procedures which are consistent with the processes under the FW Act, with particular regard to those categories of workers who are lawfully entitled to make a request for flexible work arrangements under the FW Act.
• Establishing the employer’s position about flexible work arrangements that fall outside of the FW Act framework.
• Considering employee job design, including managing expectations about how much work an employee can practically complete during their agreed working hours;
• Working to make necessary adjustments to address risks of unreasonable work hours or demands.
• Reviewing the adequacy of existing controls to manage psychosocial risks in the workplace more generally, including methods for maintaining boundaries between working hours and personal life. These methods can include marking out employee work hours in team calendars, identifying employee working hours in email signatures, and not contacting or emailing employees outside of their working hours.
• Conducting training for employees to manage risks arising from flexible work and for managers to identify and respond to risks as they arise.
• Auditing award covered ‘annualised salary’ employees to ensure employees are being paid at or above their minimum award entitlements.

How we can help

Our Workplace Relations team can provide you with practical advice regarding flexible work arrangements and reasonable additional hours and strategies to strike the right balance in your workplace. We can also assist you with designing your flexible working policy to ensure that you meet your legal obligations and maximise the benefits that flow from flexible work arrangements.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.

---

[1]https://www.oecd.org/coronavirus/policy-responses/productivity-gains-from-teleworking-in-the-post-covid-19-era-a5d52e99/ (accessed 14 July 2023).

[2] Fair Work Act 2009 (Cth), s 62(2).

[3] Fair Work Act 2009 (Cth), s 62(3).

[4] Australasian Meat Industry Employees Union v Dick Stone Pty Ltd [2022] FCA 512.

The Office of the Victorian Information Commissioner (OVIC) recently found the Victorian Department of Health (Department) failed to take reasonable steps to secure personal information in its call centres during the pandemic – and a lack of personnel screening processes as a key factor.

In the case, a contractor was able to access personal information and then harassed and engaged in an offence against the individual whose personal information had been accessed.

OVIC found that the Department allowed contractors to commence work before checks were complete, and this was a factor in the breach. This happened at the height of COVID, when there was immense pressure to staff the call centre without delay.

Many not-for-profit organisations which receive Victorian government funding or provide health, care or education services are contracted service providers (CSPs), and are therefore bound by the Privacy and Data Protection Act 2014 (Vic) (PDP Act) by virtue of funding agreements.

The takeaway: Check your funding agreement to see if your organisation must comply with the Privacy and Data Protection Act 2014 (Vic) PDP Act. If you are, your first step should be to refer to OVIC’s website.

OVIC found that the Department did not ensure there was sufficient pre-employment screening of external staff (i.e., contractors) to determine their suitability to handle personal information that had been entrusted to the Department by the public.[1] The breach was a breach of IPP 4.1, which states:

IPP 4.1: An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.[2]

APP 11.1: An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.[3]

For organisations bound instead by the Privacy Act 1988 (Cth), APP 11.1 is extremely similar and findings of OVIC regarding IPP 4.1 support interpretation of obligations under the Australian Privacy Principles (APPs).

The takeaway: Information security is not just about software protections, phishing training and securing your cloud storage systems. Think bigger. Personnel screening is also relevant to information security.

Key lessons

We recommend you consider:

• Are your volunteers and contractors suitable to access your databases?
• Do your personnel know how they are expected to handle personal information?
• What if a data breach was to impact one of the contractors you work with? For example, a camp provider, or a software provider?
• What protections or security measures do you have in place regarding your work with other organisations that involve sharing information about your clients, stakeholders, staff and/or students?

This investigation highlights the risks associated with allowing third-party contractors to access information and systems, because contractors engaged by the Department of Health who failed to take reasonable steps to perform security checks, and a subcontractor misused personal information.

How we can help

We can help you identify the right questions to ask about your information handling operations and processes. We can also help you answer them and manage the change process to align your organisation’s operations with your risk appetite. It is commonly said in the cyber security industry that “It’s not a matter of if you are faced with a breach, but when.” Moores can help you prepare.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

---

[1] Office of the Victorian Information Commissioner, Misuse of Department of Health information by third party employees during pandemic response (July 2023) page 5 https://ovic.vic.gov.au/wp-content/uploads/2023/07/DOH-INV-20230628-Report-v1-1.pdf.
[2] Privacy and Data Protection Act 2014 (Vic) Sch 1, IPP 4.2.
[3] Privacy Act 1988 (Cth) Sch 1, APP 11.1.

We’ve heard a lot about payroll tax and school fees from the media recently. For schools affected, there will have been much deliberation as to how to meet this new financial burden.

As you head into budget meetings, consider whether your enrolment documents need any tweaks to be approved at that meeting too.

Here is what we’ve seen trending in this space:

• Requests for financial accommodation: if you agree to payment plans, ensure these are in writing, have an end date and contain clear consequences for breach. Sometimes, these plans legally override the enrolment agreement and the school has only watered-down terms to rely on.

• Allegations on departure to seek to avoid payment: if you part ways with a family, then ensure that reasons are documented and that any support plans are up-to-date. Make sure your enrolment documents (and any marketing materials!!) do not promise or imply a particular outcome or level of achievement.

• Challenging notice periods: if you charge one term’s fees in notice, ensure you give sufficient notice in term week and avoid any “unfair” contract terms (under the consumer law) which could be argued were not binding.

Lastly, if you are rolling out new terms and conditions, to avoid the tyranny of multiple versions or version uncertainty, ensure your process is legally enforceable. A mere letter update may not be enough if your terms do not allow you to update in this way. Beware – relying on parents opting “out” of new terms and conditions is often legally invalid.

How can schools make sense of this? Most importantly, how can schools ensure their enrolment agreements are strong contracts that establish a good relationship between parents and the school, in turn better supporting education of our young people and avoiding disputes?

Here are our recommendations

Consider updating your enrolment agreement, and specifically:

1. Know what terms and conditions students and parents are subject to.
2. Think about your notice requirements for withdrawal. Read more about the ACT ACAT decision here, or watch our webinar for free.
3. Make sure your enrolment agreements are easy to understand for your community to ensure inclusiveness and accessibility.
4. With privacy in the spotlight, check what collection processes are in place for waitlists and enrolment.

Why does this matter?

• The enrolment agreement is the legal basis for the provision of services by your school. It is how to guarantee recovery of fees.
• It is a complicated contract. It is not a simple payment of money in exchange for an item. Enrolment can continue for 13 years.

The current economic conditions are seeing increasing preparedness to challenge documents, and to involve lawyers in these matters on behalf of parents.

How can we help

Get in contact with our Education Team to discuss how we can help you refresh your enrolment documents or enrolment process to address these emerging challenges.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to your organisation.

---

Privacy has been a hot topic for a while now. In response to the flurry of activity in the privacy space, regulators are now making moves and responding – and it is not just the national privacy regulator who is talking about privacy.

Below we summarise the different global regulators and courts who are considering privacy.  With Moores’ passion for helping our for-purpose, charitable and education clients, we have also explained what these news items mean for these industries.

Medibank decision from APRA

The Australian Prudential and Regulation Authority (APRA) will require Medibank to increase its capital adequacy requirement to $250 million, to reflect weaknesses in Medibank’s information security environment identified in the review of the cyber incident in October 2022. APRA regulates the Australian financial market, including banks and insurance companies like Medibank. 

The Office of the Australian Information Commissioner (OAIC) is yet to announce its decision into response to the incident, which could include a fine of $50 million. Separately, Slater and Gordon instituted proceedings in May 2023 in a class action representing millions of Australians.

The takeaway: Privacy is on the radar of many regulators, not just the privacy regulator. Regulators know they need to be seen to be taking a tough stance on privacy to align with the public’s expectations.

Facial recognition found to violate human rights

The European Court of Human Rights has ruled that the use of facial recognition to locate and arrest a protester while he was travelling on the Moscow underground violated rights to freedom of expression and privacy.[1] The Court concluded that the processing of Mr Glukhin’s personal data in the context of his peaceful demonstration, which had not caused any danger to public order or safety, had been particularly intrusive. The use of facial-recognition technology in his case had been incompatible with the ideals and values of a democratic society governed by the rule of law.

In Australia, the OAIC has investigated retailers for collecting facial images from customers without valid consent, and those retailers were ordered to delete all faceprints collected. These investigations are ongoing.

The takeaway: This decision turned on the ‘reasonableness’ of the use of the technology. This is a key part of Australian privacy regulation too. How you use personal information needs to be reasonable in circumstances to avoid being intrusive or illegal.

Data protection relevant to investigating Meta’s possible competition infringements

Meta had challenged the investigation by German competition regulator (equivalent to the ACCC) into possible privacy breaches. On 4 July 2023, the Court of Justice of the European Union ruled that the German competition authorities could also consider data protection issues in its review of Meta’s business practices, as the collection of data without consent was a potential abuse of market power. The practical consequence could be to substantially limit Meta’s use of personal data for advertising purposes.

The takeaway: Competition regulators are getting involved with privacy.

• This trend exists in Australia too, with the ACCC taking an increased interest in privacy. The ACCC has investigated possible privacy breaches as they may relate to misleading or deceptive conduct. In 2021, the Federal Court found that Google had misled customers about the collection and use of location data. The penalty was $60 million.[2]

• On 10 July 2023, the ACCC invited views on the Australian data broker industry from consumers, businesses and interested stakeholders, in response to its issues paper on data brokers.[3]

The ACNC’s says privacy is an ethical responsibility

The Australian Charities and Not-for-profit’s Commission (ACNC) acknowledges that gathering data about people charities provide services to “brings with it important legal and ethical responsibilities”. Information about managing people’s information published by the ACNC is available here.

The takeaway: “A charity’s Responsible People must be aware of the legal requirements of managing people’s information and data. They are responsible for their charity’s actions and must ensure their charity complies with all the relevant laws governing data collection, storage and usage.”[4]

How we can help

With specialised knowledge of the for-purpose and education sectors, we can help you navigate regulatory compliance and interactions with regulators, be it the specific privacy regulator – the OAIC – or other regulators who may become interested in your activities. More information about our regulatory compliance and privacy offerings are linked for you, or contact us directly.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

[1] Glukhin v. Russia (European Court of Human Rights, Chamber, Application No 11519/20, 4 July 2023). 

[2] Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367.

[3] Australian Competition and Consumer Commission,Digital platform services inquiry – March 2024 report – issues paper (published 10 July 2023) <https://www.accc.gov.au/inquiries-and-consultations/digital-platform-services-inquiry-2020-25/march-2024-interim-report>.

[4] Australian Charities and Not-for-profit’s Commission, Managing People’s Information and Data, <https://www.acnc.gov.au/tools/guides/managing-peoples-information-and-data>.

A clear and comprehensive Child Safe Code of Conduct is crucial for communicating the expected standards of behaviour and requirements of all people engaged by an organisation. Where organisations work with children, it’s also required by relevant Child Safe Standards and National Principle for Child Safe Organisations.[1]

Reviewing and updating child safety policy documents and codes of conduct may not feel like an important priority, but taking a set and forget approach to codes of conduct without periodic reviews can miss important opportunities to strengthen behavioural expectations of workers, particularly in relation to online conduct. Codes that don’t comprehensively address acceptable and unacceptable behaviours, professional boundaries, ethical behaviour, and provide guidance on managing inappropriate conduct can significantly undermine an organisation’s ability to effectively manage inappropriate conduct by workers towards children.

Expectations regarding communication with children (whether in person, online or by phone), contact and relationships with children outside of work, grooming behaviours, and travel are often inadequate and out of date and fall short of legal and community expectations.

We’ve put together this quick summary to help you perform a health check on your organisation’s Child Safe Code of Conduct.

1. Appropriate and inappropriate behaviours

Your Code of Conduct should outline in sufficient detail those behaviours acceptable and unacceptable, both in and outside of work. Accepted or expected behaviours should address ways in which workers can create a positive environment to prioritise the safety and wellbeing of children.

Unacceptable behaviours should be specific to the organisation’s activities and address situations or scenarios that workers may face during their employment which pose high risk of harm to children.

The behaviours should have regard to:

• the nature of the organisation’s engagement with children;
• demographic of children the organisation engages (i.e. particularly vulnerable children such as children with disability);
• demographic of workers (e.g. youth organisations may engage young people or children under 18 as workers); and
• activities in which adult workers will interact with children during the course of their work;
• all forms of possible contact with children (having regard to the rapidly changing online space and ability to communicate by phone, email, text, applications, and all forms social media etc), and whether there are any exceptions to expectations (such permitting family members to be connected on social media with their own children).

Further, care must be taken to ensure that workers understand behaviours that are unacceptable, irrespective of whether they occur in connection with their work (such as grooming and child, or engaging in physical violence towards or in the presence of a child).

Providing clear direction to workers as to acceptable and unacceptable behaviours will clarify expectations and ensure organisations have clear guidelines if workers breach the Code of Conduct.

2. Address risks for online environment

The National Principles for Child Safe Organisations and all Child Safe Standards require organisations to address both physical and online environments to promote the safety and wellbeing of children and young people and minimise the risk of harm.

Organisations that do not engage with children on online platforms may believe that it is not necessary to consider online environments. However, online environments represent a significant risk of potential harm to children, and organisations may owe a duty of care to children beyond the actual time the child is engaged with the organisation.

Organisations can also be held vicariously liable for a worker’s abuse of a child if it is found that organisation did not take reasonable steps to prevent the abuse from occurring. In determining liability, a court will consider the adequacy and currency of an organisation’s policies, procedures, code of conduct and training for workers.

Addressing contact with children on online platforms outside of hours is critical to ensure the organisation properly exercises its duty of care.

3. Code of Conduct for children and young people

Organisations may require a separate Code of Conduct which sets expectations for children in relation to their behaviour with each other to safeguard against risks of harm. The Royal Commission into Institutional Responses to Child Abuse found that 16% of participants reported sexual abuse by other children in institutions.

There is a risk of harm being inflicted by other children particularly in relation to sexual, physical, bullying, harassing and online behaviour. Clear statements of non-tolerance of serious harm such as sexual assault, cyberbullying and image-based abuse will allow organisations to take action where children are at risk of harm from each other. In states with affirmative consent laws, organisations should consider providing information and training on what is required for consent.  

Organisations will need to ensure that the code of conduct is accessible in accordance to the age and capacity of children they engage with, and that it covers the full list of expectations regarding

4. Review and update periodically

The Code of Conduct should be reviewed and updated to reflect changes in the organisation or changes in the law. The process of review should be clearly stated within the Code including when it will be reviewed, who will undertake the review, and who is responsible for approving changes. The version and date of the review should be stated on the Code to make clear what updates needs to be incorporated.

How we can help

Moores is one of the only law firms in Australia with a dedicated safeguarding and child safety team. Experts in our field, we support organisations with advice and training on their child safety obligations and drafting or amending codes of conduct, child safety policies and procedures to align with best practice, not just meet the minimum standard.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

[1] Currently, Child Safe Standards have been adopted in New South Wales and Victoria. Whilst similar, South Australia has adopted the Child Safe Environments – Principles of Good Practice, and the ACT has adopted the Children and Young People Standards.States without state-based Child Safe Standards include Tasmania, Queensland, Western Australia and the Northern Territory, where the National Principles for Child Safe Organisations are relevant. Additionally, schools in Victoria must ensure that their Code of Conduct complies with more prescriptive requirements of the Ministerial Order 1359