The Victorian Court of Appeal has upheld an important ruling, finding that direct discrimination can occur through an employer’s unconscious act of bias towards an employee in the workplace. In Austin Health v Tsikos [2023] VSCA 82, an employer was found to have treated an employee unlawfully because of her sex by ignoring her repeated attempts to negotiate higher pay rates, despite affording such right to the employee’s male colleagues. The conduct was found to be in breach of the Equal Opportunity Act 2010 (Vic) (EO Act).

This decision is a timely reminder for employers to be cautious of how ‘unconscious’ biases may impact their decision making and the potential consequences for unlawfully discriminating against employees.

Background

Christina Tsikos was employed by Austin Health between 2009 and 2018. She was initially employed in a clinical role as an orthotist/prosthetist, but was promoted in 2010 to manager of the Orthotic/Prosthetics Department. During her employment, she was paid at the rate provided in the applicable industrial agreement.

Ms Tsikos managed fourteen people, with ten of these employees being men. Four of the male employees were being paid above their enterprise agreement rates and were classified at a level higher than their role classification. One of the employees was paid significantly higher than Ms Tsikos, despite him reporting to her.

Ms Tsikos attempted to renegotiate her wage six times over seven years; however, Austin Health did not engage in the negotiations.

Procedural History

VCAT

Ms Tsikos commenced proceedings in the Victorian Civil and Administrative Tribunal (VCAT) under the EO Act claiming she had been directly discriminated against on the basis of her age and sex. She claimed that she had been treated unfavourably in being denied or limited access to negotiate her salary.

VCAT was not satisfied that discrimination had occurred on the basis that Ms Tsikos failed to show:
• that being unable to negotiate her salary was unfavourable treatment, as there was inadequate evidence of the opportunity existing for other employees;
• with sufficient strength or particularity, a denial or limitation of the attempts (of Ms Tsikos to negotiate her pay) by Austin Health; and
• any unfavourable treatment was on the basis of her age or sex.

Supreme Court

Ms Tsikos appealed the decision to the Supreme Court. Justice Richards upheld the appeal and found that the original decision had several errors, including that VCAT had failed to:
• consider whether Ms Tsikos had been treated less favourably in the ways she alleged. VCAT had, instead, considered whether Ms Tsikos had been treated less favourably than her male colleagues;
• determine whether the alleged contravention had been proved; and
• consider and make findings about Ms Tsikos’ sixth attempt to negotiate which was significant due to its formal nature.

It was also found that VCAT had erroneously considered the attempts individually rather than consider the evidence holistically. Ms Tsikos had provided expert evidence in relation to the operation of structural inequality and unconscious bias in the workplace which contributed to the holistic picture of Austin Health treating her unfavourably. It was found that if these errors had not been made, it was open to VCAT to find that Austin Health had discriminated against Ms Tsikos on the basis of her sex by failing to negotiate her wage.

The appeal was allowed and remitted to VCAT to be heard and decided again.

Appeal

Court of Appeal

Austin Health appealed the Supreme Court decision on nine different bases. It was claimed that the judge erred in:

  1. Not exposing her reasoning pathway in respect of any error to dismiss the claim of age discrimination;
  2. Determining the wrong test was applied for ‘direct discrimination’;
  3. Determining VCAT failed to consider and adjudicate upon the ‘entire evidence’;
  4. Finding VCAT had failed to consider the sixth attempt to negotiate;
  5. Characterising Ms Tsikos’ claim as one of ‘systemic discrimination’;
  6. Ignoring a finding of fact that Ms Tsikos failed to establish a denial of access to a ‘benefit’ or a ‘detriment’;
  7. Determining that the Briginshaw principles did not and would not apply to the claim of unlawful direct discrimination on the grounds of ‘sex’;
  8. Invoking the rule in Jones v Dunkel to support the proposition that a failure to call a witness may provide a basis for an adverse inference; and
  9. Remitting the claim back to VCAT because upon remittal for rehearing, the unchallenged findings of fact stood in the way of the claim succeeding.

Leave to appeal was granted; however, none of the grounds were successful. The Court of Appeal agreed with the single instance judgment and found that VCAT had erred in its original decision by:
• applying the wrong test for direct discrimination;
• failing to weigh the ‘entire evidence’; and
• omitting consideration of the manager’s final attempt to negotiate.

The Court of Appeal noted that “we agree with the judge that not only would it have been open to the tribunal to find that composite picture was one of unfavourable treatment, it is difficult to see how the tribunal could reasonably have concluded otherwise”.

Key Takeaway

Unintentional discrimination or unconscious bias can fall foul of anti-discrimination legislation. It is as important as ever to ensure that employers’ frameworks for remuneration and other employment benefits are appropriately administered and managed to minimise the risk of discriminatory outcomes, even if indirect or unconscious.

How we can help

For assistance with advice on your organisation’s obligations to comply with anti-discrimination legislation or assistance with dealing with matters raised by employees in relation to potential claims of discrimination, contact our workplace relations team. Our team is well-placed to assist with practical and legal guidance for organisations seeking to balance their obligations to employees, and their operational and workforce needs.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

The Fair Work Legislation Amendment (Secure Jobs, Better Pay) Bill 2022 (Cth) (Bill) passed both houses of Parliament in December 2022 and is now law. Among other changes to the Fair Work Act 2009 (Cth) (FW Act) (discussed previously here), the Bill introduced new limitations on fixed term contracts that are set to take effect on 7 December 2023 (discussed previously here).

The limitations apply broadly to employers covered by the FW Act. This article considers the specific implications of the new limitations on fixed term contracts for employers who are charities and not-for-profits given the prevalence of the use of fixed term and specific duration employment arrangements in the sector.

What limitations on fixed term contracts will apply?

New provisions in the FW Act will make it an offence, subject to some exceptions, for an employer to enter into a fixed term contract with an employee:

• for a period that exceeds two years;

• that allows the contract to be extended or renewed for a period that exceeds two years;

• that provides for an option or right to extend or renew the contract more than once; or

• where the contract continues the same, or substantially similar, employment relationship and work duties as a previous fixed term contract, and:

  • the contract and previous fixed term contract exceed two years in length;
  • the contract or previous fixed term contract contains a right of renewal or extension; or
  • the employee has previously been engaged under two consecutive fixed term contracts.

There are a range of exceptions to the limitations on fixed term contracts (listed in full here) including two that are of particular relevance for charities and not-for-profits – governance positions and funded positions.

Exception: Governance Positions

The new limitations on fixed term contracts will not apply to any contract of employment that relates to a governance position where a time limit is imposed on the position by the governing rules of the corporation or association.

This exception may enable a charity or not-for-profit to enter into a fixed term contract with an employee that has a “governance position” in the organisation, if a time limit for that position is specified in the organisation’s Constitution or Rules. The term “governance position” is not defined in the legislation or explanatory memorandum. We expect that there will be judicial consideration of the term if and when there are challenges to an employer’s reliance on this exception, but that guidance is still some time away. It may be possible that the term means an individual that is a voting member of the Board or Committee noting that the legislation does not go as far as to define the term in that way. If that was the case, the exception may be capable of applying to employees that have an ex officio role on the Board or Committee such as executive Directors, some school principals (in the case of a school) and some religious ministers (in the case of a faith-based institution). However, given the complexities arising with applying this exception and consequences for breach, further legal advice should be obtained where it relates to a specific organisation and its employment arrangements.

New anti-avoidance provisions under the Bill will prohibit employers from “changing the nature of work” or “otherwise altering an employment relationship” in order to avoid the new limitations on fixed term contracts. Accordingly, employers should seek advice before:

• introducing fixed terms for governance positions where the Constitution or Rules did not previously provide for a fixed term for that position; or

• seeking to characterise a position as a “governance position” if the individual does not have a genuine governance role in the organisation.

Exception: Funded Positions

The new limitations on fixed term contracts will not apply to any contract of employment that relates to a position for the performance of work where:

• the position is funded in whole or in part by government funding or funding of a kind prescribed by the regulations (noting that no regulations have been prescribed for this purpose to date);

• the funding is payable for a period of more than 2 years; and

• there are no reasonable prospects that the funding will be renewed after the end of that period.

This exception may provide a basis for not-for-profit and charity employers that receive government funding for positions to lawfully appoint persons to those positions for fixed terms that exceed two years in duration (provided that all the criteria to be met for the exception to apply are satisfied). The legislation and explanatory memorandum do not include any guidance as to how the prospects of funding renewal should be assessed. This assessment will depend on the circumstances and it may be prudent to seek advice.

How we can help

Our For Purpose team helps charities from the ground up, from support to apply for registration to amending governing documents. If your charity has made appointments to positions for fixed terms, we can assist you to navigate the new limitations on fixed term contracts that will take effect on 7 December 2023 and the exceptions to those limitations discussed in this article.


From 1 July 2023, all charities registered with the Australian Charities and Not-for-profits Commission (ACNC) will be required to report related party transactions in their Annual Information Statements. These changes are part of the Australian Government’s reforms that were initially announced in mid-2021 with an aim to provide greater accountability to donors, charity beneficiaries and members of the public.

What is a related party transaction?

The term ‘transaction’ is defined by the ACNC to be a “transfer of resources, services, or obligations between related parties. It does not have to include financial payment.” A charity engages in a transaction if it is either giving or receiving the resources. This can include actions such as: purchases/sales, donations, loans, leases, guarantees, delivery of goods, resources or services, and the provision of employees or volunteers.

The ACNC defines the term ‘related party’ differently according to a charity’s size.

For small charities (annual revenue under $500,000), a simpler definition is used by the ACNC whereby a related party is “a person or organisation that is connected to the charity and has significant influence over the charity.” This includes responsible persons (directors, board members), senior managers, family members of those persons and others who may have influence over a charity’s decision making.

For all other charities, the ACNC adopts the definition of ‘related party’ that is used in the Australian Accounting Standards (AASB 124). Under that definition, a related party can be:

  • a person that is connected to the charity or has control of the charity (responsible persons and family members);
  • an organisation that is connected to the charity and has control or significant influence over the charity (i.e. a parent or related entity);
  • an organisation that the charity has control or significant influence over, such as a subsidiary;
  • a member of the charity’s key management personnel or a close member of their family; or
  • an associate or joint venturer of the charity.

What must charities now do?

The ACNC has recently released guidance to assist charities to understand their new obligations and to provide charities with certainty about what transactions should be reported.

All charities will need to report on related party transactions in their Annual Information Statements submitted to the ACNC from 1 July 2023 onwards. If a charity notes that they have reportable related party transactions then they will need to select the type of related party transactions that they have engaged in from the following list:

  • Fees paid to a related party for providing goods or services to the charity.
  • Loans from or to a related party.
  • Salary or wages paid to a related party’s relative.
  • Transfer of charity property or assets to a related party.
  • Charity goods or services provided at a discount to a related party.
  • Significant use of charity property by a related party.
  • Investment in a related party.

There will also be an ‘other’ option if charities wish to report on other forms of related party transaction not provided for in the list.

Charities will also be able to provide additional relevant information about these related party transactions if desired. For example, charities may wish to include details about the value of these related party transactions and how they have been managed.

Small charities will only need to provide details about ‘reportable’ related party transactions (the ACNC has supplied some examples in its guidance notes about when a related party transaction will be ‘reportable’). All other charities will need to provide details about ‘material’ related party transactions. The materiality of a related party transaction will depend on the context of a charity’s specific circumstances – charities will need to determine what is and is not material. Medium and large charities also need to provide details of related party transactions in their annual financial statements in accordance with the requirements of Australian Accounting Standards (AASB 124 and AASB 1060).

How Moores can help

To comply with these ACNC reporting requirements, charities should now be recording details about their related party transactions, including the value of these transactions and how they are being managed.

Moores is here to help your charity to put appropriate policies and procedures into place to ensure that you are able to comply with your financial reporting and statutory obligations. We can assist you to review key arrangements and agreements to ensure that they are compliant and in the best interests of your charity.

Contact us

Please contact us for more information or guidance regarding any of the above.


Victoria’s State Budget announcement yesterday left many schools surprised by unexpected news that their long-standing payroll tax exemption was to be scrapped with effect from mid-2024.

Announcements referred to “high fee” schools, although the apparent threshold of annual fees of more than $7,500 (to be clarified exactly in its application) looks to capture many mid-tier and mid-fee schools, including some outer metro and regional independents and Catholic schools.

Many schools in this mid-tier have a tight surplus after meeting growing staff costs and will need to explore cost savings in upcoming School Board budget meetings in August and September. Tuition fee increases in circumstances where parents are already feeling cost of living pressures are unlikely to be welcomed.

This payroll tax decision follows the 2021 land tax amendments (see our land tax article here) and further erodes the tax concessions historically afforded to charitable organisations in Victoria. 

On the other hand, low fee schools will get a boost and the early childhood sector is celebrating the continuation and extension of free kindergarten, noting that 15 hours of fully funded three year old kinder has been on the sector wish list for a number of years. Combined with the Federal Government’s increase to the child care subsidy, families with younger children should have more access and lower costs, with long daycare operators apparently restricted from passing on some costs.

In a pleasing development, 150 new bush kinder programs will be funded.

The budget also allocates significant investment by the State in new schools and school programming including camps, which may alleviate the risk of camps being cancelled due to recent changes to time in lieu payments for teachers.

Lastly, although we understand teaching staff will be spared the public sector job cuts, with the budget announcement that up to 4,000 positions will be cut from the public service, the Department of Education and Training is very likely to be impacted, although it is currently unclear how this will flow on to schools.


This article is part 3 of our charity article series. Click here to read Part 1: Before you Start. Click here to read Part 2: Charity Tax Concessions.

Part 3: Choosing the Right Structure

An essential preliminary step when establishing a charity is to consider which legal structure is most appropriate. Structures commonly used include an unincorporated association, an incorporated association, a company limited by guarantee or a trust.

This article sets out some of the considerations that apply when selecting a legal structure.

What does it mean to incorporate?

A key decision is whether to establish an incorporated entity. An incorporated entity is a separate legal entity – most commonly an incorporated association or a company limited by guarantee. Unlike an unincorporated association (which is legally a group of people) or a trust, an incorporated entity is a separate ‘legal person’.

What are the benefits of incorporation?

Incorporation results in the establishment of a ‘legal entity’ that has a separate and distinct identity from the group of individuals who established, or are a part of, the entity.

Separate legal identity

An incorporated entity can (among other things):

  • open and operate a bank account;
  • obtain insurance (although some insurers will offer cover to unincorporated bodies);
  • enter into contracts (including employment contracts) and agreements and sign documents;
  • buy, sell, own, lease and rent property and other assets;
  • borrow and loan money; and
  • sue and be sued in its own right.

‘Limited’ liability for members

A key benefit of incorporation is that the legal entity has ‘limited liability’. This protects members from being personally liable for the entity’s debts in the event that a legal claim is made against the entity and the entity cannot satisfy debts out of its own assets. Depending on the type of legal structure chosen, liability is usually limited to $10 or to the assets of the legal entity.

Protection for committee members / directors

The committee members or directors of an incorporated entity also have protection from liability for claims made against the entity. This is known as the corporate veil. However, this protection may not be available if the entity trades while insolvent, or if a claim against the entity arises in connection with actions of a committee member or director which are fraudulent, criminal or dishonest.

Perpetual succession

Incorporation results in perpetual succession – the legal entity will continue to exist irrespective of changes to the entity’s membership and will only cease to exist if it is deregistered or wound up by the entity’s members. Among other things, this means that it is not necessary to change the name of the owner of assets (such as vehicles or shares) or to enter into new contracts (such as employment contracts) when the individuals involved in the entity change.

Unincorporated associations

A group of individuals that choose not to incorporate but operate under an agreed set of rules and have a common purpose will ordinarily be an unincorporated association. Unincorporated associations are simpler to establish than incorporated bodies and are not subject to ongoing reporting obligations to the incorporating regulator.

However, each of the ‘benefits’ of incorporation above has a corresponding disadvantage for an unincorporated association. For example:

  • An unincorporated association (being a group of individuals) legally cannot enter into contracts, which makes employment arrangements problematic.
  • If there is a claim against the unincorporated association that cannot be satisfied out of its assets and is not covered by insurance, each of its members could be separately and jointly liable.

Trusts

There are a variety of trusts (including ‘mere’ charitable trusts and ancillary funds) that can be established. They are usually used for specific purposes. A trust can be described as a “bucket of money” governed by a legal set of rules (a trust deed) prescribing the use of that money and administered by a group of people (or an organisation), who are bound by those rules (the trustee(s)). As a general rule, trusts are not designed for “doing” organisations that actively engage in the provision of services. A trust is used for more “passive” support and investment purposes.

Companies limited by guarantee

A company limited by guarantee is a federal structure designed to operate in each State and Territory and is incorporated under the Corporations Act 2001 (Cth) and regulated by ASIC. Companies that are registered charities have reporting obligations to both ASIC and the Australian Charities and Not-for-profits Commission (ACNC), although the ACNC is the primary regulator.

Incorporated associations

An incorporated association is a state-based entity which is designed to operate within its home State and is governed by the relevant legislation of the State in which incorporation takes place and the State regulator. For example, in Victoria this is the Associations Incorporation Reform Act 2012 (VIC) and Consumer Affairs Victoria.

Incorporated associations that are registered charities have reporting obligations to both the State regulator and the ACNC.

Similarities between incorporated associations and companies limited by guarantee

There are a number of similarities between incorporated associations and companies limited by guarantee, including the following:

  • both structures are membership-based bodies which elect a governing body;
  • both have purposes and rules set out in a governing document which dictate the way in which the structure is to operate and make decisions;
  • in the case of charities, both structures are regulated by the ACNC and subject to the ACNC Governance Standards;
  • both can apply for charity tax concessions and deductible gift recipient status based on their purposes and activities;
  • both provide a corporate veil to protect members from liability; and
  • both can be wound up in the event of insolvency.

Differences between incorporated associations and companies limited by guarantee

While there are a number of similarities between incorporated associations and companies limited by guarantee, there are also a number of key differences, including in relation to the following:

  • the ability of a company limited by guarantee to have a sole member, which allows for the charity to be established as a subsidiary of another entity;
  • charitable companies have better integration with the ACNC;
  • statutory duties of committee members / directors – the committee members of incorporated associations are subject to two sets of duties (under the relevant associations legislation and the ACNC Governance Standards), whereas company directors are intended to be exempt from the Corporations Act duties and only subject to the ACNC Governance Standards duties;
  • member registers and the circumstances in which entities may be required to provide the register to a member;
  • public perception – there is a perception that companies are better governed than incorporated associations;
  • the ability of a company limited by guarantee to operate in any jurisdiction of Australia (an incorporated association must obtain an Australia Registered Business Number to operate outside its home State); and
  • better international recognition.

How can we help?

Moores can help if you have any questions about setting up your NFP or charity.



The tag line for Privacy Awareness Week (PAW) 2023 is “Back to Basics.” This encourages organisations to take stock of their current practices, existing data holdings, and any high-risk areas. Taking stock now will prepare you to respond to legislative change that is on the horizon for later in 2023.

What are your current collection practices?

To improve your privacy compliance – as is increasingly expected by the regulators and the public – you need to know what data you hold and where your risks are. The first step in this process is to reflect on what data you are collecting and ask yourself:

  • Do you need it?
  • Should you be collecting it?
  • Are you entitled to collect it?
  • Do you need consent to collect it?
  • Is the collection fair and not unreasonably intrusive?

While for many years data was considered an asset, Victorian Privacy Commissioner, Rachel Dixon, has recently observed that data should be viewed as neutral on the balance sheet due to the risks associated with non-compliance and data breaches.

Understanding the regulatory and reputational risks of data breaches, organisations are encouraged to consider practices of data minimisation. Data minimisation involves only collecting and storing the information you need, and that is relevant to your functions and activities.

What are your existing data holdings?

The next element is to map your existing data holdings. Yes, this can sound technical. It really means, make a list of all the locations where you store data, and what is stored where.

This means thinking about all the digital and physical locations where you store information relating to individuals. It is common that schools, early learning centres and other charities operate with many different programs and systems, including customer relationship management programs such as Compass and Consent2Go.

Reviewing your existing data holdings gives you the opportunity to consider what you don’t need anymore, and then what you can delete. This is another data minimisation strategy. Granted, deletion and destruction of information needs to be tempered with reporting and retention obligations. For example, charities often have reporting obligations or audit requirements in funding contracts, and Victorian independent schools are subject to retention requirements from the Public Records Office Victoria. To balance the data minimisation and retention conflicts, good data governance needs to be implemented, to empower staff to understand when information can be deleted, and automate this process going forward.

Where does your organisation face high privacy or data security risks?

Now you know what you are collecting, and what you hold. This should position you to identify your high privacy risks, and consequently some steps to mitigate risks to privacy. Some common risks to consider:

  • contractors, and sharing information with third parties;
  • human error breaches, such as wrong email addresses or lost devices; and
  • cyber security, firewalls, phishing.

How we can help

We can guide you through this process, or take the burden off you with a privacy audit. We work on privacy policies, and so much more. Increasingly, privacy is about much more than your privacy policy. We can help implement practices and systems to build privacy into your organisation, and help you navigate the legislative changes on the horizon.


Hiring out school facilities to local sports clubs, other schools or business groups can be a great way for schools to give back to their local community and monetise their assets outside of school hours. Getting this right generates goodwill, positive reputation and revenue. Getting it wrong can generate frustration, administrative burden and regulatory questions.

This article highlights six key points for schools to consider when hiring out facilities.

MO1359 and child safety

The school environment is the school campus, used during and outside school hours. This means the Greek school using your school’s facilities on Saturdays is in your school environment, as is the local sporting club using your oval and changerooms. Further, MO1359 does not limit a school governing authority’s obligations to students enrolled in the school. MO1359 also applies to children in the school environment.

VRQA Guidelines

The Victorian Registration & Qualification Authority (VRQA) Guidelines to the Minimum Standards and Requirements for School Registration require arrangements for the external hire of school facilities to be recorded in writing and subject to commercial terms.

Hire fees

It goes without saying that both the hire fee and the payment terms must be clearly stated in any hire agreement. For compliance with the Guidelines, it is important that hire fees are set at market rates.

Other related points which should be considered include:

  • Do hirers need to pay a deposit to secure their booking?
  • Do you require hirers to pay a security deposit? And if so, in what circumstances can the security deposit be withheld by the school?

Facility area

It is essential that everyone know specifically what facilities the hirer will be entitled to use and when.

  • Does hiring the school lecture theatre include use of the school’s sound and lighting equipment?
  • Does hire of the gymnasium include basketball equipment?

These issues should be explicitly addressed in the hire agreement.

Our experience suggests another minor detail can prove very important – clarify where cars attending the event should (and should not) be parked. Headaches of this kind can be easily avoided by making expectations clear in the hire agreement.

Risk management

External hire of school facilities attracts a level of risk. Public liability matters are at the forefront – who is responsible for personal injury occurring during the hire period? What about property damage? Hire agreements should include provisions allocating risk and responsibility for these matters, as well as provisions requiring hirers to comply with school policies and directions as to use of the facility.

Schools should also ensure that every hirer provides evidence of appropriate insurance prior to the hire event.

Use of the school’s name

Consider whether the school is happy for its name to be used by the hirer organisation (think “ABC College Basketball Club”) and what conditions you wish to impose on such use. Reputational factors are key, and you want to be sure that you have appropriate control over how the school name is used. Ensuring your agreement deals with the topic of naming rights will minimise the potential for issues to arise in this regard.

What is the right balance?

We don’t advocate for hire agreements that are longer than a Microsoft software licence. The answer is not in a longer document, but a smarter system. We believe in good process, clear terms and flexibility. The best set-up will deliver template document(s) for your school, including a policy, which can be used to streamline how you manage external hiring arrangements.

How we can help

The team at Moores is experienced in helping our school clients design processes and documents that manage external hiring arrangements, including compliance with current VRQA Guidelines. Get in touch with us and we’ll help you to get your facility hire arrangements right first time.


It is common for schools to enter into agreements and arrangements with third party hirers to lease or manage certain parts of the school campus (e.g. performing arts centres, sports grounds next to school campus, swimming pools).

The difficulty schools face is when that third party uses the campus space during or before / after school hours. It may be difficult to know when the school’s child safety obligations are enlivened and what due diligence needs to be taken.

Child Safety in the school environment

All Victorian primary and secondary schools must comply with Ministerial Order 1359 – Implementing the Child Safe Standards – Managing the risk of child abuse in schools and school boarding premises (MO1359) to be registered and remain registered as a school with the VRQA.

To comply with MO1359, the school’s governing authority (Principal, Board of Directors, School Council etc.) must ensure the school meets all the elements of MO1359 in all school environments.

MO1359 defines ‘school environment’ broadly as:

Any of the following physical, online or virtual places, used during or outside school hours:

  • a campus of the school;
  • Online or virtual school environments made available or authorised by the school governing authority for use by a child or student (including email, intranet systems, software applications, collaboration tools, and online services); and
  • Other locations provided by the school or through a third-party provider for a child or student to use including, but not limited to, locations used for:
    • camps;
    • approved homestay accommodation;
    • delivery of education and training such as registered training organisations, TAFEs, non-school senior secondary providers or another school; or
    • sporting events, excursions, competitions or other events.

Compliance can be difficult when third party hirers have staff who engage directly with students during or outside of school hours (e.g. sports or instrumental lessons) in circumstances where the service is provided on campus, or in a separate / isolated facility on the school campus, but which may not be directly authorised by the school (e.g. the student’s caregiver pays for sports lessons directly to the provider).

As the contractor, or the contractor’s staff, is interacting with students in the school environment with the authorisation of the school, MO1359 applies. This means the recruitment, screening, equity, and all other obligations apply.

Why is this important?

This is important because the school now needs to ensure compliance in respect of:

  • strategies, which are needed to embed an organisational culture of child safety and identify, reduce or remove risks of child abuse within the school environment;
  • child safety materials (policies, procedures and codes of conduct); and
  • screening, supervision, training and other human resources practices.

How we can help

Moores has experience working with schools to create child safe practices including within leases, facility hire and services agreements. If you would like to discuss this article with us further, or learn more about our services, please do not hesitate to contact us.

The Notifiable Data Breach (NDB) Scheme requires organisations subject to the Privacy Act 1988 (Cth) (Privacy Act) to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) within 30 days.

Note: There is a current proposal to shorten this reporting period to 72 hours, bringing it in line with Europe’s requirement under the General Data Protection Regulation, and most reportable conduct schemes in Australia.

The OAIC biannually publishes statistics about the reporting it receives under the NDB Scheme, the trends and themes from which we have summarised here for you.

In 2022, there were 890 notifications to the OAIC. Of these, 503 were malicious and criminal attacks, 320 were human error and 33 were a system fault.

Malicious or criminal attacks are increasing.

Malicious and criminal attacks are consistently the largest cause of eligible data breaches. Due to high profile data breaches in the latter half of 2022, reporting significantly increased (41%) from the January to June reporting period to the July to December reporting period.

[Graph: Increase in malicious or criminal attacks]

There are different types of malicious and criminal attacks, including phishing and ransomware. By far the most common type of malicious and criminal attack is a cyber security incident (76%). This shows the increasing connection between privacy and data security. The Australian Cyber Security Centre (ACSC) has guidance on improving cyber security to prevent these incidents.

It is worth noting that, ultimately, even cyber security incidents are caused by human error, whether this is system design or more direct action, such as clicking on a suspicious link. The prevalence of these cyber security incidents (ransomware, compromised passwords, hacking, malware) shows an area for improvement in employee cyber literacy. While many organisations run phishing training and require passwords to be regularly changed, this can in fact create a false sense of security that a software system will intercept all threats, whereas human reasoning is increasingly required to ward off the sophisticated types of cyber threats which are currently prevalent.

Human error is steady at one third of breaches

It has been a steady statistic that around one third of eligible data breaches under the NDB Scheme (since 2017) have been caused directly by human error. This can be the “low hanging fruit” organisations can address quickly, while working in parallel on more complicated technological solutions to cyber threats.

The most common human error eligible data breach is emailing personal information (PI) to the wrong recipient. The second largest type is unintended release or publication. The graph below contains more information.

There are different ways organisations can seek to address human error breaches, including human methods such as training, and technological methods such as automatic delays on external emails, so staff can pull back emails sent in error, or requiring publications to be tested in a protected environment, such as an offline one.

How we can help

We can help by working with you to identify areas of risk and exposure for your organisation regarding data security and the NDB scheme. We do this by conducting tailored privacy audits of your organisation’s operations, and working with you to design solutions to reduce any identified risks, and then conducting staff training.


Privacy-by-design, sometimes written as PbD, can be an intimidating term, but we are here to demystify it.

Privacy-by-design is the idea of building privacy protections into processes to make good privacy practices a part of normal, everyday practice – making them the “default setting”. This includes building privacy into human and technological processes, and making privacy an automatic consideration in business operations.

The key principles of Privacy-by-design

1. Proactive and preventative, not reactive and remedial: Take a proactive approach to protecting privacy. Anticipate risks to prevent privacy-invasive events before they occur.
2. Privacy as a default setting: Automatically protect personal information in IT systems and business practices as the default.
3. Privacy embedded into design: Embed privacy into the design of any systems, services, products and business practices. Privacy should be one of the core functions of any system or service.
4. End-to-end security – full lifecycle protection: Implement strong security measures throughout the information ‘lifecycle’. Process personal information securely and destroy it securely when you no longer need it.
5. Visibility and transparency – keep it open: Ensure whatever business practice or technology you use operates according to the stated promises and objectives (in your privacy policy). Make people fully aware of the personal information you collect, and for what purpose(s).
6. Respect user privacy – keep it user centric: Keep the interest of individuals paramount in the design and implementation of any system or service. Offer strong privacy defaults and user-friendly options, and ensure appropriate notice is given.

Practical tips to implement Privacy-by-design

  1. Minimise the information you collect, and minimise aggregation of personal information or data that could be identifiable.
  2. Involve IT and compliance team members in projects, to contribute to the design of new systems and check any possible impacts on privacy.
  3. Conduct PIAs when starting a new project or changing how you handle personal information.

What is a PIA?

The OAIC says:

“A privacy impact assessment (PIA) is a systematic assessment of a project that identifies potential privacy impacts and recommendations to manage, minimise or eliminate them.”

A PIA helps to identify and minimise the privacy risks of changes to services or policies and new projects. A PIA is an important privacy-by-design process that assists compliance with privacy obligations and delivers benefits to organisations.

The OAIC has published guidance on PIAs, including 10 steps to undertaking a privacy impact assessment.

How we can help

We can help by making the ideas of Privacy-by-design and PIAs tangible and specific to your organisation’s operations and regulatory needs. We can support you to implement Privacy-by-design with a privacy compliance audit, or training to empower your staff. More information about our privacy work is here.
