RERELEASE: Originally published 04/08/2022

Only two months after its original publish, the Australian regulatory landscape has been rocked by cyber threats, data breaches and privacy complaints, we feel that it is worthwhile to republish this article about the dangerous cyber threats facing health and community organisations, and how to combat these.

This article discusses the trends we are seeing in the media regarding high-profile data breaches and considers the possible impact of data breaches affecting not-for-profit, health or community organisations who often hold sensitive or health information – for example, about a person’s disabilities.

Since reporting began in 2018, the health sector has been in the number one or two spot for data breaches, compared with other industries such as education and professional services, under the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breach Scheme (NDB Scheme). Another reporting period drew to a close on 30 June 2022. Which industry will take out the top spot for last financial year?

As we wait for the OAIC to publish its latest data, we reflect on key cyber threats and how to combat them, thinking particularly about the sensitivity of health information and community expectations to protect it.

Why does protecting your information matter?

Data security matters for all community organisations because privacy and data breaches eat away at the trust that individuals have in your organisation. Trust between your community, clients, volunteers and donors is particularly important when you rely on your community to pursue your charitable purpose or mission in the community. Trust and privacy are particularly important when health information is involved, such as information about disabilities, mental health, and illnesses and injuries.

Health information is ‘sensitive’ information, and sensitive information is afforded higher protections because its inappropriate handling can have adverse consequences for an individual. For example, inappropriate handling of information about a person’s disability can result in discrimination.

Key cyber threats

Advances in information and communication technology and, of course, the pandemic, have pushed many organisations to digitise records. In response, new privacy risks have emerged, and cyber criminals have further developed their arsenal.

Be wary of:

• electronic forms that automatically includes (or pre-fills) information. This can cause privacy breaches due to unauthorised disclosure;
• ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid; and
• malicious network traffic – when a suspicious link or file created or received over a network overrides the network and executes vicious operations like downloading (stealing) information.

How to combat these cyber threats

1. Support your staff

Human error, accidental breaches, the wrong email address, or falling victim to malicious links are major risks to your organisation, and very common types of data breaches. You can combat cyber threats by supporting your staff, specifically with:

• phishing training so staff can identify malicious emails or links;
• privacy training so staff verify a patient’s identity and double check the phone number or email before sending information; and
• internal privacy or information management process sheets and procedures that clearly communicate expectations for how to handle personal information and records.

2. Take steps to detect data breaches

As part of complying with Australian Privacy Principle 11, you must take reasonable steps to ensure you detect data breaches in a timely manner. You can do this by implementing:

• technical controls that monitor unusual activity in your online systems;
• physical controls, such as securing paper records; and
• personnel controls, such as communicating to staff how to report suspected data breaches internally.

3. Be prepared for data breaches

Cyber threats and data breaches are almost inevitable. In the 2020–21 financial year, the Australian Cyber Security Centre received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. We recommend you prepare your organisation with a Data Breach Response Plan that assigns responsibilities for responding to the cyber threat, and any associated reporting.

A key objective of the Notifiable Data Breaches scheme is to protect individuals by enabling them to respond quickly to a data breach and minimise the risk of harm. Delays in identification, assessment or notification of data breaches greatly impacts the opportunity for individuals to take steps to protect themselves from harm.

How we can help

Moores can conduct privacy training and privacy audits, and prepare data breach response plans or reports on privacy breaches. A privacy audit considers your current information handling processes against Australian privacy principles and identifies areas of risk and non-compliance, to support you to improve how you handle information.

You can also register for our upcoming event, Data breach simulation: How to manage a data breach, to be held in person and online on 17 November, here.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

The Federal Government has announced this weekend that it will increase the government funded paid parental leave entitlement to a total of 26 weeks paid leave. The increased entitlement, which will be phased in between 2024 and 2026, is the biggest increase to the Government’s Paid Parental Leave Scheme since it was introduced 11 years ago.

The current government funded entitlement provides parents a total of 20 weeks paid leave following the birth or adoption of a child, including 18 weeks under the Paid Parental Leave Scheme for a primary carer and two weeks of Dad and Partner Pay for a secondary carer. Both entitlements are paid at the national minimum wage, currently $21.38 per hour. The reforms will see an increased entitlement comprised of 24 weeks’ paid leave for a primary carer, and two weeks for a secondary carer. However, a single parent will be able to use the full 26 week payment.

The Government will also increase the flexibility of the scheme from July 2023, to allow parents to take periods of paid parental leave between periods of paid work outside of the home. As before, employers will be able to supplement the Government’s Paid Parental Leave Scheme and Dad and Partner Pay via their own internal parental leave policies.

It is hoped that greater flexibility in using parental leave entitlements will contribute to the reduction of Australia’s national gender pay gap, which currently sits at 14% according to the Workplace Gender Equality Agency. However, some critics have called for greater increases, noting that Australia’s Paid Parental Leave Scheme falls behind that of 31 of the 38 nations party to the Organisation for Economic Co-operation and Development.

This announcement comes shortly after the Federal Government introduced the Anti-Discrimination and Human Rights Legislation Amendment (Respect at Work) Act 2022 to Parliament in late September. If passed, the Bill will reform the Federal anti-discrimination framework to implement further recommendations from the Sex Discrimination Commissioner’s Respect@Work: National Inquiry into Sexual Harassment in the Workplace report.

Included in the proposed reforms is the introduction of a positive duty on employers to eliminate unlawful sex discrimination and sexual harassment (similar to that provided by the Equal Opportunity Act 2010 (Vic) in Victoria) which will be enforced by the Australian Human Rights Commission. This duty is crucial in driving proactive and positive cultural change within workplaces, rather than solely relying on workers who have suffered harassment or discrimination to come forward. Other changes will increase access to justice for complainants of sex discrimination, by removing cost barriers and allowing representative bodies to initiate applications on behalf of individuals.

Further details of the parental leave reforms will be provided in the Federal Government’s budget announcement in late October. Prime Minister Anthony Albanese has foreshadowed, in light of the budget announcement, that “equality for women is at the heart of our vision for a fair go at work. And equality for women will be at the centre of our budget”.

Moores will be closely watching these developments and updating clients in the coming months.

How we can help

For assistance with your organisation’s parental leave policy, please reach out to the Moores Workplace Relations team. Our team is well equipped to provide advice on your obligations and reviews of your internal policies and procedures.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

It is a common misconception that employers must indefinitely pause a misconduct or performance management process when an employee becomes unwell and takes personal leave in the midst of the process. It does become a more complex exercise but there are options to progress the process depending on the circumstance.

The Fair Work Act 2009 (Cth) prohibits dismissing an employee who is temporarily absent from work due to illness or injury, where the dismissal is because of that absence. That does not always mean that an employee is immune from dismissal.

Managing ill and injured employees in the workforce can be difficult. An employer must often balance a number of objectives: complying with obligations under the Fair Work Act 2009 (Cth) (FW Act), anti-discrimination laws and industrial instruments; empathy for the employee who is unwell; and fulfilling the employer’s operational requirements to keep its business running.

The matter is further complicated where an employee seeks to take personal leave during a disciplinary action process such as the process to put allegations of misconduct or serious misconduct against the employee, or a process to manage unsatisfactory performance. Employers may be left wondering whether an employee is genuinely unwell and unfit for work, or whether the employee is simply seeking to delay the disciplinary action.

There is no universal statutory prohibition on dismissing an employee while they are on personal leave. However, an employer who chooses to do so must be aware of their obligations and of the risks involved. In this article, we set out key considerations for employers with respect to dismissing an employee who is on personal leave.

General Protections

The FW Act prohibition on terminating an employee because they are temporarily absent due to illness or injury falls within the FW Act’s ‘General Protections’ framework. That framework aims to protect workplace rights, including the right to take personal leave when an employee is unwell. An employer breaches this provision where they are aware that an employee was absent from work because of an illness or injury, and terminates the employee’s employment because of that illness, injury or absence.

The Full Court of the Federal Court has held, in Khiani v Australian Bureau of Statistics [2011] FCAFC 109, that this prohibition does not stand to prevent an employer from dismissing an employee while the employee is absent on personal leave. Where the employee may be dismissed for another valid reason ‘it is not to the point that the decision to dismiss happens to be made while the employee is on leave’.

Therefore, an employer may not contravene section 352 of the Act where it can demonstrate that the employee was validly dismissed for a reason other than their absence from work while sick. This may be due to a pre-existing performance or misconduct issue, or because they are unable to fulfil the inherent requirements of their role (ie. do not have capacity).

Procedural fairness and unfair dismissal

Where an employer has a valid reason to dismiss an employee who is on personal leave, such as the employee’s misconduct, underperformance, or inability to fulfil the inherent requirements of the position, the employer must still ensure it follows a fair process. A failure to undertake a proper, fair and reasonable dismissal process may result in the employee succeeding in a claim for unfair dismissal.

In determining whether a dismissal was unfair, the Fair Work Commission will consider whether the dismissal was ‘harsh, unjust or unreasonable’. This includes considering whether there was a valid reason for the dismissal and whether the employee was provided with a fair opportunity to respond to the employer’s concerns (referred to as ‘procedural fairness’).

In the Fair Work Commission’s decision in Dana Emery v Cutlers The Law Firm [2015] FWC 52, an employer who dismissed an employee while she was absent for three days due to illness was found to have failed to comply with procedural fairness obligations. Although the employee had advised that she had an appointment to see her doctor and would soon provide a date for her return to work, the employer dismissed the employee by telephone while she remained on leave. The Commission found that there was no reasonable basis for failing to wait at least one more day or until such time as the employer could meet with the employee personally to provide her with an opportunity to respond.

This case, and others like it, are a helpful reminder of the importance of ensuring a procedurally fair dismissal process, particularly in light of the additional complexities that arise when an employee is on personal leave at the time of the dismissal.

While it can be harder to provide an employee with a genuine opportunity to respond to concerns where the employee is absent from work on personal leave, it is not impossible. In these circumstances, an employer should carefully consider factors such as:

• whether the employee has capacity to engage in the matter, assessed on a case-by-case basis and with regard to any available medical evidence;
• whether the employee has nominated a representative, such as a union officer, lawyer, or family member to receive correspondence on their behalf;
• whether the dismissal can be held off until the employee is well enough to return to work; and
• whether any timeframes provided to the employee for responding to concerns are reasonable within the circumstances.

Carefully considering these factors, and documenting any decisions made, will be key to defending a claim of unfair dismissal.

When is an absence no longer temporary?

Importantly, section 352 of the FW Act only prevents dismissal on the basis of an employee’s absence due to illness or injury where that absence is temporary. An employee will not be protected by this provision if their absence extends for more than three months (either in a single absence, or as a total of absences within a 12 month period).

The exceptions to section 352 allow for an employer to dismiss an employee who has expended their paid leave entitlements and has been absent from work for an extended and unpaid period, on the basis that they are unable to fulfil the inherent requirements of their role.

However, care must still be taken to mitigate risk and ensure an employer’s obligations are met. This includes having regard to any available medical evidence about the employee’s prognosis, whether the employee can return to work if reasonable adjustments are made or the employee is redeployed to an alternative role, and whether it is possible to keep the job open with a temporary replacement. It is crucial that employers understand and satisfy their obligations under anti-discrimination legislation, including in relation to disability or long term illness.

Managing this obligation alongside a disciplinary process can be tricky. It will be important to ensure that the reason for the disciplinary action is not because of the absence (or illness or injury)).

The case of Manojkumar Pradhan v Amcor Flexibles (Australia) Pty Ltd [2021] FWC 6125, was a timely reminder that an employer who hastens to move to termination after the closure of a workers’ compensation claim may fall foul of the FW Act. That case did not involve an ongoing disciplinary process but rather one of a termination due to an employer’s view that the employee couldn’t perform the inherent requirements of the role in the future. In that case, Amcor terminated the employee after his workers’ compensation claim period had ceased and about a month after exhausting paid leave entitlements. Amcor asked the employee to provide medical information to show that he could return to his full duties but the employee was unable to. Amcor believed it could terminate the employee’s employment due to incapacity but the Commission disagreed. It found that Amcor had dropped the employee ‘like a hot potato’ after his claim period and by not waiting for three months after he had exhausted his paid leave, had effectively terminated his employment because of his temporary absence, not because of his incapacity to return to his full duties.

How we can help

At Moores, our Workplace Relations team is well-equipped to guide employers through tricky situations in the workplace. Get in touch with the Workplace Relations team at Moores if you or your organisation would benefit from our team’s support and advice.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

In what has become an increasingly complex and contested area of law, the Australian gig economy has faced a further set back in cementing a clear understanding of what the employment relationship is of gig economy workers.

In August 2022, the Fair Work Commission (FWC) Full Bench quashed a decision that a Deliveroo delivery rider was an employee and afforded protection under the unfair dismissal regime.

The rider as an employee

In Diego Franco v Deliveroo Australia Pty Ltd [2021] FWC 2818, the FWC rejected Deliveroo’s argument that the delivery rider was an independent contractor, stating that while ‘camouflaged’, Deliveroo had a ‘significant capacity for control’ over the delivery rider and consequently should be considered an employee.

In that decision, the FWC found that despite the supplier agreement suggesting an independent contractor relationship, due to the terms of the agreement being determined unilaterally and the lack of bargaining power by the delivery driver, the agreement needed to be considered with a degree of caution.

That decision was significant, providing avenues for workplace rights for a group that had previously not enjoyed those benefits.

FWC Full Bench overturns the decision

The decision was overturned by the FWC in an appeal. In Deliveroo Australia Pty Ltd v Diego Franco [2022] FWCFB 156, the FWC Full Bench determined that while at the time the FWC’s findings were correct, the original decision should be overturned based on the High Court decision in Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting Pty Ltd [2022] HCA 1.

In the High Court decision, the court found that where parties have set out clear terms of their relationship in an employment contract which are ‘not challenged as a sham’, there is no reasons why the employment relationship would not be determined by the rights and obligations that are set out in the contract.

In the Deliveroo appeal, the FWC found that:

• there was no reason to suggest that the terms of the written agreement were a sham or unlawful; and
• the terms were not ‘indicative of an employment relationship’.

Therefore, the delivery rider must be considered an independent contractor due to the primacy of the contractual terms.

What can we expect now?

The decision is unlikely to be the last we see on the matter, with this recent appeal highlighting the ongoing uncertainty of laws and regulations in the gig economy surrounding the employment relationship of gig economy workers.

Going forward, organisations should ensure they continue to remain cautious of the way that they engage workers, the legality of their employment contracts and remain mindful of this rapidly evolving area of law.

How we can help

At Moores, our Workplace Relations team is well-equipped to guide employers through tricky situations in the workplace. Get in touch with the Workplace Relations team at Moores if you or your organisation would like some advice on navigating these evolving employment issues.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Privacy and data breaches are in our headlines yet again, but what can the not-for-profit and education sectors learn this time around? This article considers lessons from recent high-profile privacy breaches.

Lesson 1: What your organisation does after a data breach is extremely important for your brand.

Data breaches can trigger emotional responses from members of the public who are affected – and big headlines in the media – because privacy is tied to identity, individuality and autonomy.

Malicious and criminal attacks are the leading cause of data breaches notified to the OAIC under the Notifiable Data Breach Scheme. While data breaches, or malicious hacking, may be an inevitable threat, there are measures you can implement in your organisation to ensure you are prepared to respond swiftly and in an appropriate manner.

Now is a good time for you to review your current data breach response plan. The OAIC has guidance about the four key steps to responding to data breaches which are: contain, assess, notify and review.

In addition, staff should regularly receive data breach simulation training to help staff recognise data breaches, risks to data security and know how to respond in the moment. Taking swift, immediate steps is critical to limiting the further dissemination of information affected by a data breach.

Lesson 2: Children’s privacy is gaining importance in the regulatory space and community expectations

The trend of children’s privacy gaining importance can be seen in Australia, Britain and California.

In Britain

The British Information Commissioner’s Office (ICO) has taken enforcement action against TikTok for breaching the privacy of children, which could impose the largest fine in the ICO’s history: £27 million.

The ICO’s investigation found TikTok may have:

• processed the data of children under the age of 13 without appropriate parental consent;
• failed to provide proper information to its users in a concise, transparent and easily understood way; and
• processed special category data, without legal grounds to do so.

This enforcement action is currently a notice of intent. No fine or factual findings have been made as yet.

In Australia

In Australia, much has been accomplished by the eSafety Commissioner in recent years, partly with the introduction of two new schemes: the Online Content Scheme and Cyberbullying Scheme.

The growing concern for upholding children’s rights to privacy is confirmed as the focus of the Privacy Act Review on stronger measures to ensure consent from parents and/or children, and the need for clear language that is child-friendly when organisations’ key stakeholders are children. Overall, greater organisational accountability, transparency and privacy-by-design requirements will also contribute to better empowering children to make decisions to protect their privacy, and establish baseline expectations so pro-privacy mechanisms are built into online platforms.

Transparency and accountability are part of the ICO’s criticisms of TikTok. The Online Privacy Bill published as an exposure draft in 2021 was designed to implement an Online Privacy Code regulating the activities on social media platforms specifically, however, this bill has not yet been put to Parliament. The Attorney-General has promised an overhaul of Australia’s privacy laws. As we await a bill to amend the Privacy Act 1988, we recommend organisations work with children to take pro-active steps to ensure policies, procedures and technology uphold the privacy rights of children interacting with your organisation.

In California

On 15 September 2022, the Californian Governor signed legislation protecting the wellbeing, data and privacy of children using online platforms. To be called the California Age-Appropriate Design Code Act, many of the themes resemble pro-privacy design elements so children are not manipulated into waiving privacy rights on online platforms. Ensuring terms of service are easily understandable is another common feature.

How we can help

We can help you respond to a data breach by helping with the immediate steps, and subsequent notifications required by the Notifiable Data Breach Scheme. We can also provide assistance by leading privacy audits to proactively identify information security risks in your systems and processes.

In conjunction with our Safeguarding expertise, we are also passionate about helping organisations keep children safe online and uphold their privacy rights.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

The last couple of challenging years have seen a dramatic increase in aggression aimed at teachers, whether in person or via email and other electronic means (see a recent example here). Increasingly, schools report that many parents are pestering staff to the point of harassment.

What can the school do to help its staff?

In the context where the proprietor of the school owes a duty of care to its staff in relation to their health, safety and wellbeing, such harassment does need to be addressed. This duty, which is embedded in occupational health and safety legislation and also enshrined in the common law, is broad enough to cover not only the physical safety of teaching and non-teaching staff, but their mental wellbeing as well.

A Parent Code of Conduct (Code) is an important tool in the school’s arsenal against keyboard warriors. It allows the school to issue a warning notice and ask for the messages to a particular staff member to cease. We’ve found a Code to be a useful tool for managing a parent’s behaviour, provided it is properly drafted and does not fall at the last hurdle, ie. fails to provide consequences for a breach.

What if the first approach fails?

The Victorian government has enacted a change to the Education and Training Reform Act 2006 (Vic) (Act) in June 2021 to establish the School Community Safety Order Scheme (Scheme).

How does it work?

The Scheme enables authorised persons to issue school community safety orders (Orders) to prohibit or restrain certain behaviours from occurring on school premises and school-related places, or in relation to school staff. Orders can be immediate or ongoing.

Orders may only be made and can only be issued to adults (18 years old or over) who are not staff members or students at the school. This may include parents or carers of students at the school, former students, friends or partners of students, former staff members or staff members from other schools and third-party contractors engaged by the school.

Orders can only be made if the school has looked at other ways to address the behaviour, considered the mandatory considerations for Orders and an Order is found to be the least restrictive means available of addressing the behaviour.

Types of Orders

There are two types of Orders that principals and other authorised persons can issue to prohibit or limit different types of behaviours:

1. Immediate School Community Safety Orders

• Prohibit a person from entering or remaining on any school-related place specified in the Order and remain in effect for a maximum of 14 days.
• May be made orally or in writing where the person who is subject to the Order poses an unacceptable and imminent risk of:
  • harm to another person on school premises or to a member of the school community at a school-related place;
  • causing significant disruption to school activities; or
  • interfering with the wellbeing, safety or educational opportunities of students.

2. Ongoing School Community Safety Orders

• apply for a maximum period of 12 months; and
• may prohibit or limit a person from:
  • entering or remaining on any school-related place;
  • approaching, or causing another person to approach, within 25 metres of any staff member or class of staff members within or outside of any school-related;
  • contacting any staff member or class of staff members; and/or
  • using or communicating on a communication platform owned, controlled by, or established in relation to the relevant school.

The standard required to create an Order is lower than that required for a personal safety intervention order, which may only be granted by court order. In our experience, the making of an Order under the Scheme is an important addition to a school’s suite of initiatives to address the issue of parents harassing staff at the school.

How we can help

We have assisted many schools in the creation of a School Community Safety Order Policy. We are able to advise you whether one is necessary and assist you in reviewing your current Parent Code of Conduct to determine whether it needs updating.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

We have seen a steady rise in information requests being made by parents, clients and other individuals connected to our clients across education, housing, not-for-profit and community health organisations. Information requests – or access requests – most commonly arise when there has been a breakdown of trust, and can be a pre-litigation measure.

What is an information request?

The right for individuals to make requests of organisations for access to information about themselves comes from the Australian Privacy Principles (APPs), or other privacy principles that might be applicable in different states.

The Access Right

If an organisation holds personal information about an individual, the organisation must, on request by the individual, give the individual access to the information.

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not.

There are some exclusions which might apply, for example, the employee records exemption.

Breakdown of trust

There is no tort of privacy in Australia, however, privacy is recognised as a human right and is enforced in Australia through various privacy principles – the most well known are the Australian Privacy Principles in the Privacy Act 1988.

The right to make information requests recognises that privacy is fundamentally about power. When organisations hold personal information about an individual, the organisation can construct an image of that person and make inferences about their identity, needs and wants. When there is a breakdown in the relationship between the individual and organisations, individuals make information requests in order to regain control over their information, and by extension, identity.

Privacy is fundamentally about power.

A breakdown in trust is also exacerbated by data breaches, ransomware and hacking. Look out for our lessons from the recent data breach in the headlines.

Fishing expedition

Information requests can also be made as a pre-litigation measure to gather information in order to be better positioned to commence a claim against the organisation. This can be concerning for organisations, and make it difficult to balance individual privacy rights with organisational commercial and strategic objectives.

There is an ability for organisations to refuse a “frivolous or vexatious” (APP 12.3(c)), but this should be treated with caution. There are no published decisions where the Australian Information Commissioner has found a request to be frivolous or vexatious, and the APP Guidelines say:

“A request should not be refused on this ground unless there is a clear and convincing basis for deciding that a request is frivolous or vexatious. It is not a sufficient basis, for example, that a request would cause inconvenience or irritation to an organisation.”

Lessons from the Privacy Commissioner

Earlier in the year we reported on decision made by the Australian Information Commissioner about an information request that involved personal information of another person. The decision confirmed organisations cannot simply “fob off” information requests on the basis that providing the information would unreasonably impact the privacy of another person.

In the most recent decision, published in June 2022, a not-for-profit agency (Relationships Australia) was found to have interfered with an individual’s privacy by not providing all the information requested, and not providing access in the manner requested. The not-for-profit agency also did not adequately explain the exceptions it considered applied in responding to the individual.

Organisations must give access to the information in the manner requested by the individual if it is reasonable and practicable to do so (APP 12.4). In this decision, the individual had requested the information by post. The not-for-profit agency only offered to provide access to the information in person by viewing the documents at their office, as the information was sensitive and this was a more trauma-informed approach. While the trauma-informed approach was recognised by the Information Commissioner, ultimately the organisation had an obligation to provide the information by post, as the individual had rejected the suggested trauma-information approach.

While organisations can offer to provide access in different ways, they cannot refuse a method of access requested by an individual unless it is unreasonable or unpracticable.

How we can help

Moores can support your organisation to respond to the rise in information requests by:

• Providing training on privacy in general, and information requests in particular;
• Developing a procedure to help staff respond to information requests; and
• Support correspondence with individuals to address the breakdown of trust and mitigate risks of information requests excavating to the Information Commissioner.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Practices that restrict a person’s freedom (restrictive practices) are common in the disability sector, but their use and misuse can give rise to significant risks to the health and wellbeing of vulnerable people, breaches of human rights, litigation and reputational damage. While the use of restrictive practices is authorised in limited circumstances, recent data from the NDIS Commission demonstrates that over 1,000,000 instances of unauthorised restrictive practices occurred between 2020-2021.*

Given the prevalence and risk associated with restricted practices, it is critical that registered disability service providers understand and comply with their obligations in relation to regulated restrictive practices. This is particularly the case for where it is a condition of their registration with the National Disability Insurance Scheme (NDIS).

We note that this article is focused on registered disability service providers (Providers), as non-registered disability service providers must not provide services to participants or consumers which are regulated restrictive practices. Regardless of registration, non-registered disability service providers must comply with the NDIS Code of Conduct and ensure they provide safe and high-quality services.

What is a restrictive practice?

The National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act) defines a restrictive practice as ‘any practice or intervention that has the effect of restricting the rights or freedom of movement of a person with disability’. The primary purpose of a restrictive practice is to protect the restricted person, or other people, from harm. The National Disability Insurance Scheme (Restrictive Practices and Behaviour Support) Rules 2018 (NDIS Rules), sets out five categories of restrictive practices that are regulated by the NDIS Commission:

• Seclusion: the confinement of a person to a room or a physical space;
• Chemical restraint: the use of medication or chemical substance for the primary purpose of influencing a person’s behaviour, such as medication to sedate a person;
• Mechanical restraint: the use of a device to prevent or restrict a person’s movement for the primary purpose of influencing a person’s behaviour, such as removing a communication device;
• Physical restraint: the use of physical force to prevent or restrict movement of a person’s body for the primary purpose of influencing their behaviour, such as holding a person down; and
• Environmental restraint: restricting a person’s free access to their environment, including items or activities, such as locking the door to a backyard area.

The use of restrictive practices for people with disability is highly regulated because of the risk that the practices pose. As the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability (Disability Royal Commission) has recently heard, restrictive practices can cause serious physical and psychological harm, including trauma, fear, shame, and loss of dignity. Restrictive practices can also reinforce power differentials and lead to a loss in autonomy.

The NDIS Rules set out conditions for the use of restrictive practices, which Providers must be aware of. These conditions include that the use of a restrictive practice must be:

• clearly identified in a person’s behaviour support plan;
• authorised according to any state or territory-based authorisation requirements;
• used as a ‘last resort’ mechanism in response to risk of harm, after consideration of other strategies;
• the least restrictive response available in the circumstances, and must be proportionate to the risk of harm posed; and
• used for the shortest possible duration to ensure the safety of the person or others.

When engaging in a restrictive practice, Providers should also consider:

• their reporting and record-keeping obligations;
• strategies for reducing or eliminating the use of restrictive practices over time;
• implementing practices that are trauma-informed;
• communicating the intention to use a restrictive practice, in a manner that is appropriate for the individual and their family;
• conducting a comprehensive risk assessment prior to implementing restrictive practices;
• collaboration with other professionals, including support workers and medical and allied health providers;
• the particular needs and circumstances of the person with disability, including culture, religion, beliefs, sexuality, linguistic circumstances, and gender; and
• conducting regular reviews of restrictive practices to ensure they are conducted properly and to gauge whether they remain necessary.

Key Takeaways for Providers

The Disability Royal Commission recently heard submissions from Providers and advocacy bodies, who identified key drivers for the inappropriate use of restrictive practices. Notably, the Royal Commission heard that excessive use of restrictive practices is often linked to low staff to client ratios, a lack of staff support, deficiencies in supervision, and insufficient resources and funding.

In light of the themes emerging from those hearings, Providers should consider the following actions to limit the use and misuse of restrictive practices:

• educate people with disabilities about their rights and what constitutes a restrictive practice;
• engage with people with disabilities, and their families and carers, to better understand their needs;
• improve training within the workforce in positive behaviour support and person-centred care;
• ensure staff understand and uphold the human rights of people with disability; and
• ensure appropriate workforce planning so that staffing profiles adequately reflect and address the needs of people with disability, and potential risks.

Reporting

The Rules provide for rigorous reporting requirements in relation to the use of restrictive practices, which are a condition of a Provider’s ongoing registration with the NDIS.

Where a restrictive practice has been authorised, and is part of a person’s behaviour support plan, the Provider needs to report each use of that restrictive practice to the NDIS Commission on a monthly basis.

Where a restrictive practice is used but has not been authorised for the person, the Provider is required to report each use of the restrictive practice to the NDIS Commission as a Reportable Incident. This includes where the use of the restrictive practice is a once-off in response to an emergency, and where the use of the restrictive practice is ongoing but has not been authorised or is not included in the person’s behaviour support plan.

Record keeping

The Rules also provide for stringent record-keeping requirements, as conditions of a Provider’s ongoing registration with the NDIS. Where a restrictive practice is used, a Provider must record and maintain the following information for seven years from the day the record is made:

• a description of the use of the regulated restrictive practice, including why the restrictive practice was used, what the impact of that practice was, whether there was any injury caused, and whether the use of the practice was a reportable incident;
• a description of the behaviour of the person with disability that lead to the use of the regulated restrictive practice;
• the time, date and place at which the use of the regulated restrictive practice started and ended;
• the names and contact details of the people involved in the use of the regulated restrictive practice, and of any witnesses;
• the actions taken in response to the use of the regulated restrictive practice;
• what other less restrictive options were considered or used before using the regulated restrictive practice; and
• the actions taken leading up to the use of the regulated restrictive practice, including any strategies used to prevent the need for the use of the practice.

Investigations

For a Provider to comply with its reporting and record keeping obligations, it may also be required to conduct an investigation into incidents and allegations of restrictive practices being used.

Providers who breach their obligations

Providers who breach their obligations risk losing their NDIS registration, and may face significant public scrutiny. Importantly, an organisation’s failure to comply with its obligations places people with disability at risk of harm and abuse.

Providers may also be liable for any harm or injury caused by their staff, and should take great care to provide staff with appropriate training and resources to ensure the safety and wellbeing of both their workforce and their clients.

How we can help

If your organisation would like assistance with understanding its obligations under the National Disability Insurance Scheme (Restrictive Practices and Behaviour Support) Rules 2018, the Moores Safeguarding team can assist. Our team is well-equipped to provide advice, draft and review policies, and respond to concerns.

Moores has expertise in harm prevention and mitigation for organisations working with vulnerable people. Moores can also conduct independent investigations, with a trauma-informed approach, to ensure that concerns are properly responded to, and to ensure the safety, well-being, and dignity of vulnerable people.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

---

*NDIS Quality and Safeguards Commission, Unauthorised uses of restrictive practices in the National Disability Insurance Scheme, January 2022.

Jennifer Dixon, Lachlan McKenzie, Krista Fitzgerald, James Dimond and Luke Haley have all featured as Leading Lawyers and Rowdy Johnson as Rising Star in the latest Doyle’s Guide. Recognised by their peers and referrers for their expertise in Wills & Estates Litigation and/or Wills, Estates and Succession Planning.

This ranks Moores as a First Tier Law firm in both the ‘Wills & Estates Litigation‘ and ‘Wills, Estates & Succession Planning‘ categories for the sixth year running.

Our expert team is experienced in assisting families with complex Estate Planning arrangements as well as challenging and defending all manner of Disputes relating to Wills, Estates, Trusts, SMSF and Bequests.

For more information or to speak with one of our experienced lawyers, please do not hesitate to contact us.

---

Jennifer Dixon, Practice Leader

• Preeminent Wills, Estates & Succession Planning Lawyer – Victoria, 2022
• Leading Wills & Estates Litigation Lawyer – Victoria, 2022

Lachlan McKenzie, Practice Leader

• Preeminent Wills & Estates Litigation Lawyer – Victoria, 2022
• Leading Wills, Estates & Succession Planning Lawyer – Victoria, 2022

Krista Fitzgerald, Practice Leader

• Leading Wills, Estates & Succession Planning Lawyer – Victoria, 2022

James Dimond, Special Counsel

• Recommended Wills & Estates Litigation Lawyer – Victoria, 2022

Luke Haley, Senior Lawyer

• Recommended Wills & Estates Litigation Lawyer – Victoria, 2022

Rowdy Johnson, Senior Lawyer

• Rising Star Wills, Estates & Succession Planning Lawyer – Victoria, 2022

---

Leading Law Firm

• First Tier Wills, Estates & Succession Planning Law Firm – Victoria, 2022
• First Tier Wills & Estates Litigation Law Firm – Victoria, 2022

Plenty of charities and businesses operate in premises which are owned by a related entity. The importance of having a proper lease in place between those entities is frequently misunderstood.

Often, such tenancy arrangements are informal – the land is owned by one entity and the business is operated by another – but because the same people are in control of both entities, there is no formal agreement in place for the use of the land by the operating entity.

This scenario can prove problematic on many fronts – set out below are some of the reasons why you should consider putting a lease into place between related entities.

Compensation claims

In the recent case of Olde English Tiles Australia Pty Ltd v Transport for New South Wales, land in Annandale, NSW was owned by a family who used it to operate a tile business through a corporate entity. There was no formal lease in place.

The land was compulsorily acquired by the NSW Government and the business entity sought compensation for its business relocation costs. However, as there was no formal lease in place, the NSW Court of Appeal held that the business entity had no “interest” in the land for the purposes of the compulsory acquisition law, and therefore they were not entitled to be compensated for relocation costs.

Risk management

Leases serve an important function of allocating liability for costs and risk. If an accident occurs on the land and a claim is brought for personal injury, a proper lease will go a long way to determining who is responsible for the costs of meeting the claim by addressing matters such as risk and indemnity.

In the absence of a lease, there may also be difficulties with recovering an insurance claim if the building is damaged.

Security of tenure

Things don’t always run smoothly, and if there is a rift between those in control of the land and those who run the charity or business from that land, this can have serious repercussions for the viability of the charity or business, especially if the landowner decides to sell the land. A formal lease will ensure that the charity/business operator has an enforceable right to continue operating from the land in these circumstances.

A lease (with the consent of any mortgagee) will also go a long way in protecting the occupier against the unfortunate circumstance where the bank might need to step in and conduct a mortgagee sale.

Sale of business

If the charity/business is to be sold or otherwise transferred, any knowledgeable buyer will insist on there being a lease in place which entitles the charity or business to use the land it operates on. Having a formal lease in place therefore adds value to the operations.

Land tax

Properties used for charitable purposes can be exempted from land tax upon making application to the State Revenue Office. If there is no lease in place with the charitable entity which occupies the property, it may be difficult to convince the State Revenue Office that the property satisfies the criteria for exemption.

Accounting/tax considerations

A properly drafted lease will clearly set out matters such as what rent is payable, when and how rent will be increased, and who is responsible for outgoings relating to the land.

This makes it much easier to justify payments and allocate liability for these matters when preparing the charity/business accounts, the landowner accounts, and tax reporting. Your accountant and auditor will always prefer you to have some kind of basis (like a signed lease) for setting rent payments at a particular amount.

How we can help

The team at Moores has extensive experience in handling these issues and can help you to quickly and easily get a lease into place between related parties, saving you the kinds of headaches we’ve outlined above.

If any of the above raises concerns for you, please get in touch with us and we’ll help you put into place a quick and effective solution.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.