Moores has released Navigating Charity and Not-for-Profit Mergers, a new practical guide designed to support charities and not-for-profits considering merger opportunities.
The guide brings clarity to merger pathways, risk assessment and governance considerations, supporting informed decisions that protect purpose while strengthening sustainability.
Developed by Moores’ Charity and Not for Profit Law team, the guide draws on extensive experience advising charities and not for profits on governance, restructures and mergers. The team was recognised in the Chambers Asia-Pacific Guide 2026 for Charity and Not-for-Profit Law, reflecting its depth of sector knowledge and practical, considered approach to complex matters.
Learn more or request to download the guide here.
For more information or to speak with one of our experienced lawyers, please contact us.
We are firmly living in the age of artificial intelligence (AI). Generative AI technologies are evolving at extraordinary speed, and their use is becoming increasingly embedded in everyday life. Children and young people, in particular, are at the forefront of this shift, using AI companions that simulate personal relationships and tools that can manipulate video, audio, or images to make it appear as though someone is saying or doing something they never did.
While these technologies can be creative, engaging, and exciting, they also present an entirely new category of risk for children and young people. Schools are increasingly encountering one of the most concerning manifestations of this risk: the creation and circulation of malicious and abusive deepfakes.
Across our work with school clients, we have seen leaders and Boards grappling with how to prevent these incidents and how to respond decisively when they occur. This is not a localised issue.
In December 2025, the Hong Kong Privacy Commissioner released a practical toolkit to support schools in preventing and responding to abusive deepfake incidents, highlighting the global scale and urgency of the problem.1
Drawing on that guidance alongside our direct experience advising schools, this article sets out:
Boards and school leaders have a responsibility to take reasonable, proactive steps to protect students from reasonably foreseeable online harms, including the creation of abusive and malicious deepfakes. By adopting a proactive approach, schools can minimise risks and ensure that their schools are prepared to respond quickly when an incident occurs.
1. Education and Awareness Campaigns
Education is the first and most critical line of defence. School leaders should invest in educating employees, volunteers, students, and parents about the risks associated with deepfakes and the importance of online privacy. Awareness programs can help students recognise the dangers of manipulated media and create space for them to engage in open conversations about their online activities. Student learning about online behaviour should explicitly address AI‑generated content, noting that many children and young people are unable to reliably identify manipulated or synthetic media, which significantly increases their vulnerability.
Schools should also communicate clearly with students about:
Equally important is empowering students to protect themselves online, including the use of privacy settings, blocking and reporting concerning behaviour, and seeking support from trusted adults.
2. Collaborate with Experts and Legal Advisors
Given the legal and technical complexity of deepfake incidents, schools should not attempt to navigate this landscape alone.
It is important for schools to understand when the creation and distribution of abusive deepfakes may amount to criminal behaviour. For example, under sections 53S and 53T of the Crimes Act 1958 (Vic) (Victorian Crimes Act), it is a criminal offence to intentionally distribute an intimate image of another person or threaten to do so, if the distribution is contrary to community standards of acceptable conduct.2 Consent is irrelevant if the victim is under 18 years old. The Victorian Crimes Act defines “image” to include images digitally created by generating the image or altering or manipulating another image3, which could include malicious and abusive deepfakes. The penalty is up 3 years imprisonment.
There are also relevant federal offences. For example, under s 75 of the Online Safety Act 2021 (Cth), a person must not post or threaten to post an intimate image online of another person without their consent. Under that Act, “intimate image” includes material that has been digitally altered, such as deepfakes. Under section 474.17 of the Criminal Code 1995 (Cth), it is an offence to use a carriage service in a way that reasonable persons would regard as being menacing, harassing or offensive. Under section 474.17A, there is also an offence which applies to those who use technologies to artificially generate or alter sexually explicit material (such as deepfakes) for the purposes of non-consensual sharing online. These offences are subject to serious criminal penalties of up to six years imprisonment.
Beyond legal advice, schools should also establish relationships with cybersecurity and technology experts who can assist with detection, evidence preservation, and risk mitigation.
3. De-risk Staff and Students’ Use of AI by Establishing Clear Policies and Student Codes of Conduct
Schools should develop (or update) and implement comprehensive policies that set clear boundaries regarding acceptable use of technology (including AI and deepfakes), expectations for online conduct, and the consequences of misuse.
School should also review their student code of conduct and acceptable use policy to ensure that specific AI image abuse matters are explicitly referenced, including consequences for distributing and sharing material created by others or of unknown origin.
These policies and codes of conduct should address the importance of safeguarding children’s privacy and set clear boundaries for the use and sharing of images, videos, and personal data as well as the creation of deepfakes using AI tools.
While schools cannot entirely prevent the creation of deepfakes, they can take steps to limit the risk of their students being targeted. The key lies in proactive privacy protection and data management strategies.
Despite proactive measures, it is possible for malicious and abusive deepfakes to be created and shared online. Schools must be prepared to respond quickly and decisively to protect their students and ensure accountability.
Schools have a duty of care which requires them to take proactive steps to protect their students’ privacy and personal data, prevent the creation of abusive deepfakes, and respond quickly and appropriately to any deepfake incidents that may occur.
By educating the school community, collaborating with legal and cybersecurity professionals, and adopting strong data protection policies, schools can significantly reduce the risks associated with malicious and abusive deepfakes. If an incident occurs, a clear and speedy response, combined with the provision of useful supports, will ensure that the wellbeing of affected children and young people are protected.
Our Child Safety, Safeguarding and Discrimination team are skilled in supporting schools to keep children safe. Our team can provide peace of mind in developing and implementing prevention strategies and navigating incidents if they occur.
If you would like to discuss how we can support your organisation, our team is here to help. Please contact Skye Rose or Tal Shmerling if you would like further support.
Subscribe to our email updates and receive our articles directly in your inbox.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.
On 9 January 2026, the Albanese Government announced the establishment of a Royal Commission into Antisemitism and Social Cohesion following the 14 December 2025 terrorist attack at Bondi Beach. Former High Court Justice the Hon Virginia Bell AC has been appointed to serve as Commissioner.
This Royal Commission will replace the previously announced review of federal intelligence and law enforcement agencies (to be undertaken by Dennis Richardson AO AC)1 and will also supersede the anticipated NSW Royal Commission. Instead, the Commonwealth Commission will operate with full cooperation from the NSW Government and all states and territories, ensuring it is truly national in scope.
To supplement the Royal Commission, on 20 January 2026, Parliament also passed legislation which enacted changes to key areas to target and prevent hate speech, radicalisation and extremism activity.
In summary, based on the Letters Patent dated 9 January 2026,2 the Royal Commission into Antisemitism and Social Cohesion (Royal Commission) will examine:
The Royal Commission also has a broad mandate to make any other recommendations that strengthen social cohesion, counter ideologically or religiously motivated extremism, and address related matters.
An interim report on the Bondi attack and urgent actions is expected by 30 April 2026, with the final report due by 14 December 2026.
The Royal Commission is the latest in a series of measures since 2023, including the appointment of Ms Jillian Segal AO as Special Envoy to Combat Antisemitism in July 2024. Her plan, delivered in July 2025, contained 13 recommendations and 49 key actions,3 to which the Government responded formally on 18 December 2025.4
Further legislative reforms were flagged in December 2025 and announced on 12 January 20265 — a landmark proposal aimed at strengthening Australia’s response to hate-fuelled conduct and violent extremism by way of:
On 20 January 2026, Commonwealth Parliament convened an emergency sitting and passed two bills6 reflecting the announced changes. These bills collectively amend legislation to address the following key areas to address and prevent hate speech, violence and extremism:
These new laws will commence after the day they receive Royal Assent.
Moores will provide updates to the sector as the legislation progresses. Subscribe to our email updates and receive our articles directly in your inbox.
Please contact us for more detailed and tailored help.
On Wednesday 14 January 2026, the Department of Education (DOE) announced that a major cyberattack has compromised the personal information of students from all Victorian government schools.
This news is a timely reminder that all schools are required by law to keep personal information secure. Schools are required to report eligible data breaches to the Office of the Australian Information Commissioner, whether or not these are caused by the school or by a malicious actor.
According to the DOE, an unauthorised external third-party accessed a database containing information about current and past school student accounts, including:
Whilst there is no evidence that any non-government schools were impacted, privacy breaches (including from cyberattacks) do occur at non-government schools – both Catholic and independent. We often support schools in these matters.
In our experience, certain factors tend to correlate with breaches. These include:
Moores supports non-government schools with privacy compliance, data breach response and cyber incident management. In late January 2026, Moores will release its 2026 Privacy Toolkit, designed to assist organisations of all types to meet their obligations under Australian privacy laws.
Our team regularly advises not-for-profits, schools and education providers on privacy compliance, data breach response plans and proactive redesign of processes to implement privacy-by-design.
The Victorian Government’s final Occupational Health and Safety (Psychological Health) Regulations 2025 (Vic) (Regulations) came into force on 1 December 2025 – a milestone moment for workplace wellbeing.
While earlier drafts of the Regulations proposed obligations on employers to maintain written prevention plans and report certain hazards to WorkSafe, those provisions were dropped in the final version. However, this doesn’t mean complacency is an option. WorkSafe Victoria still strongly recommends using the prevention-plan template developed during the drafting process to provide structure, transparency and minimise the risk of psychosocial hazards.
Importantly, these Regulations are now a standalone instrument – a new legal requirement that exists alongside the traditional Occupational Health and Safety Regulations 2017 (Vic). Awareness of both is essential to avoid compliance gaps.
Eliminate or Minimise Psychosocial Risks
Employers are now explicitly required to identify and eliminate psychosocial hazards wherever possible. If elimination isn’t “reasonably practicable,” the employer must reduce the risk by modifying work design, systems and management structures. Then and only then, as a last resort, through training or information.
Know the Hazards
A ’psychosocial hazard’ is defined as any factor in:
that may arise in the working environment and may cause an employee to experience one or more negative psychological responses that create a risk to their health and safety.
Psychosocial hazards include but are not limited to:
These hazards can trigger cognitive, emotional, behavioural, and even physiological responses that threaten health and safety.
Continuous Risk Management
There is a hierarchy of measures which employers must comply with. In the first instance, an employer must eliminate the risk. However, if it is not reasonably practicable to eliminate the risk, the employer must reduce the risk as far as reasonably practicable by altering the management of work, systems of work, work design or workplace environment. If the risk cannot be reduced by altering these systems, then the employer must use information, instruction or training to reduce the risk as far as reasonably practicable.
Employers must regularly review and revise controls under multiple scenarios:
WorkSafe can require Employers to review or update control strategies if safeguards aren’t kept up to date or robust. WorkSafe has released a Compliance Guide on managing risks to psychosocial hazards to assist employers in complying with the Regulation.
WorkSafe Victoria’s guidance on managing risks to psychosocial hazards is a useful starting point but with so much at stake, expert advice isn’t just prudent, it’s essential. Employers who take a strategic, informed approach to psychological safety now will build stronger, healthier, more resilient workplaces, and shield themselves from future legal or regulatory risk.
Moores can assist employers to amend their risk management frameworks to ensure that they effectively identify and mitigate psychosocial hazards, including occupational health and safety policies and procedures, training for senior leaders on identifying and managing psychosocial hazards, and implementing plans to minimise risks as far as possible.
For more information on the reforms, watch our webinar Psychosocial Hazards in the Workplace.
Owners of residential property in Victoria may be required to lodge a Vacant Residential Land Tax (VRLT) notification if their property was vacant for six months or more during the 2025 calendar year.
If you own a residential property in Victoria which was vacant for six months or more during the period from 1 January 2025 to 31 December 2025, a VRLT notification for that property must be lodged with the State Revenue Office by no later than 15 February 2026.
Notifications must be made via the SRO’s online VRLT portal.
Importantly, a notification must be submitted even if you believe that the property is exempt from VRLT (for example, it was used as a family holiday home and it qualifies for the exemption). In that case, the exemption is claimed when the notification is made.
The only exception to the notification requirement is if a VRLT notification was lodged for 2025 claiming an exemption, that exemption application was approved, and the use of the property has not changed (ie. it still qualifies for that same exemption).
To find out more about whether VRLT applies to your property – and whether an exemption could possibly apply – use our self-assessment tool.
Contact us
To discuss your specific situation or for assistance with lodging a notification or claiming an exemption, please contact us.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisati
On 9 December 2025, the Office of the Australian Information Commissioner (OAIC) announced it will be launching into the new year with significant momentum with plans to undertake its first ever privacy compliance reviews.
Starting in the first week of January 2026, the OAIC’s targeted review will assess 60 entities across six sectors engaging in ‘in person’ collections of personal information privacy practices against the requirements under the Australian Privacy Principle (APP) 1.
The six sectors include:
The OAIC’s announcement is a timely reminder to ensure that your Privacy Policy is clear, accessible up to date and captures any changes to personal information handling practices as we head into 2026.
A key element of the review is the OAIC’s assessment of how these selected APP entities are complying with APP 1.4 which sets out items which must be included in your Privacy Policy to be compliant. The information required includes:
The Commissioner has power to conduct an assessment relating to the Australian Privacy Principles (under S 33C of the Privacy Act 1988 (Cth)). The January 2026 sweep is indicative of a move toward exercise stronger enforcement powers and a shift in the OAIC’s regulatory approach.
The Privacy and Data Security team at Moores can help you to proactively review your privacy practices including by ensuring your organisation has an up-to date privacy policy and undertake privacy audits. .
Stay tuned for our New Privacy Toolkit, to be released in early 2026.
Moores is pleased to share that our Practice Leader and Head of Education, Cecelia Irvine-So, has been recognised in the Herald Sun’s Victorian Education Power Rankings.
Described as a “major legal player behind the scenes”, Cecelia is acknowledged for her work supporting schools to navigate complex challenges, strengthen governance and create safe, thriving environments for students.
Moores is privileged to work alongside non-government schools across Victoria and Australia, supporting their ongoing impact on young people and their communities.
Under Cecelia’s leadership, our education practice continues to be sector-leading and trusted by schools seeking clear, practical and values-driven guidance.
Please contact us if you would like further information on how we can assist.
This month, the Australian Competition and Consumer Commission issued three recall notices following the detection of asbestos in imported coloured and decorated sand products used by children for play and craft activities. These products have been sold by major retailers including Kmart and Officeworks throughout Australia between 2020 and 2025.1
The presence of asbestos in any product used by children will understandably cause concern, noting that the current government guidance is that risk is low.2 While school and early learning centres (ELCs) are focused on the operational response, it is equally important that they take steps now to ensure comprehensive, well-maintained records. Asbestos-related claims typically arise many years — even decades — after initial exposure. Without adequate documentation, it may be difficult in the future to ascertain the level and nature of potential exposure as well as whether reasonable steps were implemented to address risk at the time the risk was identified.
A dual focus is therefore essential:
The response has varied across states as regulators and agencies respond to the recall. Schools in the ACT, Tasmania and Brisbane have closed for disposal and deep cleaning. In Victoria, the Department of Education has responded but has not indicated any plans for school closures. The Australian Department of Health, Disability and Ageing has issued interim advice in response to the recall immediately advising consumers to:
“Stop using affected products, follow recall instructions, and await further advice. Current risk is low; no clinical checks needed.”3
For the workplace and school environment, Asbestos in Victoria and WorkSafe Victoria have also provided information here.
This recall identifies occupational, health and safety, and duty of care risks.
Taking a conservative approach, schools and ELCs should treat the recall notice as an alert to the potential for a reasonably foreseeable risk of harm requiring a risk response in line with the school’s own risk management framework and risk assessment process.
This means that schools and ELCs must act to eliminate or reduce the risk as far as possible in the workplace and learning environment.
In managing any response, schools and ELCs have a primary duty to ensure the safety of students, educators, and families by removing affected products from use and following health authority advice.
Once these immediate risks have been addressed, it is crucial not to overlook the long-term implications. While health authorities assess the risk as low, it is appropriate to collate and preserve any documentation that could assist to respond to possible future questions, reviews, or claims.
The following are some of the steps can support documenting any risk management response (in addition to immediate safety and remedial action):
Moores recommends that schools and ELCs collate and keep the following (if and to the extent that this information is available) for any coloured or kinetic sand products currently or recently in use:
Product documentation
Action documentation
People and situational documentation
Schools and ELCs should retain related records in line with:
Given the recall, ELCs and schools must act quickly to protect the health and safety of students and staff, and to keep their communities informed. At the same time, it is critical to establish a comprehensive documentation process that ensures you are well prepared should any claims arise in future.
Moores will continue to keep the sector informed. You can stay updated by subscribing to receive updates on this issue.
From 1 January 2026, a new mandatory and suspensory merger control regime (the Regime) under the Competition and Consumer Act 2010 (Cth) (the CC Act) will apply to significant asset transfers, acquisitions and mergers. Not-for-profits (NFP) and charities acquiring assets or taking over another entity may need to seek ACCC approval for the transaction if certain threshold requirements are met.
The Regime1 establishes a mandatory notification obligation from 1 January 2026 for certain ‘acquisitions’ that meet prescribed thresholds. These ‘acquisitions’ cannot be effected until the Australian Competition & Consumer Commission (ACCC) has granted approval. This requirement will also apply to merger agreements entered into before 1 January 2026 that are completed on or after that date.
Under s 50 of the CC Act, an ‘acquisition’ of shares2 or assets3 that would or is likely to substantially lessen competition in a market may be prohibited. The ACCC looks at factors such as market concentration, barriers to entry and whether the acquisition removes an effective competitor to determine whether the acquisition would substantially lessen competition.
An acquisition that is connected with Australia (e.g. the target carries on business in Australia or holds assets used in an Australian business) must be notified if it meets certain financial thresholds set by Ministerial Determination4. These are based mainly on revenue and asset value. In summary, an ‘acquisition’ by an NFP or charity5 would need to be notified to the ACCC in the following circumstances:
Even if the thresholds are met, notification may not be required in relation to:
Further, parties may apply to the ACCC for a notification waiver (available from 1 January 2026) which removes the obligation to notify. The ACCC has indicated it will provide further information about waivers later in 2025.
Organisations that are planning to merge and are required to notify have three options:
Broadly, the Regime includes provision for:
If a notifiable acquisition is completed without ACCC approval, the ACCC can void or stay the transaction. It would also be a contravention of the CC Act to:
Penalties for non-compliance are significant, being the greatest of: $50 million; three times the value of the benefit gained (if the benefit is determinable); or 30% of the entity’s adjusted turnover during the breach period (if the benefit is not determinable).
The Regime represents a significant regulatory shift for NFPs and large charities that are involved in large or regular merger transactions. Proactive engagement with the ACCC, early advice and strategic planning will position your NFP or charity to avoid surprises and ensure compliance with the Regime.
Moores Charity and Not-for-Profit team can work alongside you to prepare your board, assess merger readiness and liaise with the ACCC to ensure your organisation is well positioned for Regime compliance.