The recent Fair Work Commission (Commission) decision in Tawanda Gadzikwa v Australian Government Department of Human Services [2018] FWC 4878 has confirmed that employers may reject an employee’s medical certificate if it is too vague to enable them to discharge their legal obligations following a long period of absence.
In June 2016, Mr Gadzikwa commenced a period of unpaid personal leave with the Department of Human Services (DHS) due to a mental health condition. Mr Gadzikwa did not return to work, save for three days in September 2016.
In late 2017, DHS informed Mr Gadzikwa that his unpaid sick leave would come to an end in January 2018, and sought proof that he was fit for duty.
Mr Gadzikwa provided DHS with a medical certificate that stated he was fit to perform “light duties”. Given the extended period of absence, DHS sought further specifics about Mr Gadzikwa’s ability to return to work.
DHS’ request for further information prompted an argumentative response, but limited additional information was provided.
In light of the ambiguous language contained in the medical clearance, DHS dismissed Mr Gadzikwa on the basis that it was unsatisfactory. Mr Gadzikwa lodged an unfair dismissal claim alleging that the information that he had provided was sufficient.
Deputy President Colman rejected the unfair dismissal claim and found that Mr Gadzikwa had failed to provide a sufficient medical clearance at the end of his authorised leave because the medical certificate:
The Commission was also satisfied that the dismissal was not affected by any procedural unfairness or disproportionate to the relevant conduct.
Employers should seek legal advice before rejecting a medical certificate, or dismissing an employee because it requires further information. While subjecting an employee to unreasonable requests for information about their disability could expose an employer to an adverse action or disability discrimination claim, allowing an employee to return to work without sufficient information on their fitness for duty or the modifications required may breach an employer’s OHS obligations.
For more information, or to speak with a member of our workplace relations team, please do not hesitate to contact us.
Currently in Australia there are no specific laws which prevent an individual in public from taking a photo of a student.
That being said, the Privacy Act 1988 (Cth) governs how personal information including images can be collected, stored and used. Your school’s child safe policy may also set out when adults, and which adults, are allowed to photograph students, and in what circumstances.
Many schools grapple with balancing the need to promote the school’s activities and achievements against parent wishes and concerns, which can range from very protective to “oversharing” when it comes to photos of students!
By virtue of their annual turnover (more than $3,000,000), and because they are prescribed as health services, independent schools must comply with the Australian Privacy Principles (APPs), which are set out in the Privacy Act, and with their state health records legislation.
The APPs include the requirement to be transparent (in your privacy policy) and compliant as to:
Common privacy concerns for schools
Whilst grappling with getting the balance right, schools often note these dilemmas:
Some key tips for best practice
How we can help
Moores assists clients in the education sector to create workable and compliant privacy frameworks, including privacy training for staff. We can advise on any privacy breaches or data breaches, in the event these do occur.
If you would like further assistance, please do not hesitate to contact us.
Ordinarily, a BDBN is valid if:
However, we have recently observed additional requirements being imposed via the trust deed. A common example is what we like to call the ‘life events’ clause. Under the ‘life events’ clause, a BDBN may cease to have effect in a variety of circumstances. For example:
The latter option provides the Trustee with a wide discretion to render a BDBN invalid.
It is important to be aware that a BDBN may not be as binding as you think.
If the BDBN was signed before the member married or divorced, or before they had children, the BDBN may no longer be binding.
It is also important to be sure the BDBN has been validly made and lodged. In practice, we have seen the following issues arise upon the death of a member:
If you have any general queries regarding a BDBN, please do not hesitate to contact us.
Strathmore Secondary College is under investigation following the accidental publication of over 300 student records. The breach was slammed by education minister James Merlino as “nothing short of appalling” as it revealed highly sensitive information such as disabilities, behavioural issues, and treatment plans of students. The breach sends a strong message to the education sector regarding the importance of training staff and having in place a strong data breach response plan.
On Tuesday 21 August 2018, Strathmore Secondary College became aware that student records relating to more than 300 students had been accidentally published on the school’s intranet from as early as Monday this week. The intranet is accessible by students and parents. The records published listed conditions such as ADHD, Asperger’s, acquired brain injuries, and Autism. It also contained information on whether students were receiving government support, were on medication, or had treatment plans.
While the information was restricted to the intranet, there are concerns that the information could fuel bullying or harassment. Additionally, the information could be further spread by word of mouth or copies being made. The education department will be launching an inquiry into the breach and visiting the school to educate staff on privacy and IT issues. The impact of the breach in terms of degree of access or number of downloads is currently unclear.
The Strathmore data breach aligns with the OAIC’s recent finding that human error is a key contributor to data breaches. In its second quarterly report on the NDB Scheme, it found that human error accounted for 36% of data breaches. While malicious or criminal attacks accounted for 59% of notifications, many of these had a human factor such as clicking on phishing emails. This provides an important lesson to organisations: training staff deserves as much focus as IT systems.
Furthermore, the Strathmore data breach demonstrates the significant impact a data breach can have on an organisation’s reputation. It is critical that organisations have in place a tailored data breach response plan (DBRP). This is especially so if the organisation is bound by the NDB Scheme or reporting requirements under state contracts. These generally require the reporting of data breaches which lead to or have the potential to lead to significant harm to affected individuals.
In the past, Moores has worked with education institutions who have suffered data breaches, including education bodies which have published sensitive student information in error on “public” websites. With the help of a clear and effective DBRP, significant harm can be mitigated and the data breach can be contained. This may mean that reporting is not required, allowing the organisation to minimise the risk of reputational harm or widespread panic.
The education sector is becoming increasingly susceptible to data breaches. Privacy breaches, malicious cyber threats, and IT systems failure were all part of the top 10 concerns for schools, as highlighted in the AON Independent Risk Report 2018. Education institutes are particularly vulnerable due to holding sensitive information such as the health data of children.
Organisations need to strengthen their actions regarding privacy. We highly recommend that organisations undertake a self-assessment of their current practices. Where your organisation falls short, such as failing to have a DBRP or training for staff, the current environment provides incentive to prioritise improving your practices.
Moores has experience working with clients in the education sector to both prevent and proactively respond to data breaches. We can provide advice to your organisation on its privacy framework.
The Victorian Civil and Administrative Tribunal (VCAT) has awarded $11,000 in damages to a teacher whose employer failed to protect personal information from loss and disclosure.
The teacher had been diagnosed with medical conditions and as part of a different discrimination claim relating to the teacher, the acting principal took written notes of a phone call with the Department of Education’s legal advisors.
The note didn’t identify the teacher, but was sufficiently particular to the teacher to be identified as referring to her and her medical condition. The note was found in the staff bathroom by a colleague who had a discussion with another colleague and determined that it was regarding the teacher. They placed it in her pigeonhole.
On her return to the workplace the teacher found the note, left and did not return to work. The teacher claimed that she had suffered distress at the discovery of the note as her employer had not complied with the privacy principles in the Health Records Act 2001 (Vic) (HRA).
VCAT found that the Employer had breached the HRA and caused the teacher to suffer damages in the form of distress, an inability to return to work and deterioration in her mental health.
This case highlights that, despite the publicity around hacking and data breaches, many privacy breaches are still due to basic human error and misplacing paper records. This was reflected in the second quarterly report published by the Office of the Australian Information Commissioner on 31 July 2018. The report found that 33 per cent of the notifications received indicated that the cause of the breach was human error. The most common human errors were:
Human error was also believed to be behind the disclosure of hard-copy records of 31 patients from John Fawkner Private Hospital. You may remember, in 2017, when five pages of confidential hand-over notes were found in the gutter on Coburg Street. The notes contained personal, and highly sensitive, information including names, ages, diagnoses, treatment plans, medications and living conditions. Although at the time there was no obligation on the hospital to notify the patients that their privacy had been breached, this is no longer the case with the new notifiable data breach legislation.
The recent legislation changes and the common occurrence of human error highlight the importance of risk management when dealing with personal information.
To ensure that your organisation is in a strong position to effectively and swiftly respond to a data breach, we recommend that your organisation take the following 5 steps to ensure compliance and best practice:
All this information can seem overwhelming and daunting, so don’t forget Moores is here to help. If you would like more information or assistance with your data breach response plan, please do not hesitate to contact us.
Harrison v Department of Education and Training (Human Rights) (Corrected) [2017] VCAT 1128
The Office of the Australian Information Commissioner (OAIC) has issued its second quarterly statistics report (the Report) for 1 April – 30 June 2018. As the number of data breaches reported increases, interesting trends have been identified. Significantly, while 59% of breaches were caused by malicious or criminal attacks, 36% of data breaches reported were due to human error. This provides a valuable lesson for organisations that preventing human error should be a key aspect of their data security strategy.
A total of 242 notifications were made under the Notifiable Data Breaches (NDB) scheme in the second quarter. The general trend of increasing reports continued with 90 reports being made in June, compared to only 55 made in March. Contact information and financial details were the most common kinds of personal information to be involved in data breaches.
The Report also identified the top five industry sectors that made the most notifications in the quarter. These were (in order) health service providers, finance, legal, accounting and management services, education, and business and professional associations. Significantly, health service providers accounted for 49 of the notifications received which equates to around 20% of notifications made. This also did not include My Health Record breaches as those are subject to a separate notification scheme.
The causes of notifications were:
The majority of malicious or criminal attacks were due to cyber incidents such as phishing, malware, ransomware or stolen credentials. Interestingly, these often occurred due to exploitation of vulnerabilities, including human factors such as clicking on phishing emails or disclosing passwords.
Notifications that were caused by human error primarily occurred due to personal information being sent to the wrong recipient, accidental unintended release or publication, or loss of paperwork or a data storage device. However, information sent to the wrong person tended to affect smaller numbers of individuals, while lost data storage devices impacted significantly more individuals.
The Report and the recently publicised data breaches suffered by PageUp and Svitzer demonstrate that prevention is best. While both PageUp and Svitzer were able to manage the breaches to prevent serious harm from occurring, the organisations suffered significant reputation loss and business impact. It can be difficult to prevent malicious or criminal attacks, but organisations can do more to address human error and the human factors that create vulnerability to these attacks.
Some practical tips for preventing data breaches are:
Moores has experience working with clients to both prevent and proactively respond to data breaches. We can provide advice to your organisation on undertaking the preventative steps above.
While Australia has traditionally been a target destination for university students, the number of international students enrolled in primary and secondary schools has increased by 14% in the last year. Schools that enrol overseas students under the age of 18 have additional obligations to ensure child safety.
To provide guidance to these schools, the Victorian Registration and Qualifications Authority (VRQA) has released Guidelines for the Enrolment of Overseas Students Aged under 18 (Overseas Guidelines). The Overseas Guidelines will commence on 1 July 2018; a very important date for schools as they will also need to be compliant with the new National Code for Overseas Students (National Code) and the VRQA Guidelines to the Minimum Standards (Minimum Standard Guidelines).
In response to rising complaints by overseas students, Australia prioritised preserving its reputation as an international destination for education. Accordingly, the new National Code was passed, placing obligations on educational institutions providing services to international students. In particular, Standard 5 of the National Code relates to underage overseas students. It states that if the student is not staying with a relative, the education provider must provide appropriate accommodation, support and general welfare.
The previous VRQA Guidelines on Homestay Accommodation for Overseas Students (Homestay Guidelines) lacked comprehensiveness and only consisted of three guidelines. Therefore, the new Overseas Guidelines were released, consisting of eight guidelines which clarify the requirements for education providers and align with the new Code and updated Child Safety Standards.
The Overseas Guidelines will replace the Homestay Guidelines. The key changes are outlined below.
Child Safe Standards
The Overseas Guidelines require education providers to comply with the Child Safe Standards as set out in the Child Wellbeing and Safety Act 2005 (Vic). This includes, but is not limited to:
If an underage student is not staying with a relative, the education provider must ensure that the student is at least 13 years of age (unless the student will be living in a boarding facility which is owned by a registered school). The education provider must issue a Confirmation of Appropriate Accommodation and Welfare (CAAW) letter to the Department of Immigration and Border Protection. This education provider will then be responsible for ensuring appropriate accommodation, support and welfare (as per Minimum Standards for Student Accommodation below) for the student and ensuring that any third parties providing these services comply with the Child Safe Standards. The education provider will not be able to delegate, outsource or contract out these responsibilities.
Education providers must also provide all underage overseas students with a Student Safety Card which includes the education provider’s details, a 24/7 contact number, emergency numbers, homestay details (if relevant) and a statement that the education provider is registered with the VRQA.
Training Requirements
Education providers will be required under the Overseas Guidelines to train support staff and student coordinators who interact with underage students. They must receive training on:
Minimum Standards for Student Accommodation
Education providers responsible for providing accommodation must ensure that the accommodation is appropriate for the student’s age and needs. For example, providers need to ensure that they have in place appropriate processes for screening accommodation such as homestay or boarding school facilities. This will include ensuring the accommodation staff or provider has a valid WWCC, and verifying the suitability of the accommodation. In particular, homestay arrangements require the provider to ensure the student has their own bedroom, regular biannual checks to ensure suitability, and a site visit to assess appropriateness.
Impact on Education Providers
Schools which offer their services to underage overseas students need to be compliant with the Overseas Guidelines by 1 July 2018. Most schools are likely focusing on implementing the National Code and VRQA Guidelines to the Minimum Standards and should incorporate compliance with the Overseas Guidelines into their changes.
We recommend that schools take the following next steps.
Moores can assist with your governance requirements, from conducting governance analysis, through to policy development and training.
We are experienced in working with schools and the education sector, with particular focus on practical and commercial approaches to regulatory complexities.
For assistance with reviewing your policies and procedures to ensure compliance with the Overseas Guidelines, please don’t hesitate to contact us.
Child safety has rightly been prioritised by schools following the Royal Commission into Institutional Responses to Child Sexual Abuse and the Victorian Betrayal of Trust Inquiry. This is particularly the case in Victoria, where several legislative changes now place obligations on schools to provide a child safe environment.
As part of their commitment to the safety and wellbeing of their students, some schools now require all employees, subcontractors and suppliers of builders on their school building projects to have a Working with Children (WWC) Check. This article looks at whether this requirement is necessary and sensible.
WWC Checks are a state-based assessment of an individual’s suitability to work with children. In Victoria, the WWC Check is regulated under the Working with Children Act 2005 (Vic) (the Act). The WWC Check screens an individual’s national criminal record for serious criminal charges, offences, findings of guilt and professional conduct determinations and findings related to the safety of children. If an individual passes the WWC Check, their criminal record is continually monitored for the five years that the WWC Check is valid, and the organisation they work for is notified of any changes (if the organisation is listed when the WWC Check is completed, renewed or updated). A WWC Check is different to a National Police Check, which checks national criminal records for a broader range of crimes but has no monitoring and notification process (meaning it is only valid at the time it is provided).
Under the Act, an individual requires a WWC Check if they engage in, or intend to engage in, child-related work as an employee or volunteer. Child-related work is described as work undertaken:
The employees, subcontractors and suppliers of builders who are carrying out works on school grounds will satisfy the first requirement above. However, while such persons may have contact with children, it is likely to be considered occasional and incidental to their work. Therefore, it is unlikely that employees, subcontractors and suppliers of builders who are carrying out works on school grounds as part of a school building project need WWC Checks under the Act.
While employees, subcontractors and suppliers of builders are unlikely to need a WWC Check under the Act, some schools insist on it as part of their Child Protection Policy (CPP). It is a requirement under the Child Safe Standards (Standards) that schools have their own CPP. The Standards were created as a compulsory minimum set of obligations on organisations that provide services to children, including Victorian schools.
If a school’s CPP requires WWC Checks for employees, subcontractors and suppliers of builders, the school must ensure that these checks are obtained. This is because breaches of a school’s CPP may result in investigation and liability. This raises two issues. First, a school should be precise in specifying who is required to have a WWC Check to avoid the school assuming unintentionally broad obligations. Second, should a school’s CPP require all employees, subcontractors and suppliers of builders on their school building projects to have a WWC Check? We note that:
The Standards make clear that WWC Checks are only a starting point for ensuring child safety. Schools need to ensure that they are complying with all seven of the Standards. This includes putting in place strategies to reduce the risk of child abuse. For example, how school building projects are staged and delivered can help ensure a child safe environment. Issues to consider include how best to limit contact between students and the employees, subcontractors and suppliers of builders. Can, for example, the construction site be securely fenced off from the wider school grounds? Should the school prohibit employees, subcontractors and suppliers of builders from entering or leaving the school grounds at the start or end of the school day? Will the school engage chaperons and supervisors while building works are being carried out?
We also note that the Children Legislation Amendment (Reportable Conduct) Act 2017 (Vic) imposes a reportable conduct scheme which requires the head of a school (i.e. the Principal) to notify the Commission for Children and Young People of reportable conduct by an associated employee, volunteer, contractor or other associated individual to a child. Reportable conduct includes allegations of sexual offences, sexual misconduct, physical violence, significant neglect and any other behaviour that causes significant emotional or psychological harm. Unlike the WWC Check requirement under the Act, this reporting requirement will apply to the employees, subcontractors and suppliers of builders on school building projects.
Child safety should be of utmost importance to schools. This includes in connection with their school building projects.
We can assist schools to bring their processes in line with legislative requirements and best practice to help ensure a child safe environment, including by:
For any further information, please do not hesitate to contact us.
In May 2018, a regime of new privacy regulation commenced in Europe. Its application is extensive and may apply to Australian businesses with a presence or connection to the EU. Many Australian organisations are being asked currently to sign new data sharing agreements with European companies.
The European Union General Data Protection Regulation (GDPR) is an important regime that will harmonise data privacy laws across Europe.
Four years in the making, it was finally endorsed by the EU Parliament on 14 April 2016 and will commence on 25 May 2018. It is a set of rules and regulations on data protection and privacy for all individuals within the European Union.
Compared to the Data Protection Directive 95/46/EC which it replaces, the GDPR has an increased territorial scope. It applies to all companies processing personal information from individuals residing in the EU, regardless of where the company is located. Therefore, the GDPR will apply to Australian organisations who:
The GDPR only applies to personal data. Under Article 4, “personal data” has been defined as any information relating to an identified or identifiable natural person. There are ‘special categories’ of personal data which are offered additional protection and this includes personal data revealing racial or ethnic origin, political opinions, trade union membership or religious or philosophical beliefs. Health information, genetic data, biometric data or information concerning an individual’s sex life or sexual orientation are also ‘special categories’ of information (Article 9).
The key piece of privacy legislation in Australia is the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). There are several overlaps between the APPs and the GDPR, meaning organisations that comply with the APPs are likely to be compliant with several provisions of the GDPR already. For example, APP 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This is similar to the requirements under the GDPR to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities.
However, some additional obligations arise under the GDPR. These include requiring organisations to:
Organisations should also note additional requirements for data processing businesses and for organisations that transfer personal data outside the EU. Additionally, the GDPR has expanded rights for individuals that organisations will need to respect. For example, individuals in the EU have a ‘right to be forgotten’, meaning they can require organisations to delete their data in certain circumstances. Individuals also have a right to data portability which is a right to request information they have given to one online service provider to be transmitted to another online service provider and a right to object at any time to the processing of their personal data.
The GDPR imposes on organisations a mandatory data breach notification regime which requires them to advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach, unless the breach is unlikely to impact the rights and freedoms of individuals. Affected individuals also need to be notified without undue delay. This is likely a higher standard than Australia’s new Notifiable Data Breaches Scheme as this only requires notification of breaches which are likely to result in serious harm to any individuals affected.
The GDPR is a complex regime and organisations that breach it risk fines up to €20 million or 4% of annual worldwide turnover. It is imperative that organisations prioritise compliance with the GDPR as its commencement day looms. Moores recommends each organisation takes the following 5 steps to ensure compliance and best practice:
All this information can seem overwhelming and possibly insurmountable, so don’t forget Moores is here to help. Whether it is a simple policy review or the full implementation of your 5 step plan, we are more than happy to discuss your requirements.
Following recent amendments to the Marriage Act, same-sex couples across Australia are now permitted to marry under Australian law. But as with any legal marriage, it is important to look at your estate planning before (or shortly after) you walk down the aisle.
These days, married and unmarried couples are virtually the same in the eyes of the law.
From division of property on separation to estate entitlements on death, if you are living together as a couple on a genuine domestic basis, you have mostly the same rights as married couples.
However, the legal requirement for a de facto relationship is generally that you have lived together for 2 years or more, or have children together. So if your current relationship doesn’t satisfy these criteria, then getting married will likely affect your legal rights and responsibilities.
Marriage generally revokes a Will that is made before the big day. This is one major difference between the legal rights of married and de facto couples. So if you have been married recently, you should urgently update your Will as your existing Will may no longer be valid.
If you don’t already have a will, however, there is no need to wait. You can make a will “in contemplation of marriage”, to get around the automatic revocation.
Superannuation is not necessarily governed by your will. However, in most cases, you can still decide who will receive your super (and life insurance) after your death. Proper planning can make the process much simpler and help your loved ones to avoid unnecessary tax.
Who will manage your affairs, if you are no longer able? Making a power of attorney lets you decide. It also lets you have some control over the decisions that are made. Getting married is a good time to make sure you have the right people in these roles.
Marriage is a happy occasion. Unfortunately, about 40% of marriages in Australia end in divorce. To help avoid bitter disputes, it can be worthwhile to make a “binding financial agreement” early on in the relationship, to decide how the assets will be divided on separation. At least three to six months before marriage is ideal.
Already married? Never fear, a BFA can be made at any time.
Our specialised lawyers can advise and assist you with all aspects of your estate planning and family law needs. If you are preparing to marry, now is the time to get practical advice on how to structure and plan your estate. Please do not hesitate to contact us.