This procedure is in draft format and should not be referred to in any way.

  PROCEDURE: Compliance breach notification and recording procedure

  Operational Responsibility:  Internal Audit and Risk Management Group

  Related Policy:              Compliance Policy

  PROCEDURE STATEMENT

  Intent:            To establish a process for the notification and recording of compliance
                     breaches, issues and complaints, for the ultimate prevention of future
                     breaches.

  Procedure Scope:   University-wide

  Exclusions:        Breaches of health and safety legislation, critical incidents or disclosures
                     made under the Whistleblowers Protection Act.

  PROCEDURE STEPS AND ACTIONS:
  Procedure (including Key Points)                                Responsibility             Timeline
  In order to assist with the proactive prevention of compliance breaches, complaints or issues, the recording of
  actual or alleged breaches or complaints is essential to enable RMIT to identify where compliance issues exist
  or may potentially develop.
  This procedure assists by providing a process to record and report on compliance breaches, complaints or
  issues, thereby delivering the information necessary to enable future breach prevention activities or strategies
  to take place. The procedure is in 4 sections:
      •    Breach definitions;
      •    How to respond to a compliance breach: containment and notification;
      •    Prevention of future breaches; and
      •    Recording of a breach.
  The procedure forms part of the compliance monitoring activities required under the RMIT Compliance Policy
  and is consistent with Australian Standard AS3806:2006 Compliance Programs.


  BREACH DEFINITIONS:
      1. A compliance breach is a failure to comply with:
               a. A Commonwealth or State Act, Regulation, Code or other Statute
               b. An RMIT Statute, Code or Policy
               c. Any other mandatory or voluntary code, agreement or contract
               d. Obligations arising at Common Law




                                                    Document: Compliance breach notification and recording procedure
                                                                                            Author: Kathy Bramwell
                                                                                               Save Date: 5/21/2009
                                                                                                         Page 1 of 9
      2. A significant compliance breach is a breach with the potential to have a serious impact upon
         RMIT, its staff, processes or property.
          Examples include:
              a. An accident on RMIT’s premises, or whilst involved in an RMIT activity, that results in an injury
                 leading to hospitalisation or death. In the event of such an accident, the Hazard & incident
                 reporting, investigation and recording procedure should be followed.
              b. A significant investigation by a regulator or statutory body;
              c. The potential for a fine, penalty or compensation payment of $50,000 or higher;
              d. A major impact upon RMIT’s business continuity;
              e. The potential to reach local, state, national or international media.
          More detailed examples are attached to this procedure under Appendix B.
      3. A critical incident is a severe crisis such as multiple fatalities and/or serious injuries, or an event which
          is likely to cause extreme physical and/or emotional distress to staff, students and visitors.
          It may also be any incident potentially impacting upon RMIT’s safety or reputation, e.g. natural disaster,
          a large fire, bomb sabotage, material release, civil unrest, environmental issue or ethical / reputation
          damage.
          In the event of a critical incident, the response should follow the Critical incident management policy.


  HOW TO RESPOND TO A COMPLIANCE BREACH:
      4. Breach containment
              a. Take immediate, common sense steps to limit or contain the breach (e.g. stop the
                 unauthorised practice; recover any records; shut down the system etc).
              b. If the breach relates to Health and Safety legislation, the Hazard & incident reporting,
                 investigation and recording procedure should be followed.
              c. Do not compromise the ability to investigate the breach. Do not destroy evidence that may be
                 valuable in determining the cause or in allowing corrective action to be taken.
      5. Notification of a non-significant compliance breach
              a. All staff should immediately notify the relevant Head of School/Business Unit, once they
                 become aware that a breach has occurred, or is likely to occur.
              b. Upon receiving the information, the Head of School/Business Unit should notify the Senior
                 Manager, Compliance using the form attached as Appendix C, within 14 days if the breach is
                 not significant.
              c. The Senior Manager, Compliance will assess what other notifications are required on a case-
                 by-case basis.
      6. Notification of a significant breach
              a. All staff should immediately notify the relevant Head of School/Business Unit, once they become
                 aware that a significant breach has occurred, or is likely to occur.
              b. When the breach is significant or has potentially significant consequences, the Head of
                 School/Business Unit should immediately notify the relevant Pro Vice-Chancellor and Senior
                 Manager, Compliance.
              c. The Senior Manager, Compliance will assess what other notifications are required on a case-
                 by-case basis and liaise with the Pro Vice-Chancellor and Legal Services with regard to further
                 action or notification.
              d. If the breach is considered to be a Critical Incident (as defined in section 3) the Critical incident
                 management policy should be followed.
              e. If the breach relates to the disclosure of personal information that may put an individual at risk,
                 the Head of School/Business Unit should also immediately contact the Privacy Officer, who will
                 determine whether notification to the individual is required.
              f. If any breach is likely to receive media attention, notification must also be provided to the Vice-
                 Chancellor and the Media and Communications Unit.


  PREVENTION OF FUTURE BREACHES:
      7. Once the immediate steps are taken to mitigate the risks associated with a breach, the Head of
         School/Business Unit should investigate the root cause(s) of the breach and consider whether to
         develop a prevention plan.
          The level of effort should reflect the significance of the breach and whether it was a systemic breach or
          an isolated instance. A prevention plan may include the following:
              a. A review of relevant processes, policies and procedures;
              b. A review of employee training practices;
              c. An audit of physical and/or technical security; and
              d. A review of contractual obligations imposed on contracted service providers.
          Following any breach, it is vital that full details of the breach, investigation and corrective actions
          undertaken are recorded and retained.


  RECORDING OF A COMPLIANCE BREACH:
      8. Details of all compliance breaches, issues, potential breaches and/or compliance-related complaints
         should be recorded on a register.
      9. This register should include details of any notifications made to the Senior Manager, Compliance.
      10. A copy of the compliance breach notification form should be kept with the register for future reference.
      11. This register will be reviewed as part of the annual compliance review process.
      12. A copy of a sample register is attached as Appendix D.


  Supporting Guidelines, flow-charts, check-lists, etc:
      Appendix A: Breach notification flowchart
      Appendix B: Examples of significant breaches
      Appendix C: Breach response and notification form
      Appendix D: Compliance breach and issues register

  Links to related forms, records and electronic databases:
      Compliance policy
      Corporate compliance strategy
      Health, safety and security policy
      Critical incident management policy
      Hazard and incident reporting, investigation and recording procedure

  PROCEDURE FURTHER INFORMATION

  Commencement Date:                                        Review Date:


  REVISION HISTORY – managed by University Policy Officer
  Revision Ref. No. | Approved/Rescinded | Date | Committee/Board | Resolution Number | Document Reference
  (no revisions recorded)
  ACCOUNTABILITIES

  Implementation:                  Senior Manager, Compliance

  Compliance:                      All Executive, Managers and staff of RMIT

  Development / Review:            Senior Manager, Compliance

  Approval authority:              Vice-Chancellor

  Interpretation and advice:       Senior Manager, Compliance

  Data collection and analysis:    Senior Manager, Compliance

  WHO SHOULD KNOW THIS PROCEDURE?

   All RMIT executive, managers and staff

  EFFECTIVENESS OF THIS PROCEDURE

  How will the efficiency and effectiveness of this procedure be measured?
      •    Number of breach notifications received
      •    Timelines of notifications received
      •    Monitoring of corrective action outcomes


  PROCEDURE SUPPORTING INFORMATION

  Definitions and acronyms:
      Compliance – adhering to the requirements of laws, industry and organisational policies, standards and
      codes, principles of good governance and accepted community and ethical standards.
      Compliance Breach – an act or omission whereby RMIT has not met its compliance obligations, processes or
      behavioural obligations.
      Staff – person, whether remunerated or not, working on RMIT’s behalf including part-time staff, full-time
      staff, sub-contractors, temporary staff and volunteers.

  Key Words For Search Engine:
      Compliance, breach, failure, notification, rectification, correction, privacy, media, publicity, reporting




  Appendix A: Notification Flowchart

  Staff become aware of compliance breach or potential breach
      |
      v
  Notify Head of School or Business Unit immediately
      |
      v
  Head of School / Business Unit contains breach and makes preliminary assessment as to breach consequences
      |
      +-- Critical Incident:
      |       Follow the Critical incident management policy
      |
      +-- Health and Safety Breach:
      |       Follow the Hazard and incident reporting, investigation and recording procedure
      |
      +-- Significant Breach:
      |       Notify PVC and Senior Manager, Compliance immediately
      |       Contain the breach and initiate corrective action
      |       If likely to receive media or public attention, notify Vice-Chancellor and Media & Communications Unit
      |       Complete Breach Notification Form and send copy to Senior Manager, Compliance within 24 hours
      |       Retain all records for future reference
      |
      +-- Breach but not Significant:
              Contain the breach and initiate corrective action
              Record details of incident on Breach Notification Form and send copy to Senior Manager, Compliance
              within 14 days
              Retain all records for future reference
APPENDIX B – Examples of Significant Breaches

   •   An accident on RMIT’s premises, or whilst involved in an RMIT activity, that results in an
       injury leading to hospitalisation or death.
       Example: During the course of research activities being undertaken in a laboratory, a student and
       an RMIT employee are burnt through the experiment. Both are hospitalised overnight for
       observation.
       Subject to the circumstances surrounding the accident, RMIT may be in breach of the
       Occupational Health and Safety Act 2004 and RMIT’s Health, Safety and Security policies. The
       incident may also be investigated by the WorkCover Authority.
       For further information on compliance on OH&S matters, please refer to the specific RMIT
       Health, Safety and Security Policies link located on the RMIT website at www.rmit.edu.au under
       RMIT Policies. (For H&S breaches, follow the Hazard and incident reporting, investigation and
       recording procedure.)

   •   A significant investigation by a regulator or statutory body.
       Example: RMIT undertakes a large advertising campaign promoting scholarship programs. In
       actual fact, RMIT were not providing scholarships and were using the advertising campaign as a
       way to attract students to the University.
       An RMIT Employee notifies the ACCC of the false and misleading advertising campaign.
       Pursuant to the Trade Practices Act 1974, the Commissioner of the ACCC appoints an
       investigator to investigate the complaint which may result in a prosecution of RMIT.

   •   The potential for a fine, penalty or compensation payment of $50,000 or higher. (Excluding
       workers compensation claims)
       Example: Using the false and misleading advertising campaign above, if on prosecution it is
       determined that RMIT knowingly contravened the Trade Practices Act 1974, the court can
       impose fines and compensation. The penalties can be as high as $10 million for corporations
       and $500,000 for individuals.

   •   A major impact on business continuity.
       Example: There was a failure to implement procedures for the regular monitoring of cooling
       towers. As a consequence an outbreak of legionella occurs, which leads to the closure of the
       Bundoora Campus until the source of the disease can be identified and treated. Numerous RMIT
       Employees and Students are hospitalised as a result. Additionally, RMIT is fined for the breach
       of its compliance obligations under the Building Act 1993.
       RMIT may also be in breach of the Occupational Health and Safety Act 2004 and RMIT’s Health,
       Safety and Security Policies.

   •   The potential to reach local, state, national or international media.
       Example: An RMIT Employee forgets to shred a run of confidential records about RMIT students
       and leaves the documents on a table in a room used by many RMIT Employees and Students.
       The student records can easily be identified. A group of students identify that their records are
       accessible and inform the media.

       (This is a breach under the Information Privacy Act 2000 which requires RMIT to take reasonable
       steps to destroy or de-identify personal information that is no longer needed.)

APPENDIX C – Compliance Breach Response and Notification Form

(This form should be used for notification to the Senior Manager, Compliance of an actual breach or alleged breach – within
24 hours of a significant breach or otherwise within 14 days – please refer to the completion instructions on the rear of this
form.)

Provisions breached or alleged to have been breached (please specify):
   RMIT Internal Obligations (eg Statute, Policy, Delegations)
   Legislative or Regulatory obligations
   Other

Nature and impact of the breach or alleged breach (including details of the effect on RMIT, staff and students) and
how the breach was identified:

Date the (alleged) breach occurred (if known):          Date you became aware of the breach:

Was it confirmed as an actual breach?   Yes / No        Significant Breach?   Yes / No

Who is potentially affected?

Potential consequences of breach:

If confirmed as an actual breach: What were the root causes?

If confirmed as an actual breach: Corrective action taken or proposed:

Date Corrective Action Completed:

Senior Manager, Compliance Notified?      Yes / No   Date:      Pro Vice-Chancellor Notified?              Yes / No   Date:
Vice-Chancellor or Media Unit Notified?   Yes / No   Date:      Privacy Officer Notification Required?    Yes / No   Date:

Contact Person in relation to the breach:               Phone No.:

Date:

Email or Internal mail – Senior Manager, Compliance, Internal Audit & Risk Management Group, Building 48.7.
Receipt of this breach notification will be acknowledged.




COMPLIANCE BREACH NOTIFICATION AND RECORDING PROCEDURE

This draft procedure is in development and it should not be relied upon in any way.


Instruction for completion of the Compliance Breach Response and Notification Form

Compliance Strategy and Plans
All staff are encouraged to read and use the RMIT Compliance Strategy, and relevant individual school/group compliance
plans (where implemented), as a guide when notifying the Senior Manager, Compliance of compliance breaches or issues.
The Strategy and Plans detail the handling of breaches and the notification requirements. The Strategy can be located on
the RMIT website at http://www.rmit.edu.au/internalaudit/complianceguidance.

What should be notified to the Senior Manager, Compliance?
All breaches of compliance obligations (except H&S), regardless of potential severity, should be notified to the Senior
Manager, Compliance, including:
    •   A failure to comply with an RMIT statute, policy, procedure or code;
    •   A failure to comply with a provision of an Act or Regulation; or
    •   A failure to comply with any other mandatory or voluntary code, agreement or standard.

Breaches relating to Health & Safety legislation should follow the Hazard and incident reporting, investigation and recording
procedure. Critical Incidents should follow the Critical incident management policy.

When should a breach be notified to the Senior Manager, Compliance?
A compliance breach should be notified to the Senior Manager, Compliance within 24 hours if significant, 14 days if it is not
significant.
All portfolios/schools/groups need to ensure that their internal compliance plans and management systems are sufficiently
robust to ensure that relevant staff are made aware of breaches in a timely and efficient manner.

What if the breach is a significant breach?
A significant breach is one with the potential to have a serious impact, including:
    •   An accident resulting in an injury leading to hospitalisation or death;
    •   A significant investigation by a regulator or statutory body;
    •   The potential for a fine, penalty or compensation payment of $50,000 or higher;
    •   A major impact on business continuity; or
    •   The potential to reach the media.
All significant breaches should be reported to the relevant Pro Vice-Chancellor and the Senior Manager, Compliance
as soon as it is identified that a significant breach has occurred or is likely to occur.

How should breaches be notified to the Senior Manager, Compliance?
All breaches should be notified in writing using the Breach response and notification form. Please refer to the
Compliance breach notification and recording procedure for full details of the breach notification process. The use of this
form will ensure relevant information is included.

What will the Senior Manager, Compliance do with this information?
The Senior Manager, Compliance will consider all breach notifications received and contact the relevant manager if further
information is required. The Senior Manager, Compliance will inform relevant other parts of the Internal Audit and Risk
Management Group (IARM) of the breach so that the root causes may be assessed for further required action and the
implementation of corrective action may be monitored.
The Senior Manager, Compliance will include relevant information in periodic compliance reports prepared for the VCE and
Council Internal Audit and Risk Management Committee.
Further Enquiries: Senior Manager, Compliance – Kathy Bramwell.
    Telephone: 9925 3551
    Email: Kathy.bramwell@rmit.edu.au
    Intranet: http://www.rmit.edu.au/internalaudit/complianceguidance
APPENDIX D – COMPLIANCE BREACH AND ISSUES REGISTER

Register columns:
    Nature and date of compliance breach, issue, complaint or potential breach (Date; Description of Breach)
    Is it a Significant Breach? (Yes/No)
    Has it been resolved? (Yes/No)
    Corrective Action Taken
    Date Resolved
    Notification provided to PVC? (Yes/No; Date)
    Notification to Senior Manager, Compliance? (Yes/No; Date)

This register has been reviewed as part of the annual compliance review process:

Responsible Manager/Officer: ___________________________________________________                    Annual Review Date: _____________________________
