Compliance breach reporting procedure
Intent and objectives
The intent of this procedure is to:
- Provide a systematic process for the reporting, recording and investigation of compliance breaches or potential breaches to enable proactive prevention in the future;
- Encourage all staff members to be proactive and raise compliance issues that are of concern as soon as possible to prevent escalation;
- Enable the gathering of information to facilitate monitoring and reporting of compliance performance within the University; and
- Ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach and that repercussions of breaches themselves are determined on a case-by-case basis
Scope
University-wide.
Exclusions
Compliance failures of health and safety legislation, critical incidents, allegations of breaches of the RMIT Code of Conduct for Research or disclosures made under the Whistleblowers Protection Act, which are covered by separate procedures.
Compliance failures or potential failures identified as part of reviews; e.g. Internal or External Audit, AQTF or VRQA reviews, or organisational reviews.
Staff or students complaints procedures.
RMIT Ombuds Policy and supporting procedures.
Procedure steps and actions
It is essential that all parties involved in breach reporting, investigation and rectification act in good faith to obtain a satisfactory outcome. Good faith includes acting sincerely without malice and being truthful.
No blame should be attached to the reporting of accidental breaches or those identifying process errors.
It should be noted that staff committing deliberate or negligent breaches may be subject to RMIT disciplinary processes or regulatory/criminal actions (where applicable and/or appropriate).
|
Procedure (including Key Points) |
Responsibility |
Within 24 hours Timeline |
|---|---|---|
|
1. Initial identification and notification a. Notify your supervisor or appropriate line manager of the breach or potential breach. b. If the staff member feels unable to discuss the breach with their manager, they can contact the Senior Manager Compliance to discuss the issue. c. Breaches or potential breaches can be reported anonymously. d. Upon receiving notification of a breach or potential breach, the manager should notify the Senior Manager Compliance by telephone or email. |
Staff member who notices the breach or potential breach / failure Manager | |
|
2. Breach containment a. The manager should take immediate, common sense steps to limit or contain the breach. Depending on the nature of the breach, different actions may be required - e.g. stop the unauthorised practices; recover any records etc. b. Do not compromise the ability to investigate the breach. Do not destroy evidence that may be valuable in determining the cause or allow corrective action to be taken. c. If guidance is required on appropriate risk assessment and/or breach containment, contact the Senior Manager Compliance. |
Manager |
Immediately or as soon as is practicable |
|
3. Breach assessment and escalation a. Evaluate the risk level. b. High risk breaches: i. A high risk breach is one with the potential to have a serious impact on the University, including:
ii. High risk breaches must be elevated to the appropriate Pro-Vice Chancellor, Vice-President, Deputy Vice-Chancellor or equivalent for appropriate action. iii. If the breach is likely to receive adverse media attention, it should also be reported to the Vice-Chancellor. c. Breaches involving personal or identifying student or staff information should be reported to the RMIT Privacy Officer. d. If a breach constitutes a critical incident or severe crisis, the Critical incident management policy should be followed. e. Determine the necessity for an investigation and the appropriate avenue for investigation: i.e. either by the local Manager; by the PVC (or equivalent) or the Senior Manager Compliance. |
Manager or Senior Manager compliance |
Immediately or as soon as is practicable |
|
4. Investigation a. If necessary, an investigation should be undertaken. The level of investigative effort should reflect the seriousness of the breach. b. Investigations should: i. Determine the root causes; ii. Identify whether it was a systemic breach, an isolated incident or a deliberate act; iii. Identify and gain agreement of appropriate actions to prevent the breach recurring or escalating to a more serious level; iv. Apply the principles of natural justice; and v. Be completed in a timely manner. c. The investigation outcome should be reported to the appropriate manager or PVC (or equivalent), and to the Senior Manager Compliance. d. Where breaches involve criminal activity, this should be referred to appropriate law enforcement agencies or authorities for investigation. |
Designated investigator: Manager; Pro-Vice Chancellor or equivalent; Vice-Chancellor; or Senior Manager Compliance as appropriate |
Commence investigation immediately the breach has been assessed and contained |
|
5. Implementation of corrective action a. Recommended corrective and/or preventative actions will identify appropriate persons responsible for implementation and target completion timelines. b. Where systemic issues are identified, an improvement plan should be developed to address policy and/or process improvement. c. Monitoring by the appropriate manager should be undertaken to ensure corrective actions are completed. d. Monitoring of corrective action effectiveness will be undertaken by the Senior Manager, Compliance as part of regular compliance reviews. |
Investigator / Staff identified as responsible for corrective action implementation |
As recommended or agreed |
|
6. Breach recording / register a. A central register of compliance breaches or potential breaches will be maintained. b. The register will include a full record of all reported breaches / potential breaches, investigations, corrective actions undertaken, and including breaches referred for external resolution. |
Senior Manager, Compliance |
Continuously |
|
7. Unacceptable outcomes a. If a staff member is not satisfied with the investigation outcome or recommended actions, they may lodge a complaint with the RMIT Ombuds. b. The role of the RMIT Ombuds is detailed in the RMIT Ombuds Policy. |
Staff member |