(1) The procedure details the requirements for identifying, assessing, remediating, reporting and recording breaches of compliance obligations under the compliance management program. (2) Authority for this document is established by the Compliance Policy. (3) This procedure applies to all staff including researchers, contractors and volunteers of the RMIT Group. (4) It does not apply to allegations of breaches of the Code of Conduct which are handled under separate policies. (5) RMIT policies and procedures governing a specific type of breach or critical incident response may take precedence over this procedure. However, the requirements for reporting and recording (section 4) apply to all types of breaches. (6) All RMIT staff who identify or suspect a breach must report it to their manager as soon as practicable. Evidence that may be valuable in determining the cause or allow for corrective action to be taken must not be compromised or destroyed. (7) Managers must report the identified or suspected breach to the compliance management contact or responsible owner. (8) If staff are unable to discuss a breach with their manager, they must report the breach directly to the relevant compliance management contact or the Associate Director, Policy, Compliance and Contract Management. (9) Staff who wish to make a confidential or anonymous disclosure about an identified or suspected compliance breach should make the disclosure directly to compliance@rmit.edu.au (unless there is a corruption or fraud concern then see clause (26). (10) Staff who are aware of a breach and fail to report it may be subject to disciplinary action in accordance with the Code of Conduct and relevant RMIT policies that may apply. (11) Where reasonable and practicable, immediate action must be taken to contain the breach. This may include stopping unauthorised practices, recovering any records, implementing safety measures etc. In certain cases, action may be required before the matter can be reported. (12) Where incidents or breaches relate to high risk regulatory activities the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters must be followed. (13) Significant or material breaches must be reported to Risk, Audit and Compliance by responsible owners as soon as practicable, with timelines for assessment of the breach to ensure that any independent investigation, as necessary or required, commences in a timely manner. (14) Compliance management contacts are responsible for assessment of compliance breaches. The compliance management contact will assess the nature, scale and impact of breaches with reference to risk management protocols and determine the appropriate course of action. Where there is a conflict of interest concern, the responsible owner may seek advice from the Associate Director, Policy, Compliance and Contract Management. (15) The assessment will identify root causes and determine whether the breach is an isolated or systemic issue. It will identify corrective or preventative actions to mitigate or eliminate the impact of the breach and likelihood of recurrence. (16) Breaches that may give rise to a risk of harm to individuals must be evaluated to determine likelihood and severity to inform corrective action and determine if an external agency needs to be notified. (17) Corrective or preventative action plans for breaches to privacy and personal data security must be endorsed by the Privacy Office and Office of the Chief Information Security Officer. (18) The implementation of corrective or preventative actions will be approved and monitored by the responsible owner. (19) Staff who may have access to confidential or personal information during breach management must comply with the Privacy Policy and the Information Governance Policy. (20) Suspected or actual breaches must be recorded. (21) Breaches relating to high risk regulatory activities will be recorded by the compliance management contact/s identified in the Escalation Guide: Regulatory, Legal, Conduct, Safety and Security Matters. (22) Material breaches relating to high risk regulatory activities must be reported to the relevant governance body – Academic Board, Audit and Risk Management Committee or Council. (23) The responsible owner in consultation with the Associate Director, Policy, Compliance and Contract Management must report compliance obligation breaches to the relevant government department or regulatory agency where the reporting of such breaches is mandatory. (24) The Executive Director, Governance, Legal and Strategic Operations must report on identified compliance obligation breaches, corrective action and status to the Audit and Risk Management Committee no less than twice per year in accordance within the approved schedule. (25) The Executive Director, Governance, Legal and Strategic Operations will retain a record of breaches and outcomes on the Compliance Obligation Breach Register. (26) Breaches caused by suspected or confirmed corruption must follow the Anti-Corruption and Fraud Prevention Policy and Whistleblower Procedure. (27) Refer to the following documents which are established in accordance with this procedure:Compliance Breach Management Procedure
Section 1 - Context
Section 2 - Authority
Section 3 - Scope
Section 4 - Details
Policy Governance
Identifying and Responding to Breaches of Compliance Obligations
Assessing and Remediating Breaches of Compliance Obligations
Recording and Reporting of Breaches of Compliance Obligations
Public Interest Disclosure
Section 5 - Resources
View Document
This is the current version of this document. You can provide feedback on this policy document by navigating to the Feedback tab.