Breach Management procedure

This is the current version of this document.

Section 1 - Preamble

(1) This Procedure was approved by the Vice-Chancellor on 1 April 2017.

Section 2 - Purpose

(2) This Procedure governs the University’s approach to the identification, containment, investigation, remediation, reporting and recording of a breach of all applicable laws, University statutes, regulations, policies and procedures.

(3) This Procedure provides clarity in relation to raising breach issues as early as possible to enable the University to remediate current breaches and proactively prevent future potential breaches.

Section 3 - Scope

(4) This Procedure applies to all staff and associates of the University.

(5) This Procedure does not apply to breaches of the University’s policies and procedures categorised as ‘Academic’ under the University’s Policy Framework. Breaches in this category are monitored through the Academic Board.

Section 4 - Policy

(6) Refer to the Risk and Compliance Management policy.

Section 5 - Procedure

(7) Any University policies and/or procedures dedicated to a particular type of breach may take precedence over this Procedure. However, the requirements for breach recording and reporting set out at clauses 23 to 27 are applicable to all types of breaches in order to maintain a central register of the University’s breaches.

Initial Containment and Notification

(8) All staff and associates who become aware of a breach will:

  1. coordinate immediate action in order to contain the breach
  2. ensure evidence that may be valuable for an investigation is not compromised
  3. notify the breach to their supervisor, head of organisational area, or in the case of a breach by a contractor, the relevant Contractor Officer.

(9) Upon notification of a breach, a supervisor, head of organisational area or Contractor Officer will report the breach to the Implementation or Responsible Officer for the relevant policy and/or procedure.

(10) If staff and associates are unable to discuss a breach with their supervisor, head of organisational area or Contractor Officer, they will report the breach to the Implementation or Responsible Officer for the relevant policy and/or procedure or alternatively contact the Risk and Compliance Unit directly.

(11) Staff and associates who wish to make a confidential or anonymous disclosure about a breach should make the disclosure directly to the University Solicitor's Office.

(12) Disclosures relating to the Risk and Compliance Unit will be reported to Internal Audit.

(13) All staff and associates who may access confidential and personal information in the course of breach management must comply with the requirements of the Privacy policy.

(14) Staff members who are aware of a breach and fail to report the breach may be subject to disciplinary action in accordance with the Staff Discipline policy.

Breach Assessment, Investigation and Remediation

(15) The relevant Implementation or Responsible Officer will evaluate the impact of a breach using the Deakin Risk Matrix Table and determine the appropriate course of action.

(16) The relevant Implementation or Responsible Officer will coordinate an appropriate investigation unless they have or are perceived to have a conflict of interest in accordance with the Conflict of Interest procedure.

(17) The relevant Implementation or Responsible Officer may consult the University Solicitor's Office to select the most appropriate investigative approach and ensure the statutory requirements for an investigation are met.

(18) The investigation will identify root causes and verify whether a breach was an isolated or systemic issue. It will also identify corrective and/or preventative actions to reduce the breach impact and likelihood of recurrence.

(19) If necessary, the Implementation or Responsible Officer may request that other subject matter experts within the University or an external party assist in the investigation.

(20) If an investigator has or is perceived to have a conflict of interest, the investigator will be excluded from the investigation.

(21) Any corrective and/or preventative actions required will be undertaken and monitored by the staff member(s) nominated as a result of the investigation.

(22) The operational risks for the organisational area should be reviewed in consideration of the breach.

Breach Recording and Reporting

(23) The following recording and reporting arrangements will be followed to enable continuous improvement in compliance management and monitoring.

(24) The relevant Implementation or Responsible Officer will report all breaches to the Risk and Compliance Unit on occurrence. An exemption may apply to an Implementation or Responsible Officer with prior written agreement between that Officer and the Risk and Compliance Unit.

(25) The Risk and Compliance Unit is responsible for the collation of records of breaches that occur within the University.

(26) The Risk and Compliance Unit will report all breaches with ‘Modest’ or ‘Substantial’ impact as defined in the Deakin Risk Matrix Table to the University Executive quarterly and to the Audit and Risk Committee at least annually.

(27) All breaches with ‘Major’ or ‘Catastrophic’ impact as defined in the Deakin Risk Matrix Table will be escalated by the Risk and Compliance Unit to the University Executive and Audit and Risk Committee as they occur.

Section 6 - Definitions

(28) For the purpose of this Procedure:

  1. Associates: Contractors, consultants, volunteers, visiting appointees and visitors to the University.
  2. Breach: A breach is an unintentional or deliberate act or omission, which leads to the University and/or staff member(s) failing to meet their compliance obligations.
  3. Contractor Officer: A staff member who is responsible for the administration of the engagement of contractors for an organisational area in accordance with the Contractors and Consultants procedure. Contractor Officers may be the senior financial or administrative officer within a School, Division or other organisational area.
  4. Implementation Officer: A practice leader and Manager, at HEW level 9 or above, who is assigned by the Responsible Officer to lead the development, implementation and review of the relevant policy or procedure.
  5. Responsible Officer: An Executive member or a Senior Manager who owns and is accountable for a particular policy or procedure that falls under an area of operation in his/her jurisdiction.
  6. Staff: A member of the academic or professional staff, executive or honorary staff member.