Compliance Policy

Section 1 - Purpose

(1) This Policy documents the University’s expectations, principles, and commitment to achieving its compliance obligations.

(2) This Policy outlines how the University monitors and manages Compliance obligations relating to its operations and activities. It also guides staff on their compliance responsibilities and expectations together with any professional obligations.

(3) It specifies the principles and procedures for compliance management to ensure that the University and its controlled entities meet the requirements of all applicable laws, regulations, codes, and University policies.

(4) The Policy establishes the overarching principles of the University’s compliance approach, specifically:

  1. identifying a clear compliance framework within the University;
  2. promoting a consistent and comprehensive approach to compliance within the University;
  3. developing and maintaining practices that facilitate and monitor compliance within the University;
  4. promoting and ensuring standards of good corporate governance, ethics, and continuous improvement of compliance functions; and
  5. embedding a culture of compliance and reporting across the University.

(5) This Policy forms part of the Macquarie University Compliance Management Framework and is based on the Australian Standard AS ISO 19600:2015 Compliance Management Systems.

Background

(6) Compliance impacts across the many functions, policies, disciplines, portfolios, faculties, operations, and activities of the University.

(7) The University’s reputation for integrity and professionalism is paramount, and a commitment to compliance requires that clear processes be in place for the University and its controlled entities to meet obligations and manage new and evolving issues as they arise.

(8) Some key compliance matters are subject to their own standalone policies which should be referred to in the first instance and as relevant to the circumstances. The following policies and webpages are particularly relevant in this regard:

  1. Acceptable Use of IT Resources Policy (and for guidance on managing IT risks, notifications and response requirements, refer to the Computer and Network Security Procedure and the Cyber Security Policy);
  2. Complaint Management webpage (including Student Complaints, Complaints from the Public, Staff Complaints, Concerning and Threatening Behaviours, Discrimination, or harassment);
  3. Disclosures of injuries, incidents and hazards made pursuant to the University’s Occupational Health and Safety Policy, refer to the Safety at Work webpage for further assistance on raising concerns;
  4. Privacy Policy – where an actual, potential, or suspected privacy breach has been identified, the Privacy Officer should be notified via privacyofficer@mq.edu.au;
  5. Macquarie University Code for the Responsible Conduct of Research and refer to the Reporting a breach or research misconduct webpage for further information; and
  6. Public Interest Disclosure Policy (including public interest disclosures and whistle blower policies for the controlled entities). The University encourages employees and the broader University Community to report details of any actual or potential breaches where there are concerns the breach may not have been adequately raised or addressed.

(9) Guidance on Foreign Relations requirements and obligations is managed through foreign.relations@mq.edu.au.

Scope

(10) This Policy applies to all University representatives.

Section 2 - Policy

(11) All University representatives must perform their duties with fairness, impartiality, integrity, and honesty, and adhere to University regulations, enterprise agreements, rules, standards, policies, and procedures. These include the Staff Code of Conduct and the Macquarie University Code for the Responsible Conduct of Research and a range of legislative and regulatory requirements.

(12) The University fulfils its compliance obligations through policy, governance, leadership, reporting, monitoring, staff training, and by embedding a culture of compliance awareness and quality assurance. Reporting and compliance controls are in place to demonstrate oversight and management of obligations.

(13) The University’s compliance culture encourages prompt and proactive disclosure of compliance concerns and breaches to managers/supervisors, or other relevant University officials (including Committee Chairs) for appropriate action.

(14) All University representatives must be aware of this Policy and the compliance obligations that apply to their area of work or activities and ensure that their actions comply with those responsibilities.

Part A - Roles and Responsibilities

University Council

(15) The University operates under the Macquarie University Act 1989. The University Council is the governing body of the University.

(16) The Reserved Powers of Council and Council Committees note, amongst a number of functions, Council's authority to approve and monitor systems of control and accountability for the University.

Vice-Chancellor, members of the Executive Group, Managers / Supervisors, and other University representatives including Committee Chairs

(17) The Vice-Chancellor, members of the Executive Group, managers / supervisors, and other University officials (e.g. Committee Chairs) play an important role in establishing and promoting appropriate operational oversight of compliance matters to aid and assist each area of the University in meeting their respective compliance obligations.

(18) The University’s compliance approach is integrated into its governance and reporting frameworks and the Macquarie University Risk Management Framework.

(19) Members of the Executive Group, and managers / supervisors are responsible for identifying impacts on their respective compliance obligations and controls which may occur because of internal or external changes including:

  1. proposed new or modified activities; or
  2. changes to organisational structure or systems.

(20) Upon implementation of any new or modified activity or structural or system change, members of the Executive Group and managers / supervisors are encouraged to consult with Group Risk and the Office of General Counsel (Compliance and Privacy Manager) to ensure that their internal controls enable their area to continue to meet relevant compliance obligations.

(21) Members of the Executive Group and managers / supervisors may be requested to review and oversee the following reports:

  1. reports on specific compliance obligations; and
  2. breach notifications and compliance remediation progress reports.

The Office of General Counsel

(22) The Office of General Counsel (Compliance and Privacy Manager) has oversight of the University’s Compliance Framework in liaison with the Chief Risk Officer and Internal Audit; including (where appropriate):

  1. reporting any material non-compliance to:
    1. the Audit and Risk Committee;
    2. Executive Group and managers / supervisors;
    3. Compliance Owners and Compliance Coordinators;
  2. ensuring compliance issues are identified at all levels, escalated as required, and addressed promptly and effectively;
  3. liaising with Internal and external audit, as appropriate;
  4. coordinating any required regulatory reporting in relation to breaches;
  5. promoting review, quality assurance, and continuous improvement of compliance functions, including review of this Policy, the Compliance Management Framework and the Annual Compliance Plan; and
  6. liaising with Governance and Compliance Services and the Policy Unit, to ensure that all new and amended policy documents support compliance obligations as appropriate.

University Representatives

(23) All University representatives play an important role in identifying and managing the University’s compliance obligations and they must:

  1. ensure that they are aware of their obligations under this Policy (as well as any local operating procedures and any legislative or professional obligations relevant to their work/role);
  2. conduct themselves in accordance with University enterprise agreements, rules, standards, policies, and procedures including the Staff Code of Conduct, and the Macquarie University Code for the Responsible Conduct of Research;
  3. undertake any mandatory compliance training and education, as appropriate; and
  4. identify, disclose, and manage any compliance concerns or breaches in a timely manner, in consultation with their manager / supervisor, or other relevant University representative (e.g. Committee Chair), as appropriate.

Part B - Compliance Management Tools

Compliance Register

(24) The University’s Compliance Register sets out the University’s legislative compliance obligations as they apply to the University’s operations.

(25) The Compliance Register identifies the Compliance Owner and Compliance Coordinator for each specific compliance obligation.

(26) The Compliance Register is maintained by the Office of General Counsel (Compliance and Privacy Manager). Entries are approved by the Compliance Owner (the relevant member of the Executive Group or the General Counsel) for all key compliance categories within the University, and the final Compliance Register is endorsed by the Audit and Risk Committee.

(27) Where appropriate, compliance obligations are also supported by relevant University rules, policies, and procedures available in the University’s policy repository Policy Central.

Supporting procedures, forms, attestations, templates, and training

(28) The content of any supporting procedures, forms, attestations, templates, or training will be developed by the relevant stakeholders as appropriate, to manage compliance obligations and any reporting requirements.

Part C - Compliance Accountability and Monitoring

Audit and Risk Committee

(29) The Audit and Risk Committee provides compliance oversight and review. As part of its terms of reference, it is required to:

  1. determine whether management has appropriately considered legal and compliance risks as part of the University's and controlled entities' risk assessment and management arrangements;
  2. review the effectiveness of the system for monitoring the University's and controlled entities' compliance with applicable laws and regulations, and associated government policies; and
  3. provide advice to the University Council regarding the issue of the University’s annual Certificate of Compliance, or equivalent reports.

Section 3 - Procedures

Responsibilities and Required Actions

Compliance Breach Procedure

(30) Where a compliance breach or concern arises, the University representative who identified the breach or concern must communicate as soon as reasonably possible to the appropriate manager/supervisor/compliance coordinator.

(31) Concern about a compliance breach can be communicated by phone, by email, or through the University’s incident reporting systems, such as the Risk and Safety Reporting Form, RiskMan, the IT HelpDesk, or elsewhere within the University, depending on the nature of the breach or concern.

(32) Campus emergencies can be reported to the Campus Emergency Centre on 9850 9999 (9999 on MQ internal phones) or directly to Emergency Services on 000.

(33) The manager / supervisor who receives the concern of a compliance breach must:

  1. gather sufficient information to determine the severity of the breach or concern;
  2. contact the relevant Compliance Coordinator or the person responsible for compliance in the relevant area to inform them of the breach or concern and seek advice, where required;
  3. conduct a review / investigation commensurate with the nature of the breach or concern. Guidance may be sought from the Office of General Counsel (Compliance and Privacy Manager); and
  4. develop a remediation plan - initiate steps to limit any immediate repeat or continuation of the breach or concern at that time, and in the future.

(34) When sufficient detail about the breach or concern is available, the manager / supervisor must consider whether a Compliance Breach Reporting Form should be submitted.

(35) The Compliance Breach Reporting Form must be submitted by the Manager / Supervisor / Compliance Coordinator when a breach is deemed material. That is, the breach:

  1. has a University-wide impact; or
  2. requires policy or procedure review or amendment; or
  3. could generate widespread media and reputational damage; or
  4. requires notification to an external authority / agency; or
  5. is subject to a financial penalty.

(36) A copy of the completed Compliance Breach Reporting Form will also be reported to the Compliance Owner.

(37) The Office of General Counsel can assist with further oversight and management in circumstances where a breach:

  1. requires notification to an external authority / agency; or
  2. is subject to a financial penalty.

(38) The Office of General Counsel will consider each material breach that is reported to it, maintain records of notified compliance breaches, and where appropriate provide details to the Audit and Risk Committee as part of the Compliance Exception Report.

(39) In circumstances where a University representative believes that a business unit response to a compliance breach or concern is inadequate, the matter must be referred to the Office of General Counsel (Compliance and Privacy Manager) for follow up.

Management and update of the Compliance Register

Compliance Owner

(40) The Compliance Owner is the member of the Executive Group or the General Counsel responsible for the compliance obligation as designated by the University’s Compliance Register and/or University policies and procedures.

(41) The Compliance Owner may nominate a Compliance Coordinator to manage specific compliance obligations. Any changes to the Compliance Coordinator role must be reported to the Office of General Counsel (Compliance and Privacy Manager), so that the Compliance Register can be updated accordingly.

(42) The Compliance Owner must maintain familiarity with the relevant compliance obligations and inform relevant University stakeholders of any new business impacts or updated legislative requirements that may require management or action.

Compliance Coordinator

(43) The Compliance Coordinator is a University representative with assigned responsibility for managing University compliance obligations as designated by the Compliance Owner. The details of Compliance Coordinators will be included on the Compliance Register.

(44) Compliance Coordinators are appointed based on their knowledge and expertise in the area relevant to the compliance obligation, and will oversee day-to-day compliance decisions with support from the Compliance Owner, and their manager / supervisor.

(45) The Compliance Coordinator must maintain familiarity with the relevant compliance obligations and inform relevant University stakeholders of any new business impacts or updated legislative requirements that may require management or action.

Section 4 - Guidelines

(46) Nil.

Section 5 - Definitions

(47) The following definitions apply for the purpose of this Policy:

  1. Compliance Breach means an act or omission (of varying consequences, depending on the nature of the breach and harm caused) whereby the University does not meet its compliance obligations.
  2. Compliance Management Framework means the University’s framework which establishes the responsibilities of management and University representatives in effectively managing the University’s compliance obligations.
  3. Compliance Obligation means a requirement specified by laws, regulations, codes or University policy and standards.
  4. Compliance Owner means the member of the Executive Group or General Counsel responsible for the compliance obligation as designated by the University’s Compliance Register and/or University policies and procedures.
  5. Compliance Coordinator means a University representative with assigned responsibility for managing University compliance obligations as designated by the Compliance Owner.
  6. Internal Audit is engaged by the University to provide independent assurance and oversight that the University is achieving its risk management and governance processes effectively.
  7. Professional obligations mean obligations, responsibilities or duties performed as a university representative, whether academic, research, or professional. These responsibilities include being aware of and acting within the laws, regulations, enterprise agreements, rules, standards, policies, and procedures that apply to their conduct at the University. It also includes power, authority, duty, or function that is conferred on the individual as a university representative.
  8. Remediation plans may be required in the management of a breach or concern, where certain action needs to be taken to contain and respond to a compliance breach. It might require the preparation of an apology and updating local procedures or a response that requires sophisticated IT management and coordination across the University. The plan might include the steps and actions that should be followed to manage the breach and improve future compliance.
  9. Quality assurance refers to the Quality Assurance Framework Policy.
  10. University means Macquarie University and its controlled entities.
  11. University representative means:
    1. staff of the University and its entities, including continuing, fixed-term, and casual staff members;
    2. consultants and contractors working for the University;
    3. members of the University governing bodies;
    4. persons holding honorary titles with the University;
    5. volunteers; and
    6. individuals conducting research under the auspices of Macquarie University (including HDR candidates) and bound by the Macquarie University Code for the Responsible Conduct of Research.