FAQs and Useful Information
What does "compliance" mean at Western Sydney University and its controlled entities?
Compliance means meeting the requirements of all relevant laws (defined as "mandatory compliance requirements") and University codes of conduct, standards, and policies (defined as "voluntary compliance commitments") applicable to the University as a whole, and to individual schools and business units. Simply put – it's following the rules in the right spirit.
However, at Western Sydney, compliance runs deeper than just following the rules – it means reflecting the University's value of upholding high standards of ethics in line with its Code of Conduct, and its social responsibility commitment to the Greater Western Sydney community.
Who is responsible for compliance?
Compliance is everyone's individual and collective responsibility. All Western Sydney University employees, whether full-time, part-time, or casual (including student employees), are responsible for understanding and following the requirements as applicable to their jobs. Contractors engaged by the University also have the same responsibility.
There are designated "Compliance Representatives" and nominated "Compliance Contacts" who have accountability for complying with mandatory compliance requirements for or on behalf of the University, such as statutory reporting obligations to external bodies (e.g. Human Rights Commission). They are also responsible for translating the legislative requirements for which their area is responsible into training, policies and procedures, and for assuring compliance with laws for the University or their business or academic unit/s.
The Compliance Program Unit supports the University and its controlled entities by providing guidance and advice on any compliance-related questions.
Why is compliance so important?
Compliance bolsters the University and its controlled entities' commitment to integrity and ethics, which in turn supports its staff and students in their operations and wellbeing. Compliance relies on all members of the community to care.
Non-compliance can have adverse consequences for not just the University and controlled entities' business and operations but also its reputation. In particular, non-compliance with some laws can result in loss or suspension of licenses or permits, penalties, regulatory investigations, and, in severe cases, fines or imprisonment.
What does the Compliance Policy do?
The Compliance Policy establishes the overarching principles and commitment to action for the University and its controlled entities to achieve compliance in all of its activities and operations, and across all levels.
It sets the level of accountability, responsibility of management, and performance required, and the expectations to which actions are reported and assessed.
In particular, the Policy recognises the need to uphold high standards of integrity to ensure a safe environment for staff and students, which is in line with strategic objectives.
The Compliance Policy is not a stand-alone document, and is supported by other operational policies, operational manual, and processes of the University and its controlled entities.
Compliance Management Program
What is the intended purpose of the Compliance Management Program?
By providing guiding principles and practical tools, the Compliance Management Program intends to facilitate operational compliance and risk minimisation within business and academic units. It provides a formal, transparent, and uniform framework for the University and its controlled entities, as well as its employees, to better assure operational compliance across its campuses.
How does Western Sydney University and its controlled entities know if all areas are being compliant?
The Compliance Management Program contains mechanisms that assure compliance in all areas, including:
- Compliance Oversight – governance through policies, procedures, systems, training and monitoring.
- Compliance Directory – a centralised list of all relevant Commonwealth and NSW legislation applicable to the University, its units, and schools, and its controlled entities. It allows for 360 degree communication and monitoring, ensuring awareness and currency.
- Attestation Process – an annual attestation intended to certify compliance with relevant legislation and any actual or potential compliance issues in each unit, or school.
- Non-Compliance Incident Reporting – the University and its controlled entities' business and academic units, as well as students and members of the public, are able to report or self-report potential or actual non-fulfilment of statutory obligations that affect their own compliance requirements or those of another area in the University.
Is there a Procedure document and/or training materials on the Compliance Management Program?
The Compliance Operational Manual is a useful document explaining the intricacies of its processes. The Compliance Contacts and Compliance Representatives will find it the most useful. Specific training materials relating to the Program are available on MyCareer Online.
Isn't compliance something only my manager or the compliance unit should care about?
No. All business units and schools have a legal and ethical obligation to be compliant. We are all affected by legislation by varying degrees; as such we must all individually accept and manage our compliance obligations.
Your manager should support and guide you with any compliance questions you may have. The Compliance Program Unit also provides support to staff as it relates to operating within the Compliance Management Program.
There's a law I don't agree with, or never heard of before in my career. I don't have to comply with it, do I?
Compliance with laws is not optional for the University, its controlled entities, or its staff. Non-compliance can lead to adverse consequences for the University, the controlled entities, and the individuals involved, such as external fines and disciplinary measures. It can also affect reputation and public confidence.
Contact the Compliance Program Unit for guidance on any concerns.
Will I have to change how I do things in order to achieve compliance?
Probably not. As employees, people already operate within a compliance environment, and attend training, adhere to policies & procedures and report on their activities. In addition, many teams look for changes in the laws, prepare for adverse situations and actively manage emerging risks.
The Compliance Management Program provides a formal and uniform framework for the entire University and its controlled entities that more easily assures the operational compliance already occurring or that should be occurring.
The Compliance Policy outlines what is expected of a Western Sydney University employee, including its controlled entities, when it comes to compliance obligations.
Contact the Compliance Program Unit for guidance on any concerns.
How do I comply?
First, be aware of the requirements.
The Compliance Directory catalogues the Commonwealth and NSW legislation requirements relevant to the University and its units / schools, and its controlled entities. Certain legal aspects, such as contractual obligations, are not covered in the Compliance Directory and are managed separately by the schools / units. Staff need to be aware of these obligations that impact their units, processes, or activities.
Second, keep up to date.
High standards of accountability are expected and required from all levels of staff; each individual is responsible and accountable for his or her own awareness of, and compliance with, applicable laws. Training and information on particular laws (such as privacy), covering what staff need to do to ensure compliance, are provided to all employees.
The Compliance Management Program has an embedded legislative alert subscription that provides information on i) amendments, ii) repeals, and iii) subordinate legislation made under, and affecting, the laws listed on its Compliance Directory. Compliance Representatives and Compliance Contacts are subscribed to alerts affecting their assigned laws; however, any staff member may request to be alerted about particular laws by contacting the Compliance Program Unit. Instructions on how to use the alert service once subscribed are found in the “University-only documents” section (staff login required).
How do I use the Compliance Directory?
Anyone can view the Compliance Directory. It is sorted alphabetically by legislation name, lists the Level and Tier assigned, and summarises the purpose of the legislation and its relevance to the University. The Compliance Directory is a live resource, and is regularly monitored and updated. Managers should encourage all staff to access the directory to help drive compliance awareness and behaviour.
How often is the Compliance Directory updated?
The Compliance Program Unit regularly monitors changes to laws to update the Compliance Directory. A formal update is scheduled on at least an annual basis. Designated Compliance Representatives and nominated Compliance Contacts have access to the Directory’s laws for which their area has responsibility for operational compliance, and must continuously review their laws and update the Directory in a timely manner when necessary.
The Compliance Program Unit welcomes review and feedback on the Compliance Directory from the community.
What do the different “levels” of the Compliance Directory mean?
The Compliance Directory is categorised into 4 “levels” denoting i) the applicability of a law across the University, and ii) the operational compliance management:
- Level A (“All”): This is assigned to legislation that applies to all activities at the University, and all staff must comply with these laws. These laws are managed by one business or academic unit, or two units where policy/strategy and procedural demarcation exists. Example: Privacy Act, Anti-Discrimination Act.
- Level B (“Broad”): This is assigned to legislation that applies to broadly occurring activities across more than one business and/or academic unit. These laws may be managed jointly, where the management teams regularly consult one another on collective or shared obligations. Example: Education Services for Overseas Students Act.
- Level C (“Centralised”): This is assigned to legislation that applies to University-wide activities. These laws are managed centrally by one academic or business unit on behalf of the University. Example: Government Sector Audit Act.
- Level D (“Decentralised”): This is assigned to legislation that applies to discrete or specialised activities, or to functions not commonly occurring over more than 1 business or academic unit. It includes legislation where it is not necessary to consult on the obligations with another business or academic unit. These laws are managed separately across different business and/or academic units. Example: Health Practitioner Regulation National Law Act.
The Compliance Directory is categorised into 4 “tiers” denoting prioritisation of the Directory in regard to i) the inherent risk; and ii) the consequence / impact associated with non-compliance with a law:
- Tier 1: University-wide concern with Critical-High risk, where a breach could have a Catastrophic or Major impact on the operation of the entire University. Requires compliance to be centrally or jointly managed between 1 or 2 main operating areas. Anticipated to have an increased exposure and/or scrutiny from regulators and/or Federal Government. Includes Levels A, B, and C legislation.
- Tier 2: Concerning a limited number of operating areas/Schools with Critical-High risk, where a breach could have a Major or Moderate impact on the University, and/or certain operating areas/Schools. Anticipated to have a higher exposure and/or scrutiny from regulators. Includes Levels B, C, and D legislation.
- Tier 3: University-wide concern with High-Moderate risk, where a breach could have a Moderate or Minor impact on the operation of the entire University. Requires compliance to be centrally managed. Anticipated to have a regularity of scrutiny from regulators. Includes Level C legislation.
- Tier 4: Concerning a single or limited number of operating units/Schools with a Moderate-Low risk, where a breach could have a Minor impact on the operation of the areas/Schools. Compliance can be locally managed across separate areas. Local level concern, with lower risk to the University as a whole, but may be of higher risk to specific areas. Includes Level D legislation.
- Tier 5: Awareness of the Act exists though no active compliance monitoring is required nor is annual attestation undertaken. No tangible consequences of non-compliance. Includes Watchlist items.
Compliance Representatives and Compliance Contacts
I have been assigned as a Compliance Representative / Compliance Contact on the Compliance Directory. What does this mean?
Congratulations! Compliance Representatives and Compliance Contacts are important drivers of the Compliance Management Program.
Compliance Representatives are senior management members who are responsible for business or academic unit/s, and are assisted by Compliance Contacts who have subject matter expertise in to identify, implement, monitor. Compliance Representatives assure compliance with legislative obligations for the University or their business or academic unit/s.
The Compliance Management Program outlines specific responsibilities for these two roles.
I have been assigned as a Compliance Representative / Compliance Contact to a law on the Compliance Directory, but I know there is another area who is responsible for some of the obligations. Can you explain?
Some laws cover various aspects that may cross over into different operational areas within the University and its controlled entities, where each operational area is responsible for particular compliance obligations under the Act. Whether the law is also assigned to another area, or just one, depends on the “Level” assigned to the law (see above FAQ for level definitions). The Level indicates whether these obligations may be:
- shared / collective, requiring joint management with others to assure operational compliance (usually Level B legislation e.g. Education Services for Overseas Students Act);
- separate / distinct between multiple Representatives, not necessitating consultation with others to assure compliance (usually Level D legislation e.g. Health Practitioner Regulation National Law Act);
- principally consigned to one area that requires consultation, advice, and insight from others who have an adjunct portion of the obligations to assure operational compliance (usually Level A legislation e.g. Privacy Act); or
- consigned to one area that manages them centrally on behalf of the University to assure operational compliance (usually Level C legislation e.g. Public Finance and Audit Act).
I am a Compliance Representative / Compliance Contact, and I've heard I may have to complete attestation in the future when this element of the program is launched. What does this attestation intend to involve?
The annual compliance attestation is intended to be completed by Compliance Representatives and Compliance Contacts, which aims to simply provide reasonable assurance that there is no material non-compliance of the assigned laws in their operating areas that could adversely affect the University’s ability to comply with legislative requirements.
The attestation process for Compliance Contacts requires specific detail on key controls, recording and management of compliance incidences, and awareness of compliance requirements.
Who is my area's Compliance Contact or Compliance Representative?
Contact your manager or supervisor, a senior manager in your area, Executive Officer/School Manager, or the Compliance Program Unit.
Note: Not all units or schools, at this stage of the Program, have a designated Compliance Representative or nominated Compliance Contact depending on the mandatory compliance requirements that apply to the University for which it is solely accountable.
Reporting Non-Compliance Incidences
What is non-compliance?
Non-compliance incidents include potential and actual issues that do not fulfil mandatory compliance requirements or cause behaviours that do not conform to the compliance culture. Non-compliance can involve an individual's own actions/omissions or the actions/omissions of someone else at the University and its controlled entities.
Potential non-compliance incidents means any potential non-fulfilment of the mandatory compliance requirements i.e. the incident may happen but has not yet happened. Example: A unit doesn’t have any processes developed or implemented to maintain security for its records (particularly sensitive records) stored in and being moved between office areas of different campuses.
Actual non-compliance incidents means a breach of the mandatory compliance requirements i.e. the incident has happened. Example: A record containing personal information is accessed without the proper authorisation.
What if there is an incident of non-compliance?
Most instances of non-compliance tend to be unintentional oversights that can be quickly corrected.
The Compliance Management Program is designed to ensure all staff can readily access the support and advice to determine whether or not they are in compliance.
In all cases of non-compliance incidences (whether potential, or actual), a strategy to resolve the issue should be developed between the designated Compliance Representative/s, managers, and the Compliance Program Unit. In some cases, you may need to call on additional resources, such as the Offices of the General Counsel and Audit and Risk Assessment, to obtain specialist advice and guidance.
Why should I report non-compliance incidences?
Reporting compliance incidences plays an extremely important role in the University's Compliance Management Program at every step of the process.
First, reporting a compliance incident ensures adequate attention, accountability, and corrective action is taken before it becomes more serious. It also ensures transparency within the University and enables collective responsibility among the different teams.
Second, the University and its controlled entities may have a legal obligation to report a compliance incident to an external agency e.g. Independent Commission Against Corruption.
Third, it facilitates good and centralised record keeping. Compliance incidences can take time to resolve, and retention of information may assist the University, especially if other support services or resources need to be involved. The documentation also helps to demonstrate the actions and intentions to adequately manage the incident.
Fourth, it can help resolve similar compliance incidences for future staff, prevent duplication, and ensure efficiency. No compliance incident is too big or too small to report, and every report is important!
Lastly, it mitigates / reduces any future disputes or penalties as the University and its controlled entities will be able to demonstrate a genuine effort to rectify the incident in a timely manner.
How do I report non-compliance incidences?
Western Sydney University encourages questions and good faith reporting on compliance incidences through:
- Your supervisor or manager
- Compliance Representative or Compliance Contact
- Compliance Program Unit via the central web-based Non-Compliance Incident Reporting Register
Early identification and reporting can help to prevent a small problem from becoming bigger, facilitate prompt resolution, and perhaps even avert a disaster.
The opportunity for questions and reporting is a cornerstone of a successful compliance management program.
Is there a Non-Compliance Incident Reporting Register?
Yes. University staff and the university community (i.e. students and members of the public) can report non-compliance incidences online via the central Non-Compliance Incident Reporting Register. More information on the Register, what types of incidences should be reported, and the link to the Register are found on the Non-Compliance Incident Reporting page.
What does annual attestation intend to involve?
The annual compliance attestation is completed by Compliance Representatives and Compliance Contacts, which aims to simply provide reasonable assurance for a calendar year that there is no material non-compliance of the assigned laws in their operating areas that could adversely affect the University’s ability to comply with legislative requirements.
The attestation process for Compliance Contacts requires specific detail on key controls, recording and management of compliance incidences, and awareness of compliance requirements.