Industrial Manslaughter Laws Proposed for Victoria


As of May 2018, Industrial Manslaughter laws have been proposed in Victoria. Made as an election promise for the November state election, the proposal could see Victoria closely follow Queensland in implementing these new laws.

The proposed changes bring safety to the forefront for businesses as the stakes are raised. Employers whose negligence leads to a death would face up to 20 years in jail and be criminally charged with workplace manslaughter. Businesses could be fined up to $16 million.

Unlike the Queensland laws, the regulations proposed by Premier Andrews would apply to not only workers but will “cover a visiting supplier…a routine maintenance worker or three innocent people walking down a busy street”.

Mr Andrews says that the aim of the proposed laws is to change the way businesses view their safety responsibilities. It’s important that with these proposed changes, businesses assess themselves to determine whether they are adequately controlling the risks present. 

From our experience in safety, we have seen that those who take safety seriously are constantly looking to improve and stay up to date on their obligations. If you’re not 100% sure that you’re ready for the proposed manslaughter charges, you need to assess your business again.

Contact us for more information about how we can help you do a gap-analysis to identify your risk areas. 

Labour Hire Licensing - Victoria to Join QLD and SA

Two weeks ago, the Labour Hire Licensing Bill 2017 was passed by the Victorian State Parliament. Following South Australia and Queensland, Victoria will be the latest state to adopt the proposed scheme.

The Labour Hire Licensing Scheme was originally suggested as a way to regulate the labour hire industry following a series of exposés on exploited workforces. These included the likes of fruit pickers in the Goulburn Valley and other farming industries.

Most labour hire agencies would have started or completed their applications for licenses in SA and QLD and many will know to apply for Victoria when the time comes. However, non-agencies also need to be aware of these changes as substantial civil financial penalties will apply to both providers who operate without a license and hosts engaging them. These penalties can be up to $391,560 or may include 3 years imprisonment.

Queensland’s deadline for license applications has already passed: entities which had not submitted a license application before 15 June 2018 must cease operating in Queensland. South Australia has extended its deadline, so agencies there must successfully obtain a license before 1 February 2019. Information is yet to be released about how and when the latest regulations in Victoria will be implemented.

Hosts are able to check which labour hire agencies are licensed via a register on the government website.

If you would like assistance preparing for labour hire applications, or to find out more, contact us at info@certex.com.au.

Useful links:

https://economicdevelopment.vic.gov.au/inquiry-into-the-labour-hire-industry

https://ols.oir.qld.gov.au/licence-register/

https://www.sa.gov.au/topics/business-and-trade/licensing/labour-hire/labour-hire-licence

Immigration Laws- Are You ‘Up’ With the Changes?


The Migration Amendment (Reform of Employer Sanctions) Act 2013 has recently amended the law, introducing more stringent penalties for employers who are in violation of it.

This is why it is essential that all employers (particularly recruitment agency managers and consultants) are aware of these changes and comply with their lawful obligations under the Act.

From 01 June 2013, if you manage workers who hold a temporary residential visa (of any kind) in Australia, you are bound to adhere to this law, regardless of whether or not you are an approved immigration sponsor.

Previously, the Department of Immigration and Citizenship (DIAC) was required not only to identify an employer in breach of the Act's requirements, but also to establish the employer's 'guilt'. That is, DIAC needed to show that an employer allowed an employee/contractor to provide services (for the company or for others) while knowing, or being reckless as to, the worker's immigration status and working rights.

Only after successfully proving both factors could the Commonwealth charge this employer with an infringement notice.

Now, however, DIAC no longer has to prove this knowledge/negligence/fault element.

This means that, simply put, if you are in breach of visa conditions or work rights, the Commonwealth can now penalise you with infringement notices of anywhere between $15,300 and $76,500!

You might find it helpful to consider the following questions:

  • Can you evidence the immigration status of your entire workforce (Australian and non-Australian)?
  • Do you employ workers from overseas on any type of temporary visa?
  • Can you demonstrate every temporary visa holder in your workforce is working within their visa conditions?
  • Do you know what your lawful employer obligations are?
  • Do you have accurate internal policies, procedures and training in place to manage immigration compliance?
  • Do you know how the national workplace relations system works with temporary visa workers?
  • Do you know about migration worker engagement laws and employer sanctions?

If you can't answer these questions satisfactorily or if you have any concerns, then you should seek expert advice.

If you don't already have contact with a qualified migration adviser, you could visit the website of the Migration Institute of Australia (mia.org.au) for a list of registered migration agents.

How Much Documentation is the Right Amount?


This is always a challenging question for businesses seeking certification. How much documentation is the right amount to ensure your quality management system can reliably deliver a quality product or service?

Some say that a well run business can achieve quality and efficiency with only the mandatory processes documented. Others say they have seen this attempted but not done successfully. Others say "it all depends".

We know that too much documentation can slow the business down, restrict change and improvement, and can become a costly administrative burden.

Early on in the emergence of quality management, the extent of documentation was seen as evidence of a well considered and defined quality system. More documentation meant there had been more thought put into defining and detailing processes, and that meant greater control over quality processes in the business. There are many examples of quality manuals and supporting documents that seemed to go on endlessly. One example I have seen is where the internal audit process was documented, then the checklist of areas to be audited was documented - so far so good. But then there were procedures written on how the process should be reviewed in the audit, such as what to look for and what questions to ask, on what constituted a non-conformance, on how much detail needed to be written into the report, and a procedure for how the non-conformance should be addressed and when it would be considered closed out.

This sort of documentation ran to many pages. Probably the first and last time it was read was when it was drafted, so it wasn't much use to anyone anyway. The other problem was that it would be almost impossible to update - if (when) the underlying operational process changed then the checklist would change, the definition of a non-conformance against the new process would change, the amount of detail needed in the report might change... and so on and so on.

A documented management system in this much detail often became its own worst enemy. It would end up being so difficult to change anything that the business would not make any changes. That doesn't sit well with the ultimate quality objective of continuous improvement!

Most quality managers and auditors today agree that too much documentation does not support an effective quality management system. It is still open to interpretation on how much is appropriate. The minimum level of documentation is the mandatory documents, identified in the AS/NZS ISO 9001:2008 standard with the words "documented statement of", and "establish a documented procedure to". There are three mandatory statements - the quality policy and quality objectives (4.2.1) and the scope and process outline in the quality manual (4.2.1). There are six mandatory procedures - control of documents (4.2.3), control of records (4.2.4), internal audit (8.2.2), control of non-conforming product (8.3), corrective actions (8.5.2) and preventive action (8.5.3).

Section 4.2.1 also requires that processes be established to ensure the effective planning, operation and control of processes. But it doesn't say these processes need to be documented.

So you could have an effective quality management system with only the mandatory statements and mandatory procedures that are documented.

But that might make it a bit difficult to ensure the quality management system is effective, and is a system.

There are a number of factors which can influence the amount of documentation needed for an effective quality system. The first would be the type of processes. Processes which are complex, perhaps those which are newly designed or rely on new technology, or produced across multiple work sites or work groups, might all be more effective and better understood by staff if they were documented.

Products and services which are high risk - in their production, their environment, their delivery or their application - might all be delivered more reliably if the processes are documented.

If there is a high level of change in the business or the processes, or perhaps a high level of staff turnover, then procedures might be better documented.

On the other hand, if staff are highly trained, are experienced and competent then detailed documentation may not be so important.

One way I approach this question is to consider the major risks and the major differentiators in the process. I call this the "black hat" and the "white hat" (with thanks to Edward de Bono). The "Black hat" elements of a process are the high risk areas with major consequences. These are the areas that you cannot afford to not do properly. If these parts of the process are not followed properly perhaps someone gets hurt, or the product/service will fail, or the process will not comply with statutory requirements etc. These steps should be documented so everyone is clear on what should be done, when and how, and where necessary, proper records made.

The "white hat" elements of the process are the parts that differentiate your product/service from others, and make it recognisable and valued by your clients. You can't afford to not do this right, either, so document the steps so they are very clear.

Another approach I would take is to consider the best way to present the documentation. Procedures are often written in flowing text using sentences and numbered paragraphs. But there are other ways to define and document a procedure - you can use a flow chart (great for the "right brainers" amongst us), you can use a checklist on which you mark each step as it is completed. Workflow control systems can be used to the same effect. Some suggest you can use training materials (although usually these are drafted as background references and information rather than a statement of steps that must be followed).

In the end, you must be confident that the approach you select and the amount of detail you choose to document is appropriate and will assist in the effective planning, operation and control of processes. Very often this is a matter of trial and error. Don't be afraid to set it out as best you can, then refine, modify, simplify and improve as you and the business learn how best to make this work for you.

Update on the Transition to JAS-ANZ Accredited Third Party Certification

Have you sought third party QA certification yet? Do you have some quiet time? If you haven't already sought QA certification then this might be the time to do this. The rules on QA suppliers have not changed.

As you are aware, at the end of last year the Queensland government dismantled their second party quality assurance auditing and registration processes in favour of using third party auditing bodies. A JAS-ANZ accredited, third party Quality Assurance certificate is now the only QA certificate acceptable to Queensland governmental departments and agencies. Suppliers were given an extension of their second party certifications to 30th June 2013, after which time they need to gain third party certification to tender for selected processes where QA was a requirement.

Many businesses have been proactive and sought certification and registration with independent third party certifiers. Yet a larger number have held off pending a possible policy change at the end of June or at the beginning of July.

However, at this stage no policy change has occurred. The QA Policy signed in December 2012 is still being applied by departments, agencies and local government. The QA Handbook and links to the QA Policy can be found here.

What does this all mean for you? Well, if you have not yet achieved your certification, and you have some quiet time, now would be a very good time to schedule and arrange plans to become certified by a third party auditing body. The greatest benefit from certification can be achieved when you are not time-pressed to do so.

How can we help? Certex International has already been engaged by a number of Queensland Government suppliers that have chosen to obtain a JAS-ANZ accredited third party QA certification, and there are also a number of businesses scheduled for their initial audit. Firms that have gained certification were very pleased with the ease of the process and the friendly, professional auditing approach by our team of auditors.

Ask us about the process and find out for yourself. We are happy to provide a no obligation quote, as well as a one hour online training session to help you prepare.

Compliance Requirements- No Escape for Business Owners.


Rod: My head-to-head partner this month is Dianne Gibert, founder and Managing Director of Certex International, which recruitment organisations will know as the provider of the RCSA's Service Delivery Standard and ITCRA's iDiagnostic. Dianne, your organisation must be at the leading edge of how increased legislation and compliance is impacting recruitment organisations.

Dianne: Very much so, Rod. There is quite a significant shift in the level and impact of compliance requirements today compared with when I first started in this industry around ten years ago. Back then, recruitment agencies had little awareness about their legal obligations, and their practices and protocols did not place a great emphasis on complying with legislative demands. It was more about networking than procedures. This has certainly changed in recent times and generally I see very different behaviour across the recruitment culture today; the industry has clamped down on legal requirements across a range of different areas including safety, privacy, immigration, and superannuation, and recruitment agencies face much more severe penalties for non-compliance. The agencies themselves, therefore, have had to become more astute and thorough in reviewing their procedures for compliance, and auditors have had to be even more comprehensive when conducting their audits.

Rod: The consequence of all of these compliance requirements is that the barriers to entry to the recruitment industry have risen. There are two ways of looking at this change. The most immediate view is that it is a continuing source of frustration that every part of every business is subject to increasing red tape. And often the new compliance requirement is to satisfy minority interests and is a knee-jerk reaction to some recent event. It wears down owners and managers and stifles innovation because so much energy is devoted to these "internal" issues.

The other view is that, at a macro level, increasing barriers to entry is great for the long-term health and viability of the recruitment industry. Even without direct regulation the industry is becoming far more structured and highly regulated. Clients know it is a regulated environment and it will be harder for fly-by-night organisations to gain credibility when the economic conditions become positive, as they will do. Other industries have shown that increased barriers to entry have led to a more professional industry that can brand, promote and lobby effectively.

Dianne: Unfortunately one of the pressure points is on small businesses. Unless they have the business expertise and resources that they can dedicate to properly structuring and managing a business with the proper systems in place, it can be difficult for them. That is not to say that all small businesses suffer, though. Some I have seen perform remarkably well, and know exactly what needs to be done to remain sustainable.

Rod: What are the changes that are having the most impact on recruitment agencies?

Dianne: Recruitment agencies are now expected to thoroughly understand the impact of legal compliance and non-compliance in the face of increased risk and harsher penalties. Equally, they are required to demonstrate this compliance and good service both in tenders with new clients as well as in services to existing ones. Also, clients themselves are more savvy. Whereas in the past they often assumed or were ignorant as to whether an agency was adhering to legislative principles, these days they are more knowledgeable about industry requirements and appraise an agency's compliance with necessary procedures. Often, too, clients and agencies share responsibilities. For example, in the case of safety, the recruitment agency's responsibility of ensuring on-hire worker safety is extended to the host employer who manages these workers on site.

In another example, clients often ask for more information about the candidates than privacy permits, such as age and details of criminal records. This "sharing" process requires recruitment agents to be able to negotiate a delicate balance: they must work cooperatively and openly with their clients, but also carefully and firmly draw the line between accountability and information that the client needs to know and that which is unnecessary or prohibited on privacy grounds.

Rod: We all hear stories of the penalties associated with some areas of compliance. Are they really that onerous? Are they really structured to be "guilty until proven innocent"?

Dianne: If a client (or an auditing body) finds the recruitment agency in breach of these requirements, there is far more at stake than just the agency's reputation: they can be prevented from hiring further staff, can be fined upwards of $100 000, and even risk jail time. In areas like immigration and safety, ignorance about the law is inexcusable so it is imperative that an agency is well acquainted with any and all the changes to relevant legislative obligations. There are examples where agencies have been caught and penalised, but until now this is less common than one would expect. I think the change in the compliance climate is going to make a difference in future, though. It will no longer be acceptable to assume that no-one will find out because no-one really cares anyway. The risks and the consequences are much higher than they ever were.

Rod: Thankfully, there is help available. One of the biggest reasons why we can discern such an improvement in agency compliance is due to the laudable support that the RCSA and ITCRA provide for agencies. Globally, the industry associations (APSCo, REC, ASA etc) are taking a leading role in ensuring the industry keeps up in each region.

Dianne: They regularly host training programs and deliver information bulletins to improve an agency's skills and understanding about their duties in law - the most recent activity is around the change to immigration law, and more training is planned in relation to the Privacy amendments. There are "health checks" and certification programs which support agencies in meeting their obligations. This chain of regulation is a risk management strategy that limits the likelihood that a regulated agency will be found in breach of legislative requirements. Does all of this activity have an impact on the "saleability" of a business?

Rod: Absolutely. There is a dramatic change in how business quality is perceived. The corporate reputation of an organisation is more transparent than ever before. It is relatively easy to see if an organisation has kept its house in order over the preceding years of operation. A few years ago certification to the recruitment delivery standard or the achievement of an appropriate quality standard was all that was available. Today when an organisation is being reviewed there is so much more. There continues to be a need to "do the right thing" but there is also an absolute need to prove that you are doing the right thing. That is a major change - the procedural systems that need to be in place will impact your organisation's ability to survive external review.

Dianne: Completely agree with you here, Rod. I often say that you need appropriate procedures in place and the records to show that you do what you say you do. The procedures need to be documented; the records need to be accessible; and you need to check this regularly. It is not enough to say that you told your staff once during induction that this is what you expect of them; that is not sufficient to show compliance. Certainly begs the question whether, at the very least, good compliance processes increase the value of your business?

Rod: No, not today. It just becomes an area that you need to have in place to enable your business to gain a potential buyer's interest and then pass due diligence requirements. In the longer term, the multiples paid for recruitment organisations are likely to rise because of this increased barrier to entry. So what am I saying here: in the future, as the barriers to entry continue to rise, and legislative requirements become more onerous, fewer organisations will be able to abide by the necessary requirements to keep their business compliant with the law, and the cost of establishing a new business and investing to the required level of sophistication rises. On the other hand, agencies that diligently review and update their processes, ensuring that they tick all the right boxes with all the right people, become more and more valuable to potential buyers. The recruitment industry is at an interesting point in its evolution.

Dianne Gibert is the founder of Certex International Pty Ltd (previously Fathom Business Architects). Certex is an accredited certification body providing certification services in the RCSA SDS and other recruitment industry standards, as well as the well known 9001 Quality Management, 4801 Occupational Health and Safety and 14001 Environmental Management standards. If you have any questions about the RCSA Service Delivery Standard or certification standards relevant to the recruitment industry, please contact Dianne on (03) 9585 8241 or email info@certex.com.au.

Benefits of Certification- An Interview with Burdekin Shire Council.

In our last newsletter on 17 July 2013, we explained to you about the Queensland Government's dismantling of second party quality assurance, and their preference for certification by third party auditing bodies. Most organisations supplying the Queensland Government had been given until 30th June 2013 to obtain third party certification, and many already have, but there are also a number of businesses who have not yet arranged for certification. In this newsletter we highlight the benefits of taking this step.

The good news is that you would already have a quality assurance management system in place, so any changes are likely to be minimal. One of the changes you may need to make is to ensure your quality management system is working as well as you can make it. This might mean reviewing and updating procedures, updating training records, and checking that decisions have been properly authorised and documented. Without regular monitoring these things can sometimes take a back seat. The more formal and more regular audits that are conducted by a third party auditor will keep you focused and thereby will ensure you get the maximum benefit out of your quality management system.

One of the most significant benefits is that a third party certificate showing the JAS-ANZ symbol is recognised around Australia, and indeed around the world. It is reliable evidence that your management system meets the international standard. This is valued by many corporates and in particular by government bodies. The formalities of third party certification mean that there are more frequent on-site audits and more independent and impartial assessments of your organisation's status. But it also means more opportunities to succeed in tenders, as independent assurance is respected not just by Queensland authorities, but worldwide. You'll be meeting higher expectations and this results in real improvements to business - get a better system, and you get a better outcome.

This week we interviewed Mr. Karl Schatkowski, QA Officer/WHS Officer with Burdekin Shire Council. Burdekin Shire Council has been second party certified with the Queensland Government for many years, and earlier this year achieved third party certification to the AS/NZS ISO 9001:2008 Quality Management Standard. Karl explains their experience.

Q1. Why did you decide to take on third party certification in 9001?

Well, 9001 had been implemented by the Council for a number of years. But we strive to always promote quality assurance, and in order to keep our contracts with Main Roads, we needed to prove to them that we are capable of maintaining that standard even at the 3rd party level. This was also the case with our building department, and the tenders that they may apply for.

Q2. What changes did you need to implement to meet the 'tougher' requirements for a quality management system?

Actually, there were really only minor non conformances that we needed to change. The biggest challenge was that since we are such a large organisation, there were a few isolated areas (such as Workplace Health and Safety, Customer Service, Environmental Health) where some procedures had to be revised and updated, and transcended from draft mode to approved status.

Q3. How did you find this process - challenging, straightforward...?

I have been involved in several audits over the years, and I found Paul Neilson from Certex the best auditor I've ever dealt with. He is professional, knowledgeable, and made the entire process very wonderful and easy to deal with. He never crossed the line between auditor and consultant. But, as an organisation, what we appreciated the most was that he maintained communication with us not only during the time that he was here but also after the audit.

Q4. What benefits have you noticed since implementation?

That's a tough question because 9001 is not something new to us. But I think it really established us as a quality supplier, and gave us added procedural efficiency. Best of all, it ensured that we were able to continue our contract with organisations such as Main Roads.

The Pyramid Effect: Benefits of ISO Standards for SMEs*.


*Small and Medium Enterprises

Would you believe that the very first standards were developed in early 3150 BC? In the sweltering Saharan desert, the ancient Egyptians created a standard unit of length that they utilised to build the great Pyramids of Giza. And since then, use of standards has flourished until they have become almost enshrined in our everyday life, from our shoe sizes to our electrical products. Yet, though small and medium sized organisations make up more than 90% (yes, believe it) of the world's businesses, many SMEs still have not taken that extra step to becoming certified on an internationally recognised level.

Certification in an ISO standard can be the difference between pyramids and rubble: it eliminates wasteful expenditure of time and resources, establishes a strong framework for best practice across every business level, and increases business efficacy and internal productivity. It also adds a new level of credibility to your business which in turn can boost confidence and rapport with clients. The flow on effect of all of this is to help open up export markets for your products and services, initiate opportunities to participate in global supply chains, and cement your company in the international sphere, allowing you to have a level playing field with the big conglomerate businesses.

Earlier this year, ISO released a short video detailing more benefits of ISO standards for small businesses, and you can download a free PDF that illustrates 10 benefits of standardisation for small and medium enterprises as perceived by small and medium business enterprises from across the world. All of this information and more is available on a special page that ISO has dedicated to SMEs here.

Every small business starts out as a pile of bricks. And yes, competition is tough. But strategic use of standards can make a substantial difference to the growth of your company and can help you take your business to new heights.

ISO is an independent, non-governmental organization made up of members from the national standards bodies of 163 countries. Under our accreditation with the national standards body in Australia and New Zealand, JAS-ANZ, Certex offers certification in the main ISO standards including Quality, OHS and Environmental management.

Quality- Because You’re Worth It!


When we think about becoming accredited, most of us instinctively frown: "It'll be too much paperwork", "It'll take up too much time", "Is it even necessary?". Yet as we hurtle further and further into modern day marketing, being quality certified is fast becoming that 'clinching factor' in tender submissions with other organizations. Why? Because achieving independent recognition for your quality systems establishes your company's proficiency in the industry, and propels you into a different league completely. Indeed, many companies that we have worked with have grown and even doubled in size since becoming certified.

The fact remains that there are still many major issues that are affecting the quality of service by recruitment companies across Australia and New Zealand. At its most basic level, this can be something as fundamental as a consultant's record keeping practices, compliance (or lack thereof) with legislation, training and competency levels of your staff, or it could be a tendency to overlook planning or a failure to have clear objectives or strategies. Businesses that become certified in a quality standard such as the RCSA Service Delivery Standard or AS/NZS ISO 9001 Quality Management have systems in place to manage and control these and other issues. It can be hard work - there is no denying this - but the benefits can be well worth it.

APRG, an expanding recruitment business in Brisbane, recently took the plunge and embarked on an improvement program which ultimately resulted in certification in the RCSA Service Delivery Standard. This is their experience.

Certex: "Why did you decide to take on the RCSA Service Delivery Standard certification?"

APRG: "APRG's interest in seeking RCSA SDS certification was threefold:

  • We were seeking validation of our existing processes and wanted to understand what was considered best practice within the industry - at the end of the day we did not know what we did not know and were looking for the external view point.
  • We wanted a validated point of difference from the majority of our competitors.
  • Recognition within the industry for the quality of the product and services provided."

Certex: "What changes did you need to implement to meet requirements for a quality management system?"

APRG: "After working through the initial checklist provided as part of signing up to the process, we realised the major changes we needed to implement to meet the standard were to implement/introduce a 'Controlled Documentation' process to the business, and to formalise a structure to manage the existing policies, procedures and processes that we had in place. We also realised the management team had to adopt an improvement/innovation focus across all our processes within the business."

Certex: "How did you find this process - was it challenging or straightforward?"

APRG: "Whilst the days in the lead up to the initial onsite audit were quite frantic, the process that has been structured by Certex has made the process relatively straightforward to follow. The audit preparation checklist provided as part of signing up to the SDS certification gave a good indication of what to expect and, when followed up by the initial documentation review, gave us the opportunity to make improvements as we moved forward. In addition, our Operations Manager attended a 'Key Concepts in Service Delivery & Quality Management' workshop in the early stages of APRG undertaking preparation for certification. Working through the audits, it was clear that Certex were here to help improve our business and their approach made it well worthwhile. The timing was fantastic as we were transforming the business operating model and a strong quality framework was seen as an important enabler to its introduction."

Certex: "What benefits have you noticed since implementation?"

APRG: "There have been a number of benefits to APRG since we have undertaken the certification process. The key ones would be:
  • It has challenged APRG to focus on building better internal systems and standards to take the business forward.
  • By building better business systems APRG has a stronger platform for future growth and certainty around the deliverables of the business.
  • Whilst we had a strong compliance focus previously, having an external party validate our processes helped our staff understand why we had put the processes/procedures in place and their importance.
  • We believe it will also assist with tender submissions when we can advise what quality standards we have in place."

Even the best of us can benefit from an extra eye looking over our processes, an extra helping hand to identify those last, niggling issues that are inhibiting our growth. Certification brings with it a higher level of understanding about how your business operates and, most importantly, how you want it to operate.

Dianne Gibert is the founder of Certex International and Fathom Business Architects, which has been the certification manager for the RCSA Service Delivery Standard since 2004. Dianne has more than 20 years' experience as a management consultant specialising in quality management and performance improvement. Certex International is accredited through JAS-ANZ to provide certification services to the recruitment industry in ISO 9001 Quality Management Systems.

Privacy- Do You Know What the New Changes Are?


There are new amendments to the Privacy Act 1988 that will take effect in March 2014. Though that might seem like a long way away, it is absolutely essential that organisations begin preparing themselves and their business procedures for compliance now. This is especially important in light of the enhanced powers that the Information Officer will have to discipline organisations that do not adhere to the law. Rest assured that Certex, in conjunction with our sister company Service Excellence Consulting (SEC), will highlight the possible areas of breach, and the consequences of a breach, in more detail in our forthcoming newsletters.

So what's changed?

Well, according to the Office of the Australian Information Commissioner (OAIC), the Amendment Act includes a set of "new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses." These privacy principles will be known as APPs (Australian Privacy Principles) and they set out the standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. There are 13 APPs in total, including two new principles, and they are structured to capture the 'lifecycle' of personal information - from consideration and collection through to access and correction of personal information. Thus, they govern a range of areas including direct marketing and cross border disclosure.

Our lengthy involvement in the recruitment industry has shown us the reality: current practices in the majority of agencies will fall short of the new legislation - far short. Privacy is a delicate and multifaceted issue: it interplays with many pieces of legislation as well as with many different levels in a business. Most agencies think that they have a good understanding of privacy requirements, but the reality is that there are many gaps in understanding and implementation, and some of these are quite serious.

The Privacy Best Practice program is an initiative of ITCRA (Information Technology Contract & Recruitment Association) to assist Australian businesses to prepare for these changes. The program is a unique combination of a training workshop and a review of records, which will be conducted at your office, providing the opportunity for many of your staff to attend. The workshop will provide information on the changes in the Privacy Act amendments and their implications for recruitment agencies. The records review will identify areas in your business of real and potential risk of non-compliance against the new requirements. The findings are presented to you in a report so you can work through them and take action to correct the problems.

We are also arranging half day workshops in each capital city. Currently, they are proposed for: Melbourne - Wednesday 30th October 2013; Perth - Friday 22nd November 2013.

We understand your business - our consultants all have many years of experience, particularly in the recruitment industry, and are qualified auditors who have been trained in privacy by Andrew Wood, barrister on the Tasmanian Bar and expert in privacy and related employment matters.

It would not be wise to assume that there is nothing you need to do to prepare for the new legislation. The OAIC has made it clear they will be using their new powers to conduct privacy audits. The recruitment industry is one of a small number of industries which deals with significant amounts of personal information for individuals who are not employees. (There are a number of exemptions for employees under the Privacy Act.) Recently a large organisation was found to have breached national privacy requirements when it left a database of about 740,000 customer records, in some cases containing usernames, passwords, email addresses and more, exposed on the web. There was little the Commissioner could do except name and shame. However, under the new laws the Commissioner could apply to the Federal Court to levy fines of up to $220,000 against individuals and $1.7m against companies for "repeated and serious" privacy breaches (Source).

National and state legislation is constantly updating and it is simply assumed that you will be aware of, and compliant with, all of the changes as they come. Ignorance of the law is, as strange as it might sometimes seem, just not an excuse anymore. But why be ignorant at all? Send us an expression of your interest in these workshops and we will arrange a time to speak with you. Contact us to register interest and for more details.

Australia Against the Global Market- ISO 2012 Survey Stats Released.


ISO have released the results of their annual certification survey! "Wait, hold on," you tell me. "Who has released what about what?"

ISO (International Organisation for Standardisation) is the world's largest developer of international standards. They have published over 19,500 standards, all of which have been designed through global consensus and aid in improving the efficiency and customer satisfaction of international trade. Every year, they release a survey of ISO certifications for management systems like the QMS (ISO 9001) and the EMS (ISO 14001). It captures and categorises a range of interesting and useful information such as the number of certifications from countries across the world, the growth and recognition of each standard, the various industry sectors that have recognised and implemented these standards, and the leading countries in standards and certification worldwide. More importantly, the survey underscores the value of international standards in an evolving global economy - it identifies which standards have received the attention of the global market, how many lower cost labour markets are utilising standards to highlight their credentials, and how Australia is faring against our international competitors. This new survey, which has interpreted the data of certifications issued in 2012, is freely available to download from the ISO website here.

In short, the results reveal a "healthy growth across the board for all certifications to ISO management systems". ISO 9001 has remained stable (in fact slightly increasing since last year), which just reinforces how essential it is for businesses across the world and how many businesses are recognising this and using it to their advantage. The Quality Assurance certification was issued 1,101,272 times across 184 countries, and Australia carved out a solid 9185 of that astounding amount. Too much math? Well, simply put, ISO 9001 has displayed a growth of about 2% worldwide, and Australia contributed to that.

Our contribution was quite small though compared to market giants like China, Italy and (somewhat surprisingly) Spain, who took out the top three spots for total number of 9001 certifications issued. China and Italy also took out top spots (along with Japan) for environmental management, which had seen a more impressive growth of 9% in just one year. Environmental sustainability is not just a necessity - it's an inevitability. More and more organisations are recognising its relevance in the modern world, especially in Australia, where 2000 certifications were issued this year alone. Though Certex does not offer certification in ISO 50001 (Energy Management), we are still so impressed by its growth of 332% that a special mention is being given to a standard (and to companies!) that understands the importance of being energy efficient in the face of climate change.

"Okay.." you remark. "What does that have to do with my business?" Great question. What can it do for your business? The fact of the matter is that the time for collecting data for 2013 is fast closing, and even though there were over 2 million actively trading businesses in Australia last year, we've only had 70,385 certificates issued since 1993! If you haven't considered the benefits of certification on an international level, now's the perfect time to do so. Soon it will be time for reflection. It will be time to ask yourself a different question: What makes my organisation different from those international exemplars like China, Italy and Spain? And you'd want that answer to be "nothing".

Proposed Revision of ISO Standards


"Not again," I hear you groan. But rest assured, these revisions are set to not only be very beneficial for your organisation, but also to involve only minor alterations to your existing procedures.

Essentially, ISO 14001:2015 and ISO 9001:2015 (along with other standards such as ISO 2700) are predicted to 'align' with Annex SL's structure. Currently, in spite of these standards sharing relatively common requirements, they have different definitions for many of their common terms. This can lead to confusion and inconsistencies when implementing the standards. The proposed alignment will ensure that each standard has roughly the same structure and format as the others, utilises the same definitions for common phrases, and matches the others on core requirements.

It is also likely that there will be a few content changes to the ISO 14001:2015 standard as well, particularly with respect to the context of the organisation, leadership, environmental objectives, policy commitments, performance, and communication. For example, environmental objectives will likely include an expansion of a company's conservation procedures, such as the use of sustainable resources. Meanwhile, ISO 9001:2015 will likely conform to a more generic format so that it can better cater to a variety of different organisations. And, much like ISO 14001:2015, the main aims and objectives of the standard are stipulated to stay the same as the 2008 version.

There is also a suggestion that the international Occupational Health and Safety standards (OHSAS 18001 and ANSI) will be modified into a new ISO standard (note: the Australian version of this is AS/NZS 4801). This change would make much sense, given that the OHSAS standard is often implemented alongside ISO 9001.

Michael McLean, a member of Certex's advisory board, has been involved in the consultation process during these changes. We expect a public draft to be published at the end of this year, a finalised draft in mid 2014, and the amended standard itself to be released early 2015. So at this stage? Sit tight and rest easy - there is a generous transition period being awarded to those companies that have already implemented ISO 14001, and we will assist you with any further changes when we all know more about what needs to be done.

Immigration: It’s that-time-of-year.


It's about that time of year when you sit down and you make a checklist. You start by ticking off that you've completed your taxes (hopefully!) and that you've got all your finances in order. That you've organised superannuation for your employees, and that your insurances are up to date. You're aware of the changes to the privacy legislation? Yep. You're compliant with the (ever changing) Occupational Health and Safety standards? Yep. You've got your risk management policies in place? Yep. Yes, it's that time of year to feel pretty good about yourself. The busy end-of-financial-year has ended, the busy right-before-Christmas time is yet to begin, and things are going at a comfortable pace, right? Hopefully.

But just before you settle into your it's-my-reward coffee, ask yourself one more pertinent, often-overlooked question: Do you know whether every single one of your employees is legally entitled to work in Australia? You see, the problem with opening this question (and the reason why it's not opened often enough) is that it leads to half a dozen subsidiary questions:

  • Do you employ overseas workers or workers on a temporary visa?
  • Are you aware of your lawful employer obligations especially in relation to employer sanctions and engagement of migration workers?
  • Can you demonstrate that every temporary visa holder in your workforce is working within their visa conditions?
  • Do you understand how the National Workplace Relations system works in relation to these temporary visa workers?
  • Do you have accurate internal policies, procedures and training in place to manage and ensure immigration compliance with the Migration Institute of Australia?
  • Do you really know if you are in breach of Commonwealth immigration compliance law?

Sure, you might think that you are employing lawful workers, and you believe that they should be adhering to the law, but can you prove it? The fact is, nowadays, you no longer need to be an approved immigration sponsor to be in breach of Commonwealth migration compliance law. If, at any time, you have employed (or referred to another employer) any non-citizen who held a temporary visa, you must adhere to the new changes in the Migration Act. This applies to temporary visas of any kind, either non-sponsored (e.g. student, working holiday, bridging etc.) or sponsored (e.g. 457). Inspectors from the Department of Immigration and the Fair Work Ombudsman Office are visiting workplaces around Australia now. If they were to knock on your office door and find that you were employing workers who are not legally entitled to work in Australia (or who are working outside of the scope of their visa) they could issue you with a $15,000 on-the-spot fine (and that's before they consider imposing sanctions, penalties or even pressing criminal charges). Oh dear, time to put that coffee down next to that calendar-you-said-you'll-update.

So what are the changes to Migration law and regulation? Well, there have been recent amendments made by the Migration Amendment (Reform of Employer Sanctions) Act 2013 which introduce, as mentioned, more stringent penalties for employers who are in violation of this law. Previously, the Department of Immigration and Border Protection (DIBP), as it is now known (previously referred to as DIAC), was required to prove an employer's "guilt". That is, DIBP needed to show that an employer allowed an employee/contractor to provide services (for the company or for others) while knowing, or being reckless as to, the worker's immigration status and working rights. Now, however, DIBP no longer has to prove that you acted with knowledge, recklessness or even negligence in employing or referring workers who are in breach of their visa conditions. Today, the Commonwealth has the capacity to issue infringement notices that escalate up to $76,500 for companies in breach of this law, irrespective of what these companies knew or intended regarding their temporary visa worker(s).

Okay, okay, so what can you do? Well, you can't sit tight and hope for the best, because even your I-floss-every-day winning smile will not bowl the inspectors over if you're found to be in breach. The only safe and responsible approach is to have (or put in place) rigorous and dependable work processes and procedures and then follow these to check the legal status of all of your employees. This means keeping reliable records. This means training your HR staff and managers to know what to look out for. This means proof-reading and re-checking your dependable procedures to make sure that there aren't any gaps or mistakes. And how can you be confident of this?

Well, (here's where you pick up that pen-from-that-forgotten-conference and those sticky-notes-that-your-daughter-keeps-taking-for-"school") that's where Certex Immigration Compliance steps in. We are a trusted name in audit and human resources quality assurance, one of only a few wholly Australian owned and managed certification businesses, and we're accredited with JAS-ANZ, the government monitoring body, for quality, OHS and environmental management standards. We have engaged with key government immigration regulators, industry stakeholders and leading migration law advisers to develop two unique compliance assessment services. The first is Risk Assessment, which looks at personnel records to assess the status of foreign employees. The second is a full Certification Program, which assesses your policies, procedures and practices against a registered standard, as well as personnel records. It is important to note that these are third-party, independent audits, which means Certex auditors do not provide consulting or compliance advice or other migration advice.

But Certex Immigration Compliance auditors are qualified and experienced Registered Migration Agents who have been trained to work as lead auditors. They can (and will!) review your records against current legislation and against employer obligations, work permissions and visa conditions of foreign employees. They will assess the level of compliance and identify any gaps, areas of concern or risk, and any breaches. These findings are then recorded in an audit report. If the report highlights areas which need attention you can (and should!) take this report to your own Registered Migration Agent or immigration adviser, who can assist you in resolving the problems. Add immigration to your checklist and make sure your business complies. Don't let immigration be that-thing-you-wish-you-had-checked.

    Dianne Gibert - Bio

    Dianne Gibert is the founder of Certex International Pty Ltd. Certex is an accredited certification body with JAS-ANZ, providing certification services in 9001 Quality Management, 4801 OHS and 14001 Environmental Management. Certex also manages the RCSA Service Delivery Standard on behalf of the RCSA. Certex has been working with key industry stakeholders to develop the first immigration compliance program in Australia. If you have any questions about the Immigration Compliance Service or other certification standards relevant to the recruitment industry, please contact Dianne on (03) 9585 8241 or email info@certex.com.au. You can find more information on certex.com.au.

Privacy- A Case Study on AAPT Pty Ltd.


Sometimes even the 'big guns' - companies with many, many years of experience under their holsters - can fall foul of privacy regulations. They then stand as a testament to the importance of privacy compliance and the necessity of implementing adequate procedures and policies to satisfy the intricate legislative requirements of privacy law. Recently, the Office of the Australian Information Commissioner (OAIC) published an 'own motion' report on their website which informed readers that a prominent Australian telecommunications company had breached the Privacy Act. AAPT Ltd had been the victim of unauthorised access by a hacker group known as Anonymous. Although they were the victim, the company itself was found to be in the wrong: it had failed to meet its requirements under the National Privacy Principles (NPP), which obligated it to take reasonable steps to protect and secure customer information and to destroy or de-identify information that was no longer in use.

CASE STUDY: AAPT LTD

Earlier in the year, the Commissioner had received reports which indicated that AAPT's server had been compromised by a hacker group known as Anonymous, who had then exposed and published personal client data (including credit report information) on the internet. Though AAPT immediately took steps to ensure that no further information could be exploited, the fact that their records had been attacked at all made them vulnerable to a claim that they had not taken appropriate measures to protect this data in the first place. This obligation relating to the use and misuse of personal information is detailed in the National Privacy Principles, with which the majority of private sector organisations must comply. Specifically, NPP 4 (Data security) and NPP 2 (Use and disclosure) require organisations to:

  • take reasonable steps to protect personal information from unauthorised access/disclosure; and
  • take reasonable steps to destroy or permanently de-identify such information that is no longer in use.

Security of Personal Information

It was AAPT's responsibility to ensure that any and all applications that they utilised to manage personal information be regularly updated. However, the program that AAPT used had several newer versions available with security features that could have prevented this very attack. Indeed, the version used by AAPT was seven years old! Further, the contractual agreement between AAPT and their IT consultant (who managed the server) did not contain adequate measures to protect personal information, and it was not clear that AAPT was even aware of what personal information was being held on this server, let alone who was responsible for the use and update of applications that managed it. In consideration of these factors, the Commissioner came to the view that AAPT had breached this first obligation (NPP 4.1).

Destruction/ De-identification of Information

It was confirmed that not all of the compromised data had been in use by AAPT at the time of the hack. NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information when it is not in use. Though AAPT had policies that outlined their data retention scheme, the Commissioner was of the view that there was "low awareness of data retention requirements" amongst employees and these policies were, in any case, not being followed by the staff involved with the compromised data. Therefore, it was held that AAPT was in contravention of this requirement (NPP 4.2) as well.

Mr Timothy Pilgrim (our Information Commissioner) appreciated the speed with which AAPT Ltd responded to its breach, but nonetheless made both the media release and the own motion report publicly available on the OAIC website to serve as a message to other companies not to "needlessly" place themselves in "a position of risk" by holding onto old information that is no longer in use.

There are significant lessons in this case study for all of us. Most importantly, it is possible to inadvertently breach the law by not actively managing privacy policies and simply assuming that all staff are sufficiently informed about them. An equally important consequence of breaching the law is that your company will likely be publicly named on the OAIC website. Do not hesitate to contact Certex at any time to ensure that your policies can withstand the force of the law.

Privacy Sweep- How Did We Scrub Up?


The OAIC is moving onto the front foot in relation to privacy. The Commissioner has indicated he will not be lenient, and the results of a survey indicate there is room for improvement. As you will already be aware, the new Privacy amendments come into force in March. The amendments "raise the standard" in relation to managing personal information. Recruitment and other companies which deal with and store personal information should be reviewing their procedures.

Early last year, the OAIC (Office of the Australian Information Commissioner) conducted a 'Privacy Sweep' of around 50 common websites visited by Australians. This was in conjunction with a global check of over 2000 websites and apps observed for 'Privacy Practice Transparency' - that is, how effectively these websites increased public or business awareness of privacy rights and responsibilities, and complied with both current and upcoming privacy legislation. Although this Sweep was not an official investigation, it nonetheless aimed at identifying websites that might warrant further assessment in the future, after the privacy reforms in March come into force. Although participants only spent a few minutes per website, the results of this Sweep were still quite concerning: in Australia, a staggering 83% of privacy policies on websites were found to have at least one issue with readability, relevance, length, 'contacts for further information' or ability to be found.

Readability and Length

Nearly 50% of websites had readability issues - either the language employed was too complex, or the length of the policy was inexcusably long. The Information Commissioner explained that a policy must be capable of being presented in formats which assist people who use technologies like screen readers (often used by people who are visually impaired or illiterate, or who primarily speak a language other than English at home). In essence, people need to be able to "understand what they are signing up to".

Relevance

On a global and national scale, roughly one-third of policies had relevance-related issues. Too many policies used generalised, 'boilerplate' language that was unclear about whether the site complied with relevant legislation and, often, they offered no information about the collection, use and disclosure of personal information. Alarmingly, mobile apps fared far worse - a shocking 92% of apps raised privacy practice concerns, with up to 54% having no privacy policy at all! Those that did frequently provided simple links to the privacy policies for their website, instead of addressing just how the apps themselves would be collecting and using information.

Location and Contact-ability

21% of websites searched worldwide did not even contain a privacy policy, but reassuringly, only 2% of Australian websites and apps fell into that category. More importantly though, 15% of the Australian websites registered a concern with the findability of the privacy policy, and for a further 9% participants struggled to find further contact information.

The Information Commissioner, Timothy Pilgrim, entreated organisations to review and revise their privacy policies where needed to ensure they comply with the new requirements. He reiterated that in order to comply with Australian Privacy Principle 1 (APP 1), organisations must have a clear, up-to-date privacy policy that is open and transparent about their privacy practices. Indeed, in a speech that he made in Sydney on the 25th of November, Timothy Pilgrim warned that he will not be taking a "softly, softly" approach after implementation of these reforms. "I have been asked whether I will be taking a 'softly, softly' approach after implementation of the reforms. Well, I have never been known to be subtle so the answer to that question is probably 'no'". He did go on to say that he would always start by resolving matters through conciliation, but this in no way should be interpreted as a lenient approach to the enforcement of privacy laws.

Certex has been working with ITCRA (recruitment industry association) and Andrew Wood (barrister) to provide workshops and support services on the privacy changes. Call us for further information.

Privacy- It’s in the Jam, Not the Icing.


The Privacy Act was first enacted in Australia almost 25 years ago, in 1988. And, over that time, we've familiarised ourselves with the 10 National Privacy Principles and found ourselves cushy, comfortable ways to manage personal information. Recruitment agencies, for example, have recognised that a key feature of the privacy requirements is to inform the candidate that we will hold their personal information and what we'll do with it. So, we staple together a Privacy Collection Notice and ask the candidate to read the terms and conditions and give their consent. On their part, the candidates are eager to impress us: they scan the document, quickly grab the first working pen and sign the notice. Done. We've got their approval. Now we can record, store and use the information as we think fit. Right?

Well, not anymore. It used to be that the Privacy Collection Notice/Statement was the principal document - it generally overlaid every issue pertaining to privacy. So, over the past 20-something years, we began to rely on it as our go-to-guy for all things privacy related. As long as the Notice was appropriate, then what we did with the personal information didn't matter too much - we stopped monitoring too closely how the information was managed or who had access to it. After all, we had the candidate's consent.

This will all change when the new privacy amendments come into force in March next year. The new privacy requirements include 13 Australian Privacy Principles. Whilst the main thrust of the legislation is the same, there are some changes. There are two new principles, on cross border disclosure and direct marketing. The powers of the Commissioner of the Office of the Australian Information Commissioner to impose fines and conduct audits have been substantially increased. In addition, there is a major change to the underlying platform for privacy management. APP 1.2 refers to "practices, procedures and systems". This means that the one document which got you by before - the icing - is no longer sufficient. You will need to think about how you really manage privacy in your business, the policies and the procedures, and about how well your staff implement these.

We have been working with the recruitment industry for over a decade, and have come across many examples of poorly managed privacy situations. Here are some examples.

Example 1

The recruitment industry generally believes that it "owns" a candidate. In reality that ownership rests on tenuous grounds: it is the candidate who controls their information and who consents to the recruiter's temporary access to it, and that consent may be revoked at any time. Recruiters who do not fully comprehend the candidate's right of control may find themselves in breach of privacy law.

Example 2

In some parts of the industry there is a growing use of "web crawlers" that collect candidate information online and drop it into a recruitment database. These programs harvest resumes from Google search results, Outlook emails and more, and transfer the candidate details into a database. They build a time-efficient, comprehensive record of potential employees that is invaluable to many recruiters. Whilst this sounds like a great labour-saving device, it is not all good news. The problem returns to the fundamental tenet discussed earlier: even in this technological age, control over personal information rests with the candidate. This means you cannot collect and record information about a person without their permission.

Example 3

Sandra is a newly hired junior administrative assistant at a recruitment company for nurses and doctors. She is finding it a bit hard to settle into her new job and make friends with her colleagues, and performs a range of administrative tasks such as filing paperwork, photocopying documents and editing articles. Through many exchanges of hands (and of responsibility), she finds herself collecting and reading through the police checks of nurses hired by the company. Suddenly she jumps up and cries out "XYZ is a prostitute!" (Who knows, maybe that made XYZ a better nurse.) The workers beside her are amazed by the revelation and peer over the document themselves, and Sandra is pleased to be noticed. It is just idle gossip amongst co-workers, isn't it? In fact it is a gross breach of employee privacy. Every staff member must be properly informed and trained by the company to understand and respect the privacy of past, present and future co-workers; otherwise liability can extend to the managers of the company for not properly advising a junior. You might be saying "sure, a recruiter can breach laws that are intended to protect the candidate the recruiter may place. Seems straightforward enough." But breaches can permeate many more levels of a corporation.

Example 4

Let's consider offshore service providers. It is not uncommon for busy companies to outsource candidate management to offshore companies in India, Malaysia, the Philippines and elsewhere. These offshore organisations take care of basic administrative functions, such as creating newsletters and candidate databases for the companies back here, and they store those databases overseas. So what is the problem? The information being used and disclosed is now outside Australian control but still within Australian jurisdiction. Simply put, you are liable for any non-conformance by the service provider, regardless of whether you were aware of it. The same can apply to onshore service providers. It is easy to see how such breaches damage a company's reputation and, in turn, current or future business opportunities. What is often forgotten is that a breach of privacy is usually also a breach of law, and that has far more serious consequences. To put it another way: it is easy to smear icing over a burnt cake and hide the crust. Similarly, it is easy to cover up poor recruitment practice by installing a fast, computerised tool that glosses over your procedural flaws. But do you really want to risk someone eating the cake and finding out that you deceived them (and that the cake itself is awful)?

Example 5

There was once a prickly situation involving an applicant who consented to a medical clearance for a company's recruiter. The director of the medical board, despite personally knowing the applicant, did not pass the examination to another doctor but conducted the tests himself. When reporting the results orally to the recruiting company, the director also included allegations that the applicant had "abruptly" left his previous job. The recruitment manager noted this unsolicited information and subsequently dismissed the applicant, who in turn sued the company for misuse of his confidential information and for negligence. Although the applicant had insufficient evidence to establish his claim, the judge firmly chastised the medical director and refused to allow the recruiting company to recover its costs. The reality is that even if you are cleared of every allegation, there are still costs associated with court processes, some of which, like time and reputation, are simply irreplaceable. When it comes to privacy, it may seem that you have heard it all and have it all in hand. But it would not be wise to assume that privacy is sorted and that there is nothing you need to do to comply with the amendments. Privacy is a finely nuanced and multifaceted concept, and a fundamental human right that must be protected. It is not the icing you slap on top of the cake and hope for the best; it is the strawberry jam between all the layers that holds it together. It matters at every level, and takes many hours of preparation to get right. It is forgivable to be caught a little unawares today, before a breach has occurred, but stringent penalties await those who are complacent or careless in causing one. So sit back and ask yourself how well you understand all these issues, and seek help if you are unsure. 
Don't get caught out with a burned cake.

WorkSafe Targets WA Labour Hire Workplaces.

There have been a number of very serious injuries that have impacted workers employed under labour hire arrangements*. This has prompted WorkSafe in Western Australia to commence a new industry-wide inspection of the workplace health and safety status of workers as well as on the obligations of labour hire agents across all different regions of WA. Upon inspecting a WA workplace for any reason, the inspector will question the employer about whether any workers are being hosted under labour hire arrangements. Such arrangements include both contract/on-hire firms and any host firms. If the answer is yes, the inspectors will consider a broad range of issues via a checklist, including:

  • hazard identification, risk assessment and risk control;
  • reporting of injuries and investigation of injuries and reported hazards;
  • consultation with labour hire workers and with the labour hire agent;
  • personal protective clothing and equipment; and
  • providing a safe working environment for labour hire workers.
Inspectors will also specifically examine the training and supervision of on-hire workers.

Although the program is aimed at raising awareness of workplace health and safety (WHS) obligations, WA WorkSafe Commissioner Lex McCulloch has warned that "inspectors will take enforcement action if they find breaches of the laws". He asserts that the labour hire industry was informed in writing about the program, so "they should be aware of exactly what the inspectors will require". The program will run until the end of the financial year. It is possible that other states will monitor the outcomes of this exercise with a view to implementing their own inspections.

Responsibility for WHS for on-hire workers is shared between the recruitment agency and the host employer. There is a range of seminars, webinars and information on WHS available through the recruitment associations. If you have any questions about WHS and, in particular, its application to on-hire workers, contact either the RCSA or ITCRA, or contact us and we should be able to guide you to a reliable adviser.

*On-hire workers are typically outsourced blue-collar workers hired for short or long term positions.

The APPs Have Been Released.


The Office of the Australian Information Commissioner (OAIC) has now released its guidelines to the Australian Privacy Principles (APPs), which come into force later this week. Time is running out. Our extensive work in the recruitment sphere has shown us that recruitment is one of the few industries where privacy management is critical yet compliance across the industry has not been high. So, let's cut out the waffle and jump straight to what you need to know.

You cannot avoid the changes

The National Privacy Principles (or Information Privacy Principles, if you are a government agency) are being replaced for a reason: they did not meet customer, client and employee expectations, and they did not adequately protect personal information across many levels of business. So, fair warning: the new laws will compel your company to meet higher expectations and obligations of transparency. What are the changes? The two sets of principles that currently apply to Australian government agencies and to private businesses are being replaced by 13 Australian Privacy Principles (APPs) that "harmonise" the two regimes. A more "comprehensive credit reporting system" is also being introduced, as well as a "simplified and enhanced correction and complaints process". Most importantly, the amendments give the Australian Privacy Commissioner, Timothy Pilgrim, enhanced powers to enforce and remedy complaints, conduct investigations and address breaches of privacy.

The Commissioner has significant new powers

What powers does the Information Commissioner already have under his belt? Well, he can:

  1. Review any complaint made and make whatever inquiries of any party the Office considers necessary. The OAIC can also act as an impartial mediator and assist in conciliation.
  2. If the parties cannot reach agreement, review the material and make a formal determination against your company if he finds that your organisation did not act reasonably in the negotiation. The determination dictates what further action your company must take, and it is officially recorded.
  3. Conduct an investigation of his own motion into a company and its actions to determine whether it may be interfering with the privacy of an individual. The investigation becomes a report published on the OAIC website, which serves as a warning and a source of guidance for other businesses.
  4. Audit Australian government agencies and certain private sector and state government organisations to establish their adherence to good privacy practice and legislative requirements. These audits, too, are generally published on the OAIC website.

What new powers has he attained?

  1. In serious or repeated cases of privacy breach, apply to the court for civil penalties of up to $340,000 for individuals and up to $1.7 million for companies.
  2. Accept a legally enforceable undertaking from any private organisation or government agency.
  3. Whilst he has always been able to audit a private sector organisation by invitation, Mr Pilgrim jokes that "organisations have been too shy to extend such an invitation up to now." He goes on to say that "from 12 March [he'll] be able to invite [him]self in." That is, he will have the power to conduct "Performance Assessment" audits of his own free will, irrespective of any request or lack of request by an organisation, and regardless of whether the company has committed a serious breach or not.

No "softly, softly" approach

Over the next 12 months, the Office of the Australian Information Commissioner aims to help companies and businesses learn about these obligations (it has a vast array of resources on its website, for example). However, Mr Pilgrim has made it very clear that he will not be employing a "softly, softly" approach once the reforms are implemented. He has rejected a lenient approach for entities still designing processes and policies because, in his words, "The public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, [and therefore] these concepts are not new." He reinforced that "Organisations have had 15 months to prepare...so [he] will not shy away from taking action where it is appropriate or necessary to do so." The onus is therefore on you to be aware of the extent and nuances of your obligations. The law will not excuse anyone on the basis that they "did not know" the amendments would affect them.

What should you do?

How do you become aware of and compliant with these changes? Firstly, if you have not already thoroughly reviewed the materials on the OAIC website, do so now, and then review your current practices and procedures against the new obligations. But we understand: the information provided is copious, confusing and a bit overwhelming. So, contact us to learn more about our Privacy Best Practice program, held across Australia. The Privacy Best Practice program is an initiative of ITCRA, the Information Technology Contract & Recruitment Association. The program is a unique combination of a training workshop and a review of records.

Testimonials

"Thank you to ITCRA for leading [in] providing such valuable training to all staff at Viiew. This is a major challenge for the industry and we have appreciated your support." Troy Thorne (Chief Executive Officer at Viiew)

Amplify Your Security Measures- Gauze Bandages For the ‘Heartbleed’ Bug.


Recent warnings about cyber security around the "Heartbleed Bug" should alert companies that have not updated their data protection measures to comply with the Privacy Act. Even where a company is not directly liable for damage resulting from being hacked, there are still compliance issues around the steps it took to protect against cyber attacks.

What is all the fuss about?

What is the Heartbleed bug, and what consequences should I have anticipated? To protect your information in transit (when you log in to a website, for example), the website and your browser use an encryption library, most commonly OpenSSL, to "encrypt" the data so that it looks like jumbled nonsense to anyone other than the two ends of the connection. One computer also wants to make sure the other is still there, so it sends a small packet (a "heartbeat") and asks for it to be echoed back. The heartbeat message carries a payload together with a field stating how long that payload is. The bug was that OpenSSL trusted the stated length without checking it against how much data had actually arrived, so an attacker could send a tiny heartbeat claiming to be up to 64 kilobytes long and receive whatever happened to sit in the server's memory beyond it. That memory can hold usernames, passwords, session cookies and credit card numbers, but most dangerously it could contain the server's private key, which lets the attacker "decode" protected traffic and impersonate the site. Most of the work lies with the websites themselves: patch OpenSSL, then reissue certificates and revoke the old ones (and by now all of them should have done so). It is still a timely reminder that businesses and individuals need to keep passwords secure and change them regularly, but only once the affected site has patched: changing a password on a still-vulnerable site simply hands the attacker the new one.
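The mechanism described above, as an added illustration that is neither OpenSSL's code nor anything from the original article: a small C model of a heartbeat handler. The memory arena, the planted SECRET string and all function names are constructed for this demonstration. The vulnerable handler copies as many bytes as the message claims; the fixed handler refuses any message whose claimed length does not fit inside what actually arrived, which is the substance of the OpenSSL 1.0.1g fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The record layer tells the handler how many bytes actually arrived (rec_len). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for process memory: the received record is placed at the
 * start of the arena, and a fake secret sits a little way after it, where a real
 * server would have had other connections' data or key material. */
static unsigned char arena[4096];
static const char *SECRET = "session=abc123; -----BEGIN RSA PRIVATE KEY-----";

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, SECRET, strlen(SECRET));
}

/* Build a heartbeat request into the arena. declared_len is what the sender claims;
 * payload_len is what it really sends. A malicious client makes the two disagree. */
static size_t build_request(uint16_t declared_len, const unsigned char *payload, size_t payload_len) {
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, payload, payload_len);
    memset(arena + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;          /* bytes that actually arrived */
}

/* Vulnerable handler, modelled on the logic OpenSSL used before 1.0.1g: it trusts
 * the length field inside the message and never compares it with rec_len. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp) {
    (void)rec_len;                                /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);           /* reads past the record when payload is a lie */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the declared length must fit inside what was actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* too short to be valid: drop silently */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the missing check */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Naive substring search over a byte buffer. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a 4-byte payload that claims to be 1000 bytes long. Returns 1 if the
 * response leaked the planted secret, 0 if the request was rejected or echoed safely. */
static int attack_leaks_secret(int use_fix) {
    static unsigned char resp[65535 + 3 + HB_PADDING];
    unsigned char payload[4] = {'p', 'i', 'n', 'g'};
    arena_reset();
    size_t rec_len = build_request(1000, payload, sizeof payload);
    size_t n = use_fix ? heartbeat_fixed(arena, rec_len, resp)
                       : heartbeat_vulnerable(arena, rec_len, resp);
    return contains(resp, n, "PRIVATE KEY");
}

/* An honest request must still work after the fix: returns the response length. */
static size_t honest_roundtrip(void) {
    static unsigned char resp[65535 + 3 + HB_PADDING];
    unsigned char payload[4] = {'p', 'i', 'n', 'g'};
    arena_reset();
    size_t rec_len = build_request(4, payload, sizeof payload);
    size_t n = heartbeat_fixed(arena, rec_len, resp);
    if (n == 0 || memcmp(resp + 3, payload, sizeof payload) != 0) return 0;
    return n;                                     /* 3 + 4 + 16 = 23 */
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", attack_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", attack_leaks_secret(1));
    printf("honest request response length:  %zu\n", honest_roundtrip());
    return 0;
}
```

Compile with any C compiler and run: the vulnerable path returns the planted "PRIVATE KEY" text inside the echo, the fixed path drops the request, and an honest 4-byte heartbeat still gets its 23-byte echo. The point for a compliance reader is that the whole defect is one missing comparison between a length the peer supplied and a length the server actually knows; the "reasonable steps" under APP 11 are to apply the vendor patch promptly, reissue keys that may have been exposed, and keep a record of when you did both.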

What about privacy concerns?

In a media release around the time of the bug, the OAIC made clear that the Privacy Act will not treat you as having "disclosed" personal information under APP 6 where a third party has "intentionally exploited [your] security measures and gains unauthorised access to the information." However, you may still be liable under APP 11, which requires an organisation to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Simply put, if you did not take reasonable steps to protect against cyber attacks (for Heartbleed, patching OpenSSL promptly once the fix was published), you may be in breach of APP 11, and this can entail significant repercussions under the Privacy Act. Contact Certex for more information about these issues and how to comply with privacy law. To see a breakdown of the Information Commissioner's analysis of previous situations, see Telstra Breaches... It was released before the new APPs came into force, but still carries important information about how breaches occur and what kind of action is expected of you.