Immigration Laws- Are You ‘Up’ With the Changes?


Recent amendments made by the Migration Amendment (Reform of Employer Sanctions) Act 2013 introduce more stringent penalties for employers who are in violation of this law.

This is why it is essential that all employers (particularly recruitment agency managers and consultants) are aware of these changes and comply with their lawful obligations under the Act.

From 01 June 2013, if you manage workers who hold a temporary residential visa (of any kind) in Australia, you are bound to adhere to this law, regardless of whether or not you are an approved immigration sponsor.

Previously, the Department of Immigration and Citizenship (DIAC) was required not only to identify an employer in breach of the Act's requirements, but also to establish the employer's 'guilt'. That is, DIAC needed to show that an employer allowed an employee/contractor to provide services (for the company or for others) while knowing, or being reckless as to, the worker's immigration status and working rights.

Only after successfully proving both elements could the Commonwealth issue this employer with an infringement notice.

Now, however, DIAC no longer has to prove this knowledge/negligence/fault element.

This means that, simply by being in breach of visa conditions or work rights, you can now be penalised by the Commonwealth with infringement notices of anywhere between $15,300 and $76,500!

You might find it helpful to consider the following questions:

  • Can you evidence the immigration status of your entire workforce (Australian and non-Australian)?
  • Do you employ workers from overseas on any type of temporary visa?
  • Can you demonstrate every temporary visa holder in your workforce is working within their visa conditions?
  • Do you know what your lawful employer obligations are?
  • Do you have accurate internal policies, procedures and training in place to manage immigration compliance?
  • Do you know how the national workplace relations system works with temporary visa workers?
  • Do you know about migration worker engagement laws and employer sanctions?

If you can't answer these questions satisfactorily, or if you have any concerns, then you should seek expert advice.

If you don't already have contact with a qualified migration adviser, you could visit the website of the Migration Institute of Australia for a list of registered migration agents.

How Much Documentation is the Right Amount?


This is always a challenging question for businesses seeking certification. How much documentation is the right amount to ensure your quality management system can reliably deliver a quality product or service?

Some say that a well run business can achieve quality and efficiency with only the mandatory processes documented. Others say they have seen this attempted but not done successfully. Others say "it all depends".

We know that too much documentation can slow the business down, restrict change and improvement, and can become a costly administrative burden.

Early on in the emergence of quality management, the extent of documentation was seen as evidence of a well considered and defined quality system. More documentation meant there had been more thought put into defining and detailing processes, and that meant greater control over quality processes in the business. There are many examples of quality manuals and supporting documents that seemed to go on endlessly. One example I have seen is where the internal audit process was documented, then the checklist of areas to be audited was documented - so far so good. But then there were procedures written on how the process should be reviewed in the audit, such as what to look for and what questions to ask, on what constituted a non-conformance, and on how much detail needed to be written into the report, and a procedure for how the non-conformance should be addressed and when it would be considered closed out.

This sort of documentation ran to many pages. Probably the first and last time it was read was when it was drafted, so it wasn't much use to anyone anyway. The other problem was that it would be almost impossible to update - if (when) the underlying operational process changed then the checklist would change, the definition of a non-conformance against the new process would change, the amount of detail needed in the report might change... and so on and so on.

A documented management system in this much detail often became its own worst enemy. It would end up being so difficult to change anything that the business would not make any changes. That doesn't sit well with the ultimate quality objective of continuous improvement!

Most quality managers and auditors today agree that too much documentation does not support an effective quality management system. How much is appropriate, however, is still open to interpretation. The minimum level of documentation is the mandatory documents, identified in the AS/NZS ISO 9001:2008 standard with the words "documented statement of" and "establish a documented procedure to". There are three mandatory statements - the quality policy and quality objectives (4.2.1) and the scope and process outline in the quality manual (4.2.1). There are six mandatory procedures - control of documents (4.2.3), control of records (4.2.4), internal audit (8.2.2), control of non-conforming product (8.3), corrective action (8.5.2) and preventive action (8.5.3).

Section 4.2.1 also requires that processes be established to ensure the effective planning, operation and control of processes. But it doesn't say these processes need to be documented.

So you could have an effective quality management system with only the mandatory statements and mandatory procedures that are documented.

But that might make it a bit difficult to ensure the quality management system is effective, and is a system.

There are a number of factors which can influence the amount of documentation needed for an effective quality system. The first would be the type of processes. Processes which are complex, perhaps those which are newly designed or rely on new technology, or which are performed across multiple work sites or work groups, might all be more effective and better understood by staff if they were documented.

Products and services which are high risk - in their production, environment, delivery or application - might all be more reliably adhered to if the processes are documented.

If there is a high level of change in the business or the processes, or perhaps a high level of staff turnover, then procedures might be better documented.

On the other hand, if staff are highly trained, are experienced and competent then detailed documentation may not be so important.

One way I approach this question is to consider the major risks and the major differentiators in the process. I call this the "black hat" and the "white hat" (with thanks to Edward de Bono). The "black hat" elements of a process are the high risk areas with major consequences. These are the areas that you cannot afford to not do properly. If these parts of the process are not followed properly, perhaps someone gets hurt, or the product/service will fail, or the process will not comply with statutory requirements, etc. These steps should be documented so everyone is clear on what should be done, when and how, and, where necessary, proper records made.

The "white hat" elements of the process are the parts that differentiate your product/service from others, and make it recognisable and valued by your clients. You can't afford to not do this right, either, so document the steps so they are very clear.

Another approach I would take is to consider the best way to present the documentation. Procedures are often written in flowing text using sentences and numbered paragraphs. But there are other ways to define and document a procedure - you can use a flow chart (great for the "right brainers" amongst us), you can use a checklist on which you mark each step as it is completed. Workflow control systems can be used to the same effect. Some suggest you can use training materials (although usually these are drafted as background references and information rather than a statement of steps that must be followed).

In the end, you must be confident that the approach you select and the amount of detail you choose to document is appropriate and will assist in the effective planning, operation and control of processes. Very often this is a matter of trial and error. Don't be afraid to set it out as best you can, then refine, modify, simplify and improve as you and the business learn how best to make this work for you.

Update on the Transition to JAS-ANZ Accredited Third Party Certification

  • Have you sought third party QA certification yet?
  • Do you have some quiet time?

If you haven't already sought QA certification then this might be the time to do this. The rules on QA suppliers have not changed.

As you are aware, at the end of last year the Queensland government dismantled their second party quality assurance auditing and registration processes in favour of using third party auditing bodies. A JAS-ANZ accredited, third party Quality Assurance certificate is now the only QA certificate acceptable to Queensland governmental departments and agencies. Suppliers were given an extension of their second party certifications to 30th June 2013, after which time they need to gain third party certification to tender for selected processes where QA was a requirement.

Many businesses have been proactive and sought certification and registration with independent third party certifiers. Yet a larger number have held off pending a possible policy change at the end of June or at the beginning of July.

However, at this stage no policy change has occurred. The QA Policy signed in December 2012 is still being applied by departments, agencies and local government. The QA Handbook and links to the QA Policy can be found here.

What does this all mean for you? Well, if you have not yet achieved your certification, and you have some quiet time, now would be a very good time to schedule and arrange plans to become certified by a third party auditing body. The greatest benefit from certification can be achieved when you are not time-pressed to do so.

How can we help? Certex International has already been engaged by a number of Queensland Government suppliers that have chosen to obtain a JAS-ANZ accredited third party QA certification, and there are also a number of businesses scheduled for their initial audit. Firms that have gained certification were very pleased with the ease of the process and the friendly, professional auditing approach by our team of auditors.

Ask us about the process and find out for yourself. We are happy to provide a no obligation quote, as well as a one hour online training session to help you prepare.

Compliance Requirements- No Escape for Business Owners.


Rod: My head-to-head partner this month is Dianne Gibert, founder and Managing Director of Certex International, which recruitment organisations will know as the provider of the RCSA's Service Delivery Standard and ITCRA's iDiagnostic. Dianne, your organisation must be at the leading edge of how increased legislation and compliance is impacting recruitment organisations.

Dianne: Very much so, Rod. There is quite a significant shift in the level and impact of compliance requirements today compared with when I first started in this industry around ten years ago. Back then, recruitment agencies had little awareness about their legal obligations, and their practices and protocols did not place a great emphasis on complying with legislative demands. It was more about networking than procedures. This has certainly changed in recent times and generally I see very different behaviour across the recruitment culture today; the industry has clamped down on legal requirements across a range of different areas including safety, privacy, immigration, and superannuation, and recruitment agencies face much more severe penalties for non-compliance. The agencies themselves, therefore, have had to become more astute and thorough in reviewing their procedures for compliance, and auditors have had to be even more comprehensive when conducting their audits.

Rod: The consequence of all of these compliance requirements is that the barriers to entry to the recruitment industry have risen. There are two ways of looking at this change. The most immediate view is that it is a continuing source of frustration that every part of every business is subject to increasing red tape. And often the new compliance requirement is to satisfy minority interests and is a knee-jerk reaction to some recent event. It wears down owners and managers and stifles innovation because so much energy is devoted to these "internal" issues.

The other view is that, at a macro level, increasing barriers to entry is great for the long-term health and viability of the recruitment industry. Even without direct regulation the industry is becoming far more structured and highly regulated. Clients know it is a regulated environment and it will be harder for fly-by-night organisations to gain credibility when the economic conditions become positive, as they will do. Other industries have shown that increased barriers to entry have led to a more professional industry that can brand, promote and lobby effectively.

Dianne: Unfortunately one of the pressure points is on small businesses. Unless they have the business expertise and resources that they can dedicate to properly structuring and managing a business with the proper systems in place, it can be difficult for them. That is not to say that all small businesses suffer, though. Some I have seen perform remarkably well, and know exactly what needs to be done to remain sustainable.

Rod: What are the changes that are having the most impact on recruitment agencies?

Dianne: Recruitment agencies are now expected to thoroughly understand the impact of legal compliance and non-compliance in the face of increased risk and harsher penalties. Equally, they are required to demonstrate this compliance and good service both in tenders with new clients as well as in services to existing ones. Also, clients themselves are more savvy. Whereas in the past they often assumed or were ignorant as to whether an agency was adhering to legislative principles, these days they are more knowledgeable about industry requirements and appraise an agency's compliance with necessary procedures. Often, too, clients and agencies share responsibilities. For example, in the case of safety, the recruitment agency's responsibility of ensuring on-hire worker safety is extended to the host employer who manages these workers on site.

In another example, clients often ask for more information about the candidates than privacy permits, such as age and details of criminal records. This "sharing" process requires recruitment agents to be able to negotiate a delicate balance: they must work cooperatively and openly with their clients, but also carefully and firmly draw the line between accountability and information that the client needs to know and that which is unnecessary or prohibited on privacy grounds.

Rod: We all hear stories of the penalties associated with some areas of compliance. Are they really that onerous? Are they really structured to be "guilty until proven innocent"?

Dianne: If a client (or an auditing body) finds the recruitment agency in breach of these requirements, there is far more at stake than just the agency's reputation: they can be prevented from hiring further staff, can be fined upwards of $100 000, and even risk jail time. In areas like immigration and safety, ignorance about the law is inexcusable, so it is imperative that an agency is well acquainted with any and all the changes to relevant legislative obligations. There are examples where agencies have been caught and penalised, but until now this is less common than one would expect. I think the change in the compliance climate is going to make a difference in future, though. It will no longer be acceptable to assume that no-one will find out because no-one really cares anyway. The risks and the consequences are much higher than they ever were.

Rod: Thankfully, there is help available. One of the biggest reasons why we can discern such an improvement in agency compliance is due to the laudable support that the RCSA and ITCRA provide for agencies. Globally, the industry associations (APSCo, REC, ASA etc) are taking a leading role in ensuring the industry keeps up in each region.

Dianne: They regularly host training programs and deliver information bulletins to improve an agency's skills and understanding about their duties in law - the most recent activity is around the change to immigration law, and more training is planned in relation to the Privacy amendments. There are "health checks" and certification programs which support agencies in meeting their obligations. This chain of regulation is a risk management strategy that limits the likelihood that a regulated agency will be found in breach of legislative requirements. Does all of this activity have an impact on the "saleability" of a business?

Rod: Absolutely. There is a dramatic change in how business quality is perceived. The corporate reputation of an organisation is more transparent than ever before. It is relatively easy to see if an organisation has kept its house in order over the preceding years of operation. A few years ago certification to the recruitment delivery standard or the achievement of an appropriate quality standard was all that was available. Today when an organisation is being reviewed there is so much more. There continues to be a need to "do the right thing" but there is also an absolute need to prove that you are doing the right thing. That is a major change - the procedural systems that need to be in place will impact your organisation's ability to survive external review.

Dianne: Completely agree with you here, Rod. I often say that you need appropriate procedures in place and the records to show that you do what you say you do. The procedures need to be documented; the records need to be accessible; and you need to check this regularly. It is not enough to say that you told your staff once during induction that this is what you expect of them; that is not sufficient to show compliance. It certainly begs the question whether, at the very least, good compliance processes increase the value of your business?

Rod: No, not today. It just becomes an area that you need to have in place to enable your business to gain a potential buyer's interest and then pass due diligence requirements. In the longer term, the multiples paid for recruitment organisations are likely to rise because of this increased barrier to entry. So what am I saying here: in the future, as the barriers to entry continue to rise, and legislative requirements become more onerous, fewer organisations will be able to abide by the necessary requirements to keep their business compliant with the law, and the cost of establishing a new business and investing to the required level of sophistication rises. On the other hand, agencies that diligently review and update their processes, ensuring that they tick all the right boxes with all the right people, become more and more valuable to potential buyers. The recruitment industry is at an interesting point in its evolution.

Dianne Gibert is the founder of Certex International Pty Ltd (previously Fathom Business Architects). Certex is an accredited certification body providing certification services in the RCSA SDS and other recruitment industry standards, as well as the well known 9001 Quality Management, 4801 Occupational Health and Safety and 14001 Environmental Management standards. If you have any questions about the RCSA Service Delivery Standard or certification standards relevant to the recruitment industry, please contact Dianne on (03) 9585 8241 or email

Benefits of Certification- An Interview with Burdekin Shire Council.

In our last newsletter on 17 July 2013, we told you about the Queensland Government's dismantling of second party quality assurance, and their preference for certification by third party auditing bodies. Most organisations supplying Queensland Government had been given until 30th June 2013 to obtain third party certification, and many already have, but there are also a number of businesses who have not yet arranged for certification. In this newsletter we highlight the benefits of taking this step.

The good news is that you would already have a quality assurance management system in place, so any changes are likely to be minimal. One of the changes you may need to make is to ensure your quality management system is working as well as you can make it. This might mean reviewing and updating procedures, updating training records, and checking that decisions have been properly authorised and documented. Without regular monitoring these things can sometimes take a back seat. The more formal and more regular audits that are conducted by a third party auditor will keep you focused and thereby will ensure you get the maximum benefit out of your quality management system.

One of the most significant benefits is that a third party certificate showing the JAS-ANZ symbol is recognised around Australia, and indeed around the world. It is reliable evidence that your management system meets the international standard. This is valued by many corporates and in particular by government bodies. The formalities of third party certification mean that there are more frequent on-site audits and more independent and impartial assessments of your organisation's status. But it also means more opportunities to succeed in tenders, as independent assurance is respected not just by Queensland authorities, but worldwide. You'll be meeting higher expectations and this results in real improvements to business - get a better system, and you get a better outcome.

This week we interviewed Mr. Karl Schatkowski, QA Officer/WHS Officer with Burdekin Shire Council. Burdekin Shire Council has been second party certified with the Queensland Government for many years, and earlier this year achieved third party certification to the AS/NZS ISO 9001:2008 Quality Management Standard. Karl explains their experience.

Q1. Why did you decide to take on third party certification in 9001?

Well, 9001 had been implemented by the Council for a number of years. But we strive to always promote quality assurance, and in order to keep our contracts with Main Roads, we needed to prove to them that we are capable of maintaining that standard even at the 3rd party level. This was also the case with our building department, and the tenders that they may apply for.

Q2. What changes did you need to implement to meet the 'tougher' requirements for a quality management system?

Actually, there were really only minor non conformances that we needed to change. The biggest challenge was that since we are such a large organisation, there were a few isolated areas (such as Workplace Health and Safety, Customer Service, Environmental Health) where some procedures had to be revised and updated, and transcended from draft mode to approved status.

Q3. How did you find this process - challenging, straightforward...?

I have been involved in several audits over the years, and I found Paul Neilson from Certex the best auditor I've ever dealt with. He is professional, knowledgeable, and made the entire process very wonderful and easy to deal with. He never crossed the line between auditor and consultant. But, as an organisation, what we appreciated the most was that he maintained communication with us not only during the time that he was here but also after the audit.

Q4. What benefits have you noticed since implementation?

That's a tough question because 9001 is not something new to us. But I think it really established us as a quality supplier, and gave us added procedural efficiency. Best of all, it ensured that we were able to continue our contract with organisations such as Main Roads.

The Pyramid Effect: Benefits of ISO Standards for SMEs*.


*Small and Medium Enterprises

Would you believe that the very first standards were developed in early 3150 BC? In the sweltering Saharan desert, the ancient Egyptians created a standard unit of length that they utilised to build the great Pyramids of Giza. And since then, use of standards has flourished until they have become almost enshrined in our everyday life, from our shoe sizes to our electrical products. Yet, though small and medium sized organisations make up more than 90% (yes, believe it) of the world's businesses, many SMEs still have not taken that extra step to becoming certified on an internationally recognised level.

Certification in an ISO standard can be the difference between pyramids and rubble: it eliminates wasteful expenditure of time and resources, establishes a strong framework for best practice across every business level, and increases business efficacy and internal productivity. It also adds a new level of credibility to your business, which in turn can boost confidence and rapport with clients. The flow-on effect of all of this is to help open up export markets for your products and services, initiate opportunities to participate in global supply chains, and cement your company in the international sphere, allowing you to have a level playing field with the big conglomerate businesses.

Earlier this year, ISO released a short video detailing more benefits of ISO standards for small businesses, and you can download a free PDF that illustrates 10 benefits of standardisation for small and medium enterprises as perceived by small and medium business enterprises from across the world. All of this information, and more, is available on a special page that ISO has dedicated to SMEs here.

Every small business starts out as a pile of bricks. And yes, competition is tough. But strategic use of standards can make a substantial difference to the growth of your company and can help you take your business to new heights.

ISO is an independent, non-governmental organization made up of members from the national standards bodies of 163 countries. Under our accreditation with the national standards body in Australia and New Zealand, JAS-ANZ, Certex offers certification in the main ISO standards including Quality, OHS and Environmental management.

Quality- Because You’re Worth It!


When we think about becoming accredited, most of us instinctively frown: "It'll be too much paperwork", "It'll take up too much time", "Is it even necessary?". Yet as we hurtle further and further into modern day marketing, being quality certified is fast becoming that 'clinching factor' in tender submissions with other organizations. Why? Because achieving independent recognition for your quality systems establishes your company's proficiency in the industry, and propels you into a different league completely. Indeed, many companies that we have worked with have grown and even doubled in size since becoming certified.

The fact remains that there are still many major issues affecting the quality of service provided by recruitment companies across Australia and New Zealand. At its most basic level, this can be something as fundamental as a consultant's record keeping practices, compliance (or lack thereof) with legislation, training and competency levels of your staff, or it could be a tendency to overlook planning or a failure to have clear objectives or strategies. Businesses that become certified in a quality standard such as the RCSA Service Delivery Standard or AS/NZS ISO 9001 Quality Management have systems in place to manage and control these and other issues. It can be hard work - there is no denying this - but the benefits can be well worth it.

APRG, an expanding recruitment business in Brisbane, recently took the plunge and embarked on an improvement program which ultimately resulted in certification in the RCSA Service Delivery Standard. This is their experience.

Certex: "Why did you decide to take on the RCSA Service Delivery Standard certification?"

APRG: "APRG's interest in seeking RCSA SDS certification was threefold:

  • We were seeking validation of our existing processes and wanted to understand what was considered best practice within the industry - at the end of the day we did not know what we did not know and were looking for the external view point.
  • We wanted a validated point of difference from the majority of our competitors.
  • Recognition within the industry for the quality of the product and services provided."

Certex: "What changes did you need to implement to meet requirements for a quality management system?"

APRG: "After working through the initial checklist provided as part of signing up to the process, we realised the major changes we needed to implement to meet the standard were to implement/introduce a 'Controlled Documentation' process to the business, and to formalise a structure to manage the existing policies, procedures and processes that we had in place. We also realized the management team had to adopt an improvement/innovation focus across all our processes within the business."

Certex: "How did you find this process - was it challenging or straightforward?"

APRG: "Whilst the days in the lead up to the initial onsite audit were quite frantic, the process that has been structured by Certex has made the process relatively straightforward to follow. The audit preparation checklist provided as part of signing up to the SDS certification gave a good indication of what to expect and, when followed up by the initial documentation review, gave us the opportunity to make improvements as we moved forward. In addition, our Operations Manager attended a 'Key Concepts in Service Delivery & Quality Management' workshop in the early stages of APRG undertaking preparation for certification. Working through the audits, it was clear that Certex were here to help improve our business and their approach made it well worthwhile. The timing was fantastic as we were transforming the business operating model and a strong quality framework was seen as an important enabler to its introduction."

Certex: "What benefits have you noticed since implementation?"

APRG: "There have been a number of benefits to APRG since we have undertaken the certification process. The key ones would be:

  • It has challenged APRG to focus on building better internal systems and standards to take the business forward.
  • By building better business systems APRG has a stronger platform for future growth and certainty around the deliverables of the business.
  • Whilst we had a strong compliance focus previously, having an external party validate our processes helped our staff understand why we had put the processes/procedures in place and their importance.
  • We believe it will also assist with tender submissions when we can advise what quality standards we have in place."

Even the best of us can benefit from an extra eye looking over our processes, an extra helping hand to identify those last, niggling issues that are inhibiting our growth. Certification brings with it a higher level of understanding about how your business operates and, most importantly, how you want it to operate.

Dianne Gibert is the founder of Certex International and Fathom Business Architects, which has been the certification manager for the RCSA Service Delivery Standard since 2004. Dianne has more than 20 years' experience as a management consultant specialising in quality management and performance improvement. Certex International is accredited through JAS-ANZ to provide certification services to the recruitment industry in ISO 9001 Quality Management Systems.

Privacy- Do You Know What the New Changes Are?

There are new amendments to the Privacy Act 1988 that will take effect in March 2014. Though that might seem like a long way away, it's absolutely essential that organisations begin preparing themselves and their business procedures for compliance now. This is especially important in light of the enhanced powers that the Information Officer will have to discipline organisations that do not adhere to the law. Rest assured that Certex, in conjunction with our sister company Service Excellence Consulting (SEC), will highlight the possible capacities for breach and consequences of breach in more detail in our forthcoming newsletters.

So what's changed?

Well, according to the Office of the Australian Information Commissioner (OAIC), the Amendment Act includes a set of "new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses." These privacy principles will be known as APPs (Australian Privacy Principles) and they set out the standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. There are 13 APPs in total, including two new principles, and they are structured to capture the 'lifecycle' of personal information- from consideration and collection through to access and correction of personal information. Thus, they govern a range of areas including direct marketing and cross border disclosure.

Our lengthy involvement in the recruitment industry has shown us the reality: current practices in the majority of agencies will fall short of the new legislation- far short. Privacy is a delicate and multifaceted issue: it interplays with many pieces of legislation as well as with many different levels in a business. Most agencies think that they have a good understanding of privacy requirements, but the reality is that there are many gaps in understanding and implementation, and some of these are quite serious.

The Privacy Best Practice program is an initiative of ITCRA (Information Technology Contract & Recruitment Association) to assist Australian businesses to prepare for these changes. The program is a unique combination of a training workshop and a review of records which will be conducted at your office, providing the opportunity for many of your staff to attend. The workshop will provide information on the changes in the Privacy Act amendments and their implications for recruitment agencies. The records review will identify areas in your business of real and potential risk of non-compliance against the new requirements. The findings are presented to you in a report so you can work through and take action to correct the problems.

We are also arranging half day workshops in each capital city. Currently, they are proposed for: Melbourne - Wednesday 30th October 2013; Perth - Friday 22nd November 2013.

We understand your business- our consultants all have many years of experience, particularly in the recruitment industry, and are qualified auditors who have been trained in privacy by Andrew Wood, barrister on the Tasmanian Bar and expert in privacy and related employment matters.

It would not be wise to assume that there is nothing you need to do to prepare for the new legislation. The OAIC has made it clear they will be using their new powers to conduct privacy audits. The recruitment industry is one of a small number of industries which deals with significant amounts of personal information for individuals who are not employees. (There are a number of exemptions for employees under the Privacy Act.) Recently a large organisation was found to have breached national privacy law when it left a database of about 740,000 customer records, in some cases containing usernames, passwords, email addresses and more, exposed on the web. There was little the Commissioner could do except name and shame. However, under the new laws the Commissioner could apply to the Federal Court to levy fines of up to $220,000 against individuals and $1.7m against companies for "repeated and serious" privacy breaches.

National and state legislation is constantly updating and it's simply assumed that you'll be aware of and compliant with all of the changes as they come. Ignorance of the law is, as strange as it might sometimes seem, just not an excuse anymore. But why be ignorant at all? Send us an expression of your interest in these workshops and we will arrange a time to speak with you. Contact us to register interest and for more details.

Australia Against the Global Market- ISO 2012 Survey Stats Released.

ISO have released the results of their annual certification survey! "Wait, hold on," you tell me. "Who have released what about what?" ISO (International Organisation for Standardisation) is the world's largest developer of international standards. They have published over 19 500 standards, all of which have been designed through global consensus and aid in improving the efficiency and customer satisfaction of international trade. Every year, they release a survey of ISO certifications for management systems like the QMS (ISO 9001) and the EMS (ISO 14001). It captures and categorises a range of interesting and useful information such as the number of certifications from countries across the world, the growth and recognition of each standard, the various industry sectors that have recognised and implemented these standards, and the leading countries in standards and certification worldwide. More importantly, the survey underscores the value of international standards in an evolving global economy- it identifies which standards have received the attention of the global market, how many lower cost labour markets are utilising standards to highlight their credentials, and how Australia is faring against our international competitors. This new survey, which interprets the data on certifications issued in 2012, is freely available to download from the ISO website.

In short, the results reveal a "healthy growth across the board for all certifications to ISO management systems". ISO 9001 has remained stable (in fact slightly increasing since last year), which just reinforces how essential it is for businesses across the world and how many businesses are recognising this and using it to their advantage. The Quality Assurance certification was issued 1,101,272 times across 184 countries, and Australia carved out a solid 9185 of that astounding amount. Too much math? Well, simply put, ISO 9001 has displayed a growth of about 2% worldwide, and Australia contributed to that.

Our contribution was quite small though compared to market giants like China, Italy and (somewhat surprisingly) Spain, who took out the top three spots for total number of 9001 certifications issued. China and Italy also took out top spots (along with Japan) for environmental management, which had seen a more impressive growth of 9% in just one year. Environmental sustainability is not just a necessity- it's an inevitability. More and more organisations are recognising its relevance in the modern world, especially in Australia, where 2000 certifications were issued this year alone. Though Certex does not offer certification in ISO 50001 (Energy Management), we are still so impressed by its growth of 332% that a special mention is being given to a standard (and to companies!) that understands the importance of being energy efficient in the face of climate change.

"Okay..." you remark. "What does that have to do with my business?" Great question. What can it do for your business? The fact of the matter is that the time for collecting data for 2013 is fast closing, and even though there were over 2 million actively trading businesses in Australia last year, we've only had 70,385 certificates issued since 1993! If you haven't considered the benefits of certification on an international level, now's the perfect time to do so. Soon it will be time for reflection. It will be time to ask yourself a different question: What makes my organisation different from those international exemplars like China, Italy and Spain? And you'd want that answer to be "nothing".

Proposed Revision of ISO Standards

"Not again," I hear you groan. But rest assured, these revisions are set to not only be very beneficial for your organisation, but also involve only minor alterations to your existing procedures. Essentially, ISO 14001:2015 and ISO 9001:2015 (along with other standards such as ISO 27001) are predicted to 'align' with Annex SL's structure. Currently, in spite of these standards sharing relatively common requirements, they have different definitions for many of their common terms. This can lead to confusion and inconsistencies when implementing the standards. The proposed alignment will ensure that each standard has roughly the same structure and format as the others, utilises the same definitions for common phrases, and matches the others on core requirements.

It is also likely that there will be a few content changes to the ISO 14001:2015 standard as well, particularly with respect to the context of the organisation, leadership, environmental objectives, policy commitments, performance, and communication. For example: environmental objectives will likely include an expansion of a company's conservation procedures, such as the use of sustainable resources. Meanwhile, ISO 9001:2015 will likely conform to a more generic format so that it can better cater to a variety of different organisations. And, much like ISO 14001:2015, the main aims and objectives of the standard are stipulated to stay the same as the 2008 version.

There is also a suggestion that the international Occupational Health and Safety standards (OHSAS 18001 and ANSI) will be modified into a new ISO standard (note: the Australian version of this is AS/NZS 4801). This change would make much sense, given that the OHSAS standard is often implemented alongside ISO 9001. Michael McLean, a member of Certex's advisory board, has been involved in the consultation process during these changes.

We expect a public draft to be published at the end of this year, a finalised draft in mid-2014, and the amended standard itself to be released in early 2015. So at this stage? Sit tight and rest easy - there is a generous transition period being awarded to those companies that have already implemented ISO 14001, and we will assist you with any further changes when we all know more about what needs to be done.

Immigration: It’s that-time-of-year.


It's about that time of year when you sit down and you make a checklist. You start by ticking off that you've completed your taxes (hopefully!) and that you've got all your finances in order. That you've organised superannuation for your employees, and that your insurances are up to date. You're aware of the changes to the privacy legislation? Yep. You're compliant with the (ever changing) Occupational Health and Safety standards? Yep. You've got your risk management policies in place? Yep. Yes, it's that time of year to feel pretty good about yourself. The busy end-of-financial-year has ended, the busy right-before-Christmas time is yet to begin, and things are going at a comfortable pace, right? Hopefully.

But just before you settle into your it's-my-reward coffee, ask yourself one more pertinent, often-overlooked question: Do you know whether every single one of your employees is legally entitled to work in Australia? You see, the problem with opening this question (and the reason why it's not opened often enough) is that it leads to half a dozen subsidiary questions:

  • Do you employ overseas workers or workers on a temporary visa?
  • Are you aware of your lawful employer obligations especially in relation to employer sanctions and engagement of migration workers?
  • Can you demonstrate that every temporary visa holder in your workforce is working within their visa conditions?
  • Do you understand how the National Workplace Relations system works in relation to these temporary visa workers?
  • Do you have accurate internal policies, procedures and training in place to manage and ensure immigration compliance with the Migration Institute of Australia?
  • Do you really know if you are in breach of Commonwealth immigration compliance law?
Sure, you might think that you are employing lawful workers, and you believe that they should be adhering to the law, but can you prove it? The fact is, nowadays, you no longer need to be an approved immigration sponsor to be in breach of Commonwealth migration compliance law. If, at any time, you have employed (or referred to another employer) any non-citizen who held a temporary visa, you must adhere to the new changes in the Migration Act. This applies to temporary visas of any kind, either non-sponsored (e.g. student, working holiday, bridging etc.) or sponsored (e.g. 457). Inspectors from the Department of Immigration and the Fair Work Ombudsman Office are visiting workplaces around Australia now. If they were to knock on your office door and find that you were employing workers who are not legally entitled to work in Australia (or who are working outside of the scope of their visa) they could issue you with a $15,000 on-the-spot fine (and that's before they consider imposing sanctions, penalties or even pressing criminal charges). Oh dear, time to put that coffee down next to that calendar-you-said-you'll-update.

So what are the changes to Migration law and regulation? Well, there have been recent amendments made by the Migration Amendment (Reform of Employer Sanctions) Act 2013 which introduces, as mentioned, more stringent penalties to employers who are in violation of this law. Previously, the Department of Immigration and Border Protection (DIBP) as it is now known (previously referred to as DIAC) was required to prove an employer's "guilt". That is, DIBP needed to show that an employer allowed an employee/contractor to provide services (for the company or for others) when he was knowledgeable or reckless as to the worker's immigration status and working rights. Now, however, DIBP no longer has to satisfy that you acted with knowledge, recklessness or even negligence in employing or referring workers who are in breach of their visa conditions. Today, the Commonwealth has the capacity to issue infringement notices that escalate up to $76,500 for companies in breach of this law, irrespective of what these companies knew or intended regarding their temporary visa worker(s).

Okay, okay, so what can you do? Well, you can't sit tight and hope for the best, because even your I-floss-every-day winning smile will not bowl the inspectors over if you're found to be in breach. The only safe and responsible approach is to have (or put in place) rigorous and dependable work processes and procedures and then follow these to check the legal status of all of your employees. This means keeping reliable records. This means training your HR staff and managers to know what to look out for. This means proof-reading and re-checking your dependable procedures to make sure that there aren't any gaps or mistakes.

And how can you be confident of this? Well, (here's where you pick up that pen-from-that-forgotten-conference and those sticky-notes-that-your-daughter-keeps-taking-for-"school") that's where Certex Immigration Compliance steps in. We are a trusted name in audit and human resources quality assurance, one of only a few wholly Australian owned and managed certification businesses, and we're accredited with JAS-ANZ, the government monitoring body, for quality, OHS and environmental management standards. We have engaged with key government immigration regulators, industry stakeholders and leading migration law advisers to develop two unique compliance assessment services. The first is Risk Assessment, which looks at personnel records to assess the status of foreign employees. The second is a full Certification Program, which assesses your policies, procedures and practices against a registered standard, as well as personnel records. It is important to note that these are third-party, independent audits, which means Certex auditors do not provide consulting or compliance advice or other migration advice.

But Certex Immigration Compliance auditors are qualified and experienced Registered Migration Agents who have been trained to work as lead auditors. They can (and will!) review your records against current legislation and against employer obligations, work permissions and visa conditions of foreign employees. They will assess the level of compliance and identify any gaps, areas of concern or risk and any breaches. These findings are then recorded in an audit report. If the report highlights areas which need attention you can (and should!) take this report to your own Registered Migration Agent or immigration adviser, who can assist you in resolving the problems. Add immigration to your checklist and make sure your business complies. Don't let immigration be that-thing-you-wish-you-had-checked.

    Dianne Gibert - Bio

    Dianne Gibert is the founder of Certex International Pty Ltd. Certex is an accredited certification body with JAS-ANZ, providing certification services in 9001 Quality Management, 4801 OHS and 14001 Environmental Management. Certex also manages the RCSA Service Delivery Standard on behalf of the RCSA. Certex has been working with key industry stakeholders to develop the first immigration compliance program in Australia. If you have any questions about the Immigration Compliance Service or other certification standards relevant to the recruitment industry, please contact Dianne on (03) 9585 8241 or email You can find more information on

Privacy- A Case Study on AAPT Pty Ltd.

Sometimes even the 'big guns' - companies with many, many years of experience under their holsters- can fall foul of privacy regulations. They then stand as a testament to the importance of privacy compliance and the necessity of implementing adequate procedures and policies to satisfy the intricate legislative requirements of privacy law. Recently, the Office of the Australian Information Commissioner (OAIC) published an 'own motion' report featured on their website which informed readers that a prominent Australian telecommunications company had breached the Privacy Act. AAPT Ltd had been the victim of unauthorised access by a hacker group known as Anonymous. Although they were the victim, the company itself was found to be in the wrong: it had failed to meet its requirements under the National Privacy Principles (NPP), which had obligated it to take reasonable steps to protect and secure customer information and destroy/de-identify information that was no longer in use.

Earlier in the year, the Commissioner had received reports which indicated that AAPT's server had been compromised by a hacker group known as Anonymous, who had then exposed and published personal client data (including credit report information) on the internet. Though AAPT immediately took steps to ensure that no further information could be exploited, the fact that their records had been attacked at all made them vulnerable to a claim that they had not taken appropriate measures to protect this data in the first place. This obligation relating to the use and misuse of personal information is detailed in the National Privacy Principles that a majority of private sector organisations must comply with. Specifically, NPP 4 (Data security) and NPP 2 (Use and disclosure) require organisations to:

  • take reasonable steps to protect personal information from unauthorised access/disclosure; and
  • take reasonable steps to destroy or permanently de-identify such information that is no longer in use.

Security of Personal Information

It was AAPT's responsibility to ensure that any and all applications that they utilised to manage personal information be regularly updated. However, the program that AAPT used had several newer versions available with security features that could have prevented this very attack. Indeed, the version used by AAPT was seven years old! Further, the contractual agreement between AAPT and their IT consultant (who managed the server) did not contain adequate measures to protect personal information, and it was not clear that AAPT was even aware of what personal information was being held on this server, let alone who was responsible for the use and update of applications that managed it. In consideration of these factors, the Commissioner came to the view that AAPT had breached this first obligation (NPP 4.1).

Destruction/ De-identification of Information

It was confirmed that not all of the compromised data had been in use by AAPT at the time of the hack. NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information when it is not in use. Though AAPT had policies that outlined their data retention scheme, the Commissioner was of the view that there was "low awareness of data retention requirements" amongst employees and these policies were, in any case, not being followed by the staff involved with the compromised data. Therefore, it was held that AAPT was in contravention of this requirement (NPP 4.2) as well.

Mr Timothy Pilgrim (our Information Commissioner) appreciated the speed with which AAPT Ltd responded to its breach, but nonetheless made both the media release and the motion report publicly available on the OAIC website to serve as a message to other companies to not "needlessly" place themselves in "a position of risk" by holding onto old information that is no longer in use.

There are significant lessons in this case study for all of us. Most importantly, it is possible to inadvertently breach the law by not actively managing privacy policies and simply assuming that all staff are sufficiently informed about them. And an equally important consequence of breaching the law is that your company will likely be publicly named on the OAIC website. Do not hesitate to contact Certex at any time to ensure that your policies can withstand the force of the law.

Privacy Sweep- How Did We Scrub Up?


The OAIC is moving onto the front foot in relation to privacy. The Commissioner has indicated he will not be lenient, and the results of a survey indicate there is room for improvement. As you will already be aware, the new Privacy amendments come into force in March. The amendments "raise the standard" in relation to managing personal information. Recruitment and other companies which deal with and store personal information should be reviewing their procedures.

Early last year, the OAIC (Office of the Australian Information Commissioner) conducted a 'Privacy Sweep' of around 50 common websites visited by Australians. This was in conjunction with a global check of over 2000 websites and apps observed for 'Privacy Practice Transparency'- that is, how effectively these websites increased public or business awareness of privacy rights and responsibilities, and complied with both current and upcoming privacy legislation. Although this Sweep was not an official investigation, it nonetheless aimed at identifying websites that might warrant further assessment in the future after the privacy reforms in March come into force. Although participants only spent a few minutes per website, the results of this Sweep were still quite concerning: in Australia, a staggering 83% of privacy policies on websites were found to have at least one issue with readability, relevance, length, 'contacts for further information' or ability to be found.

Readability and Length

Nearly 50% of websites had readability issues- either the language employed was too complex, or the length of the policy was inexcusably long. The Information Commissioner explained that policies must be capable of being presented in formats which assist people who use technologies like screen readers (often used by visually impaired or illiterate people, or people who primarily speak a language other than English at home). In essence, people needed to be able to "understand what they are signing up to".

On a global and national scale, roughly one-third of policies had relevance-related issues. Too many policies used generalised, 'boilerplate' language that was unclear about whether the site complied with relevant legislation and, often, they offered no information about the collection, use and disclosure of personal information. Alarmingly, mobile apps fared far worse- a shocking 92% of apps raised privacy practice concerns, with up to 54% having no privacy policies at all! Those that did frequently provided simple links to the privacy policies for their website, instead of addressing just how the apps themselves would be using and collecting information.

Location and Contact-ability

21% of websites searched worldwide did not even contain a privacy policy, but reassuringly, only 2% of Australian websites and apps fell into that category. More importantly though, 15% of the Australian websites registered a concern with find-a-bility of the privacy policy, and for a further 9% participants struggled to find further contact information.

The Information Commissioner, Timothy Pilgrim, entreated organisations to observe and revise their privacy policies where needed to ensure they comply with the new requirements. He reiterated that in order to comply with Australian Privacy Principle 1 (APP 1), organisations must have a clear, up-to-date privacy policy that is open and transparent about their privacy practices. Indeed, in a speech that he made in Sydney on the 25th of November, Timothy Pilgrim warned that he will not be taking a "softly, softly" approach after implementation of these reforms. "I have been asked whether I will be taking a 'softly, softly' approach after implementation of the reforms. Well, I have never been known to be subtle so the answer to that question is probably 'no'." He did go on to say that he would always start by resolving matters through conciliation, but this in no way should be interpreted as being a lenient approach to the enforcement of privacy laws.

Certex has been working with ITCRA (recruitment industry association) and Andrew Wood (barrister) to provide workshops and support services on the privacy changes. Call us for further information.

Privacy- It’s in the Jam, Not the Icing.

The Privacy Act was first enacted in Australia almost 25 years ago, in 1988. And, over that time, we've familiarised ourselves with the 10 National Privacy Principles and found ourselves cushy, comfortable ways to manage personal information. Recruitment agencies, for example, have recognised that a key feature of the privacy requirements is to inform the candidate that we will hold their personal information and what we'll do with it. So, we staple together a Privacy Collection Notice and ask the candidate to read the terms and conditions and give their consent. On their part, the candidates are eager to impress us: they scan the document, quickly grab the first working pen and sign the notice. Done. We've got their approval. Now we can record, store and use the information as we think fit. Right?

Well, not anymore. It used to be that the Privacy Collection Notice/Statement was the principal document- it generally overlaid every issue pertaining to privacy. So, over the past 20-something years, we began to rely on it as our go-to-guy for all things privacy related. As long as the Notice was appropriate then what we did with the personal information didn't matter too much- we stopped monitoring too closely how the information was managed or who had access to it. After all, we had the candidate's consent.

This will all change when the new privacy amendments come into force in March next year. The new privacy requirements include 13 Australian Privacy Principles. Whilst the main thrust of the legislation is the same, there are some changes. There are two new principles on cross border disclosure and direct marketing. The powers of the Commissioner of the Office of the Australian Information Commission to impose fines and conduct audits have been substantially increased. In addition, there is a major change to the underlying platform for privacy management. APP 1.2 refers to "practices, procedures and systems". This means that the one document which got you by before- the icing- is no longer sufficient. You will need to think about how you really manage privacy in your business, the policies and the procedures, and about how well your staff implement these. We have been working with the recruitment industry for over a decade, and have come across many examples of poorly managed privacy situations. Here are some examples.

Example 1

The recruitment industry generally believes that they "own" a candidate. In actuality, their ownership is on tenuous grounds- it is the candidate who is in control of their information, and consents to the recruiter's temporary access to this information. This consent may be revoked at any time. By not fully comprehending what a candidate's right of control is, recruiters may find themselves in breach of privacy laws.

Example 2

In some parts of the industry there is a growing use of "web crawlers" which collect online candidate information and drop it into a recruitment database. These programs collect resumes from Google search results, Outlook emails and more, and transfer candidate details into a database. By doing so, they build a time-efficient, comprehensive record of potential employees that is invaluable to many recruiters. Whilst this sounds like a great labour saving device, it is not all good news. The problem returns to the fundamental tenet that we discussed earlier: the right to control access to information, even in this technological day and age, is held by the candidate. This means you cannot collect and record information about a person without their permission.

Example 3

Sandra is a newly hired junior administrative assistant in a recruitment company for nurses and doctors. She's finding it a bit hard to settle into her new job and make friends with her work colleagues, and performs a range of administrative tasks, such as filing paperwork, photocopying documents and editing articles. Through many exchanges of hands (and responsibility), she finds herself collecting and reading through simple police checks of the nurses hired by the company. Suddenly, she jumps up and cries out "XYZ is a prostitute!!" (Who knows, maybe that made XYZ a better nurse!). All the workers beside her are amazed by the revelation and peer over the document themselves, and Sandra is pleased to be recognised. It's just idle gossip amongst co-workers, isn't it? In fact it's a gross breach of employee privacy. Every staff member must be fully informed and trained by the company to understand and respect the privacy of past, present and future co-workers, or vicarious liability can even be extended to the managers of the company for not properly advising a junior of this.

You might be saying "sure, a recruiter can be in breach of laws that are intended to protect the candidate that the recruiter will potentially hire. Seems straightforward enough". But breaches can permeate through many more levels of a corporation.

Example 4

Let's consider offshore service providers, for example. It is not uncommon for busy companies to outsource candidate management to offshore companies in India, Malaysia, the Philippines and elsewhere. These offshore organisations essentially take care of basic administrative functions such as the creation of newsletters and candidate databases for the companies back here, and store these databases overseas. So what's the problem here? The problem is that the information being used and disclosed is now outside of Australian control but still within Australian jurisdiction. Simply put, this means that you are liable for any non-conformance of the service provider, regardless of whether you were aware of it. This may be an issue for onshore service providers as well.

It's easy to recognise how such breaches can damage a company's reputation and, in turn, impact current or future business opportunities. But what is often forgotten is that a breach of privacy is oftentimes a breach of law, and this can have more far reaching consequences. To put it another way: it's easy to smear icing on top of an over-burned cake and hide the crustiness. Similarly, it's easy to cover up poor recruitment practice by installing a fast, computerised device that glosses over your procedural flaws. But do you really want to risk someone eating the cake and finding out that you deceived them (and that the cake itself is awful)?

Example 5

There was once a prickly situation involving an applicant who consented to a medical clearance requested by a company's recruiter. The director of the medical board, despite personally knowing the applicant, did not hand the examination over to another doctor but conducted the tests himself. When communicating the results orally to the recruiting company, the director also included allegations that the applicant had 'abruptly' left his previous job. The recruitment manager noted this unsolicited information and subsequently dismissed the applicant, who in turn sued the company for misuse of his confidential information and corporate negligence. Although the applicant had insufficient evidence to establish his claim, the judge in that case firmly chastised the medical director and refused to allow the recruiting company to recover any of the costs it incurred during the court process. The reality is that even if you are cleared of any wrongdoing, there are still costs associated with court processes, some of which are simply irreplaceable, like time and reputation. When it comes to privacy, it may seem like you've heard it all and have it all in hand. But it would not be wise to assume that you have privacy all sorted and that there is nothing you need to do to comply with the amendments. Privacy is a finely nuanced and multifaceted concept because it is a fundamental human right to have and to protect. It's not the icing you slap on top of the cake and hope for the best; it's the strawberry jam between all the layers that holds it all together. It is important on every level, and it takes many hours of time and preparation to get right. It is forgivable to be caught a little unawares today, before a breach has even occurred, but stringent penalties await those who are complacent or careless in causing a breach. So sit back and ask yourself just how well you understand all these issues, and seek help if you're unsure.
Don't get caught out with a burned cake.

WorkSafe Targets WA Labour Hire Workplaces.

There have been a number of very serious injuries to workers employed under labour hire arrangements*. This has prompted WorkSafe in Western Australia to commence a new industry-wide inspection of the workplace health and safety of such workers and of the obligations of labour hire agents across all regions of WA. When inspecting a WA workplace for any reason, the inspector will ask the employer whether any workers are being hosted under labour hire arrangements. Such arrangements include both contract/on-hire firms and host firms. If the answer is yes, the inspector will consider a broad range of issues via a checklist, including:

  • hazard identification, risk assessment and risk control;
  • reporting of injuries and investigation of injuries and reported hazards;
  • consultation with labour hire workers and with the labour hire agent;
  • personal protective clothing and equipment; and
  • providing a safe working environment for labour hire workers.

Inspectors will also specifically examine the training methods and supervision of on-hire workers. Although the program is aimed at raising awareness of workplace health and safety (WHS) obligations, WA WorkSafe Commissioner Lex McCulloch has warned that "inspectors will take enforcement action if they find breaches of the laws". He notes that the labour hire industry was informed, in writing, about the program, so "they should be aware of exactly what the inspectors will require". The program will run until the end of the financial year, and other states may well monitor its outcomes with a view to implementing their own inspections. Responsibility for WHS for on-hire workers is shared between the recruitment agency and the host employer. Recruitment associations offer a range of seminars, webinars and information on WHS. If you have any questions about WHS and, in particular, its application to on-hire workers, contact either the RCSA or ITCRA, or contact us and we should be able to guide you to a reliable adviser.

*On-hire workers are typically outsourced blue-collar workers hired for short or long term positions.

The APPs Have Been Released.


The Office of the Australian Information Commissioner (OAIC) has now released guidelines to the Australian Privacy Principles (APPs), which come into force later this week. Time is running out. Our extensive work in the recruitment sphere has shown us that recruitment is one of the few industries where privacy management is critical, yet compliance across the industry has not been high. So let's cut out the waffle and jump straight into what you need to know.

You cannot avoid the changes

The National Privacy Principles (or Information Privacy Principles, if you are a government agency) are being replaced for a reason: they did not meet customer, client and employee expectations, and they did not adequately protect personal information across many levels of business. So, fair warning: the new laws will compel your company to meet higher expectations and obligations of transparency. What are the changes? The two sets of principles that currently apply to Australian government agencies and to private businesses have been "harmonised" into 13 Australian Privacy Principles (APPs). A more "comprehensive credit reporting system" is also being introduced, as well as a "simplified and enhanced correction and complaints process". Most importantly, the amendments give the Australian Privacy Commissioner, Timothy Pilgrim, enhanced powers to enforce and remedy complaints, conduct investigations and address breaches of privacy.

The Commissioner has significant new powers

What powers does the Information Commissioner already have under his belt? Well, he can:

  1. Review any complaint made and make any inquiries of any party that the Office considers necessary. The OAIC can also act as an impartial mediator and aid in conciliation.
  2. If the parties cannot reach an agreement, the Information Commissioner can, once again, review the material and make a formal determination against your company if he considers that your organisation did not make reasonable efforts in negotiation. This determination dictates what further actions your company must take, and it is officially recorded.
  3. Conduct investigations into a company and its actions of his own accord, to determine whether it may be interfering with the privacy of an individual. The investigation results in a report that is publicly listed on the OAIC website, serving as a warning, tips and general information to other businesses.
  4. Audit Australian government agencies and certain private sector and state government organisations to establish an organisation's adherence to good privacy practice and legislative requirements. These audits, too, are generally publicly listed on the OAIC website.

What new powers has he attained?

  1. In serious or repeated cases of privacy breaches, he can issue a penalty of up to $340,000 for individuals and up to $1.7 million for companies.
  2. He can now also accept a legally enforceable undertaking from any private organisation or government agency.
  3. Whilst he has always been able to audit a private sector organisation by invitation, Mr Pilgrim jokes that "organisations have been too shy to extend such an invitation up to now." He goes on to say that "from 12 March [he'll] be able to invite [him]self in." That is, he will have the power to conduct "Performance Assessment" audits of his own free will, irrespective of any request (or lack of request) by an organisation, and regardless of whether the company has committed a serious breach or not.

No "softly, softly" approach

Over the next 12 months, the Office of the Australian Information Commissioner is aiming to help companies and businesses learn about these obligations (it has a vast array of resources on its website, for example). However, Mr Pilgrim has made it very clear that he will not be employing a "softly, softly" approach after the reforms are implemented. He has rejected taking a lenient approach towards entities still designing processes and policies because he believes that "The public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, [and therefore] these concepts are not new." He reinforced that organisations "have had 15 months to" prepare, and that he "will not shy away from taking action where it is appropriate or necessary to do so." Thus, the onus is on you to be aware of the extent and nuances of your obligations. The law will not excuse anyone on the basis that he or she "did not know" that the amendments would affect them.

What should you do?

How do you become aware of, and compliant with, these changes? Firstly, if you haven't already thoroughly reviewed the materials on the OAIC website, do so now, and then review your current practices and procedures against the new obligations. But we understand: the information provided is copious, confusing, and a bit overwhelming. So, contact us to learn more about our Privacy Best Practice program, held across Australia. The Privacy Best Practice program is an initiative of ITCRA, the Information Technology Contract & Recruitment Association. The program is a unique combination of a training workshop and a review of records.


"Thank you to ITCRA for leading [in] providing such valuable training to all staff at Viiew. This is a major challenge for the industry and we have appreciated your support." Troy Thorne (Chief Executive Officer at Viiew)

Amplify Your Security Measures- Gauze Bandages For the ‘Heartbleed’ Bug.


Recent warnings about cyber security around the "Heartbleed Bug" should alert companies who have not updated their data protection measures to comply with the Privacy Act. Even where a company is not directly liable for any damage as a result of being hacked, there are still compliance issues around the steps taken to protect against cyber attacks.

What is all the fuss about?

What is the Heartbleed bug, and what consequences should I have anticipated? When you send information to a website (or your mail program talks to a mail server), the connection is protected by TLS, the encryption layer that makes the data look like jumbled nonsense to anyone other than the intended recipient. Most web and mail servers implement TLS with a software library called OpenSSL. TLS includes a "heartbeat": one computer sends a small message and asks the other to echo it back, to confirm that the other end of the connection is still there. The heartbeat message carries a field stating how long the data to be echoed is. Vulnerable versions of OpenSSL trusted that field without checking it against the size of the message that actually arrived, so an attacker could send a tiny heartbeat that claimed to be up to 64 kilobytes long and receive back whatever happened to sit in the server's memory next to it: usernames, passwords, session cookies, credit card numbers and, most dangerously, the server's private encryption key, which would let the attacker decode the traffic it protects. Nothing about the attack shows up in ordinary server logs. Most of the work lies with the websites themselves (updating OpenSSL, then replacing the private key and certificate, and by now all of them should have done so), but it is still a timely reminder that businesses and individuals need to keep passwords secure and change them regularly, although not while the service is still vulnerable: a password changed on an unpatched server is simply exposed all over again.
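The following is an added illustration of the logic just described; it is not code from the original newsletter, and it is not OpenSSL's code (the real defect, CVE-2014-0160, was in OpenSSL's C implementation of the RFC 6520 heartbeat extension). It models the faulty and corrected length handling in Python against a made-up "process memory" buffer and a made-up secret, so it runs offline. The class and function names, the 4096-byte buffer, and the secret string are all assumptions of this example.

```python
"""Constructed model of the Heartbleed bug (CVE-2014-0160): a heartbeat
handler that trusts the sender's payload-length field, beside the corrected
handler that checks it against the record actually received.  The memory
layout and the secret are made up for the demonstration."""

import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding
HEADER = struct.Struct("!BH")   # type (1 byte) | payload_length (2 bytes)


def build_heartbeat(payload: bytes, claimed_len=None) -> bytes:
    """Encode a heartbeat request.  An honest peer sets claimed_len to the
    real payload size; a malicious peer can claim up to 65535 bytes."""
    if claimed_len is None:
        claimed_len = len(payload)
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


class ProcessMemory:
    """Stand-in for the server's heap (assumed layout): the received record is
    placed at the start of a buffer and other sensitive data follows it."""

    def __init__(self, secrets: bytes, size: int = 4096):
        self.buf = bytearray(size)
        self.secrets = secrets

    def receive(self, record: bytes) -> int:
        """Copy the incoming record into memory; return its true length."""
        self.buf[:] = bytes(len(self.buf))
        self.buf[:len(record)] = record
        self.buf[len(record):len(record) + len(self.secrets)] = self.secrets
        return len(record)


def vulnerable_heartbeat(mem: ProcessMemory, record_len: int):
    """Pre-fix behaviour: the payload length in the header is trusted."""
    hbtype, payload_len = HEADER.unpack_from(mem.buf, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # BUG: copies payload_len bytes from the payload position regardless of
    # how long the record really was, so neighbouring memory is echoed back.
    payload = bytes(mem.buf[HEADER.size:HEADER.size + payload_len])
    return HEADER.pack(HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


def patched_heartbeat(mem: ProcessMemory, record_len: int):
    """Post-fix behaviour: the claimed length must fit inside the record that
    actually arrived; otherwise the message is silently discarded."""
    if record_len < HEADER.size + MIN_PADDING:
        return None
    hbtype, payload_len = HEADER.unpack_from(mem.buf, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if HEADER.size + payload_len + MIN_PADDING > record_len:
        return None
    payload = bytes(mem.buf[HEADER.size:HEADER.size + payload_len])
    return HEADER.pack(HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def response_payload(response) -> bytes:
    """Extract the echoed payload from a heartbeat response (empty if none)."""
    if response is None:
        return b""
    _, n = HEADER.unpack_from(response, 0)
    return response[HEADER.size:HEADER.size + n]


# Constructed secret that happens to sit in memory next to the network buffer.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----(constructed)"


def simulate(handler, payload: bytes, claimed_len=None) -> bytes:
    """Deliver one heartbeat to the given handler and return what it echoed."""
    mem = ProcessMemory(SECRET)
    true_len = mem.receive(build_heartbeat(payload, claimed_len))
    return response_payload(handler(mem, true_len))


if __name__ == "__main__":
    print("honest request, vulnerable server   :", simulate(vulnerable_heartbeat, b"ping"))
    print("honest request, patched server      :", simulate(patched_heartbeat, b"ping"))
    print("1-byte payload claiming 200, vulnerable:", simulate(vulnerable_heartbeat, b"A", 200))
    print("1-byte payload claiming 200, patched   :", simulate(patched_heartbeat, b"A", 200))
```

Both handlers echo an honest "ping" correctly, which is why the bug went unnoticed for so long; only the single-byte request that claims 200 bytes shows the difference, with the vulnerable handler returning the constructed private key that lay beyond the record and the patched one returning nothing.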

What about privacy concerns?

In a media release around the time of the bug, the OAIC made clear that the Privacy Act will not treat you as having ''disclosed'' personal information under APP 6 when a third party has "intentionally exploited [your] security measures and gains unauthorised access to the information." However, you may still be liable under APP 11, which requires an organisation to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Simply put, if you did not take reasonable steps to protect against cyber attacks (for Heartbleed, that means patching promptly and replacing the keys and passwords that may have been exposed), then you may be in breach of APP 11, and this could entail significant repercussions under the Privacy Act. Contact Certex for more information about these issues and how to comply with privacy laws. To see a breakdown of the Information Commissioner's analysis in a previous situation, read Telstra Breaches the Privacy of 15,000 Customers below. It was released before the new APPs came into force, but it still carries important information about how breaches can occur and what kind of actions are expected from you.

Telstra Breaches the Privacy of 15,000 Customers.

  • Have you undertaken a privacy risk assessment?
  • Does some of the personal data you collect include sensitive information?
  • Could some of the data have potentially serious adverse consequence if misused?
  • Do all your employees understand the privacy requirements and the significance of breaches?
  • Do you routinely test your security and control settings?
Privacy is important, and breaches will be taken seriously. The attitude that Telstra displayed towards managing privacy is not uncommon. Don't get it wrong. One day before the new privacy principles came into force across Australia, the Office of the Australian Information Commissioner dropped a bombshell: Telstra, for the second time in two years, had breached privacy laws, this time compromising the privacy of around 15,775 customers. Both the OAIC and the Australian Communications and Media Authority (ACMA) found that "between February 2012 and May 2013, the information of 15,775 Telstra customers from 2009 and earlier was accessible on the internet. This included the information of 1,257 active silent line customers."

What Did Telstra Breach?

Telstra, like all organisations that fall within the scope of the Privacy Act, has a responsibility to take reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure (National Privacy Principle 4.1). This requirement is mirrored in clause 4.6.3 of the Telecommunications Consumer Protections Code, which Telstra, as a telecommunications provider, is also bound to follow. Breach of that clause is discussed in relation to the ACMA later in this article.

How did Telstra Breach NPP 4.1 and Clause 4.6.3?

Telstra kept spreadsheet files that contained personal information about its customers. These files were hosted on a platform operated by a third party service provider working with Telstra. Telstra asked the provider to extend the access control on the files to include certain additional authorised parties. In doing so, the provider inadvertently removed access control altogether, which made the files publicly available online. When Google later indexed them, they became discoverable through a simple Google search. The full names, addresses and phone numbers of over 15,000 customers were exposed, and Telstra identified at least 116 downloads of the information. Telstra quickly and competently addressed the situation. But this is not the first time the company has compromised private information: in December 2011, on the same hosting platform, the personal information of a staggering 734,000 customers was leaked online.

Assessment of Telstra's Adherence to NPP 4.1

NPP 4.1 (now APP 11) required Telstra to take reasonable steps to protect its customers' personal information from misuse, loss, unauthorised access, modification or disclosure. This meant that the Commissioner had to consider what safeguards Telstra had in place before the data breach and what steps Telstra should have taken to mitigate the damage, given the kind of information Telstra was handling, the environment it was operating in, its security processes, industry practice, and more. Telstra believed that the data breach was of "low risk from a privacy perspective" as it divulged only names, phone numbers and addresses. The Commissioner disagreed, particularly because of the 1,257 customers with private numbers and silent lines. Does some of the personal data you collect include sensitive information, or could it have potentially serious adverse consequences if misused? Are you protecting and securing the data accordingly? In addition, Telstra should have been aware of the high risk of a privacy breach after the first data breach in 2011. At that time Telstra thoroughly deconstructed and rebuilt its privacy procedures and processes. The Commissioner felt that, as a result, Telstra should have taken more steps to protect personal information. Have you reviewed the risk of a privacy breach in your business? Furthermore, processes that Telstra had already implemented were simply not followed by all parties. This was a "key contributing factor" to the breach. Do all your employees understand the significance of privacy breaches, and are they fully aware of their obligations under the Act? Telstra believed that once a process (such as an access control) is implemented securely, "there is no need to undertake on-going testing". The Commissioner, however, reinforced that there is no 'set and forget' solution to privacy and security in a digital environment.

The digital world is constantly changing, evolving and updating. Simply because a process is secure at one point in time does not mean that it is secure indefinitely. Do you routinely test your security and control settings? Telstra told the OAIC that it had, in essence, complied with industry practice for testing software as a service. But the Commissioner firmly stated that "adherence to industry practice is not, in and of itself, an alternative to an entity meeting its regulatory and legal obligations. If an entity engages in what it considers to be industry practice, and that practice falls short of the requirements of the Privacy Act, the Commissioner may consider that entity non-compliant." Luckily for Telstra, the OAIC's investigation concluded before the new APPs came into force. This means that Telstra narrowly avoided the penalties it could have incurred at the Privacy Commissioner's discretion: anything from a legally enforceable undertaking to, in cases of serious or repeated breaches, monetary penalties of up to $1.7 million. However, the ACMA found that Telstra had contravened its earlier Direction to Comply with clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), and issued an infringement notice of $10,200. This shows that there can be consequences beyond the Privacy Act for breaches of privacy or for failing to have proper systems and security measures in place. Although Telstra did not have to pay a monetary penalty to the OAIC on this occasion, the investigation reports by both the ACMA and the OAIC are publicly listed on their websites for anyone to see, and a media release has been issued in relation to the incident. Privacy Commissioner Timothy Pilgrim advised that "This incident [was] a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information."

In 2012-13 the OAIC received 10,576 privacy enquiries and 1,496 complaints. This financial year has already seen a 30% increase in complaints. Privacy is important. Privacy will be taken seriously. Don't get it wrong.
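The failure pattern above (a change meant to add authorised parties that instead removed access control, discovered only once a search engine had indexed the files) is exactly what a routine, automated check of "security and control settings" exists to catch. The following is an added example, not code from the newsletter, from Telstra or from its hosting provider: it audits a hosted file's access control list against the principals the business has authorised, and gates a requested change so that the only permitted difference is the addition that was asked for. The share name, principal names, permission names and the list of "public" principals are all constructed for the example and would need to be mapped onto your own provider's ACL vocabulary.

```python
"""Constructed example: a scheduled check that a hosted file's access
control list (ACL) still matches what the business authorised.  The share,
principals and permissions are made up; they model the pattern described in
the article, not any real provider's configuration."""

from dataclasses import dataclass, field

# Principals that mean "anyone on the internet" (assumed names; map these to
# your hosting platform's own vocabulary).
PUBLIC_PRINCIPALS = {"anyone", "anonymous", "public", "AllUsers"}


@dataclass
class Share:
    """A hosted file and its ACL: principal -> set of permissions.
    An empty ACL is treated as 'no access control', i.e. readable by anyone,
    because that is the failure mode the article describes."""
    name: str
    acl: dict = field(default_factory=dict)

    def is_publicly_readable(self) -> bool:
        if not self.acl:
            return True
        return any(p in PUBLIC_PRINCIPALS and "read" in perms
                   for p, perms in self.acl.items())


def audit_share(share: Share, authorised: dict) -> list:
    """Compare the ACL in effect with the authorised principals and their
    maximum permissions.  Returns human-readable findings; an empty list
    means the share is as intended."""
    findings = []
    if share.is_publicly_readable():
        findings.append(f"{share.name}: readable by anyone on the internet")
    for principal, perms in share.acl.items():
        if principal in PUBLIC_PRINCIPALS:
            continue  # already reported above
        if principal not in authorised:
            findings.append(f"{share.name}: unexpected principal {principal!r} has {sorted(perms)}")
        elif perms - authorised[principal]:
            findings.append(f"{share.name}: {principal!r} exceeds authorisation: "
                            f"{sorted(perms - authorised[principal])}")
    for principal in authorised:
        if principal not in share.acl:
            findings.append(f"{share.name}: authorised principal {principal!r} lost access")
    return findings


def verify_change(before: Share, after: Share, additions: dict, authorised: dict) -> list:
    """Gate a requested ACL change: the only permitted difference between
    'before' and 'after' is the requested additions, and the result must
    still pass audit_share()."""
    expected = {p: set(v) for p, v in before.acl.items()}
    for principal, perms in additions.items():
        expected.setdefault(principal, set()).update(perms)
    findings = []
    if {p: set(v) for p, v in after.acl.items()} != expected:
        findings.append(f"{after.name}: resulting ACL differs from the requested change")
    findings.extend(audit_share(after, authorised))
    return findings


# Constructed scenario: a customer spreadsheet two internal teams may read,
# and a request to add one external partner with read access.
AUTHORISED = {"billing-team": {"read"}, "support-team": {"read"}, "partner-a": {"read"}}
BEFORE = Share("customer-records.xlsx",
               {"billing-team": {"read"}, "support-team": {"read"}})
REQUESTED = {"partner-a": {"read"}}

# What the provider should have produced ...
CORRECT_AFTER = Share("customer-records.xlsx",
                      {"billing-team": {"read"}, "support-team": {"read"},
                       "partner-a": {"read"}})
# ... and the failure the article describes: access control removed altogether.
BROKEN_AFTER = Share("customer-records.xlsx", {})


def run_checks() -> dict:
    """Run both scenarios; the result is what a scheduled job would alert on."""
    return {
        "correct": verify_change(BEFORE, CORRECT_AFTER, REQUESTED, AUTHORISED),
        "broken": verify_change(BEFORE, BROKEN_AFTER, REQUESTED, AUTHORISED),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(label, "->", findings or "OK")
```

Run on a schedule (not just once, at go-live) against the ACL the provider actually reports, the check turns "no set and forget" into something concrete: the correct change produces no findings, while the broken one is flagged three ways (public readability, an ACL that differs from what was requested, and every authorised principal having lost access) long before a search engine finds the files.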

“The Process Approach”- What Does This Mean For You?

You may have already heard that changes are being made to the ISO 9001 Quality Management Standard, and that these changes will come into force sometime in 2015. With these changes come the 'buzz' words "process based management" and "process based auditing". What do they mean? What will we need to do? How will it help us? Let Certex decode it for you.

What is a process approach?


Exactly what it sounds like: a sequence of activities that produces a result. A process can be delivering a service or building a product, preparing an invoice, training staff, or ordering and receiving supplies. A process usually includes an input, an activity and an output.

Example 1: Process for recruiting staff. Inputs: a role to be filled, as defined by a position description, and potential candidates for the role. Activity: review and assess candidate suitability for the role. Output: a suitable candidate selected for the role.

Example 2: Process for building a fence. Inputs: fencing materials, fence building equipment, plans. Activity: build the fence. Output: a suitable fence built in the right place.

A process can be an operational activity, as in these examples, a management process such as dealing with and resolving a complaint, or a supporting process such as training the fencer and the recruiter to carry out the activity properly. A process approach focuses on the processes within your business. Often we employ this without even realising it: processes are just what businesses do. That is, your business can often be described by the processes that you undertake. Consider, for example, what you teach someone when they are starting a new job or taking on a new responsibility in your business. You are teaching them the process that they will be following.

Quality and the Process Approach- Why the ISO9001 Was Created

The process approach is fundamental to quality management. Quality management seeks to build quality into each of your business processes by focusing on accuracy, consistency and reliability. Common quality objectives include minimising or eliminating wastage, reducing errors and rework, and enhancing customer satisfaction and retention. Over time, it became clear that certain practices were common features of good quality processes. These included:

  1. Defining the processes so that they can be delivered accurately, consistently and reliably.
  2. Having the right equipment in good working order.
  3. Having suitably competent staff.
  4. Being proactive and methodical about the way problems are analysed, so that improvements can be implemented more effectively than in a business that makes changes in an ad-hoc or random manner.

Auditors were asked to provide an independent assessment of these and other indicators of the level of quality in processes, so that businesses could confirm to their customers that their products and services were built using good quality processes. The ISO 9001 Quality Management Systems standard was designed as a way of assessing the level of quality built into processes. It is a set of quality principles that auditors can refer to so that their assessments are consistent and fair.

Rationale for the Upcoming Changes

Over the years, the intent behind the 9001 standard became misunderstood: it became the set of clauses that businesses used to describe their quality management system and businesses developed their Quality Manual based on the clauses in the 9001 standard. They'd often even apply the same clause numbering of the standard. Sure, this made life easier for the auditor, but a business could not be run according to these clauses because they were not the processes of a business. This is perhaps where we started to see the classic situation where the Quality Manual would be brought out when the auditor arrived, then put away again in the bottom drawer to gather dust until the next visit. Worse still, a Quality Manual that has been based on the clauses of the 9001 standard has the potential to distract a business from understanding its real processes. It may not see the need to define and manage its real-life operational processes because it may believe the Quality Manual already does so.

9001:2015 and the (new) Process Approach

This problem was recognised, but despite addressing it in recent versions of the 9001 standard, the situation was not being fully understood by businesses or auditors. The current version of the 9001 standard- 9001:2008- describes a process-based quality management system approach as one which links the various processes in a business and which delivers products and services that meet the needs of customers. It refers to the Plan-Do-Check-Act methodology which continually supports improving process performance. Despite this focus on business processes, the confusion over the clause-based approach and the process-approach to a Quality Manual has continued. Next year, a new version of the 9001 Quality Management System standard will be released. Although we don't yet know all of the details, we do know that this new standard will reinforce the process based approach to quality management. We expect it will also confirm the standard cannot be taken to be a model for documentation of a business's processes. We understand that the structure of the standard will be quite different, and is likely to emphasise the activities of the business instead of the criteria for a quality audit. At this stage, these sections include:

  1. Leadership, Planning - policy, management commitment, objectives and planning.
  2. Support - resources, competencies and documentation.
  3. Operation - producing goods and services, customer interaction, managing non-conformances.
  4. Performance, Improvement - monitoring, internal audits, corrective action and improvements.

What does this mean for you?

If your Quality Manual and supporting documentation are not already process-based, then you're probably going to have a bit of work to do. If your management, operational and support processes are not already well defined, then you'll likely need to fix this. You may need to identify and then define your processes and ensure they are aligned and consistent. This exercise may also include documenting the new approach and ensuring your staff understand it. The upside is that you should then have a quality management system which truly sets out what you do, how you should do it, and checks that you do it the right way. The process based approach brings even bigger changes for external auditors. If we have ever fallen into the bad habit of matching the clauses in your Quality Manual against the standard, then the new changes will put a stop to that straight away. We will need to understand businesses and their processes; we will need to assess how well a company's processes are designed and aligned, how well they are planned and controlled, and how well the outputs meet customer requirements. If both of us - you, the business, and we, the auditors - have already been working to a process management and process audit approach, then the changes will not be so significant. There will be a three year transition period during which businesses can shift their quality management system from the 9001:2008 to the 9001:2015 requirements. Between now and then there will be much public discussion and many seminars and training courses offered. As your accredited certification body, Certex will keep you fully informed of the new requirements as they are made public. We are also planning a series of training sessions and webinars designed for businesses and for consultants and auditors. If you would like to register your interest for these, please click here. There is no obligation, but we will be sure to advise you of the sessions.

The New ISO 9001:2015 QMS Standard


A revised version of ISO 9001 is set to be released in September 2015. With the changes coming into force only a little over a year from now, Certex has detailed, decoded and described all relevant information currently available. This article aims to pool together all that information into one handy overview for our clients.

What's happening?

Every five years, the ISO Committee revisits its standards and reviews their performance against relevance, popularity, issues and complaints, and so on. Further, every seven years, these standards are revised and updated. The last update for Quality Management occurred in 2008 and the changes were, on the whole, relatively minor. In fact, if your company has robust systems in place, the impact of the 2015 changes should also be quite small. At its last review, the ISO Committee recognised that, though ISO 9001 is currently performing well, it needed to respond more strongly to the technological advances that have occurred since the last major change to the standard in the late 1990s. For example, many offices are now paperless, and ISO 9001 needs to reflect the use of new technologies for document storage. The current ISO 9001 standard has limited relevance to companies which use cloud-based and enterprise systems. There's more. Increasingly, companies are taking on all three standards: quality, safety and environmental management. That is, they run multiple management systems. Though these standards have very similar requirements, they are phrased and structured differently, and this makes it more onerous for companies planning to become certified. It's now recognised that ISO 9001 needs to be updated to keep it relevant to the environments, technological and otherwise, that companies operate within, and to enable harmonisation with other management system standards.

Overall, what do the changes do?

1. Align management systems. Nigel Croft, Chair of the ISO subcommittee responsible for ISO 9001, dislikes the phrase "integrated management systems" [1]. He believes that, essentially, an organisation has a single management system which explains how it runs its business, and that this management system may then need to meet criteria and expectations across different areas such as quality, environmental management, and occupational health and safety. Aligning 9001 with other standards like ISO 14001 achieves this and reduces the workload for both clients and certification bodies when auditing against multiple management systems.

2. Increase emphasis on the "process approach". We explored this concept in our last newsletter. Very briefly, companies began to use the 9001 standard to describe their quality management systems, and to develop their Quality Manual based on the clauses of the 9001 standard. This was problematic because it meant that the Quality Manual was used only to describe a business rather than to direct its actions. ISO 9001:2015 will reinforce the process-based approach to quality management by structuring the standard to emphasise the activities of a business instead of the criteria for a quality audit.

3. Incorporate "risk-based thinking". Risk-based thinking has always implicitly governed how we run our businesses. We invariably stop to consider: how will this process affect the outcomes I want to achieve? In this sense, risk-based thinking is also clearly part of the process approach, because we generally weigh a business activity against its consequences before proceeding with it. So what does 9001:2015 aim to do? Quite simply, it explicitly brings risk-based thinking to the forefront. It makes preventive action part of the routine, which in turn reminds us to identify both the risks and the new opportunities in a process. Businesses thereby gain a significantly better understanding of both their processes and the management of those processes. The changes recognise that the amount of rigour applied to risk management will differ depending on the nature of the organisation. Thus, the standard specifically caters for the context of an organisation, including who is running the company, where they are running it and how big it is. More importantly, it considers the impact of an organisation on the communities in which it operates or has a significant influence. This involves considerations such as sustainability, business continuity, and environmental and social impact.

What will you need to do?

You will not need to take any action immediately. When you have your next audit with Certex we will point out any areas that may not be consistent with the updated standard. You will then have until 2017 to implement the necessary changes. Further, many businesses will not need to make many changes; some will see no change. At Certex we have always strongly believed that your quality management system should be about your business first and foremost. It should describe what you do and how you do it. It should focus on the most important areas in your business. It should help your business be transparent, controlled and consistent. If your quality management system does this for you then you are already in a good situation. Certex will be running a series of one day workshops to help explain these changes, starting at the end of July. Please let us know if you would like more information by emailing or phoning + 61 3 9585 8241.