The ACNC’s recent review of safeguarding risk management in the NFP sector is an important reminder to board and committee members to re-examine current practices and procedures.
Providing support and services to vulnerable people is the core purpose of many charities and other not-for-profits (NFPs). Operating in this space triggers a set of legal and ethical duties that are often described as “safeguarding” obligations.
The Australian Charities and Not-for-profits Commission (ACNC) defines safeguarding as “protecting the welfare and human rights of people that are connected with your charity or its work — particularly people that may be at risk of abuse, neglect or exploitation”. It describes safeguarding as “part of a charity’s primary duty of care”.
The ACNC recently completed a compliance review into the sector’s management of safeguarding risk.
While the review found that the charity sector “acknowledges the importance of safeguarding and understands the risks of poor safeguarding”, it was “not always documented in formal policies and procedures. This resulted in inconsistency in addressing safeguarding risks”.
Significantly, it also found that “most charities were aware of their various legal obligations in relation to safeguarding. However, these obligations were rarely collected in a single place”.
Legislation governing human services, including the new Aged Care Act 2024 (Cth) that commences on 1 July 2025, is increasingly exacting. This is an important and welcome legacy of three major Royal Commissions that have been held during the past decade.
These Royal Commissions highlighted the tragic consequences of safeguarding failures addressing violence, abuse, neglect and exploitation of people with disability (2019–22), aged care quality and safety (2018–21) and institutional responses to child sexual abuse (2013–17).
Some of those legal obligations are specific to particular settings, such as the National Disability Insurance Scheme (NDIS) or aged care.
Others, including work health and safety (WHS) legislation, apply more generally. A provider’s not-for-profit status will not protect it from significant liability if those legal obligations are not met.
Significant civil penalties
Three recent NFP cases show how serious the consequences can be. The three cases involved NFPs that were registered NDIS providers. All three cases arose from the death of clients while in the registered provider’s care. In each case, the NDIS Quality and Safeguards Commission brought civil penalty proceedings based on contraventions of sections 73J and 73V of the National Disability Insurance Scheme Act 2013 (Cth). Section 73J applies to registered providers and is contravened if the provider breaches a condition of its registration, including the condition requiring compliance with the Practice Standards.
The Practice Standards include identifying and managing risks to participants. There must be identifiable, accurately recorded, current and confidential information concerning each participant. Each participant’s needs must be met by workers who are competent in their role, who hold the relevant qualifications and have the relevant expertise and experience to provide person-centred supports. Section 73V applies more broadly to providers and other people they employ or engage. It is contravened by a failure to comply with the NDIS Code of Conduct, including the obligation to provide supports and services in a safe and competent manner with care and skill.
The first case, Australian Foundation for Disability [2023] FCA 629, was settled in June 2023 with the provider agreeing to pay a civil penalty of $400,000. The second, LiveBetter Services Ltd [2024] FCA 374, was settled in April 2024 with the provider agreeing to a $1.8m civil penalty. And in January 2025, Valmar Support Services Ltd [2025] FCA 11 was settled on the basis of an agreed civil penalty of $1.9m.
In approving the Valmar settlement, Justice Elizabeth Raper said, “reluctantly it is my view the agreed penalty is within the range of what could be considered an appropriate penalty, but is at the very lowest possible end of the range”.
Justice Raper’s comments reflected her concern about the provider’s complete failure to ensure any staff were trained on the choking risk that resulted in the client’s death, despite that risk being central to the client’s care. She found no explanation was possible for the provider’s failure to train its employees as to how to feed clients with known risks of choking.
Board and committee members’ responsibilities
The ACNC’s 2024 safeguarding risk review examined the role of the NFP’s “responsible people” (defined to include members of the governing body) in managing the risk. The ACNC emphasised that board or committee members — not the CEO or paid staff — are ultimately responsible for protecting people, including vulnerable people, connected with the NFP’s work. This includes responsible people taking steps to ensure the NFP has appropriate formal policies and procedures to protect against the risk of harms.
For individual board and committee members, some key legal principles apply. Directors and committee members owe a duty of care to the NFP and under the ACNC Governance Standard. This includes taking appropriate steps to address the NFP’s exposure to consequences of a safeguarding failure. ASIC, as the corporate regulator, cannot bring penalty proceedings against NFP directors for negligence, but the duty still applies.
Board and committee members also have an affirmative duty to exercise due diligence to ensure the NFP complies with its obligations under WHS laws. These laws protect clients and others affected by the work performed, not just employees. Again, while a volunteer director or member cannot be prosecuted for a contravention, the statutory due diligence obligation still applies.
The new aged care legislation, commencing in July, includes a due diligence obligation on board or committee members to ensure the provider complies with its statutory obligations relating to the health and safety of clients. A due diligence failure in aged care, including by a volunteer board or committee member, can be the subject of enforcement proceedings by the regulator, leading to personal liability to civil penalties for the contravention.
An individual can also be liable if they are “involved in a contravention” by an NFP of a civil penalty provision like section 73J of the NDIS Act. While involvement liability is rare for non-executive directors or committee members, it can arise if a person has the required knowledge of the essential elements of the NFP’s contravention and contributed to it.
It is completely unacceptable that a vulnerable person should be hurt or killed by an NFP’s failure to manage its safeguarding risks properly. The ACNC’s 2024 review found that the sector’s responsible people — including its volunteer board and committee members — clearly recognise this. But good intentions are not enough. Boards and committees should take the time now to ensure that processes and procedures are adequate and that evolving legal obligations are clearly understood.
Dr Pamela Hanrahan MAICD is an Emerita Professor of the University of NSW and a consultant at Johnson Winter Slattery.
This article first appeared under the headline ‘Shifting Sands’ in the March 2025 issue of Company Director magazine.
Latest news
Already a member?
Login to view this content