EthosOne
Insights
By Dave Yeates

Sector Signal: 1 July moved the burden of proof

Every fortnight we scan the regulatory, legal and risk landscape for Australian and New Zealand independent schools and pull out the patterns that matter at board level. This issue covers 28 June to 12 July 2026, and one date dominates it.

On 1 July, a cluster of statutory commencements landed that all point the same way: the school no longer gets credit for having the policy. It gets credit for being able to prove the control.

Pattern one: Queensland's Reportable Conduct Scheme is live

The Reportable Conduct Scheme under the Child Safe Organisations Act 2024 commenced on 1 July 2026 for all reporting entities, including non-state schools and boarding facilities. The scheme was brought forward from the original timetable that had schools starting 1 January 2027, and some commentary still carries the old date. The QFCC implementation timetable is the authoritative source: for schools, this is live now.

The duties are specific and personal. The head of entity, in practice the principal, must ensure systems exist to prevent reportable conduct, must notify the QFCC within three business days of becoming aware of a reportable allegation, must investigate, and must close out findings. Penalties attach to notification failures, and the duties apply to conduct by current and former workers, inside and outside work.

For boards, the questions are sharp. Who is the head of entity? How does the board keep line of sight over allegations without compromising investigations? And where is the evidence that the system existed before the first allegation arrives? This lands on top of the Child Safe Standards, in force for Queensland schools since January, completing the two-limb regime the Royal Commission recommended.

Pattern two: the new financial year rewrote the employer risk register

New South Wales set the tone. Section 26A of the WHS Act 2011 (NSW) commenced 1 July, turning every approved code of practice, including Managing Psychosocial Hazards at Work, into a legal compliance benchmark: follow the code, or demonstrate your alternative achieves an equal or higher standard. On the same day, SafeWork NSW published its 2026-27 Regulatory Statement naming psychosocial risk one of four enforcement priorities.

But the codes were only one line in a much larger 1 July load. Three more changes switched on the same day, and every one of them lands on a school's payroll and people systems.

Workers compensation reform. New psychological injury claims in NSW are now compensable only for defined "relevant events" with a real and direct connection to employment. Claims arising from interpersonal conflict or general work stress are excluded, impairment thresholds rise, and weekly payments for most primary psychological claims are capped. The strategic consequence for schools is bigger than the claims maths: with compensation narrowed, the school's prevention framework becomes the primary control, and the likely venue for disputes. Staff shut out of workers compensation are more likely to arrive as WHS complaints, psychosocial claims, or both. Prevention is no longer the soft option. It is the load-bearing wall.

Payday Super. From 1 July, superannuation is payable every payday, with contributions required to reach funds within days of each pay run. Penalties no longer accrue quarterly, they accrue pay run by pay run. For a school running fortnightly pays with a seasonal tail of term-time casuals, relief staff and ELC or OSHC employees, that is roughly 26 compliance events a year where there used to be four. The board-level question for the finance committee is simple: has anyone confirmed the July pay runs cleared correctly, and who is watching the ones after that?

Award wages and wage theft. The 4.75 per cent award increase took effect from the first full pay period after 1 July. Schools are award-heavy employers in exactly the places boards look at least: support staff, ELC, OSHC, casual supervision. Underpayment is now criminal wage-theft exposure, so a payroll configuration error is no longer an embarrassing back-pay exercise. It is a governance event with personal consequences.

Taken together, these three changes share one shape: obligations that used to be periodic and forgiving are now continuous and evidenced. A school cannot policy its way through any of them. It has to be able to show, pay run by pay run, that the control operated.

New Zealand moved in parallel: the Health and Safety at Work Amendment Bill passed its final reading on 1 July, introducing deemed compliance for organisations that follow Approved Codes of Practice from April 2027. The inverse framing of NSW, and the same practical message: map your controls to the code.

Pattern three: the cyber assurance gap, quantified

Aon's Independent Schools Risk Report 2026, released 29 June from a survey of 306 independent schools, ranks cyber as the sector's number one risk. One in four schools experienced a cyber incident, up from one in five in 2024. The governance finding is the one that should stop a board meeting: directors reported average assurance on cyber of 61.9 per cent against average capability of 37.1 per cent. Boards are more confident than they are capable, by the widest margin of any risk measured.

The fortnight supplied the illustration. Media reported that ransomware actors published what they claim is more than 600GB of data from a South Australian school on the dark web, weeks after the school's systems went offline in June. And on 9 July the Australian Cyber Security Centre issued a critical alert on large-scale exploitation of website content management systems, the software most school websites run on, often vendor-managed and outside the IT patch cycle.

Pattern four: AI governance is leaving the staffroom and entering the boardroom

For two years, AI in schools has mostly been a teaching and learning conversation: assessment integrity, lesson planning, classroom policy. This fortnight confirmed the conversation has changed rooms.

On 29 June the Australian Institute of Company Directors released version 2 of A Director's Guide to AI Governance, updated board-level guidance on AI oversight, risk appetite and controls. When the AICD refreshes a director tool, it is signalling where it expects director duties to be tested next. And in the same window, Aon's sector survey flagged AI as an emerging risk for independent schools for the first time, alongside board capability, with directors reporting low confidence in their ability to oversee it. The same assurance-to-capability gap that exists on cyber is forming on AI, earlier in the curve.

The exposure for schools is concrete, not hypothetical. AI is already inside admissions, wellbeing notes, learning analytics, marketing and the edtech stack, which means it is already handling student data. The Australian Framework for Generative AI in Schools sets national expectations and is on an annual review cycle. And the OAIC's Children's Online Privacy Code, due for registration on 10 December 2026, will put the privacy posture of every student-facing app, AI features included, inside procurement due diligence.

The pattern from the rest of this issue applies here with unusual force, because AI is the one risk where the board can get ahead of the evidence test rather than catch up to it. A school does not need an AI strategy document. It needs AI on the risk register with a named owner, an inventory of where AI is actually in use across the school, and a procurement gate for anything new that touches student data. That is a term's work, not a transformation program, and it converts next year's uncomfortable question into this year's one-page board paper.

The watchlist: what did not make the headlines, but belongs in the board pack

The four patterns above are the spine of the fortnight. But a scan that only reports the loudest signals misses the ones that will be loud next term. Five more developments deserve more than a passing mention.

New Zealand quietly restructured the system around its boards. The Education and Training (System Reform) Amendment Act commenced on 6 July, shifting responsibility for setting and maintaining teaching standards from the Teaching Council to the Secretary for Education, adjusting curriculum and attendance regulation, and deferring school boards' next long-term strategic plans to 2027, with annual plans and reports still required this year. Later stages move some Ministry regulatory functions to ERO and stand up a new School Property Agency. For an NZ board this is not background noise: the planning cycle it was working to has changed mid-year, and the governance calendar, strategic-plan timeline and workforce assumptions built on the old settings need to be re-dated now, not at the next review.

Victoria's new registration rulebook lands within days. The VRQA's final updated Guidelines to the Minimum Standards for school registration are expected from Term 3 2026, which begins the day after this issue closes, applying from 1 January 2027. The drafts flag three changes with real governance weight: an express prohibition on cross-subsidisation between schools operating under one proprietor, a shift in financial forecasting metrics, and a formal registration pathway for online and hybrid campuses with mandatory online supervision policies. Multi-school entities in Victoria should treat this as a live agenda item: five-year forecasts built on the old assumptions may need to be re-cut before the January application of the new guidelines, and that work will not compress well into December.

NSW just collected a board-level attestation from every non-government school. The 30 June deadline for 2025 annual reports to NESA fell inside this window. It reads as administrative, but it is not: the annual report is a public, board-owned attestation that feeds directly into NESA's risk-based registration model, where the depth of a school's next renewal, principal certification or full inspection, is shaped by the risk picture the school itself presents. A late, thin or internally inconsistent report is not a paperwork problem. It is an input into how hard the regulator looks at you next time.

Privacy enforcement just previewed the sector's next uncomfortable audit. The Privacy Commissioner's twin determinations against Medmate and Monash IVF, which drew a wave of law-firm analysis inside the window, found both organisations breached the Privacy Act by collecting sensitive information through third-party tracking pixels without consent and using it for marketing. The read-across to schools is direct and unflattering: school websites routinely run Meta and Google pixels on enrolment, wellbeing and chaplaincy pages, exactly the pages that can reveal sensitive information about children. With the Children's Online Privacy Code arriving in December, a pixel audit of the school's marketing stack is one of the cheapest pieces of risk work available this term, and one of the most likely to surprise the people who commission it.

Online safety enforcement is escalating, and it will land in your wellbeing data. At the window's edge the Government announced it will double maximum penalties to $99 million under the under-16 social media law and hand eSafety stronger powers to compel platforms, and third parties like age-assurance and app-store providers, to produce evidence of compliance. Six months into the regime, with investigations into five platforms running and the perimeter expanding into gaming platforms, each enforcement wave produces the same downstream effect: student account churn, workaround behaviour, and displacement onto whatever platform the regulator has not reached yet. That lands in school wellbeing and behaviour data, not in Canberra. Boards should expect their digital citizenship and parent-communication settings to need another pass this year.

And one for the capital planners: South Australia announced almost $13 million in capital grants to non-government schools on 11 July, including $6.38 million to independents. For recipients, the grant brings acquittal, procurement and project-governance obligations that belong on the register from day one. For everyone else, the program's cadence is the planning signal.

Six questions worth taking to your next board meeting

  1. If a reportable allegation arrived tomorrow, could the school show the regulator, or its own board, that the prevention system existed before the allegation did?
  2. Could the board map its psychosocial controls line by line against the code of practice, or would it be starting from the policy folder?
  3. Has anyone confirmed the July pay runs cleared Payday Super and the new award rates correctly, and who owns that check for every pay run from here?
  4. With psychological injury compensation narrowed, is the school's prevention framework strong enough to carry the weight that just shifted onto it?
  5. The sector's own data says director assurance on cyber runs 25 points ahead of capability. Where would your board's line sit if the evidence were on the table?
  6. Does anyone in the room know, today, everywhere AI is in use across the school, which of those uses touch student data, and what the tracking pixels on the school website are collecting?

The schools that will be calm through the rest of 2026 are not the ones with the most policies. They are the ones who can open the register and show the work.

Sector Signal is EthosOne's fortnightly read of the governance, risk and compliance landscape for independent school boards. Primary sources only.

Discover more about EthosOne

Continue exploring governance insight, product context, or speak with our team.

Board-ready in 30 days

EthosOne supports everyone who plays a role in school governance:

What you can expect

Governance Clarity

Boards get consistent, ready-to-present insights.

Assurance Confidence

No blind spots, everything tracked under ownership.

Compliance Control

State-aligned obligations managed and visible.

Risk Transparency

ISO-aligned risk management with accountability.

Get your Exposure Score

Walk into the next board meeting already sure.

Book a demo for your school

When the assessor calls, the evidence is already there.