The National Higher Education Code on gender-based violence: what Australian universities must do by 2026

Australian higher education has had a decade of reviews, surveys, and voluntary commitments on sexual violence and harassment. From 1 January 2026, it has a law. The National Higher Education Code to Prevent and Respond to Gender-based Violence 2025 (F2025L01251) is a legislative instrument made under section 15 of the Universities Accord (National Higher Education Code to Prevent and Respond to Gender-based Violence) Act 2025 (Cth) (No. 34, 2025). It sets seven enforceable standards that every Table A and Table B provider must meet, gives the Secretary of the Department of Education regulator powers, and exposes providers that fail to comply to a civil penalty of up to 200 penalty units per contravention under section 20 of the Act, which at the current penalty unit value of A$330 works out to A$66,000 per contravention. All other TEQSA-registered higher education providers join the regime on 1 January 2027.

If you work in governance, student safety, HR, legal, risk, or residential life at an Australian university, the Code changes how you have to operate. This article walks through what it requires, how it interacts with the National Student Ombudsman, and what the practical compliance steps look like. It is written as a guide for employers rather than as legal advice, and some specifics are flagged for your legal team to verify before you rely on them.

Why this Code exists

The background is hard to ignore. The 2021 National Student Safety Survey, run by Universities Australia and the Social Research Centre with 43,819 respondents from 38 universities, found that 4.5% of Australian university students had been sexually assaulted in a university context since they started their studies (around 1 in 20), and 16.1% had been sexually harassed in a university context since they started (around 1 in 6). Women, trans and non-binary students, students with disability, and students of diverse sexual orientation were disproportionately affected. The 2023 National Tertiary Education Union survey of tertiary-sector workers found that 29% of respondents had personally experienced sexual harassment at work, up from 19% in a comparable 2018 survey, with 38% of women reporting a personal experience. A 2024 review by the Australian Human Rights Institute at UNSW found that university responses to disclosures remained inconsistent, under-resourced, and often retraumatising for the people who reported.

The reporting gap is part of the picture. The 2021 Survey found that only 3.0% of students who had been sexually harassed and 5.6% of those who had been sexually assaulted in a university context made a formal report to their provider. Around one in two students who responded said they knew little or nothing about their university's reporting or complaint processes. A system that depends on a formal complaint, inside a structure most users find inaccessible or unsafe, leaves most harm unaddressed. The Code is designed to close that gap on both ends: raise the quality of response so people are more willing to use it, and require the provider to act on prevention and disclosure signals before a formal report ever arrives.

The 2024 Australian Universities Accord final report recommended a binding national code. In February 2025 the Minister for Education introduced the Universities Accord (National Higher Education Code to Prevent and Respond to Gender-based Violence) Bill. It passed Parliament in August 2025 and received Royal Assent the same month. On 17 October 2025, the Code itself was registered as a legislative instrument. For the first time in Australian higher education, prevention and response to gender-based violence carries the force of Commonwealth law, backed by civil penalties and funding conditions, rather than sitting with sector covenants and voluntary commitments.

Two other reforms matter because they sit alongside the Code:

• The National Student Ombudsman, which opened on 1 February 2025 with powers modelled on a Royal Commission. It takes student complaints about registered higher education providers, including complaints about a provider's handling of sexual violence, and can require documents and compel answers. In its first six months of operation the Ombudsman received around 2,200 contacts and opened roughly 1,800 formal complaints, with gender-based violence making up about 5% of complaint volume.
• The Respect at Work reforms to the Sex Discrimination Act 1984 (Cth), which imposed a positive duty on all employers (including universities as employers of staff) to take reasonable and proportionate measures to eliminate sex discrimination, sexual harassment, and sex-based harassment. The Australian Human Rights Commission has had enforcement powers in this area since December 2023.

A university dealing with a single incident of sexual assault on campus today is operating inside three overlapping regulatory frameworks at once: the National Code (as a higher education provider), the Sex Discrimination Act positive duty (as an employer), and potentially the Respect at Work framework and the Fair Work Act (for staff-on-staff or staff-on-student conduct). The National Code is the newest of the three, and the one most specifically designed for the higher education context.

Who the Code applies to

The Code applies to "registered higher education providers" under the Tertiary Education Quality and Standards Agency Act 2011 (Cth), phased in over two commencement dates:

• 1 January 2026 for Table A and Table B providers under the Higher Education Support Act 2003 (Cth). Table A is Australia's public universities (the 37 publicly funded universities) and Table B is a small group of private universities such as Bond and Torrens. Together these providers educate the vast majority of Australian and international students in the sector.
• 1 January 2027 for all other TEQSA-registered higher education providers. This includes independent private higher education providers, industry-based higher education providers, and overseas universities with Australian campuses that are not on Table A or Table B.

The Code applies to the provider's whole community. That means domestic and international students, staff (academic, professional, casual, and contractors where the provider exercises control), higher degree research candidates, visitors to campus, and the provider's online and distance learners. It also explicitly reaches into student accommodation, whether the accommodation is owned by the provider, leased by the provider, run by an affiliated college, or privately operated but marketed on the provider's website as recommended student housing.

What "gender-based violence" means under the Code

The Code defines "Gender-based Violence" in its Definitions section as:

"Any form of physical or non-physical violence, harassment, abuse or threats, based on gender, that results in, or is likely to result in, harm, coercion, control, fear or deprivation of liberty or autonomy."

The definition is deliberately broad and aligns with the National Plan to End Violence Against Women and Children 2022 to 2032. The Department of Education's public guidance indicates that gender-based violence under the Code includes:

• Sexual assault and sexual harassment
• Domestic and family violence, including intimate partner violence
• Stalking, including cyber stalking
• Image-based abuse, including non-consensual sharing of intimate images
• Coercive control
• Sex-based harassment that falls short of the threshold for sexual harassment under the Sex Discrimination Act
• Harassment directed at people because of their gender identity or sexual orientation
• Technology-facilitated abuse
• Forced marriage and other forms of modern slavery with a gendered dimension

The definition is wider than the Sex Discrimination Act test for sexual harassment. Providers should design their prevention and response systems against the Code's definition so that behaviour sitting below the statutory threshold still triggers a response. Under paragraph 2.3(c), every provider's Policy on preventing and responding to Gender-based Violence must adopt the Code definition, so individual universities cannot quietly narrow it.

The seven standards

Each standard is legally enforceable in its own right. A breach of any standard is a breach of the Code, and the Secretary can take action against any provider that fails to meet any standard.

Standard 1: Accountable leadership and governance

Under paragraph 1.1, the provider's "Higher Education Principal Executive Officer" (the HEPEO, typically the Vice-Chancellor or equivalent chief executive, as defined by reference to the Ombudsman Act 1976 (Cth)) is accountable for compliance with the Code. Paragraph 1.2 requires the governing body (University Council, Senate, or Board) or a subcommittee reporting directly to it to include members with expertise in student and staff safety and wellbeing.

Paragraph 1.4 requires the HEPEO to prepare, implement, and publish on the provider's website a "Whole-of-Organisation Prevention and Response Plan". The Plan must include a whole-of-organisation assessment identifying systemic risks, enablers, and barriers; a gender equality action plan (which the Secretary may prescribe the form of); and a systemic review and analysis of the provider's responses to disclosures and formal reports. It must reflect the experience of groups disproportionately affected by gender-based violence, including women, First Nations people, culturally and linguistically diverse communities, people with disability, and people of diverse sexual orientation and gender identity. It must be developed through engagement with students and staff, including those who have experienced gender-based violence. It must be endorsed by the Governing Body.

Paragraph 1.9 then requires the provider to report to the Governing Body at least every six months against the Plan's outcomes framework, with de-identified incident data. Paragraph 1.10 adds a biennial written HEPEO report to the Secretary commencing after the Initial Reporting Date (1 January 2026 for Table A/B providers).

The Plan has to function as a governance instrument. It names accountabilities, sets out how the provider will measure change, and is reviewed on the cadence set in paragraph 1.11. A communications document that sits on a website and is never revisited will fall short of the standard.

Standard 2: Safe environments and systems

Standard 2 is about the upstream work: preventing harm by designing it out of the institution's systems. Specific requirements include:

• Working with Children Checks. Paragraph 2.1(a) requires providers to ensure staff comply with the Working with Children Check regime in their governing State or Territory.
• Pre-employment declarations. Paragraph 2.1(b) requires providers, as part of the engagement process, to ask prospective employees and Governing Body members to declare whether they have been investigated for an allegation of gender-based violence, or determined to have engaged in conduct that constitutes gender-based violence, during previous employment or in a legal process. The provider must then take the declaration and any risks arising from it into account when deciding suitability for the position (paragraph 2.1(c)).
• Management of personal relationships. Paragraph 2.2 requires employees to declare any existing or previous intimate personal relationship with another employee where one has supervisory, oversight, or decision-making responsibilities over the other, or with a student where the employee has academic or other decision-making responsibilities in relation to that student. Where a declaration is made, the provider must implement a conflict-of-interest management plan that includes permanent alternative teaching, research, or working arrangements.
• Alternative arrangements on disclosure. Under paragraph 2.1(f), when a student or staff member alleges they have experienced gender-based violence, the provider must make alternative teaching, research, supervision, employment, or living arrangements as necessary to ensure their safety.
• Scope of the Policy. Paragraph 2.4 requires the provider's Policy to apply not only to students, leadership, and staff but also to Affiliated Organisations and to entities conducting activities on behalf of the provider, including businesses that operate on, use, or lease the provider's land and facilities.
• Restrictions on non-disclosure agreements. Paragraph 2.8 prohibits the use of a non-disclosure agreement by the provider unless requested by the discloser. Even where requested, the agreement cannot stop the discloser from sharing their experience for the purpose of seeking support or advice, nor prevent the provider from complying with its reporting obligations under the Code. Settlement terms cannot include a non-disparagement clause that has the effect of requiring the discloser to keep their experience of gender-based violence confidential.
• National Student Ombudsman recommendations. Paragraph 2.9 requires the provider to implement any recommendations the National Student Ombudsman directs to it in relation to gender-based violence.

Standard 3: Knowledge and capability

Every student and every staff member must receive ongoing, evidence-informed education on preventing gender-based violence. The word "evidence-informed" is important. Generic e-learning modules that have not been evaluated for effectiveness will not satisfy the standard.

People who are likely to receive disclosures (residential advisors, supervisors, student services staff, first-line managers, academic advisors, HR business partners) must receive specialist annual training on trauma-informed response, confidentiality, the reporting pathway, and their obligations under the Code. The provider has to monitor and evaluate the effectiveness of the training and adjust it based on what the evaluation shows.

Standard 4: Safety and support

Responses to disclosures and formal reports must be trauma-informed and person-centred. In practical terms that means:

• Paragraph 4.4 requires a risk assessment in response to every disclosure and every formal report, with ongoing management and monitoring of identified risks.
• Paragraph 4.6 requires the provider to assign staff with relevant expertise to develop a tailored support plan collaboratively with the discloser, covering safety measures, urgent access to an Accredited Specialist (a registered psychologist, social worker, or counsellor with trauma-informed training and cultural competency), academic or work adjustments, and discussion of the investigation and disciplinary process if the discloser wants it.
• Paragraph 4.7 requires a parallel, tailored support plan for the respondent, including access to support services, an Accredited Specialist, and academic or work adjustments, developed without compromising the safety of the discloser.
• Paragraph 4.8 requires the provider to prohibit the same staff member from being assigned to support both the discloser and the respondent.
• Where accommodation-related disclosures are in scope, Standard 7 (paragraph 7.1(g)) requires a risk assessment and support plans for both parties within 48 hours, which is the tightest timeframe in the Code.
• Support is available regardless of whether the person makes a formal report. Many people who disclose never want a formal process, and they keep access to support under Standard 4 either way.

Standard 5: Safe processes

This is the standard most university general counsel will be watching closely. Standard 5 prescribes how reporting and response actually works.

Paragraph 5.2 requires multiple channels including in-person, email, phone, and online. Paragraph 5.3 requires the provider to ensure disclosures and formal reports can be made anonymously, and paragraph 5.4 requires reasonable and proportionate action on anonymous matters where possible, including by identifying trends.

Paragraph 5.8 requires the provider to investigate every formal report where the respondent is a student or staff member, regardless of the context in which the gender-based violence occurred. There is no carve-out for off-campus conduct. Paragraph 5.10 requires the provider to notify both the discloser and the respondent in writing on the same day if an investigation is to commence, with the discloser notified first. Paragraph 5.12 prohibits the provider from requiring the discloser or respondent to produce physical evidence.

Paragraph 5.15 requires procedures to be designed so that formal reports (including any resulting disciplinary process) are finalised within 45 business days. Paragraph 5.24 sets a parallel 20-business-day target for appeals. Under paragraphs 5.17 and 5.26, extensions are only permitted where required in the particular context, and the Higher Education Principal Executive Officer must personally satisfy themselves that any extension is genuinely needed.

Paragraph 5.18 requires the provider to provide the respondent with procedural fairness in the disciplinary process. Paragraph 5.20 requires the provider to impose sanctions proportionate to the substantiated conduct, which may include exclusion and expulsion. Paragraphs 5.21 and 5.22 require written notice of the outcome (including reasons and the right to complain to the National Student Ombudsman) to both parties, with the discloser notified on the same day as the respondent unless the discloser requests otherwise.

Disclosure vs formal report. The Code draws a clear line between the two, and so should the provider's policy. A Disclosure is defined as "the provision of information about a person's experience of Gender-based Violence to a Provider by the Discloser or another person". A Formal Report is defined as information provided through formal reporting channels that requires the Provider to consider taking steps beyond support, including the commencement of an investigation and/or a disciplinary process. The same conversation can cover both, or either one on its own. Standard 4 protects the right to support regardless of whether the person ever makes a formal report. Standard 5 governs what happens once they do. Paragraph 5.7 requires the provider to seek and consider the discloser's views before progressing a disclosure to an investigation, and paragraph 5.6 requires the provider to have regard to the discloser's wishes when determining the pathway. A policy that conflates disclosures with formal reports, or that withholds support unless the person agrees to a formal process, will breach the Code.

The process has to be procedurally fair to the respondent and trauma-informed for the person who disclosed at the same time. Universities that lean too far one way risk a procedural fairness challenge from the respondent; too far the other way and they breach Standard 4.

Standard 6: Data, evidence, and impact

Paragraph 6.2 requires providers to collect and report process data on policies, procedures, and plans; de-identified data on gender-based violence incidents enabling trend analysis; and administrative de-identified demographic and enrolment data about disclosers and respondents.

Paragraph 6.12 sets the annual reporting cycle. By 30 June each year, providers must give the Secretary the previous calendar year's data, with the first Table A and Table B data due by 30 June 2027 (for calendar year 2026) and the first data from other TEQSA-registered providers due by 30 June 2028 (for calendar year 2027).

The required data set under paragraphs 6.13 and 6.14 is detailed. It includes the total number of disclosures and formal reports, the mode of reporting (including the number of anonymous disclosures), the number of formal reports resolved within 45 days, the number of respondents required to relocate from student accommodation, the number of non-disclosure agreements proposed and executed, and if known, how satisfied disclosers and respondents were with the provider's response. Demographic data must cover sex, gender identity, sexual orientation, year of birth, ethnicity, religion, country of birth, languages, interpreter needs, Indigenous status, and disability status.

For most providers this is where the gap between current practice and the Code will be largest. Running data collection and analysis that is robust enough to be used for governance decisions, safe enough to protect confidentiality, and connected enough to the actual casework to be accurate, is a significant build. Spreadsheets and manual tallies will not meet the standard.

Standard 7: Safe student accommodation

Standard 7 extends the Code's obligations to student accommodation. The Code divides accommodation into three categories:

• Directly owned, operated, or managed by the provider. Paragraph 7.1 applies and requires the provider, in addition to meeting every other Standard, to declare-check and manage accommodation staff relationships, take immediate safety action on a disclosure, conduct a risk assessment within 48 hours, develop support plans for the discloser and the respondent within 48 hours, and where an allegation is substantiated, permanently remove the respondent from the accommodation (paragraph 7.1(h)).
• Student Accommodation Providers under the Control of the provider (the Code uses the Corporations Act 2001 (Cth) section 50AA meaning of control). Paragraphs 7.2 to 7.8 require the provider to have arrangements in place so the Student Accommodation Provider prepares its own Whole-of-Organisation Prevention and Response Plan, meets equivalent safe-environment, NDA, policy, training, and data-reporting standards, and either adopts the provider's Policies and Procedures or implements an equivalent Policy.
• Affiliated Student Accommodation Providers. The Code defines Affiliation broadly to include a Student Accommodation Provider that has a service agreement with the provider, operates on the provider's land, is authorised to use the provider's intellectual property, or is listed or promoted by the provider as student accommodation. Paragraphs 7.9 and 7.10 require the provider to do "everything reasonably possible within its power" to enter into, or amend, a legally binding agreement so the Affiliated Provider meets the same standards.
• Enforcement by withdrawal. Paragraph 7.11 gives Standard 7 real teeth. If an Affiliated Student Accommodation Provider refuses to enter an agreement meeting the standard, the provider must report this to the Secretary (who may publish the name) and must not continue to authorise the affiliated provider to use the university's intellectual property or domain names, advertise, market, or promote the affiliated provider to students, or have any agreement to reserve spaces for its students.

The practical consequence: a provider cannot outsource compliance by pointing students to third-party accommodation and stopping there. If the provider's branding, marketing, or recommendations drive students into particular accommodation, the provider must either lock in equivalent standards through agreement or withdraw the branding and referral arrangement.

Standard 7 excludes homestay arrangements, rental properties leased under ordinary residential tenancies with private landlords, and hotels or serviced apartments used as temporary accommodation.

The regulator and what enforcement looks like

The Secretary of the Department of Education is the regulator for the Code, under the Universities Accord (National Higher Education Code to Prevent and Respond to Gender-based Violence) Act 2025 (Cth) (the Act). The Act applies the standard Commonwealth Regulatory Powers (Standard Provisions) Act 2014 framework. The Secretary's toolkit includes:

• Monitoring and investigation powers (section 35, section 36 of the Act). Authorised officers can exercise the monitoring and investigation powers in Parts 2 and 3 of the Regulatory Powers Act, including entry to premises with consent or under warrant.
• Information-gathering notices (section 27). The Secretary can compel a higher education provider, or a person connected with a provider, to produce documents, things, or information. Non-compliance is itself a civil penalty of 60 penalty units.
• Compliance notices (section 32). The Secretary can issue a written notice requiring remedial action by a specified date.
• Infringement notices (section 38) and enforceable undertakings (section 39) are both available.
• Injunctions (section 40). The Secretary can apply to the Federal Court of Australia or the Federal Circuit and Family Court (Division 2) for an injunction under Part 7 of the Regulatory Powers Act.
• Civil penalty for non-compliance with the Code (section 20). A provider is liable to a civil penalty of up to 200 penalty units per contravention if it fails to comply with any requirement under the national code. At the current Commonwealth penalty unit value of A$330 (set by section 4AA of the Crimes Act 1914 and due to be re-indexed on 1 July 2026), that is A$66,000 per contravention. Ancillary civil penalties of 60 penalty units also apply for failure to keep records (section 21), failure to give information to the Secretary (section 22), failure to notify material changes (section 23), and providing false or misleading information (section 24).

Section 46 of the Act times these enforcement powers to the provider's "application day": 1 January 2026 for Table A and Table B providers, and 1 January 2027 for everyone else. From the application day onwards, civil penalty provisions, compliance notices under section 32, and Part 6 regulatory powers (including injunctions) apply in full.

Compliance with the Code is also a condition of funding under the Higher Education Support Act 2003 (Cth). The section 20 note flags that a failure to comply can lead to the Minister taking action under Division 22 of that Act (suspension or revocation of approval as a higher education provider), or TEQSA taking separate regulatory action under the TEQSA Act's Threshold Standards. For any university that relies on Commonwealth student contribution funding and FEE-HELP, those downstream consequences are the real risk, well beyond any single 200-unit civil penalty.

How this interacts with the National Student Ombudsman

The National Student Ombudsman, established by the Ombudsman Amendment (National Student Ombudsman) Act 2024, started taking complaints on 1 February 2025. A student (or prospective or former student) who believes their provider has mishandled a complaint, including a complaint about gender-based violence, can escalate to the Ombudsman. The Ombudsman has powers to require documents and answers under oath, can make recommendations to the provider and to the Minister, and can refer matters to other regulators or to police.

The Ombudsman is not the regulator of the Code. The Secretary of the Department of Education is. But the Ombudsman is a powerful complaint-driven feedback loop into the regulator. A pattern of complaints to the Ombudsman about a provider's handling of disclosures is exactly the kind of signal that will invite compliance action by the Secretary. Providers should assume any systemic weakness in their Code-compliance systems will surface through Ombudsman casework within the first twelve months.

What good looks like: a working Code-compliance system

A minimum viable compliance system for a Table A or Table B provider has several moving parts:

1. A governance structure with named accountability. The Vice-Chancellor owns the Prevention and Response Plan. A standing committee of Council or Senate receives quarterly reports on prevention work, case volumes, outcomes, and themes.
2. A published Prevention and Response Plan. Co-designed with students and staff, reviewed annually, with measurable indicators.
3. A central disclosure and reporting platform. Multiple intake channels (in person, online form, phone, anonymous digital channel), single case record per matter, structured workflow from intake through triage, support planning, investigation, outcome, and close-out.
4. A trained response workforce. First responders (RAs, student services, managers, academic advisors) trained annually. Investigators with independent standing. Appeal decision-makers who are not involved in the original decision.
5. A data layer that rolls up to governance. De-identified reporting that shows volume, types of conduct, source channels, outcomes, time-to-resolution against the 45-business-day rule, and appeal rates.
6. A written policy suite aligned to the Code. Staff code of conduct, student conduct policy, sexual misconduct response policy, personal relationships policy, accommodation behavioural standards, whistleblower protections, privacy and data governance policy. All cross-referenced, all published, all consistent.
7. Third-party accommodation agreements. Formal agreements with affiliated colleges and recommended private accommodation providers, specifying equivalent standards, information-sharing, and cooperation in investigations.
8. A continuous-improvement cycle. Annual review of data, survey results, Ombudsman complaints, and legal and regulatory developments, feeding back into the Plan and the policies.

The gap between this and what most providers have today is substantial. Many providers have pieces (a policy, a portal, training) but few have the whole stack integrated.

A note for students and staff looking for help now

This article is written for university administrators planning compliance. If you are a student or staff member who has experienced gender-based violence and you are looking at this page for information:

• Most Australian universities operate a dedicated service (commonly called a Safer Communities Office, Student Safety team, or Respect and Safety unit) that can take a disclosure, arrange counselling, and help you understand your reporting options without pushing you into a formal process. You do not have to make a formal report to access support.
• Under the National Code, every provider must publish multiple reporting channels, including an anonymous option, and must respond in a trauma-informed way.
• If you have already raised something with your provider and you are unhappy with how it has been handled, you can escalate to the National Student Ombudsman.
• For 24/7 domestic, family, and sexual violence counselling, 1800RESPECT (1800 737 732) is a free national support line. In an emergency, call 000.

How Elker fits in

Elker is a speak-up and case management platform that gives higher education providers the operational infrastructure to deliver on Standards 4, 5, 6, and 7. Students and staff can raise concerns through multiple secure channels, including fully anonymous intake, with optional two-way messaging that preserves anonymity during follow-up. Cases move through a configurable workflow from triage to support plan, investigation, outcome, and closure, with built-in time-to-resolution tracking so the 45-business-day formal report requirement and the 20-business-day appeal requirement are visible to the investigation team and to governance in real time. Aggregated analytics give the Vice-Chancellor, the Council or Senate committee, and the Prevention and Response Plan owner the de-identified data they need for Standard 6 reporting. Cybersecurity, information security, and access controls follow secure-by-design and privacy-by-design principles. Elker is ISO 27001 certified and SOC 2 attested. Australian owned and operated, Elker serves higher education clients across Australia and globally. The Prevention and Response Plan, the governance model, and the underlying culture still have to come from inside the university, but the operational side of receiving, handling, and learning from gender-based violence disclosures is what Elker is built for.