Whistleblowing

Whistleblowers in private sector entities are predominantly covered by the Corporations Act 2001 (Cth) part 9.4AAA.

Whistleblowers are also covered by the Taxation Administration Act 1953 where the disclosure relates to tax information.

Public officials are covered by the Public Interest Disclosure Act 2013 (Cth).

Australian whistleblower protections are slightly different from that of the EU. Broadly, the 2019 EU Directive provides much broader protection for whistleblowers. In Australia, the laws are more specific to certain circumstances. Some examples:

• the EU Directive covers both the public and private sector, while Australia has two separate systems;
• the EU Directive covers individuals who assist whistleblowers, while the Australian systems do not;
• the EU Directive notes that disclosable acts referred to as breaches include acts or omissions that are not unlawful but that defeat the object or purpose of the law. Australia has key disclosable acts that are not this broad.
• the EU Directive, like Australian law:
  • covers individuals outside of the typical employer/employee relationship;
  • does not consider motive as to why someone reports;
  • protects the whistleblower's identity and grants protection to anonymous disclosers who are later identified;
  • allows people to report internally or directly to the authorities; and
  • allows for public disclosure in certain circumstances. 

The status of whistleblowers in Germany, as in other EU member states, is primarily governed by European law. The relevant legislation is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (EU Whistleblower-Directive).

The German legislature has incorporated the EU-Whistleblower-Directive into German law by enacting the Whistleblower Protection Act (“Hinweisgeberschutzgesetz”) which – largely – entered into force on July 2, 2023.

If the Whistleblower Protection Act (hereinafter referred to as “HinSchG”) should meet specific concerns under European law, this will be pointed out separately in the following.

In the UK, the legal framework for whistleblowers is set out in the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998 and the Employment and Regulatory Reform Act 2013).

The UK framework does not fully comply with European standards set out in the EU Directive 2019/1937/EU (the Directive).  Especially now that the UK has left the EU, it is not known whether UK whistleblowing legislation will be amended to reflect the workers’ rights and best practices introduced by the Directive.

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system (section 12 (1), (2) HinSchG). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG).   

There is no legal requirement in the UK for companies to implement a whistleblowing procedure or policy or any requirements as to the content or form of any procedure or policy if one is adopted. However:

• The Department for Business Innovation and Skills has published guidance entitled Whistleblowing: Guidance for Employers and Code of Practice which identifies that it is best practice for an employer to have a whistleblowing policy or appropriate written procedure. The guidance can be found here.
• The UK Corporate Governance Code set by the Financial Reporting Council recommends public-listed companies implement a whistleblowing procedure.
• Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory requirements that require the operation of applicable whistleblowing procedures.

There is no specific guidance on whether there may be a whistleblower procedure at a Group level encompassing all subsidiaries. However, in the absence of a prohibition to this effect, the better view is that such a procedure is possible at a Group level covering all subsidiaries. 

Under section 1317AA(4) of the Corporations Act, an entity's policy must cover the types of disclosures that qualify for protection. Disclosable matters involve information that the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances, concerning:

• an entity; or
• if the entity is a body corporate, a related body corporate of the entity.

Under section 1317AAA of the Corporations Act, an entity’s policy must explain the role of “eligible recipients” – that is, to receive disclosures that qualify for protection. If an entity is a body corporate, an eligible recipient includes:

• an officer or senior manager of the entity or related body corporate;
• the internal or external auditor (including a member of an audit team conducting an audit) or actuary of the entity or related body corporate; and
• a person authorised by the entity to receive disclosures that may qualify for protection.

According to the explanatory memorandum of the Whistleblower Protection Act, it is legally permissible to implement an independent and confidential internal reporting office as a "third party" within the meaning of article 8(5) of the EU Whistleblower Directive at another group company (eg, parent company, sister company or subsidiary), which may also work for several independent companies in the group (section 14 (1) HinSchG). However, the European Commission has already announced in two statements during the legislative process that a group-wide whistleblower system does not meet the requirements of the EU Whistleblower Directive. The question of the compatibility of the regulation with EU law will only arise in practice at a later stage, provided that this question needs to be clarified in court. 

The Whistleblower Protection Act in line with the EU Directive further provides that several private employers with between 50 and 249 employees employed on a regular basis may commonly implement and operate an internal reporting office to receive notifications. However, the legal obligation to take action to remedy the violation and the corresponding duty to report back to the person making the report has to remain with the individual employer.   

Yes. Employers can implement a whistleblowing procedure at a Group level.

Sections 1311(1) and 1317AI(4) of the Corporations Act notes that it is an offence of strict liability not to implement a whistleblower's policy.

The penalty for non-compliance for individuals is 60 penalty units (A$13,320) and for companies is 600 penalty units (A$133,200), and is enforceable by ASIC.

If there are no whistleblowing procedures in the company (ie, an internal reporting system is not implemented and operated), this constitutes an administrative offence punishable by a fine. This fine may amount to up to 20,000 EUR (section 40 (2) No. 2, (5) HinSchG).

At this point, it should be noted that there is a high incentive for employers to implement an internal reporting channel, since the external reporting channel is available to the whistleblower in any case. Consequently, if an internal reporting office were not implemented or operated, the whistleblower would be forced to report directly to the external reporting office. As a result, the employer would not be able to make internal corrections without the reported information leaving the company.

No, because there is no underlying legal requirement under the Employment Rights Act 1996 for companies to implement a whistleblowing procedure or policy.

Strictly speaking, no. ASIC Regulatory Guide 270 does not refer to employee representative bodies needing to be involved in the implementation of whistleblower policies.

Although the implementation of a whistleblower system is based on a legal obligation, the works council only has to be involved under certain circumstances.

At first, the employer is, in principle, already obliged to inform the works council in good time and comprehensively about everything it requires to carry out its duties. This information requirement should enable the works council to review whether co-determination or participation rights exist or whether other tasks have to be carried out according to the German Works Constitution Act (BetrVG).

For instance, instructions concerning the orderly conduct of employees are subject to co-determination. These instructions are intended to ensure an undisturbed work process or to organise the way employees live and work together in the company.  If, in the course of the implementation of a whistleblower system, the already existing contractual obligations are extended or regulations regarding the specific reporting procedure are introduced (eg, in the form of a reporting obligation on the part of employees), the organisational behaviour would be affected and the works council must therefore be involved (section 87 (1) No. 1 BetrVG).

Furthermore, in the context of setting up an internal reporting channel, the Whistleblower Protection Act only stipulates that whistleblowers must be given the option of submitting a report to the whistleblowing system in text form or verbally. This could, of course, also be provided via digital channels - eg, via software- or web-based solutions. Should the introduction and use of such technical equipment in the relevant case allow the employer to monitor the behavior or performance of employees (eg, those who deal with the complaint), further co-determination rights of the works council according to section 87 (1) No. 6 BetrVG can be triggered.   

There is no specific legal requirement in the Employment Rights Act 1996 for employee representative bodies to be involved in (or otherwise agree to) the implementation of a whistleblowing procedure or policy. However, the rules in place with existing employee representative bodies may require consultation on any new policy or procedure and, in any event, it is best practice to involve employee representatives in the implementation of a whistleblowing system.

Under section 1317AI(5)(f) of the Corporations Act, an entity's policy must cover information on how the policy will be made available to officers and employees.

ASIC Regulatory Guide 270 provides examples of how to make a policy available to staff. It suggests:

• holding staff briefing sessions or smaller team meetings;
• posting the policy on the staff intranet or other communication platform;
• posting information on staff noticeboards;
• setting out the policy in the employee handbook; and
• incorporating the policy in employee induction information packs and training for new starters.

Further, an entity should conduct upfront and ongoing education and training.

Specialist training should be provided to staff members who have specific responsibilities under the policy.

Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training.

To ensure disclosers outside an entity can access the entity’s whistleblower policy, the policy should be available on the entity’s external website.

The Whistleblower Protection Act does not oblige the company itself to publish any information regarding the internal reporting office or the internal reporting channel implemented. However, the internally implemented reporting office must have clear and easily accessible information available on the external reporting procedure and relevant reporting procedures of European Union institutions, bodies or agencies (section 13 (2) HinSchG).

The current explanatory memorandum to the Whistleblower Protection Act also contains the more detailed, but not legally binding, reference that the information can be made available via a public website, company intranet or a bulletin board that is accessible to all employees. In this context, it is recommended that the company also refers to the internally implemented reporting office or the internal reporting channel in the same way. This helps to counteract the risk that potential whistleblowers will report primarily via the external reporting channel.

Furthermore, the German Supply Chain Due Diligence Act (LkSG) also provides for the implementation of complaint mechanisms so that the regulatory requirements of companies can also be met through a uniform reporting system. Within its scope of application, the LkSG also provides for the publication of procedural rules for such a reporting system in text form as well as for annual reporting obligations on what measures the company has taken as a result of complaints.

According to the Whistleblowing: Guidance for Employers and Code of Practice published by the Department for Business Innovation and Skills (BEIS), it is best practice for the whistleblowing policy or procedures to be in writing and easily accessible to all workers. BEIS also recommends that awareness of the policy or procedures is raised through all available means such as staff engagement, intranet sites and other marketing communications.

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

• oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
• a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
• periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

• make their disclosure anonymously, confidentially and outside business hours;
• receive updates on the status of their disclosure while retaining anonymity; and
• provide additional information anonymously.

In principle, the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, this supporting activity is legally only permissible to the extent that is necessary for the supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

The reporting channel can be outsourced. Where an employer’s whistleblowing policy or procedure authorises disclosure to a third party (eg, an external hotline), UK law will treat a disclosure to the third party the same as a disclosure to the employer.

The Department for Business Innovation and Skills guidance on whistleblowing identifies that larger UK organisations may have a designated team who can be approached to make a disclosure. The guidance recommends that smaller organisations should have at least one senior member of staff as a point of contact for whistleblowers. However, the guidance also acknowledges that there are commercial providers who can manage a whistleblowing process on behalf of the employer.

It's good practice for any organisation to have appropriate information technology and organisational measures for securing personal information they receive, handle and record as part of their whistleblower policy.

Entities should consult the Australian Privacy Principles under the Privacy Act 1988 (Cth) for any industry or government-specific standards.

Under the Privacy Act section 26WE, there are also requirements for the entity to report a data breach to the Office of the Australian Information Commissioner if it is likely to result in serious harm to individuals whose personal information is involved in the breach.

The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (10 HinSchG). The wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.

The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel – data minimisation principle, (article 5 (1) lit. c) GDPR).

Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices, (section 8 HinSchG).

When implementing and operating whistleblowing procedures, employers must comply with the relevant UK data protection requirements, which implement those set out in the EU’s General Data Protection Regulation (the GDPR). When an individual makes a disclosure, in most cases this will include the personal data of related individuals. Employers must ensure that they have the requisite technical and organisational measures in place to secure any personal data disclosed or obtained as part of the whistleblowing disclosure or subsequent investigation.

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

• policy's purpose;
• who the policy applies to;
• matters the policy applies to;
• who can receive a disclosure;
• how to make a disclosure;
• legal protections for disclosures;
• support and practical protections;
• handling and investigating disclosures; and
• ensuring fair treatment of all individuals.

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

According to the German Whistleblower Protection Act, the internal whistleblowing reporting office is not obliged by law to accept or process anonymous reports; however, they “shall” be processed.  Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

The Department for Business Innovation and Skills guidance on whistleblowing recommends, as best practice, several practical considerations when setting up a whistleblowing procedure, including, but not limited to:

• employers should provide training to all workers on how disclosures should be raised and to managers on how to deal with disclosures;
• organisations should ensure that there are a range of alternative persons who a whistleblower can approach if a worker feels unable to approach their manager; and
• any clauses in any settlement agreements or non-disclosures agreements (including confidentiality clauses in the employment contract) must not prevent workers from making disclosures in the public interest.

Section 1317AA of the Corporations Act provides that a disclosure qualifies for protection under the Act where:

• the discloser is an eligible whistleblower; and
• the disclosure is made to any of the following:
  • ASIC;
  • APRA;
  • A Commonwealth authority; and
  • Subsection 4 or 5 applies - see immediately below. 

Subsection 4 applies to disclosures of information where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs or circumstances related to:

• the regulated entity; or
• a related body corporate of the regulated entity.

Subsection 5 applies to a disclosure of information if the discloser has reasonable grounds to suspect that the information:

• indicates the regulated entity or officer of the entity or related body corporate of the entity or officer of the related body, has engaged in conduct that constitutes an offence against, or contravention of any of the following:
  • the Corporations Act;
  • the ASIC Act;
  • the Banking Act 1959;
  • the Financial Sector (Collection of Data) Act 2001;
  • the Insurance Act 1973;
  • the Life Insurance Act 1995;
  • the National Consumer Credit Protection Act 2009;
  • the Superannuation Industry (Supervision) Act 1993;
  • an instrument made under an Act referred to in any of subparagraphs (i) to (viii); or
• constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months or more, represents a danger to the public or the financial system, or is prescribed by the regulations for this paragraph.

What an entity chooses to specify as falling under the policy, therefore, needs to cover these areas.

ASIC Regulatory Guide 270 provides some examples:

• illegal conduct;
• fraud, money laundering, misappropriation of funds;
• offering or accepting a bribe;
• financial irregularities;
• failure to comply or breach of legal or regulatory requirements; and
• engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure.

The Whistleblower Protection Act´s  material scope of application goes beyond European legal requirements. It extends the material scope of application to all violations that are subject to punishment (section 2 (1) No. 1 HinSchG). Additionally, violations subject to fines are included insofar as the violated regulation serves to protect life, body, health or the rights of employees or their representative bodies (section 2 (1) No. 2 HinSchG). The last alternative covers not only regulations that directly serve occupational health and safety or health protection, but also related notification and documentation requirements, for example under the Minimum Wage Act. Thus, as a result, section 2 (2) No. 2 HinSchG covers the majority of administrative offences in the context of employment.

Finally, the Whistleblower Protection Act also provides for a list of infringements that predominantly correspond to the relevant areas of law according to the recitals of the EU Whistleblower Directive.

In the UK, only certain “protected disclosures” will be protected under the Employment Rights Act 1996. There are several conditions, one of which is that the disclosure of the information must “tend to show” that one or more types of failures or wrongdoing has occurred or is likely to occur (each a “relevant failure”):  

• a criminal offence has been committed, is being committed or is likely to be committed;
• a person has failed, is failing or is likely to fail to comply with any legal obligation to which he or she is subject;
• a miscarriage of justice has occurred, is occurring or is likely to occur;
• the health or safety of any individual has been, is being or is likely to be endangered;
• the environment has been, is being or is likely to be damaged; or
• information tending to show any matter falling under the categories above is being or is likely to be deliberately concealed.

There is no requirement that the qualifying disclosure must relate to a relevant failure or failures of the employer. The disclosure can relate to a relevant failure of the employer, an individual employed or engaged by the employer or a third party.

There is also no requirement that the relevant failure occurs or would occur in the UK. It could occur, or be occurring, outside of the UK.

The other conditions are set out in question 14.

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act as section 1317AAB outlines what is a regulated entity. It includes:

• a Company;
• a Corporation to which paragraph 51(xx) of the Constitution applies;
• an authorised deposit-taking institution;
• a general insurer;
• a life company;
• a superannuation entity or trustee; or
• an entity prescribed by the regulations.

The Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

The UK Corporate Governance Code recommends public-listed companies implement whistleblowing procedures.

Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory rules and requirements that govern the terms and operation of their whistleblowing procedures.

Broadly, a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing (National Whistleblower Center, 2002).

A commonly accepted definition specifies that the act of whistleblowing is: 

"…the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employees to persons that may be able to effect action".[1]

A whistleblower is a natural person who, in the context of his or her professional activity or in the preliminary stages of professional activity, has obtained information about violations and reports or discloses it to the – internal or external – reporting offices provided for under the Whistleblower Protection Act (section 1 (1) HinSchG).

The Whistleblower Protection Act also applies to the protection of persons who are subject to a report or disclosure, as well as other persons who are affected by a report or disclosure, (section 1 (2) HinSchG).

There is no specific legal definition of “a whistleblower” under UK law.

Whistleblowers are often, but not always, employees of the organisations where the misconduct has occurred or is occurring.

Previous examples of internal whistleblowers include:

• the Commonwealth Bank Financial Planner Scandal whistleblower; and
• the CommInsure Life Insurance Scandal whistleblower.

Previous examples of external whistleblowers who were not employees include:

• a Ponzi Scheme whistleblower who was an external financial analyst; and
• the Trio Capital Superannuation Fraud whistleblower who was an external financial analyst.

While the commonly accepted definition of “whistleblowing” refers to employees of an organisation (both former and current), an eligible whistleblower is not limited to an employee of an organisation. This is highlighted in section 1317AAA of the Corporations Act, particularly subsections (c), (d), (g) and (h). This section of the Corporations Act is discussed further below.

Whistleblowers may be employees, but also, for instance, self-employed persons, volunteers, members of corporate bodies or employees of suppliers. In addition to persons who obtain knowledge in advance, such as in a job interview or during pre-contractual negotiations, the scope of protection also includes those for whom the employment or service relationship has been terminated. As a result, the status of a whistleblower is not dependent on formal criteria such as type of employment.

Whistleblowing legislation in the UK protects a wide range of individuals. The following individuals can be a whistleblower:

• employees;
• employee shareholders; and
• an extended definition of workers, including:
  • agency workers;
  • self-employed medical practitioners in the NHS and student nurses/midwives;
  • police officers;
  • homeworkers and freelancers; and
  • trainees.

The level of legal protection will depend on the status of the individual (please see question 23).

Under the Corporations Act an individual must meet the definition of an “eligible whistleblower”.

Relevantly, the criteria set out in the Corporations Act include most people with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face discrimination for reporting it. The importance of meeting the definition of an “eligible whistleblower” is that these people can access the rights and protections in the law when they report misconduct, and such protection is extended to their spouses and relatives.

Under section 1317AAA of the Corporations Act, an eligible whistleblower can be someone who is, or has been, any of the following:

• an officer of the regulated entity;
• an employee of the regulated entity;
• an individual who supplies services or goods to the regulated entity (whether paid or unpaid);
• an employee of a person that supplies services or goods to the regulated entity (whether paid or unpaid);
• an individual who is an associate of the regulated entity;
• for a regulated entity, which is a superannuation entity:
  • an individual who is a trustee (within the meaning of the Superannuation Industry (Supervision) Act 1993), custodian (within the meaning of that Act) or investment manager (within the meaning of that Act) of the superannuation entity;
  • an officer of a body corporate that is a trustee, custodian or investment manager of the superannuation entity;
  • an employee of an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid);
  • an individual who supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid); or
  • an employee of a person that supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid).
• a relative of an individual referred to in any of paragraphs (a) to (f);
• a dependant of an individual referred to in any of paragraphs (a) to (f), or of such an individual's spouse; or
• an individual prescribed by the Corporations Regulations 2001 as being an eligible whistleblower in relation to the regulated entity.

To be qualified as a whistleblower, the person providing the information must have obtained the information in the context of his or her professional activity or in the preliminary stages of professional activity. Information about violations falls within the substantive scope of the Act only if it relates to the employing entity or another entity with which the whistleblower is or has been in professional contact.

Yes. In the UK, only certain “protected disclosures” will be protected under the Employment Rights Act 1996. A protected disclosure must satisfy three main conditions. It must:

• be a disclosure of information;
• be a “qualifying disclosure”, meaning that in the reasonable belief of the worker making the disclosure it is made in the public interest and tends to show that one or more types of failures or wrongdoing has occurred or is likely to occur (for details of relevant failures or wrongdoing please see question 10); and
• be made under the specific methods of disclosure depending on the recipient of the disclosure.

Regarding the “methods” of disclosure (ie, to whom disclosure is made), the disclosure requirements range from limited requirements for an internal disclosure to an employer up to more stringent requirements for external disclosures to a third party outside of the employer’s organisation.

Minimum Requirements

A qualifying disclosure is made where the worker makes the disclosure to:

• the employer;
• a third party authorised by the employer to receive qualifying disclosures;
• their legal adviser in the course of obtaining legal advice; or
• to a Government minister if the worker’s employer is a statutory appointed individual or body (for example, an executive non-departmental public body or an NHS body).

In such cases, there are no additional requirements over and above the general conditions 1 and 2 set out above.  

Moderate Requirements

A qualifying disclosure is made where the worker makes the disclosure to:

• a responsible person. In this instance, the worker must reasonably believe the relevant failure relates solely or mainly to:
  • the conduct of a person other than the employer; or
  • any other matter for which a person other than the employer has responsibility; or
• any “prescribed persons” named in a relevant order. This includes, but is not limited to, HM Revenue and Customs, The Office of Communications (Ofcom), the Financial Conduct Authority and the Health and Safety Executive. However, in this instance, a worker must reasonably believe that:
  • the relevant failure is within the remit of the prescribed person; and
  • the information disclosed and any allegation contained in it is substantially true.

Stricter Restrictions

Under UK law, a worker may make an external disclosure to a third-party organisation (eg, the press, and union officials); however, for such disclosures to be protected four additional conditions must be met.

The worker must:

• reasonably believe that the information they have disclosed and any allegation contained in it is substantially true;
• not have made the disclosure for personal gain;
• either:
  • reasonably believe (when they made the disclosure) that they will be subjected to a detriment by their employer if they make a disclosure to the employer or prescribed person;
  • (where there is no prescribed person) reasonably believe that if they were to make the disclosure to the employer, it is likely that evidence surrounding the relevant failure will be concealed or destroyed; or
  • have already made a disclosure of substantially the same information to their employer or a prescribed person.
• The fourth and final test is that, in all the circumstances of the case, it must be reasonable for the worker to make the external disclosure.

However, where an external disclosure relates to an “exceptionally serious” failure the conditions are slightly less stringent. The conditions are:

• the worker must reasonably believe that the information disclosed, and any allegation contained in it, is substantially true;
• the worker must not make the disclosure for personal gain;
• the relevant failure must be of an exceptionally serious nature (eg, rare cases of extreme public concern); and
• in all the circumstances, it is reasonable for the worker to make the external disclosure. 

Yes, while whistleblowers can provide their name and contact details when they report - they can also report anonymously (ASIC Information Sheet 238 issued on 1 July 2019). 

This means that a whistleblower must make their disclosure to:

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation;
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation;
• an actuary of the company or organisation, or a related company or organisation;
• a person authorised by the company or organisation to receive whistleblower disclosures;
• ASIC or the APRA; or
• a lawyer.

However, they do not have to identify themselves or their role, and so can raise their concerns anonymously and still access the same whistleblower protections afforded to those who provide their name and contact details when they report.

However, while an individual can report their concerns to ASIC anonymously, ASIC will not be able to follow up with the whistleblower for further information or next steps due to this anonymity (ASIC Information Sheet 238 issued on 1 July 2019).[2]

The Whistleblower Protection Act does not state that the employer must set up reporting channels in such a way that anonymous reports are admissible (section 16 (1) HinSchG). Also, external reporting offices do not have to process anonymous reports (section 27 (1) HinSchG). According to the Whistleblower Protection Act, however, anonymous reports “shall” be processed by the internal and external reporting offices. Against this background, employers are entirely free to choose whether to provide systems that allow for the submission and processing of anonymous reports or not.

Yes. The Department for Business Innovation and Skills  guidance on whistleblowing recognises that it is good practice to have a facility for anonymous reporting. However, it recommends that workers should be made aware that if a disclosure is made anonymously it may be more difficult for the individual to qualify for protection as a whistleblower. There will be no documentary evidence linking the worker to the disclosure for an employment tribunal to consider.

It is uncertain whether a whistleblower needs to be a direct witness of the violation that they are disclosing. Rather, it appears that the only requirement that a whistleblower must show is that they have reasonable grounds to suspect that the information being disclosed about the company or organisation concerns:

• misconduct; or
• an improper state of affairs or circumstances.

Directly witnessing a violation would be the easiest way to establish reasonable grounds; however, it does not appear that this is a prerequisite for whistleblowers.

Relevantly, “reasonable grounds” means that a reasonable person in the whistleblower's position would also suspect the information indicates misconduct or a breach of the law (ASIC Information Sheet 238 issued on 1 July 2019).

In principle, the whistleblowers do not have to be direct witnesses to a violation. However, they must have obtained information about violations in connection with or before their professional activities. Violation information is defined as a reasonable suspicion or knowledge of actual or potential breaches and attempts to conceal such breaches that have occurred or are very likely to occur (section 3 (3) HinSchG). However, only whistleblowers acting in good faith are protected from any discriminatory measures as a result of their report.

No. The worker must have a “reasonable belief” that the information disclosed tends to show one of the relevant types of wrongdoing.

ASIC Regulatory Guide 270 provides guidance on establishing a whistleblower policy. Under this guide, an entity's whistleblower policy must:

• identify the different types of disclosers within and outside the entity who can make a disclosure that qualified for protection;
• identify the types of wrongdoing that can be reported (ie, disclosable matters), based on the entity's business operations and practices;[3]
• identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection;
• include information about how to make a disclosure;
• include information about the protections available to disclosers who qualify for protection as a whistleblower, including the protections under the Corporations Act; and
• outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.

The whistleblower procedure requires – in its broad outlines – that the personal and material scope of the Whistleblower Protection Act is applicable. Assuming this, the whistleblower must have obtained information about violations in connection with his or her professional activities or in advance of professional activities. In a further step, the whistleblower must report or disclose these violations to the internal and external reporting bodies responsible. The Reporting Office will issue an acknowledgement of receipt to the person making the report within seven days. Within three months of the acknowledgement of receipt, feedback will be provided to the whistleblower on planned and already taken follow-up measures and their reasoning. This information will be documented in compliance with the principle of confidentiality. This documentation will be deleted two years after the conclusion of the proceedings.

Under the Employment Rights Act 1996, there is no requirement to have a whistleblowing procedure and, therefore, there are no prescribed terms and conditions.

The hierarchical order for reporting a breach is:

• employer;
• competent authority or authorities (including ASIC, APRA, the Australian Federal Police, or a lawyer); and
• the public or media.

Relevantly, the general rule is that a whistleblower must first report to their employer. However, if the employer does not adequately deal with the report, or the employee is not comfortable reporting to their employer, they can go to the competent authorities. As a last resort, the whistleblower may go public.

There is no legally binding hierarchy between internal and external reporting channels. Therefore, the whistleblower has, in principle, the right to choose whether to report the violations externally or internally. However, in cases where effective internal action can be taken against violations, whistleblowers are to give preference to reporting to an internal reporting office. If an internally reported violation is not remedied, the whistleblower making the report is free to contact an external reporting office (section 7 (1) HinSchG).

Yes. In the UK, in addition to the general conditions that amount to a “protected disclosure”, there is essentially a tiered system of disclosure depending on to whom the disclosure is made. The disclosure requirements range from limited requirements for an internal disclosure to an employer up to more stringent requirements for external disclosures to a third party outside of the employer’s organisation. Please see question 11 for further details.

Whistleblower policy provisions will affect how a company can investigate the concern. The company's whistleblower policy must include information about how it will investigate concerns.

However, generally speaking, a company or organisation may report information to external authorities, such as ASIC, APRA, the Australian Federal Police or to a lawyer to seek advice about whistleblower protections.

Once the reporting process at the internal reporting office is completed, the internal reporting office can take various follow-up actions. In addition to internal investigations, the process can also be handed over to a competent authority for further investigation (section 18 No. 4 HinSchG).

A protected disclosure may trigger a requirement to inform an external authority. This will ultimately depend on the nature of the company, the protected disclosure and the relevant failure disclosed. For example, if the disclosure relates to a regulatory breach, a regulated employer may need to inform the Financial Conduct Authority, or a disclosure that indicates money laundering would need to be disclosed to the National Crime Agency.

Generally, there should be no further action against a whistleblower if their accusation was founded on a reasonable cause. If the whistleblower had a reasonable but erroneous belief in the wrongdoing, and as a result they are dismissed by their employer, then they would potentially have a claim for unfair dismissal.

However, if the whistleblower did not have a reasonable ground, further action may be taken. This will depend on the parties involved and what the company or organisation decide to do. For instance, if following an investigation, it is found that the whistleblowing was deliberately false (ie, was not founded on a reasonable ground), then disciplinary action may follow. Such disciplinary action may include dismissal, termination of services or cessation of a service or client relationship.

As a principle, the disclosure of inaccurate information about violations is prohibited under the Whistleblower Protection Act (section 32 (2) HinSchG). A whistleblower may, however, not be sanctioned if the facts, after being verified, are merely not confirmed or do not constitute a violation in the final analysis. If the information disclosed was incorrect, the following legal consequences will apply:

On the one hand, the whistleblower must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). The whistleblower's liability for damages is based on the fact that a false report or disclosure has far-reaching consequences for the person affected or accused. The effects may no longer be completely reversible. According to the Whistleblower Protection Act, claims for damages resulting from merely negligent incorrect reporting should not arise. Besides, only whistleblowers acting in good faith are protected from further repercussions.

On the other hand, the whistleblower acts improperly if he intentionally discloses incorrect information in violation of section 32 (2) of the Whistleblower Protection Act (section 40 (1) HinSchG). This administrative offence may be punished with a fine of up to 20,000 EUR (section 40 (5) HinSchG).

No. There are no sanctions for false reporting under the Employment Rights Act 1996.  

While the worker must have a “reasonable belief” that the information disclosed tends to show one of the relevant types of wrongdoing, there is no requirement for the worker to prove that the allegations or facts are, in fact, true. Certain disclosures carry a higher test and require the worker to show that they believed the facts were “substantially true”.  Please see the stricter restrictions outlined in question 11.

To qualify as a protected disclosure the worker must reasonably believe that the disclosure is made in the public interest. There is no longer a legal requirement that the disclosure is made in “good faith”. However, tribunals do have a statutory power to reduce compensation for unfair dismissal by up to 25 per cent where the tribunal believes that the disclosure was not made in good faith. If a disclosure is deliberately falsely made, the whistleblower may be subject to disciplinary proceedings.

Breaching a whistleblower's anonymity and engaging in (or threatening to engage in) detrimental conduct towards a whistleblower or potential whistleblower, will carry a civil penalty for:

• a body corporate of a maximum of the greater of A$10.5 million, or if a court can determine the benefit derived or detriment avoided because of the contravention, three times that amount, or 10% of the annual turnover of the entity up to a maximum of A$525 million.
• an individual, the greater of A$1.05 million, or if a court can determine the benefit derived or detriment avoided, three times that amount.

Moreover, a failure to comply with the confidentiality and detrimental conduct provisions will also be a criminal offence, punishable by imprisonment or fines.

Retaliation against the whistleblower is prohibited under the Whistleblower Protection Act. This also applies to threats and attempts at retaliation (section 36 (1) HinSchG). In addition, it is prohibited to interfere or attempt to interfere with reports or communications between a whistleblower and the reporting office (section 7 (2) HinSchG).

If the whistleblower was nevertheless obstructed, the following legal consequences will apply: if a retaliation occurs, the person causing the violation must compensate the whistleblower for the resulting damage. However, this does not entitle the whistleblower to an employment relationship, a vocational training relationship, any other contractual relationship, or career advancement.

In addition, taking an illegal reprisal or interfering with the communications between the whistleblower and the reporting office constitutes an administrative offence, which can be punished with a fine of up to 50,000 EUR (section 40 (2) No. 3, (5) HinSchG).

The Employment Rights Act 1996 does not provide for specific sanctions for obstructing a whistleblower. However, in the UK, workers are protected against suffering a detriment on the grounds of making a protected disclosure and the dismissal of an employee will be automatically unfair if the reason or principal reason for the dismissal is that they have made a protected disclosure. For further details of the scope of protection please see question 23.

There is no formal registration process for whistleblowers[4]; however, the protections afforded under the law will only apply to a whistleblower who meets the following criteria:  

The whistleblower must be a current or former: 

• employee of the company or organisation the disclosure is about, or a related company or organisation; ;
• officer (usually that means a director or company secretary) of the company or organisation the disclosure is about, or a related company or organisation; 
• contractor, or an employee of a contractor, who has supplied goods or services to the company or organisation the disclosure is about – this can be either paid or unpaid (and includes volunteers); 
• an associate of the company or organisation, usually a person with whom the company or organisation acts in concert; or 
• trustee, custodian or investment manager of a superannuation entity, or an officer, employee, or a goods or service provider to a trustee, custodian, or investment manager. 

Protection is also offered if you are a spouse, relative or dependant of one of the people referred to above.  

The organisation the disclosure is about must be:

• a company; 
• a bank; 
• a provider of general insurance or life insurance; 
• a superannuation entity or a superannuation trustee; or 
• an incorporated association or other body corporate that is a trading or financial corporation – this includes not-for-profit organisations that trade in goods or services, lend or borrow money, or provide other financial services, and their trading or financial activities make up a sufficiently significant proportion of their overall activities. 

It is important to note that not all not-for-profit organisations are subject to whistleblower protections.

The whistleblower must make their disclosure to: 

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation; 
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation; 
• an actuary of the company or organisation, or a related company or organisation; 
• a person authorised by the company or organisation to receive whistleblower disclosures; 
• ASIC or APRA; or 
• a lawyer.

The whistleblower must have reasonable grounds to suspect that the information they are disclosing about the company or organisation concerns:

• misconduct; or 
• an improper state of affairs or circumstances.

Relevantly, this information can be about the company or organisation, or any officer or employee of the company or organisation, engaging in conduct that:

• breaches the Corporations Act; 
• breaches other financial sector laws enforced by ASIC or APRA; 
• breaches an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months; or
• represents a danger to the public or the financial system. 

The protections under the Corporations Act can also apply to a whistleblower report to a journalist or a member of the Commonwealth Parliament or a state or territory parliament. However, protection is only in certain limited circumstances, as set out below:

Public Interest Disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above. 
• At least 90 days must have passed since the whistleblower reported their concerns to ASIC or APRA, and the whistleblower does not have reasonable grounds to believe that action to address the concerns is being or has been taken.  
• The whistleblower must have reasonable grounds to believe that reporting their concerns to a journalist or parliamentarian would be in the public interest. 
• After 90 days from when the whistleblower reported to ASIC or APRA, the whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make a public interest disclosure.[5] 
• The whistleblower must report their concerns about misconduct or an improper state of affairs or circumstances or a breach of the law to a journalist or a parliamentarian.

Emergency disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above.
• The whistleblower must have reasonable grounds to believe that the information in the report concerns substantial and imminent danger to the health or safety of one or more people or the natural environment.
• The whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make an emergency disclosure.[6]   
• The whistleblower must report their concerns about the substantial or imminent danger to a journalist or parliamentarian.

To obtain protection, the whistleblower generally has to contact the responsible internal or external reporting offices. Disclosure of information about violations directly to the public is subject to strict conditions. This is only permissible, for example, if there is a risk of irreversible damage or in cases where the external reporting agency has not taken the required measures (section 32 (1) HinSchG).

The whistleblower providing the information must further act in good faith (ie, must have reasonable cause to believe, at the time of the report or disclosure that the information disclosed is true, and the information relates to violations that fall within the material scope of the Whistleblower Protection Act (section 33 (1) No. 2 and 3 HinSchG).

To gain statutory protection, a whistleblower must follow the correct procedure for disclosing the qualifying disclosure as outlined in question 14.

The Corporations Act and the Taxation Administration Act 1953 (Cth) (Taxation Act) both contain protections for whistleblowers. Amending legislation that came into effect on 1 July 2019 strengthened the protection for whistleblowers under these Acts.[7]

Protection under the Corporations Act

Under the Corporations Act, a whistleblower is afforded:

• protection of information;
• protection against legal action; and
• protection from detriment.

Protection of information

A whistleblower can ask the company or organisation that receives the whistleblower report to keep that individual's identity, or information that is likely to lead to their identification, confidential. Generally, companies and organisations that receive a report cannot disclose information without the whistleblower's consent. However, they may report the information to ASIC, APRA, the Australian Federal Police, or a lawyer for advice about whistleblower protections. Although such information must remain confidential.

Protection against legal action

Relevantly, the Corporations Act protects a whistleblower against certain legal actions related to making the disclosure: including:

• criminal prosecution (and the disclosure cannot be used against the whistleblower in a prosecution, unless the disclosure is false);
• civil litigation (such as for breach of an employment contract, duty of confidentiality, or other contractual obligation); or
• administrative action (including disciplinary action).

Protection against detriment

Moreover, the Corporations Act makes it illegal (through a criminal offence and civil penalty) for someone to cause or threaten detriment to a whistleblower because they believe or suspect that they have made, may have made, or could make a whistleblower disclosure.

The criminal offence and civil penalty apply even if that individual did not make a whistleblower report, but the offender caused or threatened detriment to the individual because they believed or suspected that they have or might make a report. A person may be found to have caused an individual detriment if they:

• dismissed an individual from employment;
• injured an individual during their employment;
• altered an individual's position or duties to their disadvantage;
• discriminated against that individual and other employees of the same employer;
• harassed or intimidated the individual;
• caused psychological harm to that individual;
• damaged that individual's property, reputation, business, or financial position; or
• caused any other damage.

Importantly, the offence and penalty require that the detriment be the result of an actual or suspected whistleblower disclosure.

Other protection

An individual can seek compensation through a court if they suffer loss, damage or injury for making their disclosure.

Alternatively, an individual can pursue other remedies, such as:

• an order that the individual's employer reinstate them to their original position or a comparable position;
• an injunction to prevent or stop the detrimental conduct;
• an order that the person, company or organisation that has caused the individual detriment or threatened them, apologise to that individual.

Protection under the Taxations Act

Under the Taxations Act, the following protection is provided to an eligible whistleblower:

• protection of information – noting that it is illegal for someone to disclose a whistleblower's identity, or information that is likely to lead to their identification;
• protection from civil, criminal or administrative liability for making their disclosure and an entity cannot be sued for a breach of confidentiality clause in a contract; and
• immunity from disciplinary action.

The most fundamental part of the protection is the prohibition of retaliation against the whistleblower. Therefore, the reporting or disclosing of information may not result in unjustified disadvantages such as disciplinary measures, dismissal or other discrimination against the person providing the information. In Addition, the Whistleblower Protection Act still contains a reversal of the burden of proof if the whistleblower suffers a disadvantage in connection with their professional activities. However, it is presumed that the disadvantage is a reprisal for the tip-off only if the whistleblower also asserts this themself. It should be noted, however, that the reversal of the burden of proof in favour of the whistleblower will only apply in labour court disputes and not in fining proceedings.

Furthermore, the Whistleblower Protection Act contains an exclusion of responsibility. Thus, a whistleblower cannot be made legally responsible for obtaining or accessing information that he or she has reported or disclosed, unless the obtaining or accessing of the information and the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG). In addition, a whistleblower does not violate any disclosure restrictions and may not be held legally responsible for the disclosure of information made in a report or disclosure if he or she had reasonable cause to believe that the disclosure of the information was necessary to detect a violation.

There are two main types of protection for whistleblowers under the Employment Rights Act 1996: protection against being subjected to a detriment and against unfair dismissal. The type of protection an individual whistleblower has depends on their legal status. Employees have more protection than workers.

Detriment: All workers have a right not to be subjected to any detriment on the ground they have made a protected disclosure. The definition of worker is wide (as outlined in question 13).

A worker must have:

• made a protected disclosure;
• suffered an identifiable detriment; and
• been subjected to the detriment by an act or deliberate omission of the employer, another worker or agent and this must have been done on the ground that the worker had made a protected disclosure.

There is no definition of “detriment” under the Employment Rights Act 1996. Detriment is interpreted widely. Examples include, but are not limited to:

• suspending a worker;
• disciplinary action;
• changes to the worker’s role or workplace;
• exposing the worker as a whistleblower; and
• giving a bad reference.

Workers have three months from the date of the act or omission to bring a claim. Liability for detriment claims is uncapped.  In successful claims, a worker will be awarded a compensatory award to cover financial losses together with an injury to feelings award.

Automatic unfair dismissal: An employee will be automatically unfairly dismissed if the reason or principal reason for the dismissal is the fact that the employee made a protected disclosure. Workers do not have unfair dismissal protection under UK law.

An employee will be deemed to have been dismissed where:

• the contract of employment was terminated by the employer (whether with or without notice);
• the employee was employed under a fixed-term contract and the contract expired without being renewed on the same terms; or
• the employee has been constructively dismissed.

The selection of an employee for redundancy is automatically unfair if the reason or principal reason for the section is that the worker made a protected disclosure.

Employees have three months from the date of termination to bring a claim. Employees do not need a minimum length of service to have protection. Compensation for automatic unfair dismissal is uncapped.

In addition to the protections afforded to whistleblowers as summarised above (namely, the protection of information or confidentiality), the status of whistleblower can be supported by whistleblower policies. Relevantly, from 1 January 2020, the Corporations Act made it a requirement for all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a whistleblowing policy.

ASIC's Regulatory Guide 270 provides a handy overview of what should be included in a whistleblower policy. In this regard, the Regulatory Guide notes:

• in RG 270.40 that the purpose of a whistleblower policy is "to ensure individuals who disclose wrongdoing can do so safely, securely and with confidence that they will be protected and supported"; and
• in RG.270.11 that, under section 1317AI(5)(c) of the Corporations Act, an entity's whistleblower policy must have information that details how the entity will support whistleblowers and protect them from detriment.  

At first, the person providing the information may not be subject to legal liability for obtaining or accessing information that he or she has reported or disclosed. This does not apply if the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG).

In addition, whistleblowers are protected by a comprehensive prohibition of retaliation. Therefore, any adverse consequences caused by disclosure are prohibited. These include, for example, dismissal, disciplinary measures or salary reductions (section 36 (1) HinSchG). Measures that violate the prohibition are void under section 134 of the Civil Code. The prohibition of retaliation is rounded off by a reversal of the burden of proof. According to this, it is presumed that a disadvantage that occurs after a disclosure is retaliation. As a consequence, the person who has disadvantaged the whistleblower has to prove that it is factually justified and was not based on the report or the disclosure if the whistleblower also asserts the disadvantage himself (section 36 (2) HinSchG).

In addition, the whistleblower is entitled to damages in the event of a violation (section 37(1) HinSchG).

There are no specific “support measures” outside of the legal protection under UK whistleblowing laws (outlined in question 23).  However, the UK whistleblowing charity Protect operates a free, confidential whistleblowing advice line.

If there is abusive reporting or non-compliance with the procedure of whistleblowing, there is a risk of:

• retaliation;
• reprisal;
• conflict problems;
• ongoing problems in the workplace; and
• adverse treatment which may impact an individual's health and safety.

(Office of the Independent Commissioner Against Corruption, Frameworks and practices for minimising risks of retaliation, November 2019).

If a whistleblower abusively reports a violation, this may initially give rise to criminal liability. Possible criminal offences are pretending to have committed a criminal offence (section 145d of the Criminal Code), false suspicion (section 164 of the Criminal Code) or offences of honour (section 185 et seq of the Criminal Code).

The whistleblower providing the abusive information also must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). Furthermore, there may be competing claims for damages, for example under section 823 (2) of the Civil Code in conjunction with a protective law.

Moreover, the whistleblower commits an administrative offence if he or she intentionally discloses inaccurate information. This may be punished with a fine of up to 20,000 EUR (section 40 (1), (6) HinSchG).

In principle, the whistleblower is free to decide whether he or she reports a violation through the internal or the external reporting channel (section 7 (1) HinSchG). However, if a violation is disclosed to the public directly (ie, without first using internal or external reporting channels and without there being an exceptional circumstance for this), the whistleblower is generally not subject to the protection of sections 35 to 37 of the Whistleblower Protection Act. Only in narrow exceptions is the whistleblower still protected, for example, if there is a danger of irreversible damage or comparable circumstances may represent an immediate or obvious threat to the public interest.

The Employment Rights Act 1996 does not provide for specific sanctions for abusive reporting. Please see question 20 for further details.  

The main consequence of non-compliance with the statutory whistleblowing procedure will be that the worker will not be deemed to have made a protected disclosure. As a result, they will not be in a position to bring a claim under the relevant whistleblowing protections.