Whistleblowing

Whistleblowers in private sector entities are predominantly covered by the Corporations Act 2001 (Cth) part 9.4AAA.

Whistleblowers are also covered by the Taxation Administration Act 1953 where the disclosure relates to tax information.

Public officials are covered by the Public Interest Disclosure Act 2013 (Cth).

Australian whistleblower protections are slightly different from that of the EU. Broadly, the 2019 EU Directive provides much broader protection for whistleblowers. In Australia, the laws are more specific to certain circumstances. Some examples:

• the EU Directive covers both the public and private sector, while Australia has two separate systems;
• the EU Directive covers individuals who assist whistleblowers, while the Australian systems do not;
• the EU Directive notes that disclosable acts referred to as breaches include acts or omissions that are not unlawful but that defeat the object or purpose of the law. Australia has key disclosable acts that are not this broad.
• the EU Directive, like Australian law:
  • covers individuals outside of the typical employer/employee relationship;
  • does not consider motive as to why someone reports;
  • protects the whistleblower's identity and grants protection to anonymous disclosers who are later identified;
  • allows people to report internally or directly to the authorities; and
  • allows for public disclosure in certain circumstances. 

The status of whistleblowers in Germany, as in other EU member states, is primarily governed by European law. The relevant legislation is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (EU Whistleblower-Directive).

The German legislature has incorporated the EU-Whistleblower-Directive into German law by enacting the Whistleblower Protection Act (“Hinweisgeberschutzgesetz”) which – largely – entered into force on July 2, 2023.

If the Whistleblower Protection Act (hereinafter referred to as “HinSchG”) should meet specific concerns under European law, this will be pointed out separately in the following.

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system (section 12 (1), (2) HinSchG). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG).   

There is no specific guidance on whether there may be a whistleblower procedure at a Group level encompassing all subsidiaries. However, in the absence of a prohibition to this effect, the better view is that such a procedure is possible at a Group level covering all subsidiaries. 

Under section 1317AA(4) of the Corporations Act, an entity's policy must cover the types of disclosures that qualify for protection. Disclosable matters involve information that the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances, concerning:

• an entity; or
• if the entity is a body corporate, a related body corporate of the entity.

Under section 1317AAA of the Corporations Act, an entity’s policy must explain the role of “eligible recipients” – that is, to receive disclosures that qualify for protection. If an entity is a body corporate, an eligible recipient includes:

• an officer or senior manager of the entity or related body corporate;
• the internal or external auditor (including a member of an audit team conducting an audit) or actuary of the entity or related body corporate; and
• a person authorised by the entity to receive disclosures that may qualify for protection.

According to the explanatory memorandum of the Whistleblower Protection Act, it is legally permissible to implement an independent and confidential internal reporting office as a "third party" within the meaning of article 8(5) of the EU Whistleblower Directive at another group company (eg, parent company, sister company or subsidiary), which may also work for several independent companies in the group (section 14 (1) HinSchG). However, the European Commission has already announced in two statements during the legislative process that a group-wide whistleblower system does not meet the requirements of the EU Whistleblower Directive. The question of the compatibility of the regulation with EU law will only arise in practice at a later stage, provided that this question needs to be clarified in court. 

The Whistleblower Protection Act in line with the EU Directive further provides that several private employers with between 50 and 249 employees employed on a regular basis may commonly implement and operate an internal reporting office to receive notifications. However, the legal obligation to take action to remedy the violation and the corresponding duty to report back to the person making the report has to remain with the individual employer.   

Sections 1311(1) and 1317AI(4) of the Corporations Act notes that it is an offence of strict liability not to implement a whistleblower's policy.

The penalty for non-compliance for individuals is 60 penalty units (A$13,320) and for companies is 600 penalty units (A$133,200), and is enforceable by ASIC.

If there are no whistleblowing procedures in the company (ie, an internal reporting system is not implemented and operated), this constitutes an administrative offence punishable by a fine. This fine may amount to up to 20,000 EUR (section 40 (2) No. 2, (5) HinSchG).

At this point, it should be noted that there is a high incentive for employers to implement an internal reporting channel, since the external reporting channel is available to the whistleblower in any case. Consequently, if an internal reporting office were not implemented or operated, the whistleblower would be forced to report directly to the external reporting office. As a result, the employer would not be able to make internal corrections without the reported information leaving the company.

Strictly speaking, no. ASIC Regulatory Guide 270 does not refer to employee representative bodies needing to be involved in the implementation of whistleblower policies.

Although the implementation of a whistleblower system is based on a legal obligation, the works council only has to be involved under certain circumstances.

At first, the employer is, in principle, already obliged to inform the works council in good time and comprehensively about everything it requires to carry out its duties. This information requirement should enable the works council to review whether co-determination or participation rights exist or whether other tasks have to be carried out according to the German Works Constitution Act (BetrVG).

For instance, instructions concerning the orderly conduct of employees are subject to co-determination. These instructions are intended to ensure an undisturbed work process or to organise the way employees live and work together in the company.  If, in the course of the implementation of a whistleblower system, the already existing contractual obligations are extended or regulations regarding the specific reporting procedure are introduced (eg, in the form of a reporting obligation on the part of employees), the organisational behaviour would be affected and the works council must therefore be involved (section 87 (1) No. 1 BetrVG).

Furthermore, in the context of setting up an internal reporting channel, the Whistleblower Protection Act only stipulates that whistleblowers must be given the option of submitting a report to the whistleblowing system in text form or verbally. This could, of course, also be provided via digital channels - eg, via software- or web-based solutions. Should the introduction and use of such technical equipment in the relevant case allow the employer to monitor the behavior or performance of employees (eg, those who deal with the complaint), further co-determination rights of the works council according to section 87 (1) No. 6 BetrVG can be triggered.   

Under section 1317AI(5)(f) of the Corporations Act, an entity's policy must cover information on how the policy will be made available to officers and employees.

ASIC Regulatory Guide 270 provides examples of how to make a policy available to staff. It suggests:

• holding staff briefing sessions or smaller team meetings;
• posting the policy on the staff intranet or other communication platform;
• posting information on staff noticeboards;
• setting out the policy in the employee handbook; and
• incorporating the policy in employee induction information packs and training for new starters.

Further, an entity should conduct upfront and ongoing education and training.

Specialist training should be provided to staff members who have specific responsibilities under the policy.

Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training.

To ensure disclosers outside an entity can access the entity’s whistleblower policy, the policy should be available on the entity’s external website.

The Whistleblower Protection Act does not oblige the company itself to publish any information regarding the internal reporting office or the internal reporting channel implemented. However, the internally implemented reporting office must have clear and easily accessible information available on the external reporting procedure and relevant reporting procedures of European Union institutions, bodies or agencies (section 13 (2) HinSchG).

The current explanatory memorandum to the Whistleblower Protection Act also contains the more detailed, but not legally binding, reference that the information can be made available via a public website, company intranet or a bulletin board that is accessible to all employees. In this context, it is recommended that the company also refers to the internally implemented reporting office or the internal reporting channel in the same way. This helps to counteract the risk that potential whistleblowers will report primarily via the external reporting channel.

Furthermore, the German Supply Chain Due Diligence Act (LkSG) also provides for the implementation of complaint mechanisms so that the regulatory requirements of companies can also be met through a uniform reporting system. Within its scope of application, the LkSG also provides for the publication of procedural rules for such a reporting system in text form as well as for annual reporting obligations on what measures the company has taken as a result of complaints.

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

• oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
• a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
• periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

• make their disclosure anonymously, confidentially and outside business hours;
• receive updates on the status of their disclosure while retaining anonymity; and
• provide additional information anonymously.

In principle, the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, this supporting activity is legally only permissible to the extent that is necessary for the supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

It's good practice for any organisation to have appropriate information technology and organisational measures for securing personal information they receive, handle and record as part of their whistleblower policy.

Entities should consult the Australian Privacy Principles under the Privacy Act 1988 (Cth) for any industry or government-specific standards.

Under the Privacy Act section 26WE, there are also requirements for the entity to report a data breach to the Office of the Australian Information Commissioner if it is likely to result in serious harm to individuals whose personal information is involved in the breach.

The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (10 HinSchG). The wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.

The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel – data minimisation principle, (article 5 (1) lit. c) GDPR).

Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices, (section 8 HinSchG).

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

• policy's purpose;
• who the policy applies to;
• matters the policy applies to;
• who can receive a disclosure;
• how to make a disclosure;
• legal protections for disclosures;
• support and practical protections;
• handling and investigating disclosures; and
• ensuring fair treatment of all individuals.

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

According to the German Whistleblower Protection Act, the internal whistleblowing reporting office is not obliged by law to accept or process anonymous reports; however, they “shall” be processed.  Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

Section 1317AA of the Corporations Act provides that a disclosure qualifies for protection under the Act where:

• the discloser is an eligible whistleblower; and
• the disclosure is made to any of the following:
  • ASIC;
  • APRA;
  • A Commonwealth authority; and
  • Subsection 4 or 5 applies - see immediately below. 

Subsection 4 applies to disclosures of information where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs or circumstances related to:

• the regulated entity; or
• a related body corporate of the regulated entity.

Subsection 5 applies to a disclosure of information if the discloser has reasonable grounds to suspect that the information:

• indicates the regulated entity or officer of the entity or related body corporate of the entity or officer of the related body, has engaged in conduct that constitutes an offence against, or contravention of any of the following:
  • the Corporations Act;
  • the ASIC Act;
  • the Banking Act 1959;
  • the Financial Sector (Collection of Data) Act 2001;
  • the Insurance Act 1973;
  • the Life Insurance Act 1995;
  • the National Consumer Credit Protection Act 2009;
  • the Superannuation Industry (Supervision) Act 1993;
  • an instrument made under an Act referred to in any of subparagraphs (i) to (viii); or
• constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months or more, represents a danger to the public or the financial system, or is prescribed by the regulations for this paragraph.

What an entity chooses to specify as falling under the policy, therefore, needs to cover these areas.

ASIC Regulatory Guide 270 provides some examples:

• illegal conduct;
• fraud, money laundering, misappropriation of funds;
• offering or accepting a bribe;
• financial irregularities;
• failure to comply or breach of legal or regulatory requirements; and
• engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure.

The Whistleblower Protection Act´s  material scope of application goes beyond European legal requirements. It extends the material scope of application to all violations that are subject to punishment (section 2 (1) No. 1 HinSchG). Additionally, violations subject to fines are included insofar as the violated regulation serves to protect life, body, health or the rights of employees or their representative bodies (section 2 (1) No. 2 HinSchG). The last alternative covers not only regulations that directly serve occupational health and safety or health protection, but also related notification and documentation requirements, for example under the Minimum Wage Act. Thus, as a result, section 2 (2) No. 2 HinSchG covers the majority of administrative offences in the context of employment.

Finally, the Whistleblower Protection Act also provides for a list of infringements that predominantly correspond to the relevant areas of law according to the recitals of the EU Whistleblower Directive.

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act as section 1317AAB outlines what is a regulated entity. It includes:

• a Company;
• a Corporation to which paragraph 51(xx) of the Constitution applies;
• an authorised deposit-taking institution;
• a general insurer;
• a life company;
• a superannuation entity or trustee; or
• an entity prescribed by the regulations.

The Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

Broadly, a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing (National Whistleblower Center, 2002).

A commonly accepted definition specifies that the act of whistleblowing is: 

"…the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employees to persons that may be able to effect action".[1]

A whistleblower is a natural person who, in the context of his or her professional activity or in the preliminary stages of professional activity, has obtained information about violations and reports or discloses it to the – internal or external – reporting offices provided for under the Whistleblower Protection Act (section 1 (1) HinSchG).

The Whistleblower Protection Act also applies to the protection of persons who are subject to a report or disclosure, as well as other persons who are affected by a report or disclosure, (section 1 (2) HinSchG).

Whistleblowers are often, but not always, employees of the organisations where the misconduct has occurred or is occurring.

Previous examples of internal whistleblowers include:

• the Commonwealth Bank Financial Planner Scandal whistleblower; and
• the CommInsure Life Insurance Scandal whistleblower.

Previous examples of external whistleblowers who were not employees include:

• a Ponzi Scheme whistleblower who was an external financial analyst; and
• the Trio Capital Superannuation Fraud whistleblower who was an external financial analyst.

While the commonly accepted definition of “whistleblowing” refers to employees of an organisation (both former and current), an eligible whistleblower is not limited to an employee of an organisation. This is highlighted in section 1317AAA of the Corporations Act, particularly subsections (c), (d), (g) and (h). This section of the Corporations Act is discussed further below.

Whistleblowers may be employees, but also, for instance, self-employed persons, volunteers, members of corporate bodies or employees of suppliers. In addition to persons who obtain knowledge in advance, such as in a job interview or during pre-contractual negotiations, the scope of protection also includes those for whom the employment or service relationship has been terminated. As a result, the status of a whistleblower is not dependent on formal criteria such as type of employment.

Under the Corporations Act an individual must meet the definition of an “eligible whistleblower”.

Relevantly, the criteria set out in the Corporations Act include most people with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face discrimination for reporting it. The importance of meeting the definition of an “eligible whistleblower” is that these people can access the rights and protections in the law when they report misconduct, and such protection is extended to their spouses and relatives.

Under section 1317AAA of the Corporations Act, an eligible whistleblower can be someone who is, or has been, any of the following:

• an officer of the regulated entity;
• an employee of the regulated entity;
• an individual who supplies services or goods to the regulated entity (whether paid or unpaid);
• an employee of a person that supplies services or goods to the regulated entity (whether paid or unpaid);
• an individual who is an associate of the regulated entity;
• for a regulated entity, which is a superannuation entity:
  • an individual who is a trustee (within the meaning of the Superannuation Industry (Supervision) Act 1993), custodian (within the meaning of that Act) or investment manager (within the meaning of that Act) of the superannuation entity;
  • an officer of a body corporate that is a trustee, custodian or investment manager of the superannuation entity;
  • an employee of an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid);
  • an individual who supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid); or
  • an employee of a person that supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid).
• a relative of an individual referred to in any of paragraphs (a) to (f);
• a dependant of an individual referred to in any of paragraphs (a) to (f), or of such an individual's spouse; or
• an individual prescribed by the Corporations Regulations 2001 as being an eligible whistleblower in relation to the regulated entity.

To be qualified as a whistleblower, the person providing the information must have obtained the information in the context of his or her professional activity or in the preliminary stages of professional activity. Information about violations falls within the substantive scope of the Act only if it relates to the employing entity or another entity with which the whistleblower is or has been in professional contact.

Yes, while whistleblowers can provide their name and contact details when they report - they can also report anonymously (ASIC Information Sheet 238 issued on 1 July 2019). 

This means that a whistleblower must make their disclosure to:

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation;
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation;
• an actuary of the company or organisation, or a related company or organisation;
• a person authorised by the company or organisation to receive whistleblower disclosures;
• ASIC or the APRA; or
• a lawyer.

However, they do not have to identify themselves or their role, and so can raise their concerns anonymously and still access the same whistleblower protections afforded to those who provide their name and contact details when they report.

However, while an individual can report their concerns to ASIC anonymously, ASIC will not be able to follow up with the whistleblower for further information or next steps due to this anonymity (ASIC Information Sheet 238 issued on 1 July 2019).[2]

The Whistleblower Protection Act does not state that the employer must set up reporting channels in such a way that anonymous reports are admissible (section 16 (1) HinSchG). Also, external reporting offices do not have to process anonymous reports (section 27 (1) HinSchG). According to the Whistleblower Protection Act, however, anonymous reports “shall” be processed by the internal and external reporting offices. Against this background, employers are entirely free to choose whether to provide systems that allow for the submission and processing of anonymous reports or not.

It is uncertain whether a whistleblower needs to be a direct witness of the violation that they are disclosing. Rather, it appears that the only requirement that a whistleblower must show is that they have reasonable grounds to suspect that the information being disclosed about the company or organisation concerns:

• misconduct; or
• an improper state of affairs or circumstances.

Directly witnessing a violation would be the easiest way to establish reasonable grounds; however, it does not appear that this is a prerequisite for whistleblowers.

Relevantly, “reasonable grounds” means that a reasonable person in the whistleblower's position would also suspect the information indicates misconduct or a breach of the law (ASIC Information Sheet 238 issued on 1 July 2019).

In principle, the whistleblowers do not have to be direct witnesses to a violation. However, they must have obtained information about violations in connection with or before their professional activities. Violation information is defined as a reasonable suspicion or knowledge of actual or potential breaches and attempts to conceal such breaches that have occurred or are very likely to occur (section 3 (3) HinSchG). However, only whistleblowers acting in good faith are protected from any discriminatory measures as a result of their report.

ASIC Regulatory Guide 270 provides guidance on establishing a whistleblower policy. Under this guide, an entity's whistleblower policy must:

• identify the different types of disclosers within and outside the entity who can make a disclosure that qualified for protection;
• identify the types of wrongdoing that can be reported (ie, disclosable matters), based on the entity's business operations and practices;[3]
• identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection;
• include information about how to make a disclosure;
• include information about the protections available to disclosers who qualify for protection as a whistleblower, including the protections under the Corporations Act; and
• outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.

The whistleblower procedure requires – in its broad outlines – that the personal and material scope of the Whistleblower Protection Act is applicable. Assuming this, the whistleblower must have obtained information about violations in connection with his or her professional activities or in advance of professional activities. In a further step, the whistleblower must report or disclose these violations to the internal and external reporting bodies responsible. The Reporting Office will issue an acknowledgement of receipt to the person making the report within seven days. Within three months of the acknowledgement of receipt, feedback will be provided to the whistleblower on planned and already taken follow-up measures and their reasoning. This information will be documented in compliance with the principle of confidentiality. This documentation will be deleted two years after the conclusion of the proceedings.

The hierarchical order for reporting a breach is:

• employer;
• competent authority or authorities (including ASIC, APRA, the Australian Federal Police, or a lawyer); and
• the public or media.

Relevantly, the general rule is that a whistleblower must first report to their employer. However, if the employer does not adequately deal with the report, or the employee is not comfortable reporting to their employer, they can go to the competent authorities. As a last resort, the whistleblower may go public.

There is no legally binding hierarchy between internal and external reporting channels. Therefore, the whistleblower has, in principle, the right to choose whether to report the violations externally or internally. However, in cases where effective internal action can be taken against violations, whistleblowers are to give preference to reporting to an internal reporting office. If an internally reported violation is not remedied, the whistleblower making the report is free to contact an external reporting office (section 7 (1) HinSchG).

Whistleblower policy provisions will affect how a company can investigate the concern. The company's whistleblower policy must include information about how it will investigate concerns.

However, generally speaking, a company or organisation may report information to external authorities, such as ASIC, APRA, the Australian Federal Police or to a lawyer to seek advice about whistleblower protections.

Once the reporting process at the internal reporting office is completed, the internal reporting office can take various follow-up actions. In addition to internal investigations, the process can also be handed over to a competent authority for further investigation (section 18 No. 4 HinSchG).

Generally, there should be no further action against a whistleblower if their accusation was founded on a reasonable cause. If the whistleblower had a reasonable but erroneous belief in the wrongdoing, and as a result they are dismissed by their employer, then they would potentially have a claim for unfair dismissal.

However, if the whistleblower did not have a reasonable ground, further action may be taken. This will depend on the parties involved and what the company or organisation decide to do. For instance, if following an investigation, it is found that the whistleblowing was deliberately false (ie, was not founded on a reasonable ground), then disciplinary action may follow. Such disciplinary action may include dismissal, termination of services or cessation of a service or client relationship.

As a principle, the disclosure of inaccurate information about violations is prohibited under the Whistleblower Protection Act (section 32 (2) HinSchG). A whistleblower may, however, not be sanctioned if the facts, after being verified, are merely not confirmed or do not constitute a violation in the final analysis. If the information disclosed was incorrect, the following legal consequences will apply:

On the one hand, the whistleblower must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). The whistleblower's liability for damages is based on the fact that a false report or disclosure has far-reaching consequences for the person affected or accused. The effects may no longer be completely reversible. According to the Whistleblower Protection Act, claims for damages resulting from merely negligent incorrect reporting should not arise. Besides, only whistleblowers acting in good faith are protected from further repercussions.

On the other hand, the whistleblower acts improperly if he intentionally discloses incorrect information in violation of section 32 (2) of the Whistleblower Protection Act (section 40 (1) HinSchG). This administrative offence may be punished with a fine of up to 20,000 EUR (section 40 (5) HinSchG).

Breaching a whistleblower's anonymity and engaging in (or threatening to engage in) detrimental conduct towards a whistleblower or potential whistleblower, will carry a civil penalty for:

• a body corporate of a maximum of the greater of A$10.5 million, or if a court can determine the benefit derived or detriment avoided because of the contravention, three times that amount, or 10% of the annual turnover of the entity up to a maximum of A$525 million.
• an individual, the greater of A$1.05 million, or if a court can determine the benefit derived or detriment avoided, three times that amount.

Moreover, a failure to comply with the confidentiality and detrimental conduct provisions will also be a criminal offence, punishable by imprisonment or fines.

Retaliation against the whistleblower is prohibited under the Whistleblower Protection Act. This also applies to threats and attempts at retaliation (section 36 (1) HinSchG). In addition, it is prohibited to interfere or attempt to interfere with reports or communications between a whistleblower and the reporting office (section 7 (2) HinSchG).

If the whistleblower was nevertheless obstructed, the following legal consequences will apply: if a retaliation occurs, the person causing the violation must compensate the whistleblower for the resulting damage. However, this does not entitle the whistleblower to an employment relationship, a vocational training relationship, any other contractual relationship, or career advancement.

In addition, taking an illegal reprisal or interfering with the communications between the whistleblower and the reporting office constitutes an administrative offence, which can be punished with a fine of up to 50,000 EUR (section 40 (2) No. 3, (5) HinSchG).

There is no formal registration process for whistleblowers[4]; however, the protections afforded under the law will only apply to a whistleblower who meets the following criteria:  

The whistleblower must be a current or former: 

• employee of the company or organisation the disclosure is about, or a related company or organisation; ;
• officer (usually that means a director or company secretary) of the company or organisation the disclosure is about, or a related company or organisation; 
• contractor, or an employee of a contractor, who has supplied goods or services to the company or organisation the disclosure is about – this can be either paid or unpaid (and includes volunteers); 
• an associate of the company or organisation, usually a person with whom the company or organisation acts in concert; or 
• trustee, custodian or investment manager of a superannuation entity, or an officer, employee, or a goods or service provider to a trustee, custodian, or investment manager. 

Protection is also offered if you are a spouse, relative or dependant of one of the people referred to above.  

The organisation the disclosure is about must be:

• a company; 
• a bank; 
• a provider of general insurance or life insurance; 
• a superannuation entity or a superannuation trustee; or 
• an incorporated association or other body corporate that is a trading or financial corporation – this includes not-for-profit organisations that trade in goods or services, lend or borrow money, or provide other financial services, and their trading or financial activities make up a sufficiently significant proportion of their overall activities. 

It is important to note that not all not-for-profit organisations are subject to whistleblower protections.

The whistleblower must make their disclosure to: 

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation; 
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation; 
• an actuary of the company or organisation, or a related company or organisation; 
• a person authorised by the company or organisation to receive whistleblower disclosures; 
• ASIC or APRA; or 
• a lawyer.

The whistleblower must have reasonable grounds to suspect that the information they are disclosing about the company or organisation concerns:

• misconduct; or 
• an improper state of affairs or circumstances.

Relevantly, this information can be about the company or organisation, or any officer or employee of the company or organisation, engaging in conduct that:

• breaches the Corporations Act; 
• breaches other financial sector laws enforced by ASIC or APRA; 
• breaches an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months; or
• represents a danger to the public or the financial system. 

The protections under the Corporations Act can also apply to a whistleblower report to a journalist or a member of the Commonwealth Parliament or a state or territory parliament. However, protection is only in certain limited circumstances, as set out below:

Public Interest Disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above. 
• At least 90 days must have passed since the whistleblower reported their concerns to ASIC or APRA, and the whistleblower does not have reasonable grounds to believe that action to address the concerns is being or has been taken.  
• The whistleblower must have reasonable grounds to believe that reporting their concerns to a journalist or parliamentarian would be in the public interest. 
• After 90 days from when the whistleblower reported to ASIC or APRA, the whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make a public interest disclosure.[5] 
• The whistleblower must report their concerns about misconduct or an improper state of affairs or circumstances or a breach of the law to a journalist or a parliamentarian.

Emergency disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above.
• The whistleblower must have reasonable grounds to believe that the information in the report concerns substantial and imminent danger to the health or safety of one or more people or the natural environment.
• The whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make an emergency disclosure.[6]   
• The whistleblower must report their concerns about the substantial or imminent danger to a journalist or parliamentarian.

To obtain protection, the whistleblower generally has to contact the responsible internal or external reporting offices. Disclosure of information about violations directly to the public is subject to strict conditions. This is only permissible, for example, if there is a risk of irreversible damage or in cases where the external reporting agency has not taken the required measures (section 32 (1) HinSchG).

The whistleblower providing the information must further act in good faith (ie, must have reasonable cause to believe, at the time of the report or disclosure that the information disclosed is true, and the information relates to violations that fall within the material scope of the Whistleblower Protection Act (section 33 (1) No. 2 and 3 HinSchG).

The Corporations Act and the Taxation Administration Act 1953 (Cth) (Taxation Act) both contain protections for whistleblowers. Amending legislation that came into effect on 1 July 2019 strengthened the protection for whistleblowers under these Acts.[7]

Protection under the Corporations Act

Under the Corporations Act, a whistleblower is afforded:

• protection of information;
• protection against legal action; and
• protection from detriment.

Protection of information

A whistleblower can ask the company or organisation that receives the whistleblower report to keep that individual's identity, or information that is likely to lead to their identification, confidential. Generally, companies and organisations that receive a report cannot disclose information without the whistleblower's consent. However, they may report the information to ASIC, APRA, the Australian Federal Police, or a lawyer for advice about whistleblower protections. Although such information must remain confidential.

Protection against legal action

Relevantly, the Corporations Act protects a whistleblower against certain legal actions related to making the disclosure: including:

• criminal prosecution (and the disclosure cannot be used against the whistleblower in a prosecution, unless the disclosure is false);
• civil litigation (such as for breach of an employment contract, duty of confidentiality, or other contractual obligation); or
• administrative action (including disciplinary action).

Protection against detriment

Moreover, the Corporations Act makes it illegal (through a criminal offence and civil penalty) for someone to cause or threaten detriment to a whistleblower because they believe or suspect that they have made, may have made, or could make a whistleblower disclosure.

The criminal offence and civil penalty apply even if that individual did not make a whistleblower report, but the offender caused or threatened detriment to the individual because they believed or suspected that they have or might make a report. A person may be found to have caused an individual detriment if they:

• dismissed an individual from employment;
• injured an individual during their employment;
• altered an individual's position or duties to their disadvantage;
• discriminated against that individual and other employees of the same employer;
• harassed or intimidated the individual;
• caused psychological harm to that individual;
• damaged that individual's property, reputation, business, or financial position; or
• caused any other damage.

Importantly, the offence and penalty require that the detriment be the result of an actual or suspected whistleblower disclosure.

Other protection

An individual can seek compensation through a court if they suffer loss, damage or injury for making their disclosure.

Alternatively, an individual can pursue other remedies, such as:

• an order that the individual's employer reinstate them to their original position or a comparable position;
• an injunction to prevent or stop the detrimental conduct;
• an order that the person, company or organisation that has caused the individual detriment or threatened them, apologise to that individual.

Protection under the Taxations Act

Under the Taxations Act, the following protection is provided to an eligible whistleblower:

• protection of information – noting that it is illegal for someone to disclose a whistleblower's identity, or information that is likely to lead to their identification;
• protection from civil, criminal or administrative liability for making their disclosure and an entity cannot be sued for a breach of confidentiality clause in a contract; and
• immunity from disciplinary action.

The most fundamental part of the protection is the prohibition of retaliation against the whistleblower. Therefore, the reporting or disclosing of information may not result in unjustified disadvantages such as disciplinary measures, dismissal or other discrimination against the person providing the information. In Addition, the Whistleblower Protection Act still contains a reversal of the burden of proof if the whistleblower suffers a disadvantage in connection with their professional activities. However, it is presumed that the disadvantage is a reprisal for the tip-off only if the whistleblower also asserts this themself. It should be noted, however, that the reversal of the burden of proof in favour of the whistleblower will only apply in labour court disputes and not in fining proceedings.

Furthermore, the Whistleblower Protection Act contains an exclusion of responsibility. Thus, a whistleblower cannot be made legally responsible for obtaining or accessing information that he or she has reported or disclosed, unless the obtaining or accessing of the information and the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG). In addition, a whistleblower does not violate any disclosure restrictions and may not be held legally responsible for the disclosure of information made in a report or disclosure if he or she had reasonable cause to believe that the disclosure of the information was necessary to detect a violation.

In addition to the protections afforded to whistleblowers as summarised above (namely, the protection of information or confidentiality), the status of whistleblower can be supported by whistleblower policies. Relevantly, from 1 January 2020, the Corporations Act made it a requirement for all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a whistleblowing policy.

ASIC's Regulatory Guide 270 provides a handy overview of what should be included in a whistleblower policy. In this regard, the Regulatory Guide notes:

• in RG 270.40 that the purpose of a whistleblower policy is "to ensure individuals who disclose wrongdoing can do so safely, securely and with confidence that they will be protected and supported"; and
• in RG.270.11 that, under section 1317AI(5)(c) of the Corporations Act, an entity's whistleblower policy must have information that details how the entity will support whistleblowers and protect them from detriment.  

At first, the person providing the information may not be subject to legal liability for obtaining or accessing information that he or she has reported or disclosed. This does not apply if the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG).

In addition, whistleblowers are protected by a comprehensive prohibition of retaliation. Therefore, any adverse consequences caused by disclosure are prohibited. These include, for example, dismissal, disciplinary measures or salary reductions (section 36 (1) HinSchG). Measures that violate the prohibition are void under section 134 of the Civil Code. The prohibition of retaliation is rounded off by a reversal of the burden of proof. According to this, it is presumed that a disadvantage that occurs after a disclosure is retaliation. As a consequence, the person who has disadvantaged the whistleblower has to prove that it is factually justified and was not based on the report or the disclosure if the whistleblower also asserts the disadvantage himself (section 36 (2) HinSchG).

In addition, the whistleblower is entitled to damages in the event of a violation (section 37(1) HinSchG).

If there is abusive reporting or non-compliance with the procedure of whistleblowing, there is a risk of:

• retaliation;
• reprisal;
• conflict problems;
• ongoing problems in the workplace; and
• adverse treatment which may impact an individual's health and safety.

(Office of the Independent Commissioner Against Corruption, Frameworks and practices for minimising risks of retaliation, November 2019).

If a whistleblower abusively reports a violation, this may initially give rise to criminal liability. Possible criminal offences are pretending to have committed a criminal offence (section 145d of the Criminal Code), false suspicion (section 164 of the Criminal Code) or offences of honour (section 185 et seq of the Criminal Code).

The whistleblower providing the abusive information also must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). Furthermore, there may be competing claims for damages, for example under section 823 (2) of the Civil Code in conjunction with a protective law.

Moreover, the whistleblower commits an administrative offence if he or she intentionally discloses inaccurate information. This may be punished with a fine of up to 20,000 EUR (section 40 (1), (6) HinSchG).

In principle, the whistleblower is free to decide whether he or she reports a violation through the internal or the external reporting channel (section 7 (1) HinSchG). However, if a violation is disclosed to the public directly (ie, without first using internal or external reporting channels and without there being an exceptional circumstance for this), the whistleblower is generally not subject to the protection of sections 35 to 37 of the Whistleblower Protection Act. Only in narrow exceptions is the whistleblower still protected, for example, if there is a danger of irreversible damage or comparable circumstances may represent an immediate or obvious threat to the public interest.