Whistleblowing

Whistleblowers in private sector entities are predominantly covered by the Corporations Act 2001 (Cth) part 9.4AAA.

Whistleblowers are also covered by the Taxation Administration Act 1953 where the disclosure relates to tax information.

Public officials are covered by the Public Interest Disclosure Act 2013 (Cth).

Australian whistleblower protections are slightly different from that of the EU. Broadly, the 2019 EU Directive provides much broader protection for whistleblowers. In Australia, the laws are more specific to certain circumstances. Some examples:

• the EU Directive covers both the public and private sector, while Australia has two separate systems;
• the EU Directive covers individuals who assist whistleblowers, while the Australian systems do not;
• the EU Directive notes that disclosable acts referred to as breaches include acts or omissions that are not unlawful but that defeat the object or purpose of the law. Australia has key disclosable acts that are not this broad.
• the EU Directive, like Australian law:
  • covers individuals outside of the typical employer/employee relationship;
  • does not consider motive as to why someone reports;
  • protects the whistleblower's identity and grants protection to anonymous disclosers who are later identified;
  • allows people to report internally or directly to the authorities; and
  • allows for public disclosure in certain circumstances. 

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

There is no specific guidance on whether there may be a whistleblower procedure at a Group level encompassing all subsidiaries. However, in the absence of a prohibition to this effect, the better view is that such a procedure is possible at a Group level covering all subsidiaries. 

Under section 1317AA(4) of the Corporations Act, an entity's policy must cover the types of disclosures that qualify for protection. Disclosable matters involve information that the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances, concerning:

• an entity; or
• if the entity is a body corporate, a related body corporate of the entity.

Under section 1317AAA of the Corporations Act, an entity’s policy must explain the role of “eligible recipients” – that is, to receive disclosures that qualify for protection. If an entity is a body corporate, an eligible recipient includes:

• an officer or senior manager of the entity or related body corporate;
• the internal or external auditor (including a member of an audit team conducting an audit) or actuary of the entity or related body corporate; and
• a person authorised by the entity to receive disclosures that may qualify for protection.

Sections 1311(1) and 1317AI(4) of the Corporations Act notes that it is an offence of strict liability not to implement a whistleblower's policy.

The penalty for non-compliance for individuals is 60 penalty units (A$13,320) and for companies is 600 penalty units (A$133,200), and is enforceable by ASIC.

Strictly speaking, no. ASIC Regulatory Guide 270 does not refer to employee representative bodies needing to be involved in the implementation of whistleblower policies.

Under section 1317AI(5)(f) of the Corporations Act, an entity's policy must cover information on how the policy will be made available to officers and employees.

ASIC Regulatory Guide 270 provides examples of how to make a policy available to staff. It suggests:

• holding staff briefing sessions or smaller team meetings;
• posting the policy on the staff intranet or other communication platform;
• posting information on staff noticeboards;
• setting out the policy in the employee handbook; and
• incorporating the policy in employee induction information packs and training for new starters.

Further, an entity should conduct upfront and ongoing education and training.

Specialist training should be provided to staff members who have specific responsibilities under the policy.

Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training.

To ensure disclosers outside an entity can access the entity’s whistleblower policy, the policy should be available on the entity’s external website.

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

• oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
• a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
• periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

• make their disclosure anonymously, confidentially and outside business hours;
• receive updates on the status of their disclosure while retaining anonymity; and
• provide additional information anonymously.

It's good practice for any organisation to have appropriate information technology and organisational measures for securing personal information they receive, handle and record as part of their whistleblower policy.

Entities should consult the Australian Privacy Principles under the Privacy Act 1988 (Cth) for any industry or government-specific standards.

Under the Privacy Act section 26WE, there are also requirements for the entity to report a data breach to the Office of the Australian Information Commissioner if it is likely to result in serious harm to individuals whose personal information is involved in the breach.

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

• policy's purpose;
• who the policy applies to;
• matters the policy applies to;
• who can receive a disclosure;
• how to make a disclosure;
• legal protections for disclosures;
• support and practical protections;
• handling and investigating disclosures; and
• ensuring fair treatment of all individuals.

Section 1317AA of the Corporations Act provides that a disclosure qualifies for protection under the Act where:

• the discloser is an eligible whistleblower; and
• the disclosure is made to any of the following:
  • ASIC;
  • APRA;
  • A Commonwealth authority; and
  • Subsection 4 or 5 applies - see immediately below. 

Subsection 4 applies to disclosures of information where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs or circumstances related to:

• the regulated entity; or
• a related body corporate of the regulated entity.

Subsection 5 applies to a disclosure of information if the discloser has reasonable grounds to suspect that the information:

• indicates the regulated entity or officer of the entity or related body corporate of the entity or officer of the related body, has engaged in conduct that constitutes an offence against, or contravention of any of the following:
  • the Corporations Act;
  • the ASIC Act;
  • the Banking Act 1959;
  • the Financial Sector (Collection of Data) Act 2001;
  • the Insurance Act 1973;
  • the Life Insurance Act 1995;
  • the National Consumer Credit Protection Act 2009;
  • the Superannuation Industry (Supervision) Act 1993;
  • an instrument made under an Act referred to in any of subparagraphs (i) to (viii); or
• constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months or more, represents a danger to the public or the financial system, or is prescribed by the regulations for this paragraph.

What an entity chooses to specify as falling under the policy, therefore, needs to cover these areas.

ASIC Regulatory Guide 270 provides some examples:

• illegal conduct;
• fraud, money laundering, misappropriation of funds;
• offering or accepting a bribe;
• financial irregularities;
• failure to comply or breach of legal or regulatory requirements; and
• engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure.

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act as section 1317AAB outlines what is a regulated entity. It includes:

• a Company;
• a Corporation to which paragraph 51(xx) of the Constitution applies;
• an authorised deposit-taking institution;
• a general insurer;
• a life company;
• a superannuation entity or trustee; or
• an entity prescribed by the regulations.

Broadly, a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing (National Whistleblower Center, 2002).

A commonly accepted definition specifies that the act of whistleblowing is: 

"…the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employees to persons that may be able to effect action".[1]

Whistleblowers are often, but not always, employees of the organisations where the misconduct has occurred or is occurring.

Previous examples of internal whistleblowers include:

• the Commonwealth Bank Financial Planner Scandal whistleblower; and
• the CommInsure Life Insurance Scandal whistleblower.

Previous examples of external whistleblowers who were not employees include:

• a Ponzi Scheme whistleblower who was an external financial analyst; and
• the Trio Capital Superannuation Fraud whistleblower who was an external financial analyst.

While the commonly accepted definition of “whistleblowing” refers to employees of an organisation (both former and current), an eligible whistleblower is not limited to an employee of an organisation. This is highlighted in section 1317AAA of the Corporations Act, particularly subsections (c), (d), (g) and (h). This section of the Corporations Act is discussed further below.

Under the Corporations Act an individual must meet the definition of an “eligible whistleblower”.

Relevantly, the criteria set out in the Corporations Act include most people with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face discrimination for reporting it. The importance of meeting the definition of an “eligible whistleblower” is that these people can access the rights and protections in the law when they report misconduct, and such protection is extended to their spouses and relatives.

Under section 1317AAA of the Corporations Act, an eligible whistleblower can be someone who is, or has been, any of the following:

• an officer of the regulated entity;
• an employee of the regulated entity;
• an individual who supplies services or goods to the regulated entity (whether paid or unpaid);
• an employee of a person that supplies services or goods to the regulated entity (whether paid or unpaid);
• an individual who is an associate of the regulated entity;
• for a regulated entity, which is a superannuation entity:
  • an individual who is a trustee (within the meaning of the Superannuation Industry (Supervision) Act 1993), custodian (within the meaning of that Act) or investment manager (within the meaning of that Act) of the superannuation entity;
  • an officer of a body corporate that is a trustee, custodian or investment manager of the superannuation entity;
  • an employee of an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid);
  • an individual who supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid); or
  • an employee of a person that supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid).
• a relative of an individual referred to in any of paragraphs (a) to (f);
• a dependant of an individual referred to in any of paragraphs (a) to (f), or of such an individual's spouse; or
• an individual prescribed by the Corporations Regulations 2001 as being an eligible whistleblower in relation to the regulated entity.

Yes, while whistleblowers can provide their name and contact details when they report - they can also report anonymously (ASIC Information Sheet 238 issued on 1 July 2019). 

This means that a whistleblower must make their disclosure to:

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation;
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation;
• an actuary of the company or organisation, or a related company or organisation;
• a person authorised by the company or organisation to receive whistleblower disclosures;
• ASIC or the APRA; or
• a lawyer.

However, they do not have to identify themselves or their role, and so can raise their concerns anonymously and still access the same whistleblower protections afforded to those who provide their name and contact details when they report.

However, while an individual can report their concerns to ASIC anonymously, ASIC will not be able to follow up with the whistleblower for further information or next steps due to this anonymity (ASIC Information Sheet 238 issued on 1 July 2019).[2]

It is uncertain whether a whistleblower needs to be a direct witness of the violation that they are disclosing. Rather, it appears that the only requirement that a whistleblower must show is that they have reasonable grounds to suspect that the information being disclosed about the company or organisation concerns:

• misconduct; or
• an improper state of affairs or circumstances.

Directly witnessing a violation would be the easiest way to establish reasonable grounds; however, it does not appear that this is a prerequisite for whistleblowers.

Relevantly, “reasonable grounds” means that a reasonable person in the whistleblower's position would also suspect the information indicates misconduct or a breach of the law (ASIC Information Sheet 238 issued on 1 July 2019).

ASIC Regulatory Guide 270 provides guidance on establishing a whistleblower policy. Under this guide, an entity's whistleblower policy must:

• identify the different types of disclosers within and outside the entity who can make a disclosure that qualified for protection;
• identify the types of wrongdoing that can be reported (ie, disclosable matters), based on the entity's business operations and practices;[3]
• identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection;
• include information about how to make a disclosure;
• include information about the protections available to disclosers who qualify for protection as a whistleblower, including the protections under the Corporations Act; and
• outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.

The hierarchical order for reporting a breach is:

• employer;
• competent authority or authorities (including ASIC, APRA, the Australian Federal Police, or a lawyer); and
• the public or media.

Relevantly, the general rule is that a whistleblower must first report to their employer. However, if the employer does not adequately deal with the report, or the employee is not comfortable reporting to their employer, they can go to the competent authorities. As a last resort, the whistleblower may go public.

Whistleblower policy provisions will affect how a company can investigate the concern. The company's whistleblower policy must include information about how it will investigate concerns.

However, generally speaking, a company or organisation may report information to external authorities, such as ASIC, APRA, the Australian Federal Police or to a lawyer to seek advice about whistleblower protections.

Generally, there should be no further action against a whistleblower if their accusation was founded on a reasonable cause. If the whistleblower had a reasonable but erroneous belief in the wrongdoing, and as a result they are dismissed by their employer, then they would potentially have a claim for unfair dismissal.

However, if the whistleblower did not have a reasonable ground, further action may be taken. This will depend on the parties involved and what the company or organisation decide to do. For instance, if following an investigation, it is found that the whistleblowing was deliberately false (ie, was not founded on a reasonable ground), then disciplinary action may follow. Such disciplinary action may include dismissal, termination of services or cessation of a service or client relationship.

Breaching a whistleblower's anonymity and engaging in (or threatening to engage in) detrimental conduct towards a whistleblower or potential whistleblower, will carry a civil penalty for:

• a body corporate of a maximum of the greater of A$10.5 million, or if a court can determine the benefit derived or detriment avoided because of the contravention, three times that amount, or 10% of the annual turnover of the entity up to a maximum of A$525 million.
• an individual, the greater of A$1.05 million, or if a court can determine the benefit derived or detriment avoided, three times that amount.

Moreover, a failure to comply with the confidentiality and detrimental conduct provisions will also be a criminal offence, punishable by imprisonment or fines.

There is no formal registration process for whistleblowers[4]; however, the protections afforded under the law will only apply to a whistleblower who meets the following criteria:  

The whistleblower must be a current or former: 

• employee of the company or organisation the disclosure is about, or a related company or organisation; ;
• officer (usually that means a director or company secretary) of the company or organisation the disclosure is about, or a related company or organisation; 
• contractor, or an employee of a contractor, who has supplied goods or services to the company or organisation the disclosure is about – this can be either paid or unpaid (and includes volunteers); 
• an associate of the company or organisation, usually a person with whom the company or organisation acts in concert; or 
• trustee, custodian or investment manager of a superannuation entity, or an officer, employee, or a goods or service provider to a trustee, custodian, or investment manager. 

Protection is also offered if you are a spouse, relative or dependant of one of the people referred to above.  

The organisation the disclosure is about must be:

• a company; 
• a bank; 
• a provider of general insurance or life insurance; 
• a superannuation entity or a superannuation trustee; or 
• an incorporated association or other body corporate that is a trading or financial corporation – this includes not-for-profit organisations that trade in goods or services, lend or borrow money, or provide other financial services, and their trading or financial activities make up a sufficiently significant proportion of their overall activities. 

It is important to note that not all not-for-profit organisations are subject to whistleblower protections.

The whistleblower must make their disclosure to: 

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation; 
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation; 
• an actuary of the company or organisation, or a related company or organisation; 
• a person authorised by the company or organisation to receive whistleblower disclosures; 
• ASIC or APRA; or 
• a lawyer.

The whistleblower must have reasonable grounds to suspect that the information they are disclosing about the company or organisation concerns:

• misconduct; or 
• an improper state of affairs or circumstances.

Relevantly, this information can be about the company or organisation, or any officer or employee of the company or organisation, engaging in conduct that:

• breaches the Corporations Act; 
• breaches other financial sector laws enforced by ASIC or APRA; 
• breaches an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months; or
• represents a danger to the public or the financial system. 

The protections under the Corporations Act can also apply to a whistleblower report to a journalist or a member of the Commonwealth Parliament or a state or territory parliament. However, protection is only in certain limited circumstances, as set out below:

Public Interest Disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above. 
• At least 90 days must have passed since the whistleblower reported their concerns to ASIC or APRA, and the whistleblower does not have reasonable grounds to believe that action to address the concerns is being or has been taken.  
• The whistleblower must have reasonable grounds to believe that reporting their concerns to a journalist or parliamentarian would be in the public interest. 
• After 90 days from when the whistleblower reported to ASIC or APRA, the whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make a public interest disclosure.[5] 
• The whistleblower must report their concerns about misconduct or an improper state of affairs or circumstances or a breach of the law to a journalist or a parliamentarian.

Emergency disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above.
• The whistleblower must have reasonable grounds to believe that the information in the report concerns substantial and imminent danger to the health or safety of one or more people or the natural environment.
• The whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make an emergency disclosure.[6]   
• The whistleblower must report their concerns about the substantial or imminent danger to a journalist or parliamentarian.

The Corporations Act and the Taxation Administration Act 1953 (Cth) (Taxation Act) both contain protections for whistleblowers. Amending legislation that came into effect on 1 July 2019 strengthened the protection for whistleblowers under these Acts.[7]

Protection under the Corporations Act

Under the Corporations Act, a whistleblower is afforded:

• protection of information;
• protection against legal action; and
• protection from detriment.

Protection of information

A whistleblower can ask the company or organisation that receives the whistleblower report to keep that individual's identity, or information that is likely to lead to their identification, confidential. Generally, companies and organisations that receive a report cannot disclose information without the whistleblower's consent. However, they may report the information to ASIC, APRA, the Australian Federal Police, or a lawyer for advice about whistleblower protections. Although such information must remain confidential.

Protection against legal action

Relevantly, the Corporations Act protects a whistleblower against certain legal actions related to making the disclosure: including:

• criminal prosecution (and the disclosure cannot be used against the whistleblower in a prosecution, unless the disclosure is false);
• civil litigation (such as for breach of an employment contract, duty of confidentiality, or other contractual obligation); or
• administrative action (including disciplinary action).

Protection against detriment

Moreover, the Corporations Act makes it illegal (through a criminal offence and civil penalty) for someone to cause or threaten detriment to a whistleblower because they believe or suspect that they have made, may have made, or could make a whistleblower disclosure.

The criminal offence and civil penalty apply even if that individual did not make a whistleblower report, but the offender caused or threatened detriment to the individual because they believed or suspected that they have or might make a report. A person may be found to have caused an individual detriment if they:

• dismissed an individual from employment;
• injured an individual during their employment;
• altered an individual's position or duties to their disadvantage;
• discriminated against that individual and other employees of the same employer;
• harassed or intimidated the individual;
• caused psychological harm to that individual;
• damaged that individual's property, reputation, business, or financial position; or
• caused any other damage.

Importantly, the offence and penalty require that the detriment be the result of an actual or suspected whistleblower disclosure.

Other protection

An individual can seek compensation through a court if they suffer loss, damage or injury for making their disclosure.

Alternatively, an individual can pursue other remedies, such as:

• an order that the individual's employer reinstate them to their original position or a comparable position;
• an injunction to prevent or stop the detrimental conduct;
• an order that the person, company or organisation that has caused the individual detriment or threatened them, apologise to that individual.

Protection under the Taxations Act

Under the Taxations Act, the following protection is provided to an eligible whistleblower:

• protection of information – noting that it is illegal for someone to disclose a whistleblower's identity, or information that is likely to lead to their identification;
• protection from civil, criminal or administrative liability for making their disclosure and an entity cannot be sued for a breach of confidentiality clause in a contract; and
• immunity from disciplinary action.

In addition to the protections afforded to whistleblowers as summarised above (namely, the protection of information or confidentiality), the status of whistleblower can be supported by whistleblower policies. Relevantly, from 1 January 2020, the Corporations Act made it a requirement for all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a whistleblowing policy.

ASIC's Regulatory Guide 270 provides a handy overview of what should be included in a whistleblower policy. In this regard, the Regulatory Guide notes:

• in RG 270.40 that the purpose of a whistleblower policy is "to ensure individuals who disclose wrongdoing can do so safely, securely and with confidence that they will be protected and supported"; and
• in RG.270.11 that, under section 1317AI(5)(c) of the Corporations Act, an entity's whistleblower policy must have information that details how the entity will support whistleblowers and protect them from detriment.  

If there is abusive reporting or non-compliance with the procedure of whistleblowing, there is a risk of:

• retaliation;
• reprisal;
• conflict problems;
• ongoing problems in the workplace; and
• adverse treatment which may impact an individual's health and safety.

(Office of the Independent Commissioner Against Corruption, Frameworks and practices for minimising risks of retaliation, November 2019).