This article will focus primarily on whistleblowing protections in the private sector, but it also provides an overview of the systems in place in the public sector below.
Public sector protection
The majority of Australian states and territories have implemented statutory schemes that address whistleblowing. Generally, state legislation regulates whistleblowing in the public sector, with the exception of the South Australian and Australian Capital Territory regimes, which govern both public and private whistleblowing.1 At the federal level, the Public Interest Disclosure Act 2013 (Cth) (PID Act) operates to remove barriers preventing individuals within the public sector from disclosing and reporting serious problems that may affect public administration.
The PID Act requires all Australian government agencies, Commonwealth companies and public authorities to investigate suspected wrongdoing and take appropriate action. Conduct that may be the subject of a public interest disclosure, under the PID Act, includes, but is not limited to:
- a contravention of the law;
- perverting the course of justice;
- an abuse of public trust;
- falsifying scientific research;
- wastage of public money; or
- conduct that is a danger to health, safety or the environment.
A current or former public official can make a public interest disclosure. This includes:
- public servants (ongoing, non-ongoing and casual);
- parliamentary service employees;
- service providers under a Commonwealth contract;
- statutory office holders;
- staff of Commonwealth companies; or
- temporary employees engaged through a recruitment agency.
The Australian Commonwealth Ombudsman has prepared the below infographic that aptly summarizes the public interest disclosure scheme under the PID Act.
Private sector protection
Pt 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act) outlines the protections owed to whistleblowers in the private sector. Although this protection is predominately confined to the private sector, the protections and obligations apply to any entities duly incorporated under the Corporations Act. This means that government business enterprises, government-owned corporations and local government-owned corporations that have been incorporated under the Corporations Act are subject to the expanded whistleblower protection regime. Similar whistleblower protections relating specifically to taxation exist in the Taxation Administration Act 1953 (Cth).
In 2019, the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 amended the Corporations Act to introduce new obligations and increased protections in respect of whistleblowing in the private sector. These amendments came into effect on January 1, 2020. The amendments expanded the category of people eligible to make protected disclosures, introduced stronger protections for whistleblowers and, significantly, introduced a requirement for certain entities to adopt and implement a whistleblower policy. The new statutory regime’s increased protection of whistleblowers was designed to ensure the “early detection and prosecution of misconduct in businesses,” and as a corollary to this, to avoid the evasion of tax liabilities.2 Ultimately, it demonstrates the Australian regulators’ growing focus on corporate responsibility and good governance in the private sector.
Entities captured under the new whistleblowing regime also have an obligation to ensure they meet their respective obligations under any applicable State or Commonwealth law or regulation.
For the protections afforded under Pt 9.4AAA of the Corporations Act to be relied upon, the disclosure must satisfy a number of requirements. They are that the disclosure:
- is made by an “eligible whistleblower” in relation to a “regulated entity”;
- is made to a person or body specified in Pt 9.4AAA(3) – “an eligible receiver”; and
- is about a disclosable matter.
Since the 2019 amendments, an “eligible whistleblower” has been extended to include officers, employees, contractors, suppliers and individual associates of a regulated entity or a related body corporate, as well as current or former relatives or dependents, which includes a spouse or former spouse, of the above categories. An important feature of the 2019 amendments is that whistleblowers are no longer required to have acted in good faith so as to fall within the protective measures of the Corporations Act. To be an eligible whistleblower, an individual need only have "reasonable grounds to suspect" wrongdoing (the disclosable matter).3
To receive protection, a whistleblower must disclose the relevant information to either the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), a regulatory body, a legal practitioner or an “eligible recipient.”4
An eligible recipient in relation to a company includes:
- an officer (a director or secretary) or senior manager;
- an auditor, or a member of an audit team conducting an audit;
- an actuary; or
- a person authorized by the company to receive disclosures that may qualify for protection under the Corporations Act.5
Under the Corporations Act, a protected disclosure includes:
- information that an individual has reasonable grounds to suspect pertains to “misconduct or an improper state of affairs or circumstances” in relation to a regulated entity or of a related body corporate;
- any contravention of the Corporations Act or another financial sector law enforced by ASIC or APRA;
- offences against another Commonwealth law that is punishable by imprisonment for 12 months or more; and
- any conduct that endangers the public or the financial system is also potentially disclosable.6
The Corporations Act defines misconduct as including “fraud, negligence, default, breach of trust, or breach of duty.”7 The Corporations Act does not define an “improper state of affairs”; however, it is clear that the phrase casts a broad net and is not limited by the list of conduct that amounts to a disclosable matter. “Reasonable grounds” is also not defined in the Corporations Act, but ASIC have defined it as meaning instances where a reasonable person in the position of the discloser would also suspect the information to be indicative of misconduct or a breach of the law.8
Notably, “personal work-related grievances” will generally not amount to a disclosable matter.9
Protections and penalties
Whistleblowers who make protected disclosures are entitled to legal protection under Pt 9.4AAA of the Corporations Act, and there are serious penalties for both individuals and entities who are found to be in breach of these protections.
The protections afforded to whistleblowers under the Corporations Act include:
- identity protection (confidentiality);
- protection from detrimental acts or omissions;
- compensation and remedies; and
- civil, criminal and administrative liability protection.
The confidentiality obligation and the protection from detrimental acts or omissions apply not only to regulated entities but to their employees and officers.
Whistleblowers are not required to provide their identity to qualify for the protection afforded by the Corporations Act. Any individual who is either directly or indirectly aware of a whistleblower’s identity has a strict obligation of confidentiality.10 An individual must not disclose a whistleblower’s identity, or information that is likely to lead to the whistleblower’s identification, unless authorized under s 1317AAE of the Corporations Act.
The pecuniary penalty for disclosing a whistleblower’s identity without their consent is currently a fine up to AUD1,110,000 for an individual and AUD11,100,000 for a company. Individuals and entities are also exposed to criminal penalties – up to AUD13,320 or six months’ imprisonment (or both) for individuals and up to AUD133,200 for a company.
It is illegal for a person to cause or threaten detriment to an eligible whistleblower because they believe or suspect that the eligible whistleblower has made or might make a protected disclosure.
The Corporations Act defines detriment as:
- dismissal of an employee;
- injury of an employee in their employment;
- alteration of an employee’s position or duties to their disadvantage;
- discrimination between an employee and other employees of the same employer;
- harassment or intimidation of a person;
- harm or injury to a person, including psychological harm;
- damage to a person’s property;
- damage to a person’s reputation;
- damage to a person’s business or financial position; or
- any other damage to a person.11
The offence and penalty require that the detriment was a result of an actual or suspected whistleblower disclosure; the offence is punishable by both pecuniary and criminal penalties.
The criminal penalties are up to AUD53,280 or two years’ imprisonment (or both) for individuals and AUD532,800 for a company.12
The pecuniary penalties are the same as those for a breach of confidentiality – up to AUD1,110,000 for an individual and AUD11,100,000 for a company.
An eligible whistleblower can seek compensation through a court if they suffer loss, damage or injury as a consequence of making a disclosure. Despite consultation and deliberation, the 2019 amendments did not introduce a whistleblowing reward scheme, to provide whistleblowers with a percentage of the penalties arising out of the misconduct that they report, akin to other jurisdictions, like the United States.
If a whistleblower demonstrates a reasonable possibility that they were subject to detrimental conduct, the onus is on the entity to prove that the conduct was taken for a reason other than the whistleblower's disclosure. It is also against the law for a person to cause detriment or harm or to threaten to cause detriment or harm to a whistleblower for reporting misconduct.
Internal whistleblower programs
Certain Australian companies are required by law to implement and maintain a whistleblower policy.13 This obligation captures public companies, proprietary companies that are trustees of registrable superannuation entities and large proprietary companies.
A proprietary company is defined as “large” for a financial year if it satisfies at least two of the below criteria:
- the consolidated revenue for the financial year of the company and any entities it controls is AUD50 million or more;
- the value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is AUD25 million or more; and
- the company and any entities it controls have 100 or more employees at the end of the financial year.
It is important that companies that are not required by law to have whistleblowing policies are aware of, and observe, all of the obligations under the Corporations Act, as they will still need to handle any whistleblowing complaints in compliance with the law, and will be liable for any breach of the same. For this reason, we recommend that all companies employing staff should have internal policies that are readily accessible and compliant with the Corporations Act.
An entity’s whistleblower policy must include information about the protections under the Corporations Act that are available to disclosers who qualify for protection as a whistleblower.14 To assist users of an entity’s whistleblower policy, the policy must identify the people within and outside the entity who can receive disclosures that qualify for protection.
The policy needs to cover all stages of the whistleblowing process, from the initial receipt of a disclosure to undertaking the investigation, monitoring the outcome and ensuring that the discloser is supported throughout the process.15 It must provide examples of how the entity will protect the confidentiality of a discloser’s identity and protect disclosers from detrimental acts or omissions.16
Further, an entity’s policy must state that a discloser is protected from any of the following in relation to their disclosure:
- civil liability (eg any legal action against the discloser for breach of an employment contract, duty of confidentiality or another contractual obligation);
- criminal liability (eg attempted prosecution of the discloser for unlawfully releasing information, or other use of the disclosure against the discloser in a prosecution (other than for making a false disclosure)); and
- administrative liability (eg disciplinary action for making the disclosure).
An entity’s whistleblowing policy must also outline its measures for ensuring its policy is widely disseminated to and easily accessible by disclosers within and outside the entity. Relevantly, the policy must be made accessible to all employees and officers within six months of the end of the financial year and must be maintained in all subsequent financial years (where the company qualifies as a large proprietary company).
Failure to have a compliant whistleblower policy is an offence under the Corporations Act, punishable by criminal penalty only. Individuals can be fined up to AUD13,320 and companies can be charged up to AUD133,200.
ASIC have released a regulatory guide titled “RG 270 Whistleblowing policies” that outlines in further detail the requirements of a whistleblower policy, as well as recommendations that entities can implement for best practice.
1 See, eg, the Public Interest Disclosures Act 1994 (NSW); Public Interest Disclosure Act 2012 (ACT); Public Interest Disclosures Act 2002 (TAS); Public Interest Disclosure Act 2003 (WA); Public Interest Disclosure Act 2010 (Qld); Whistleblowers Protection Act 1993 (SA); Protected Disclosure Act 2012 (Vic); Public Interest Disclosure Act (NT).
2 Explanatory Memorandum to the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017 (Cth), para 1.4.
3 Corporations Act 2001 (Cth) (Corporations Act), s 1317AA(4).
4 Corporations Act, s 1317AA(1).
5 Corporations Act, s 1317AAC.
6 Corporations Act, ss 1317AA(4); 1317AA(5).
7 Corporations Act, s 9.
8 Australian Securities & Investments Commission, "Whistleblower rights and protections", Information Sheet 238 (Webpage, 1 July 2019).
9 Corporations Act, s 1317AADA(2).
10 See Corporations Act, ss 1317AA, 1317AAA, 1317AAC and 1317AAD.
11 Corporations Act, s 1317ADA.
12 Corporations Act, s 1317AC.
13 Corporations Act, s 1317AA.
14 Corporations Act, s 1317AI(5)(a).
15 Australian Securities & Investments Commission, 'ASIC Regulatory Guide' Regulatory Guide 270 Whistleblower policies (Regulatory Guide, November 2019).
16 Corporations Act, s 1317AI(5)(c).