Recent amendments to Australia’s corporate whistleblower protection regime have been heralded as game-changing. But will they actually work?
The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Whistleblower Protections Act) introduced new obligations in respect of whistleblowing. From 1 January 2020, public listed companies, large proprietary companies and trustees of registrable superannuation entities must have a whistleblowing policy in place or risk being exposed to civil penalties. Regardless of the size of your organisation, if you are an entity that is incorporated in Australia under the Corporations Act 2001, you are still bound by the new obligations created by the Whistleblower Protections Act.
One of the objectives of the Whistleblower Protections Act is to help to uncover misconduct that might not otherwise be detected. This is facilitated by an organisation having a transparent whistleblower policy in place, which is designed to give individuals confidence in the system and make them more likely to report any potential wrongdoing.
With only 11 weeks to go until policies must be implemented, ASIC has issued a Draft Regulatory Guide 000 Whistleblower policies (Draft Guidance) to assist organisations to implement and maintain a whistleblower policy that complies with the obligations under the Corporations Act. It is expected that the Guide will be issued in final form later this month. However, the Draft Guidance risks hindering the objectives of the Whistleblower Protections Act because some provisions appear to extend an organisation’s obligations beyond what is required and seek to impose a detailed and complex policy.
We explore those concerns regarding whistleblower policies and consider the practical impact of the Draft Guidance below.
Reporting emergency and public interest disclosures
In order for a ‘whistleblower’ to receive protection in relation to any complaint, they first must report the matter to at least one of the following: ASIC, APRA, a regulatory body, (the Regulator) a legal practitioner or an ‘eligible recipient’.If the entity is a body corporate, the eligible recipient can include a senior manager or officer.
The potential wrongdoing must be about misconduct or an improper state of affairs in relation to the regulated entity. This includes contravention of a provision of any law of the Commonwealth that is punishable by imprisonment for a period of 12 months or more or represents a danger to the public or the financial system.
In addition, the whistleblower will also be protected if they disclose to a journalists or a member of parliament either as a public interest disclosure or an emergency disclosure, provided certain requirements are met.
Those provisions include that the whistleblower must have specifically notified the Regulator (not just any eligible recipient) and then wait 90 days (in the case of a public interest disclosure) before being able to raise the concern with a journalist or member of parliament and only after they have notified the Regulator that they intend to make a public interest disclosure.
In the case of an emergency disclosure, there is no waiting period. The whistleblower must:
- have previously notified the Regulator;
- believe that the information concerns a substantial and imminent danger to the health or safety of one or more persons or to the natural environment; and
- have notified the Regulator that they intend to make an emergency disclosure.
Emergency and public interest disclosures have the potential to cause serious harm to companies. While organisations would naturally prefer that a whistleblower disclose internally, rather than go straight to the Regulator, the Whistleblower Protections Act provides that a policy must set out information about the protections available to whistleblowers, including protections under the relevant part of the Act and information about how the disclosures that qualify for protection may be made and how they may be made.
To comply with this requirement, it appears that regulated entities will need to include guidance in their whistleblower policy which states that, in order to obtain the protections provided by the Whistleblower Protections Act, employees must: first report the alleged misconduct to the Regulator before they disclose the matters to a journalist or a member of parliament in circumstances where they believe that the misconduct is a matter of public interest or of a substantial and imminent danger to the health or safety of one or more persons or to the natural environment
The Draft Guidance thankfully promotes a less technical approach:
“It is good practice for an entity’s policy to encourage its employees and external disclosers to make a disclosure to the entity in the first instance. However the entity needs to ensure that its policies, processes and procedures make it safe for disclosures to do so.”
The Draft Guidance also states that the policy could also:
“acknowledge that a discloser can make a disclosure directly to regulatory bodies or other external parties about a disclosable matter and qualify for protection under the Corporations Act without making a prior disclosure to the entity.”
While this approach is welcomed, it is not made clear what the policy should actually say about this protection. The Draft Guidance appears to suggest that policies should actually explain the circumstances when a public interest/emergency disclosure can be made. This appears to be counter-initiative to the legislatures’ intention that disclosures should be made internally first and that emergency/public interest disclosures should be the last resort.
What is a disclosable matter?
Whistleblowing is not a new concept. While it was acknowledged that the law needed to be tightened, there was a belief amongst the business community that the misconduct that needed to be addressed concerned corporate, tax or financial misconduct, rather than individuals behaving badly towards each other in the corporate world.
The Whistleblower Protections Act defines a disclosable matter as:
- information that concerns ‘misconduct’ or ‘an improper state of affairs’ or circumstances in relation to the regulated entity; or if the regulated entity is a body corporate – a related body corporate of the regulated entity and/or
- conduct that the regulated entity, or if the regulated entity is a body corporate, a related body corporate of the regulated entity, its officers or employees have engaged in which constitutes an offence or contravention of various laws, including any law of the Commonwealth that is punishable by imprisonment for a period of 12 months or represents a danger to the public or financial system.
‘Misconduct’ is expressly defined by section 9 of the Corporations Act and includes fraud, negligence, default, breach of trust, and breach of duty.
The concept of an ‘improper state of affairs’ is not defined in the legislation, however the Revised Explanatory Memorandum states that it ‘may not involve unlawful conduct but may indicate a systemic issue that would assist the relevant regulator in performing its functions’.
These are narrow concepts that do not embody the definition of misconduct that is commonly used in relation to employee conduct, and therefore support the view that the wrongdoing that should be reported is in relation to corporate, tax or financial affairs.
However, the Draft Guidance appears to support a broad interpretation. It notes that an entity’s policy should explain that:
- disclosable matters include conduct that may not involve a contravention of a particular law (for example, ‘misconduct or an improper state of affairs or circumstances’ may not involve unlawful conduct in relation to the entity or a related body corporate of the entity but may indicate a systemic issue that the relevant regulator should know about to properly perform its functions. It may also relate to dishonest or unethical behaviour and practices, conduct that may cause harm, or conduct prohibited by the entity’s standards or code(s) of conduct);
- information that indicates a significant risk to public safety or the stability of, or confidence in, the financial system is also a disclosable matter, even if it does not involve a breach of a particular law.
The majority of HR complaints raise alleged breaches of the employer’s Code of Conduct and are likely to include complaints of discrimination, bullying, harassment or victimisation. This type of conduct is unlikely to fall within the definition of misconduct in the Corporations Act, but appears to be covered by the Draft Guidance. This is an expansive interpretation which does not appear to be supported by the terms of the legislation.
Further, although the Draft Guidance notes that workplace grievances remain the jurisdiction of the Fair Work Act 2009 (Cth), it goes on to explain that a personal work-related grievance still qualifies for protection if:
- it includes information about misconduct, or information about misconduct includes or is accompanied by a personal work-related grievance (mixed report);
- the entity had breached employment or other laws punishable by imprisonment for a period of 12 months or more (or has engaged in conduct that represents a danger to the public or the disclosure relates to information that suggests misconduct beyond the discloser’s personal circumstances);
- the discloser suffers from or is threatened with detriment for making a disclosure; or
- the discloser seeks legal advice or legal representation about the operation of the whistleblower protections under the Act.
With the exception of an offence under the Work Health and Safety Act 2011 (Cth) (which applies to very few employers), there are no federal employment laws that provide for criminal sanctions. However, by suggesting that a report about a personal grievance could be a protected disclosure if the entity has ‘breached employment laws,’ the Draft Guidance may lead organisations to treat such complaints as a whistleblower complaint, when this does not appear to be required.
A practical consequence of the extension of the types of ‘misconduct’ beyond the apparent scope of the legislation is that organisations will need to revisit many HR policies dealing with such matters, and how general HR complaints are handled.
Say, for example, a Chief Operating Officer receives a complaint about bullying and victimisation by a colleague. There is no request by the employee to remain anonymous and, in any event, the COO is aware that HR have previously investigated the allegations and found the allegations unsubstantiated. Normally, the matter would be instinctively passed back to HR for further investigation. The inference in the Draft Guidance is that the conduct is a disclosable matter and would prevent the issue being passed back to HR. This is because in doing so the COO may breach the confidentiality provisions of the Whistleblower Protections Act, unless consent has been given by the reporter.
Further, organisations that adopt the extended view of misconduct in the Draft Guidance are likely to find that their ability to investigate complaints – particularly those whereby the identity of the respondent must be disclosed – is hindered in a way that does not appear to be consistent with the legislative intent.
To give another example, say a COO receives a complaint from one employee alleging sexual harassment from another employee. To ensure that the COO complies with his or her obligations, they should ask the employee to consent to their complaint being passed to the Whistleblowing Protection Officer and/or the Whistleblowing Investigation Officer. If consent is refused, or the employee does not wish their identity to be disclosed, arguably the COO cannot take the matter any further.
Such an interpretation is inconsistent with industry practice and, arguably, is also inconsistent with an organisation’s duties under the Work Health and Safety Act 2011 (Cth), whereby complaints will be investigated regardless of whether the employee wishes to remain anonymous or consents to the matter being investigated.
We do not think such a broad interpretation of ‘disclosable matters’ is the intention of the legislature.
What should a whistleblower policy include?
To deliver on the object of the Whistleblower Protections Act, a whistleblower policy needs to be clear and easily understood across all levels of an organisation.
The Draft Guidance notes that the following provisions should be included in a policy:
- information about the protections provided in the tax whistle-blower regime;
- governance matters – including outlining the key roles and responsibilities;
- details provisions as to how confidentiality should be protected;
- how an entity will in practice protect disclosers from detriment;
- detail about the investigation process including timeframes; and
- how the findings from an investigation will be documented and indicate the information that the discloser will receive.
These provisions go well beyond the obligations of Whistleblower Protections Act, and, if included, will lead to organisations creating detailed, long, and complex policies that are unlikely to be clear and easily understood. It could therefore destroy one of the key objectives of the legislation, namely encouraging more people to report. If individuals cannot understand the policy, they will inevitably have no trust or confidence in the system. This may also push them to disclose to the Regulator in the first instance, rather than internally.
While guidance is to be welcomed, some things are best left as ‘guidelines’ separate from any policy.
What should organisations be doing right now?
- Implement a policy. At this stage, the most important thing for organisations to do is ensure they have a policy in place that complies with the Whistleblower Protections Act before1 January 2020. Even if your organisation is not required to have a policy, if you are an Australian registered company, we recommend that you put one in place regardless. This will ensure that the obligations of the Whistleblower Protections Act are front of mind and you do not inadvertently breach the confidentiality provisions, exposing your organisation to civil and/or criminal penalties. Once the Draft Guidance has been finalised, policies can then be amended to ensure they meet your obligations.
- Review your HR practices. Ensure that all HR complaints are dealt with appropriately and do not inadvertently breach the whistleblower provisions. Practically, this can easily be dealt with by obtaining a whistleblower’s consent to share their identity and information.
- Train you eligible recipients. Are senior managers aware of what a whistleblowing complaint looks like and what they should do if they receive one? Or are they more than likely to pass it to their executive assistant or HR and ask them to deal with it? If the latter is the case, we recommend that your organisation invests in training for all eligible recipients, whistleblowing protection officers and whistleblowing investigation officers to ensure confidentiality obligations are met.
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, Section 1317AA(1) & (2)
 Ibid, Section 1317AAC(1)(a)
 Ibid, Section 1317AAC(4)
 Ibid, Section 1317AAD
 Ibid, Section 1317AAD(2)
 Ibid, Section 1317AI(5)(a) & (b)
 Draft Regulatory Guide 000 Whistleblower Policies, RG 000.62
 Ibid, RG 000.63
 Ibid, RG 000.69 and RG 000.70
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, Section 1317AA(4)
 Ibid, Section 1317AA(5)
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019, Revised Explanatory Memorandum, 2.34
 Draft Regulatory Guide 000 Whistleblower Policies, RG 000.41
 Ibid, RG 000.42
 Ibid, RG 000.51
 Ibid, RG 000.53
 Ibid, RG 000.11 and RG 000.12
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.