16 October 2019
Recent amendments to Australia’s corporate whistleblower protection regime have been heralded as game-changing. But will they actually work?
The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Whistleblower Protections Act) introduced new obligations in respect of whistleblowing. From 1 January 2020, public listed companies, large proprietary companies and trustees of registrable superannuation entities must have a whistleblowing policy in place or risk being exposed to civil penalties. Regardless of the size of your organisation, if you are an entity that is incorporated in Australia under the Corporations Act 2001, you are still bound by the new obligations created by the Whistleblower Protections Act.
One of the objectives of the Whistleblower Protections Act is to help to uncover misconduct that might not otherwise be detected. This is facilitated by an organisation having a transparent whistleblower policy in place, which is designed to give individuals confidence in the system and make them more likely to report any potential wrongdoing.
With only 11 weeks to go until policies must be implemented, ASIC has issued a Draft Regulatory Guide 000 Whistleblower policies (Draft Guidance) to assist organisations to implement and maintain a whistleblower policy that complies with the obligations under the Corporations Act. It is expected that the Guide will be issued in final form later this month. However, the Draft Guidance risks hindering the objectives of the Whistleblower Protections Act because some provisions appear to extend an organisation’s obligations beyond what is required and seek to impose a detailed and complex policy.
We explore those concerns regarding whistleblower policies and consider the practical impact of the Draft Guidance below.
In order for a ‘whistleblower’ to receive protection in relation to any complaint, they first must report the matter to at least one of the following: ASIC, APRA, a regulatory body, (the Regulator) a legal practitioner or an ‘eligible recipient’.If the entity is a body corporate, the eligible recipient can include a senior manager or officer.
The potential wrongdoing must be about misconduct or an improper state of affairs in relation to the regulated entity. This includes contravention of a provision of any law of the Commonwealth that is punishable by imprisonment for a period of 12 months or more or represents a danger to the public or the financial system.
In addition, the whistleblower will also be protected if they disclose to a journalists or a member of parliament either as a public interest disclosure or an emergency disclosure, provided certain requirements are met.
Those provisions include that the whistleblower must have specifically notified the Regulator (not just any eligible recipient) and then wait 90 days (in the case of a public interest disclosure) before being able to raise the concern with a journalist or member of parliament and only after they have notified the Regulator that they intend to make a public interest disclosure.
In the case of an emergency disclosure, there is no waiting period. The whistleblower must:
Emergency and public interest disclosures have the potential to cause serious harm to companies. While organisations would naturally prefer that a whistleblower disclose internally, rather than go straight to the Regulator, the Whistleblower Protections Act provides that a policy must set out information about the protections available to whistleblowers, including protections under the relevant part of the Act and information about how the disclosures that qualify for protection may be made and how they may be made.
To comply with this requirement, it appears that regulated entities will need to include guidance in their whistleblower policy which states that, in order to obtain the protections provided by the Whistleblower Protections Act, employees must: first report the alleged misconduct to the Regulator before they disclose the matters to a journalist or a member of parliament in circumstances where they believe that the misconduct is a matter of public interest or of a substantial and imminent danger to the health or safety of one or more persons or to the natural environment
The Draft Guidance thankfully promotes a less technical approach:
“It is good practice for an entity’s policy to encourage its employees and external disclosers to make a disclosure to the entity in the first instance. However the entity needs to ensure that its policies, processes and procedures make it safe for disclosures to do so.”
The Draft Guidance also states that the policy could also:
“acknowledge that a discloser can make a disclosure directly to regulatory bodies or other external parties about a disclosable matter and qualify for protection under the Corporations Act without making a prior disclosure to the entity.”
While this approach is welcomed, it is not made clear what the policy should actually say about this protection. The Draft Guidance appears to suggest that policies should actually explain the circumstances when a public interest/emergency disclosure can be made. This appears to be counter-initiative to the legislatures’ intention that disclosures should be made internally first and that emergency/public interest disclosures should be the last resort.
Whistleblowing is not a new concept. While it was acknowledged that the law needed to be tightened, there was a belief amongst the business community that the misconduct that needed to be addressed concerned corporate, tax or financial misconduct, rather than individuals behaving badly towards each other in the corporate world.
The Whistleblower Protections Act defines a disclosable matter as:
‘Misconduct’ is expressly defined by section 9 of the Corporations Act and includes fraud, negligence, default, breach of trust, and breach of duty.
The concept of an ‘improper state of affairs’ is not defined in the legislation, however the Revised Explanatory Memorandum states that it ‘may not involve unlawful conduct but may indicate a systemic issue that would assist the relevant regulator in performing its functions’.
These are narrow concepts that do not embody the definition of misconduct that is commonly used in relation to employee conduct, and therefore support the view that the wrongdoing that should be reported is in relation to corporate, tax or financial affairs.
However, the Draft Guidance appears to support a broad interpretation. It notes that an entity’s policy should explain that:
The majority of HR complaints raise alleged breaches of the employer’s Code of Conduct and are likely to include complaints of discrimination, bullying, harassment or victimisation. This type of conduct is unlikely to fall within the definition of misconduct in the Corporations Act, but appears to be covered by the Draft Guidance. This is an expansive interpretation which does not appear to be supported by the terms of the legislation.
Further, although the Draft Guidance notes that workplace grievances remain the jurisdiction of the Fair Work Act 2009 (Cth), it goes on to explain that a personal work-related grievance still qualifies for protection if:
With the exception of an offence under the Work Health and Safety Act 2011 (Cth) (which applies to very few employers), there are no federal employment laws that provide for criminal sanctions. However, by suggesting that a report about a personal grievance could be a protected disclosure if the entity has ‘breached employment laws,’ the Draft Guidance may lead organisations to treat such complaints as a whistleblower complaint, when this does not appear to be required.
A practical consequence of the extension of the types of ‘misconduct’ beyond the apparent scope of the legislation is that organisations will need to revisit many HR policies dealing with such matters, and how general HR complaints are handled.
Say, for example, a Chief Operating Officer receives a complaint about bullying and victimisation by a colleague. There is no request by the employee to remain anonymous and, in any event, the COO is aware that HR have previously investigated the allegations and found the allegations unsubstantiated. Normally, the matter would be instinctively passed back to HR for further investigation. The inference in the Draft Guidance is that the conduct is a disclosable matter and would prevent the issue being passed back to HR. This is because in doing so the COO may breach the confidentiality provisions of the Whistleblower Protections Act, unless consent has been given by the reporter.
Further, organisations that adopt the extended view of misconduct in the Draft Guidance are likely to find that their ability to investigate complaints – particularly those whereby the identity of the respondent must be disclosed – is hindered in a way that does not appear to be consistent with the legislative intent.
To give another example, say a COO receives a complaint from one employee alleging sexual harassment from another employee. To ensure that the COO complies with his or her obligations, they should ask the employee to consent to their complaint being passed to the Whistleblowing Protection Officer and/or the Whistleblowing Investigation Officer. If consent is refused, or the employee does not wish their identity to be disclosed, arguably the COO cannot take the matter any further.
Such an interpretation is inconsistent with industry practice and, arguably, is also inconsistent with an organisation’s duties under the Work Health and Safety Act 2011 (Cth), whereby complaints will be investigated regardless of whether the employee wishes to remain anonymous or consents to the matter being investigated.
We do not think such a broad interpretation of ‘disclosable matters’ is the intention of the legislature.
To deliver on the object of the Whistleblower Protections Act, a whistleblower policy needs to be clear and easily understood across all levels of an organisation.
The Draft Guidance notes that the following provisions should be included in a policy:
These provisions go well beyond the obligations of Whistleblower Protections Act, and, if included, will lead to organisations creating detailed, long, and complex policies that are unlikely to be clear and easily understood. It could therefore destroy one of the key objectives of the legislation, namely encouraging more people to report. If individuals cannot understand the policy, they will inevitably have no trust or confidence in the system. This may also push them to disclose to the Regulator in the first instance, rather than internally.
While guidance is to be welcomed, some things are best left as ‘guidelines’ separate from any policy.
What should organisations be doing right now?
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, Section 1317AA(1) & (2)
 Ibid, Section 1317AAC(1)(a)
 Ibid, Section 1317AAC(4)
 Ibid, Section 1317AAD
 Ibid, Section 1317AAD(2)
 Ibid, Section 1317AI(5)(a) & (b)
 Draft Regulatory Guide 000 Whistleblower Policies, RG 000.62
 Ibid, RG 000.63
 Ibid, RG 000.69 and RG 000.70
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, Section 1317AA(4)
 Ibid, Section 1317AA(5)
 Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019, Revised Explanatory Memorandum, 2.34
 Draft Regulatory Guide 000 Whistleblower Policies, RG 000.41
 Ibid, RG 000.42
 Ibid, RG 000.51
 Ibid, RG 000.53
 Ibid, RG 000.11 and RG 000.12
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.