A new era for Whistleblowers in Australia

Publication March 2019


Changes to Australia’s whistleblowing laws are now one step closer to implementation. Amendments to the Corporations Act 2001 (Cth) and Taxation Administration Act 1953 (Cth) to provide for an expanded corporate whistleblowing scheme and a new tax affairs whistleblowing scheme have now passed both Houses of Parliament and will commence on 1 July 2019.   

Public companies and large proprietary companies will then have until 1 January 2020 to implement a compliant whistleblowing policy. It is unlikely that existing whistleblowing policies will comply with the proposed legislative requirements.

The amended laws will apply to disclosures even if the disclosed conduct occurred before the commencement date.  The amended victimisation and compensation provisions apply to protected disclosures made at any time, if the victimisation in respect of the disclosure occurs after the commencement date. (This earlier commencement of the victimisation provisions means that entities ought to update their whistleblower policies and processes now to ensure they comply with the new laws).


Corporate whistleblowing scheme

The amendments to the Corporations Act will create a consolidated and expanded whistleblower protection regime, applying to “regulated entities”1  in the corporate, financial and credit sectors.2  This is broad and means it will apply to the vast majority of businesses.


Changes to the protected disclosure regime

Under the changes to the Corporations Act:

  • there will be a broader range of conduct which can be reported and receive protection:
    • the conduct needs to concern “misconduct” or an “improper state of affairs”, which are broadly defined;
    • previously the subject matter of protected disclosures was limited to contraventions of the Corporations legislation;
  • disclosures will be able to be made anonymously and do not need to be made in “good faith”, although the whistleblower will need to have reasonable grounds for their concern; 
  • disclosures about personal work-related grievances will only be protected in certain limited circumstances.  

A disclosure of a work-related grievance will only be protected if it relates to systemic issues, or involves detrimental conduct to the whistleblower.  A disclosure of a work related grievance will also be protected if it is made to a legal practitioner to obtain legal advice or representation in relation to the whistleblower provisions.


Who can make a protected disclosure?

Whistleblower disclosures will be able to be made by current and former:

  • Employees and officers;
  • Contractors, suppliers and their employees;
  • An individual who is an associate (as defined in the Corporations Act) of the entity; and 
  • Spouses and relatives of any of the above. 

A contractor or supplier includes an individual who supplies goods or services, whether paid or unpaid.   


Who can disclosures be made to?

Whistleblowing disclosures will be able to be made to:

  • ASIC, APRA, and other prescribed Commonwealth authorities;
  • officers or senior managers of the entity;
  • an auditor or actuary of the entity; and 
  • persons authorised to receive disclosures.  This could include a whistleblowing hotline. 

The Bill was amended during its passage through the Senate to remove the ability of employees to report disclosures to their supervisor or line manager, thus reducing the compliance burden on companies by narrowing the group of staff eligible to receive disclosures.

Disclosures to parliamentarians and journalists

The amendments also provide for public interest and emergency disclosures to be made to members of Parliament and to journalists. An emergency disclosure to a parliamentarian or journalist must be based on the whistleblower having reasonable grounds to believe the information disclosed concerns a substantial and imminent danger to the health or safety of one or more persons, or the natural environment.  The extent of the information disclosed must be no greater than is necessary to inform the recipient of the substantial and imminent danger.  

A whistleblower will be able to make a public interest disclosure to a journalist or parliamentarian if:

  • the whistleblower has previously made a protected disclosure (the first disclosure) to a regulator;
  • at least 90 days have passed since the first disclosure was made,
  • the whistleblower does not have reasonable grounds to believe that action is being or has been taken to address the matters to which the first disclosure related;
  • the whistleblower has reasonable grounds to believe that making a further disclosure to a journalist or MP would be in the public interest;
  • the whistleblower has given written notification to the authority that they intend to make a public interest disclosure; 
  • the extent of the information disclosed is no greater than necessary to inform the recipient of the misconduct or improper state of affairs to which the first disclosure related.

The definition of journalist includes journalists working for electronic services operated on a non-commercial basis by a body that provides a national broadcasting service. This could mean that entities are not aware of complaints before this mechanism is used to contact the media or a journalist.  Entities should try to avoid this by adopting user friendly internal speak up processes and ensuring that there is tone from the top committing to protect whistleblowers.


Ramifications for breaching anonymity or engaging in detrimental conduct

Breaching a whistleblower’s anonymity and engaging in (or threatening to engage in) detrimental conduct towards a whistleblower or potential whistleblower, will carry a civil penalty for a body corporate of a maximum of the greater of $10,500,000, or if a Court can determine the benefit derived or detriment avoided because of the contravention, 3 times that amount, or 10% of the annual turnover of the entity up to a maximum of $525 million. Penalties for an individual will be the greater of $1,050,000, or if a Court can determine the benefit derived or detriment avoided, 3 times that amount. Failure to comply with the confidentiality and detrimental conduct provisions will also be criminal offences, punishable by imprisonment and / or fines. 

A regulated entity can be liable to pay compensation if they engage in detrimental conduct towards a whistleblower. They can also be jointly or severally liable to pay compensation if their employees engage in detrimental conduct towards another person, based on a belief or suspicion that the other person is an actual or potential whistleblower. A body corporate can also be liable to pay compensation if a third person engages in detrimental conduct towards a second person, based on a belief or suspicion that the second person is an actual or potential whistleblower, and the body corporate fails to fulfill any duty they have to prevent the third person from engaging in that detrimental conduct, or to take reasonable steps to ensure that the third person does not engage in detrimental conduct.  

The Bill was amended to remove a due diligence defence for employers. The Act instead provides that in deciding whether to make an order requiring an employer to compensate a whistleblower for its employees’ conduct, the court may have regard to the following factors:

  • whether the employer took reasonable precautions and exercised due diligence to avoid the detrimental conduct;
  • if the employer has a whistleblower policy, the extent to which the employer gave effect to the policy;
  • any duty the employer was under to prevent the detrimental conduct or to take reasonable steps to ensure the detrimental conduct was not engaged in. 

To manage these new requirements, we anticipate that businesses will need to implement training across the organisation, to ensure that whistleblower disclosures are recognised and dealt with confidentially and sensitively, and ensure that whistleblowers are not subjected to detrimental conduct. Any whistleblower process should also be actively managed and reviewed for effectiveness. 


Compliant whistleblower policies must be implemented

Once the Act commences, public companies, large proprietary companies3 and proprietary companies that are trustees of a registrable superannuation entity, will have 6 months to implement a compliant whistleblowing policy (ie by 1 January 2020). Failure to have a policy will be a criminal offence. The maximum penalty for not having a policy is $126,000. ASIC will have the power to exempt a class of entities from complying with this requirement.


It is unlikely that any existing whistleblower policy will comply with the new laws

Businesses will either need to start developing a policy or update existing policies (and note on the existing policy that it is being updated and provide an internal reference for queries).

The policy will need to be made available to officers and employees, and provide for: 

  • protections available to whistleblowers, including protections under the Corporations Act;
  • who can receive disclosures qualifying for protection under the Corporations Act (protected disclosures), and how they can be made; 
  • how the company will support whistleblowers and protect them from detriment;
  • how the company will investigate protected disclosures;
  • how the company will ensure fair treatment of employees who are mentioned in protected disclosures, or to whom such disclosures relate;
  • how will the policy will be made available to officers and employees; and
  • any other matters prescribed by regulations.

New tax affairs whistleblowing scheme – broad application

The changes to the Taxation Administration Act (TAA), enabling disclosures to be made about misconduct and improper conduct in relation to tax affairs, will also come into effect on 1 July 2019.  These changes have a broader application than the Corporations Act scheme and will apply to all kinds of legal persons, including sole traders, companies, partnerships, body politics, any other unincorporated association or body of persons, trusts, superannuation funds, and approved deposit funds. 

These provisions apply to both internal disclosures to the entity and external disclosures to the Commissioner for Taxation. 

The victimisation provisions of the TAA carry criminal penalties of up to 2 years prison and / or a fine of $50,400 for an individual and $252,000 for a body corporate.  Breaching the confidentiality of a tax whistleblower carries a penalty of up to 6 months prison and / or $12,600 for an individual and $63,000 for a body corporate.4


Review of the legislation – more changes likely?

The Act will be reviewed 5 years after it commences. 

The Australian Labor Party have released their policy for further reform, stating that if elected they will introduce a single Whistleblower Act, a Whistleblower Protection Authority, and consider implementing rewards for whistleblowers. This may well be an issue for the upcoming election.


Contact us

We have designed high-value packages to assist companies in updating their existing policy or in implementing a compliant policy and whistleblowing process.  

Our packages include user-friendly and cyber-secure technology supported by our investigation and regulatory expertise.  Most importantly, our legal advice in relation to your whistleblower protection regime is covered by legal professional privilege, minimising risk to organisations and their directors.

You can download our brochure here, or visit our Whistleblower hub to view more articles.


1 Regulated entities include companies, foreign corporations, trading or financial corporations formed within the limits of the Commonwealth, Authorised Deposit Institutions, insurers, life companies, superannuation entities and other prescribed entities.   

2 The whistleblowing provisions in the Banking Act 1959, the Insurance Act 1973, the Life Insurance Act 1995 and the Superannuation Industry (Supervision) Act 1993 have been repealed, and replaced by the new provisions in the Corporations Act. 

3 From 1 July 2019, a proprietary company will be a large proprietary company for a financial year if it satisfies at least 2 of the following: (a)  the consolidated revenue for the financial year of the company and the entities it controls (if any) is $50 million; (b)  the value of the consolidated gross assets at the end of the financial year of the company and the entities it controls (if any) is $25 million; (c)  the company and the entities it controls (if any) have 100 or more employees at the end of the financial year.

4 These penalties will also increase when the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2018 passes.  

Recent publications

Subscribe and stay up to date with the latest legal news, information and events...