Company officer obligations under the whistleblower protection provisions
This is Information Sheet 247 (INFO 247). It summarises the obligations of company officers and senior managers under the whistleblower provisions. It provides guidance for companies on complying with the whistleblower provisions.
All companies in Australia must comply with the whistleblower protection provisions (whistleblower provisions) in Part 9.4AAA of the Corporations Act 2001 (Corporations Act). The Corporations Act provides strong protections for corporate sector whistleblowers to encourage them to come forward with their concerns.
If you are a company officer or senior manager, you are an 'eligible recipient' under the Corporations Act. This means that eligible whistleblowers can make 'qualifying disclosures' to you and then access the whistleblower rights and protections. For more information on who is an 'eligible whistleblower', see Information Sheet 238 Whistleblower rights and protections (INFO 238).
You must ensure you do not breach the whistleblower provisions when handling a whistleblower disclosure. Your main legal obligations are to not:
- disclose a whistleblower's identity or information likely to lead to their identification, unless that disclosure is authorised under the law
- cause or threaten to cause detriment to (or victimise) a whistleblower for making their disclosure.
Public companies, large proprietary companies and corporate trustees of registrable superannuation entities must have a whistleblower policy. For further information, see Regulatory Guide 270 Whistleblower policies (RG 270).
Even if your company is not required to have a whistleblower policy under the law, we encourage you to put in place arrangements for handling whistleblower disclosures. For those companies that are not required to have a whistleblower policy, our guidance in this information sheet may help you develop these whistleblower arrangements. These arrangements may form part of the governance arrangements for your company.
The whistleblower provisions also affect how your company can respond to a whistleblower's concerns, including investigating the allegations and addressing or reporting on the misconduct. We have provided guidance on how you can:
- obtain consent from whistleblowers to disclose their identity as part of your investigation
- address any employment issues involving a whistleblower while also handling their disclosure.
If you are unsure about your obligations under the whistleblower provisions, either generally or regarding a specific qualifying disclosure, we encourage you to seek legal advice.
There may be other whistleblower protection regimes in other laws that your company must comply with. In these circumstances, we encourage your company to establish processes to comply with each regime. Officers and senior managers should seek legal advice about their obligations for handling disclosures under the different regimes.
Definition of officers and senior managers
Generally, under the law, an 'officer' includes, but is not limited to, a director or company secretary of a company. Liquidators and other external administrators will also be officers once they are appointed to the company.
Under the Corporations Act, a 'senior manager' is a person other than a director or company secretary who makes, or participates in making, decisions that:
- affect the whole, or a substantial part of, the business of the company or organisation, or
- have the capacity to significantly affect the company's or organisation's financial standing.
This will generally be senior executives within a company. It may include chief executive officers, chief financial officers, chief operating officers, and chief risk officers, as well as public officers of charities or not-for-profit organisations.
How to identify qualifying disclosures
If a whistleblower's disclosure meets certain criteria, it is a 'qualifying disclosure'. It is important that you, as an eligible recipient, identify a qualifying disclosure when you receive it.
A qualifying disclosure is a disclosure of information from an eligible whistleblower who has reasonable grounds to suspect that the information concerns:
- an improper state of affairs or circumstances
- a breach of the law, or
- danger to the public or the financial system.
The information can be about conduct by your company, an officer or employee of your company, a related company, or an officer or employee of the related company.
The definition of 'misconduct' in the Corporations Act includes fraud, negligence, default, breach of trust and breach of duty. 'Improper state of affairs or circumstances' is not defined in the Corporations Act and is intentionally broad. It may not involve unlawful conduct, but may indicate a systemic issue that a relevant regulator should know about to properly perform its functions. It may also relate to unethical business behaviour and practices that may cause consumer harm.
The whistleblower's motives or personal views about the people or companies involved are irrelevant, but the whistleblower must have reasonable grounds to suspect the concerns that they report. This is an objective test. A person is not protected for a false claim. It must be an allegation they have reasonable grounds to suspect is the case.
A disclosure solely about a personal work-related grievance is not covered by the whistleblower provisions. However, a disclosure that includes a personal work-related grievance may be covered in certain circumstances.
If you are unsure whether an individual's disclosure to you is a qualifying disclosure, we encourage you to seek legal advice.
Personal work-related grievances
A disclosure from an individual solely about their personal work-related grievance is not considered a qualifying disclosure, and therefore is not covered by the whistleblower provisions.
A disclosure is solely about a personal work-related grievance if the information concerns a grievance related to the employee's employment or former employment, has implications for the employee personally, and does not also have significant implications for the employer.
Examples of grievances that may be personal work-related grievances include:
- an interpersonal conflict between the individual and another employee
- a decision about the engagement, transfer or promotion of the individual
- a decision about the terms and conditions of engagement of the individual
- a decision to suspend or terminate the engagement of the individual, or to otherwise discipline the individual.
The person may still have rights and protections under workplace or other laws, even if the whistleblower provisions do not apply to their disclosure. For example, these disclosures may be protected under the Fair Work Act 2009. You may wish to consider whether the person's concerns need to be handled by your company's processes for employee relations or workplace disputes.
A disclosure of a personal work-related grievance may still fall under the whistleblower provisions if:
- the person suffers, or is threatened with, detriment for making the disclosure
- the disclosure includes information about misconduct, an improper state of affairs or circumstances, a breach of the law, or danger to the public or the financial system, in addition to the personal work-related grievance, or
- the disclosure suggests misconduct that has significant implications for the company beyond the discloser's personal circumstances.
Maintaining the confidentiality of the whistleblower's identity
When disclosing to you as an eligible recipient, a whistleblower does not have to give you their name or contact details, and they can remain anonymous.
Even if you know the whistleblower's identity, you must maintain their confidentiality. This can mean that, once you receive a qualifying disclosure, you cannot disclose the whistleblower's identifying details to others, including other eligible recipients. However, in some instances you may be authorised to disclose their identity under the law – for example, if the whistleblower consents or if it is necessary for the investigation into the concerns (the 'investigation defence').
Unauthorised disclosure of a whistleblower's identity
The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to disclose the identity, or information likely to lead to the identification, of a whistleblower. The exception to this is if the disclosure is authorised under the law.
The offence and penalty only apply if you make an unauthorised disclosure of the whistleblower's identity, or information likely to lead to their identification, gained directly or indirectly from the whistleblower's qualifying disclosure. You can disclose other information from the qualifying disclosure, such as the alleged misconduct, as long as this does not also amount to an unauthorised disclosure of the whistleblower's identity or information likely to lead to their identification.
We can investigate allegations that a person has made an unauthorised disclosure of a whistleblower's identity, or information likely to lead to their identification.
Your company could also be liable to pay compensation to a whistleblower if they suffer loss, damage or injury from detrimental conduct by someone within the company for making their report. 'Detrimental conduct' includes damage to the whistleblower's reputation, which could result from a breach of their confidentiality.
Authorised disclosure of a whistleblower's identity
An 'authorised disclosure' of a whistleblower's identity, or information likely to lead to their identification, is a disclosure:
- to ASIC, the Australian Prudential Regulation Authority or the Australian Federal Police
- to a lawyer for advice about the whistleblower provisions, or
- with the whistleblower's consent.
You can disclose information likely to lead to a whistleblower's identification without their consent under the investigation defence – that is, when the disclosure is part of your company's investigation into the concerns.
You may only rely on the investigation defence if:
- the information does not include the whistleblower's identity
- you have taken all reasonable steps to reduce the risk that the whistleblower will be identified from the information, and
- it is reasonably necessary for investigating the whistleblower's concerns.
Reasonable steps could include, among other things, removing the whistleblower's name, position title, team and other identifying details from their disclosure. Companies could also investigate the concern without commenting on or attributing the source, or after masking the source.
If you are uncertain about whether you can rely on the investigation defence, you should seek advice from a legal practitioner.
Arrangements for managing whistleblower correspondence
We appreciate that you may have staff who receive, manage or draft your correspondence on your behalf. This may include staff who are responsible for or administer the technology systems your company uses to record and manage correspondence and other documents. Through their role, these staff may become aware of a qualifying disclosure addressed to you. They should be mindful of the obligations in the whistleblower provisions and how your company handles qualifying disclosures. This will help ensure that your staff are able to handle the disclosure on your behalf in accordance with the legislative requirements.
Prohibition on victimising or causing detriment to a whistleblower
The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to cause or threaten to cause detriment to, or victimise, a person because they believe or suspect that the person has made, may have made, or could make a qualifying disclosure. You or your company could also be liable to pay compensation to a whistleblower if they suffer loss, damage or injury as a result of detrimental conduct in response to their qualifying disclosure.
The criminal offence and civil penalty, as well as civil liability, apply even if the person has not made a qualifying disclosure. This is provided the reason (or part of the reason) the offender caused or threatened detriment is because they believed or suspected that the person had made, may have made or could make a qualifying disclosure.
Detriment includes actions or other conduct against a whistleblower or potential whistleblower to:
- dismiss them from their employment
- injure them in their employment
- alter their position or duties as an employee to their disadvantage
- discriminate between them as an employee and other employees of the same employer
- harass or intimidate them
- harm or injure them, including causing them psychological harm
- damage their property
- damage their reputation
- damage their business or financial position
- cause them any other damage.
We can investigate allegations that a person caused or threatened to cause detriment to a whistleblower. This may result in a penalty to the offender or the company, or officers and employees of the company who are involved in the conduct.
Whistleblowers may also be afforded protection from detriment under workplace laws, for example, if their disclosure constitutes the exercise of a workplace right under the Fair Work Act 2009. Further information about these protections is available from the Fair Work Ombudsman.
Arrangements for handling whistleblower disclosures
All companies in Australia are subject to the whistleblower provisions. Public companies, large proprietary companies and corporate trustees of registrable superannuation entities must have a whistleblower policy. The policy must set out, among other things, how those companies will handle whistleblower disclosures and support and protect whistleblowers. RG 270 contains guidance for companies on establishing and implementing a whistleblower policy.
Even if your company is not required to have a whistleblower policy under the law, we encourage you to put in place arrangements for handling whistleblower disclosures. For those companies that are not required to have a whistleblower policy, our guidance in this information sheet may help you develop arrangements to handle whistleblower disclosures.
These arrangements may form part of the governance arrangements for your company. They can help ensure you and your company handle any disclosures you receive in line with the legislative requirements. Similarly, company officers could oversee these arrangements as part of their responsibilities for governance, compliance and risk management.
Note: For more information on the governance arrangements your company should have in place, see Information Sheet 79 Your company and the law (INFO 79).
We consider that the following key principles will help a company to manage itself, comply with its obligations and improve its performance:
- respect and fair treatment for whistleblowers
- a commitment to addressing whistleblower concerns
- reporting whistleblower concerns to senior executives and board members.
Guidance on arrangements for handling whistleblower disclosures
Unless your company is required to have a whistleblower policy, the Corporations Act does not prescribe any particular approach to handling whistleblower disclosures. However, you must not:
- disclose a whistleblower's identity or information likely to lead to their identification, unless that disclosure is authorised under the law
- cause or threaten to cause detriment to (or victimise) a whistleblower for making their disclosure.
We encourage companies to develop arrangements to handle whistleblower disclosures that suit their particular circumstances. The arrangements can be tailored to the nature, size, scale and complexity of their business.
Effective, tailored arrangements can help you comply with the whistleblower provisions and handle whistleblower disclosures in line with the legislative requirements. Effective arrangements for handling disclosures from whistleblowers could include documented processes to:
- receive whistleblower disclosures
- assess the concerns and investigate them if necessary
- raise the concerns with the subjects and seek redress or correction
- limit access to materials related to disclosures using secure record-keeping or technology systems
- communicate with the whistleblower
- train staff in their obligations.
The arrangements could be run internally or use an external service provider, such as a complaints service or hotline, and be integrated with other integrity or compliance functions.
RG 270 could also be a reference for companies wishing to establish arrangements to handle whistleblower disclosures and address whistleblower concerns. However, only public companies, large proprietary companies and corporate trustees of registrable superannuation entities are required to have a whistleblower policy meeting the requirements set out in the law.
Guidance on dealing with disclosures made directly or personally to you
Whistleblowers can report their concerns directly to you as an eligible recipient and access the whistleblower rights and protections.
We appreciate that your company may prefer whistleblowers to report their concerns using whistleblower arrangements your company has established or authorised, rather than reporting to you directly or personally as an eligible recipient. We understand that this can help your company properly and systematically manage whistleblower disclosures and promptly address the concerns raised.
If you receive a whistleblower disclosure personally, you can encourage the whistleblower to report directly to the company's whistleblower arrangements. This may be the most appropriate way for your company to acknowledge a whistleblower's concerns.
If you refer the whistleblower's report to the company's whistleblower arrangements yourself, you might disclose the whistleblower's identity or information likely to lead to identification of them. Given the confidentiality obligation, you will need the whistleblower's consent to refer the report. This consent may be clear from the whistleblower's qualifying disclosure or from the context of how you receive it.
Addressing whistleblower disclosures
The whistleblower provisions also affect how your company can investigate the whistleblower's concerns and address, correct or report on the misconduct or breach of the law.
Depending on the circumstances, companies may need to pursue the concern without commenting on or attributing the source, or after masking the source.
You must also comply with the confidentiality obligation while affording any procedural fairness to people who may be the subject of the qualifying disclosure. These issues will need to be handled carefully, according to the legal requirements and within the consent of the whistleblower.
Consent from the whistleblower to disclose their identity
If you receive a qualifying disclosure personally, you must maintain the confidentiality of the whistleblower's identifying information – that is, you must not make an unauthorised disclosure of their identifying information. Whistleblowers can consent to their identifying details being disclosed.
You or your company may need to disclose the whistleblower's identity, or information likely to lead to their identification, so you can effectively investigate the concerns and address any misconduct. You should inform the whistleblower if this is the case and discuss it with them.
A whistleblower's consent, and any limits to their consent, may be clear from their qualifying disclosure. If not, you should clarify how the whistleblower wishes their identifying information to be treated as soon as practicable after receiving their qualifying disclosure.
If the whistleblower is uncomfortable with providing consent, you could also discuss with them how your company will protect them and their identifying information during any subsequent investigation and steps to address the misconduct. Your company's arrangements could include that, with the whistleblower's consent, their identifying information will only be shared with staff:
- involved in investigating and addressing the concerns, or
- responsible for supporting the whistleblower and protecting them from detriment.
You may wish to set out your company's approach in the documentation for your company's arrangements. It could also be set out in your company's whistleblower policy, if your company is required to have one. For further information about whistleblower policies, see RG 270.
Clear information about your company's arrangements will make it easy for you to clarify with the whistleblower whether they consent to you disclosing their identifying details. It may also alleviate any concerns they have, because they will know what to expect from making a disclosure internally, and any subsequent investigation of their concerns. They can also identify any of the company's processes that might raise particular concerns for them or their allegations.
Addressing employment issues relating to a whistleblower
Your company may have a work-related grievance or performance issue it needs to address with an employee who has made a qualifying disclosure. Your company may also need to respond to serious misconduct by an employee who has made a qualifying disclosure.
The whistleblower provisions do not constrain your company's ability to exercise lawful rights it may have to address employment issues relating to an employee who has made a qualifying disclosure. That is, unless the reason (or part of the reason) your company takes these actions is because the employee made a qualifying disclosure. If that is the reason (or part of the reason), this is likely to breach the prohibition against causing or threatening to cause detriment to a whistleblower.
With respect to the whistleblower provisions, provided any actions by the company to address an employment issue with a whistleblower are not because of the whistleblower disclosure, either wholly or in part, you can still, for example:
- manage unsatisfactory performance or conduct, such as under a company performance policy or a workplace instrument
- make changes to their employment arrangements or position authorised under a workplace law, workplace instrument or contract
- conduct a disciplinary process or take appropriate disciplinary action against them, or
- terminate their employment.
Note: The whistleblower provisions protect whistleblowers for making qualifying disclosures. They do not provide an immunity from liability for the whistleblower if they are involved in the misconduct they disclose. For further information, see INFO 238.
The processes a company has developed for employee relations or addressing issues with employees may also need to account for the whistleblower provisions. This includes the confidentiality obligation and the prohibition against causing or threatening to cause detriment to a whistleblower.
When a company has an employment issue with a whistleblower, it could handle the employment issue separately from the whistleblower's qualifying disclosure. This could be demonstrated through separate documentation of the employment issue and the qualifying disclosure, and different staff members responsible for handling each issue.
Handling these issues separately could help ensure you and your company comply with the whistleblower provisions. This would depend on there being resources available to the company, and there could be other approaches more suitable to the company's specific circumstances to ensure compliance.
Further information about workplace protections, employment disputes and addressing underperformance and serious misconduct by employees is available from the Fair Work Ombudsman. You may also wish to seek legal advice where you are considering taking actions to address employment issues relating to an employee who has made a qualifying disclosure.
Public companies, large proprietary companies and corporate trustees must have whistleblower policies
If your company is a public company, a large proprietary company, or the corporate trustee of a registrable superannuation entity, it must have a whistleblower policy. The policy must be available to officers and employees of your company.
A small proprietary company that becomes a large proprietary company after 1 January 2020 will have six months from the date it qualifies as a large proprietary company to establish a whistleblower policy.
This policy must provide information on:
- the protections available to whistleblowers, including protections under the whistleblower provisions
- to whom a whistleblower can report their concerns, and how they can report their concerns. This will help whistleblowers understand the company's arrangements, given that a company can authorise particular staff or third parties to receive reports from whistleblowers
- how the company will support whistleblowers and protect them from detriment
- how the company will investigate whistleblower reports. This will help whistleblowers understand how their reports and their personal information will be handled during any investigation
- how the company will ensure fair treatment of employees of the company who are mentioned in whistleblower reports, or to whom such reports relate
- how the policy is to be made available to officers and employees of the company, and
- any matters prescribed by the regulations.
Note: No regulations have yet been prescribed.
We have granted relief from the requirement to have a whistleblower policy to public companies that:
- are limited by guarantee
- operate on a not-for-profit basis
- have an annual (consolidated) revenue of less than $1 million.
Note: See ASIC Corporations (Whistleblower Policies) Instrument 2019/1146 for more information.
RG 270 contains guidance for companies on establishing and implementing a whistleblower policy.
Where to find more information
- INFO 79 Your company and the law
- INFO 238 Whistleblower rights and protections
- Information Sheet 239 How ASIC handles whistleblower reports (INFO 239)
- Information Sheet 246 Company auditor obligations under the whistleblower protection provisions (INFO 246)
- RG 270 Whistleblower policies
- ASIC Corporations (Whistleblower Policies) Instrument 2019/1146
- the section of our website on whistleblowing, including our summary of the whistleblower provisions and information for not-for-profit organisations
- the whistleblower provisions of the Corporations Act (especially Part 9.4AAA) on the Federal Register of Legislation
Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice.
You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.
Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.
This information sheet was issued on 30 June 2020.