The Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018 has passed through the Senate and is expected to be approved by the House of Representatives early next year.

    These reforms significantly expand private sector whistleblower protections and the range and quantum of penalties for failure to prevent detriment to whistleblowers, and set new obligations in relation to internal whistleblower policies.

    The AICD strongly supports measures to detect and address corporate wrongdoing, and recognises that whistleblowers can play an important role in helping companies to identify, detect and prevent unlawful or unethical activity.

    Statutory protections for whistleblowers help to ensure that people who come forward to report wrongdoing, often in challenging circumstances, are not victimised. The AICD acknowledges the government’s commitment to reform Australia’s whistleblowing laws to broaden and strengthen their coverage, and notes that the reforms have strong bipartisan support.

    Assuming the Bill passes in February 2019, many of the provisions will commence three months after assent. Companies will have six months to put compliant whistleblowing policies in place.

    Implications for directors

    Robust corporate whistleblowing frameworks support good governance.

    Boards have a strong interest in corporate misconduct being brought to light early, so that it can be addressed and prevented from recurring.

    In the context of the AICD’s response to Commissioner Hayne’s interim report of the Financial Services Royal Commission, we noted that strong whistleblower policies can be a final line of defence for companies against misconduct.

    On a practical note, work will need to be done at a management level, subject to board oversight and approval, to prepare compliant whistleblower policies and review and update relevant processes. Significant penalties and protected disclosures to regulators and media create very strong incentives for companies to encourage internal disclosures.

    Boards will also want comfort that information flows and reporting processes are appropriately capturing and escalating whistleblower reports.

    Key elements of legislation

    Key elements of the legislation, including recent government amendments, include the following:

    • Expansion of whistleblower protection: The Bill broadens existing protections and remedies for corporate and financial sector whistleblowers, including extending protections and remedies to both current and former: officers (including directors); employees; contractors; suppliers; and unpaid workers – as well as relatives of any of these individuals. It also gives whistleblowers the ability to make a claim for compensation against a body corporate if the body corporate breaches existing duties by allowing a third party to victimise the whistleblower. These changes significantly broaden the range of individuals covered by whistleblower protections, and organisations will need to consider this much wider scope in updating policies and procedures.
    • Eligible recipients of protected disclosures include an officer or senior manager of the entity, an auditor, actuary or other person authorised by the entity to receive disclosures, and relevant regulators (ASIC, APRA or other Commonwealth authorities prescribed in the regulations). Disclosures to lawyers by whistleblowers for the purposes of obtaining advice are also captured.
    • Exclusion of certain “personal work-related grievances”: Most personal work-related grievances (that are not connected to victimisation as a whistleblower) are excluded from protection. The exclusion will not apply in a limited range of circumstances, including if the information has broader significant implications for the entity, concerns certain offences, or represents a danger to the public or financial system.
    • Reports to third parties: The Bill includes two categories of disclosures to protect whistleblowers who report to Parliamentarians or to the media:
      • a public interest category based on a broad public interest test (subject to a number of requirements, including that 90 days have passed since the disclosure was made to a prescribed authority (such as ASIC or APRA), in which time the whistleblower reasonably believes that no action has been taken); and
      • an emergency disclosure category based on substantial and imminent danger to a person’s health and safety, or the natural environment (also subject to conditions, including that the disclosure has previously been made to a prescribed authority).

    In relation to these emergency and public interest disclosure categories, it is worth noting that these disclosures (for example, to the media) could be made without the company itself ever having learned of the complaint – having strong internal policies and procedures to encourage reports internally becomes even more important given this reputation risk.

    • Requirement to have a whistleblowing policy: The Bill includes a requirement that certain bodies corporate have whistleblower policies (see below for further detail).
    • Increased penalties: The Bill increases civil and criminal penalties for disclosing whistleblower identity or victimising a whistleblower in line with recent reforms intended to strengthen corporate penalties. For companies, the maximum civil penalty is set at 50,000 penalty units (currently $10.5 million), three times the benefit derived or detriment avoided, or 10% of annual turnover (up to 1 million penalty units, currently $210 million). There are also significant penalties for individuals who disclose a whistleblower’s identity or cause detriment to a whistleblower ($200,000). The current Bill narrows the scope of staff potentially caught by this to ‘senior managers’, which the AICD has welcomed (previous drafts applied these potential penalties to all managers).
    • Compensation orders for whistleblowers suffering detriment can be made by the courts, which could include apologies, injunctions, financial compensation and reinstatement. The court may consider whether the employer took reasonable precautions and exercised due diligence to avoid the detrimental conduct and whether it had policies in place to prevent victimisation in considering compensation orders. Individuals and companies who engage in detrimental conduct would be jointly and severally liable to pay compensation.
    • Burden of proof: The Bill requires the complainant to bear the initial onus of proof to point to evidence that suggests a reasonable possibility that detriment has occurred. Once this onus is discharged, the other person (the company, or individual alleged to have engaged in misconduct) bears the onus of proving that the claim is not made out. The AICD has raised concerns about the difficulties this may create for entities. The Government has indicated that the scheduled review of the legislation, five years post-implementation, could consider this issue.

    More contentious proposals, such as whistleblower rewards or a bounty scheme, are not included in the Bill.

    Requirement to have a whistleblowing policy

    The Bill requires public companies, large proprietary companies and proprietary companies that are a trustee of a registerable superannuation entity to have a whistleblower policy in place. Failure to comply with this requirement is a criminal offence.

    In accordance with the provisions in the Bill, a whistleblowing policy must contain information about:

    • the protections available to whistleblowers, including the protections available under the legislation;
    • how and to whom an individual can make a disclosure;
    • how the company will support whistleblowers and protect them from detriment;
    • how the company will investigate disclosures that qualify for protection under the legislation;
    • how the company will ensure fair treatment of employees who are mentioned in whistleblower disclosures; and
    • how the policy will be made available.


    The Bill delays the commencement of the legislation once passed – there will be a period of at least 3 months from the date that the legislation receives Royal Assent before it comes into effect, and companies will be required to have a compliant whistleblower policy in place 6 months after the legislation commences.

    The Bill also includes a requirement for a post-implementation review of the law five years after the legislation commences.
